!116 sync some patches from upstream

From: @yangl777 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

backport-ITS-10016-slapo-syncprov-fix-Abandon-with-active-qtask.patch

@@ -0,0 +1,124 @@
+From 5f934c8c457ffe906c844ab2313943ae9b66bc46 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 27 Feb 2023 15:01:23 +0000
+Subject: [PATCH] ITS#10016: slapo-syncprov: fix Abandon with active qtask
+
+---
+ servers/slapd/overlays/syncprov.c | 42 ++++++++++++++++++++++++++-----
+ 1 file changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index f62d6c63ea..44a6181410 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -871,6 +871,11 @@ static void free_resinfo( syncres *sr )
+ 
+ #define FS_UNLINK	1
+ #define FS_LOCK		2
++#define FS_DEFER	4
++
++#define FSR_NOTFREE	0
++#define FSR_DIDFREE	1
++#define FSR_CANFREE	2
+ 
+ static int
+ syncprov_free_syncop( syncops *so, int flags )
+@@ -881,12 +886,19 @@ syncprov_free_syncop( syncops *so, int flags )
+ 	if ( flags & FS_LOCK )
+ 		ldap_pvt_thread_mutex_lock( &so->s_mutex );
+ 	/* already being freed, or still in use */
+-	if ( !so->s_inuse || --so->s_inuse > 0 ) {
++	if ( !so->s_inuse || so->s_inuse > 1 ) {
+ 		if ( flags & FS_LOCK )
+ 			ldap_pvt_thread_mutex_unlock( &so->s_mutex );
+-		return 0;
++		if ( !( flags & FS_DEFER ) && so->s_inuse )
++			so->s_inuse--;
++		return FSR_NOTFREE;
+ 	}
+ 	ldap_pvt_thread_mutex_unlock( &so->s_mutex );
++
++	/* caller wants to cleanup other stuff before actual free */
++	if ( flags & FS_DEFER )
++		return FSR_CANFREE;
++
+ 	if (( flags & FS_UNLINK ) && so->s_si ) {
+ 		syncops **sop;
+ 		ldap_pvt_thread_mutex_lock( &so->s_si->si_ops_mutex );
+@@ -914,7 +926,7 @@ syncprov_free_syncop( syncops *so, int flags )
+ 	}
+ 	ldap_pvt_thread_mutex_destroy( &so->s_mutex );
+ 	ch_free( so );
+-	return 1;
++	return FSR_DIDFREE;
+ }
+ 
+ /* Send a persistent search response */
+@@ -1029,6 +1041,9 @@ syncprov_qplay( Operation *op, syncops *so )
+ 			} else {
+ 				rc = syncprov_sendresp( op, sr->s_info, so, sr->s_mode );
+ 			}
++		} else {
++			/* set rc so we don't do a new qstart */
++			rc = 1;
+ 		}
+ 
+ 		free_resinfo( sr );
+@@ -1055,6 +1070,9 @@ syncprov_qplay( Operation *op, syncops *so )
+ 	return rc;
+ }
+ 
++static int
++syncprov_drop_psearch( syncops *so, int lock );
++
+ /* task for playing back queued responses */
+ static void *
+ syncprov_qtask( void *ctx, void *arg )
+@@ -1063,7 +1081,7 @@ syncprov_qtask( void *ctx, void *arg )
+ 	OperationBuffer opbuf;
+ 	Operation *op;
+ 	BackendDB be;
+-	int rc;
++	int rc, flag, frc;
+ 
+ 	op = &opbuf.ob_op;
+ 	*op = *so->s_op;
+@@ -1092,14 +1110,24 @@ syncprov_qtask( void *ctx, void *arg )
+ 	if ( !rc && !so->s_res )
+ 		rc = 1;
+ 
++	flag = FS_UNLINK;
++	if ( rc && op->o_abandon )
++		flag = FS_DEFER;
++
+ 	/* decrement use count... */
+-	if ( !syncprov_free_syncop( so, FS_UNLINK )) {
++	frc = syncprov_free_syncop( so, flag );
++	if ( frc == FSR_NOTFREE ) {
+ 		if ( rc )
+ 			/* if we didn't unlink, and task is no longer queued, clear flag */
+ 			so->s_flags ^= PS_TASK_QUEUED;
+ 		ldap_pvt_thread_mutex_unlock( &so->s_mutex );
+ 	}
+ 
++	/* if we got abandoned while processing, cleanup now */
++	if ( frc == FSR_CANFREE ) {
++		syncprov_drop_psearch( so, 1 );
++	}
++
+ 	return NULL;
+ }
+ 
+@@ -1274,7 +1302,9 @@ syncprov_op_abandon( Operation *op, SlapReply *rs )
+ 				return SLAP_CB_CONTINUE;
+ 			}
+ 		}
+-		syncprov_drop_psearch( so, 0 );
++		/* if task is active, it must drop itself */
++		if ( !( so->s_flags & PS_TASK_QUEUED ))
++			syncprov_drop_psearch( so, 0 );
+ 	}
+ 	return SLAP_CB_CONTINUE;
+ }
+-- 
+GitLab

backport-ITS-10028-crash-with-pwdMinDelay.patch

@@ -0,0 +1,27 @@
+From 0e409f49ec9a83d7259f9a671e85125d4d724144 Mon Sep 17 00:00:00 2001
+From: HAMANO Tsukasa <code@cuspy.org>
+Date: Fri, 24 Mar 2023 11:24:15 +0900
+Subject: [PATCH] ITS#10028 - crash with pwdMinDelay
+
+---
+ servers/slapd/overlays/ppolicy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+index 0271dde6a7..d4032cc7d3 100644
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -1868,7 +1868,8 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
+ 		} else if ( ppb->pp.pwdMinDelay ) {
+ 			int waittime = ppb->pp.pwdMinDelay << fc;
+ 			time_t wait_end;
+-			struct berval lockout_stamp;
++			char lockout_stamp_buf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
++			struct berval lockout_stamp = BER_BVC(lockout_stamp_buf);
+ 
+ 			if ( waittime > ppb->pp.pwdMaxDelay ) {
+ 				waittime = ppb->pp.pwdMaxDelay;
+-- 
+GitLab
+
+

backport-ITS-10035-Fix-setting-TLSv1.3-ciphersuite.patch

@@ -0,0 +1,24 @@
+From 818e2a5455bac1db029124b5aabc8b03415f917b Mon Sep 17 00:00:00 2001
+From: Ian Puleston <ipuleston@sonicwall.com>
+Date: Thu, 30 Mar 2023 13:04:50 -0700
+Subject: [PATCH] ITS#10035 Fix setting TLSv1.3 ciphersuite
+
+---
+ libraries/libldap/tls_o.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 0a74ffa7f9..8f1d84efa1 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -335,7 +335,7 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ 				if ( !strncmp( ver, "TLSv", 4 ) && strncmp( ver+4, "1.3", 3 ) >= 0 ) {
+ 					if ( tls13_suites[0] )
+ 						ts = tlso_stecpy( ts, ":", te );
+-					ts = tlso_stecpy( ts, sname, te );
++					ts = tlso_stecpy( ts, nptr, te );
+ 				}
+ 			}
+ 		}
+-- 
+GitLab

backport-ITS-10091-Do-not-allow-dynlist-being-configured-as-global.patch

@@ -0,0 +1,28 @@
+From 02975a3dc769d0ffa60b07d91f5903bd719a6c9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Tue, 15 Aug 2023 13:07:46 +0100
+Subject: [PATCH] ITS#10091 Do not allow dynlist being configured as global
+
+---
+ servers/slapd/overlays/dynlist.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
+index 10cacf9798..b552353a7d 100644
+--- a/servers/slapd/overlays/dynlist.c
++++ b/servers/slapd/overlays/dynlist.c
+@@ -2740,6 +2740,11 @@ dynlist_db_init(
+ 	slap_overinst *on = (slap_overinst *)be->bd_info;
+ 	dynlist_gen_t *dlg;
+ 
++	if ( SLAP_ISGLOBALOVERLAY( be ) ) {
++		Debug( LDAP_DEBUG_ANY, "dynlist cannot be used as global overlay.\n" );
++		return 1;
++	}
++
+ 	dlg = (dynlist_gen_t *)ch_malloc( sizeof( *dlg ));
+ 	on->on_bi.bi_private = dlg;
+ 	dlg->dlg_dli = NULL;
+-- 
+GitLab
+

backport-ITS-10193-Asyncmeta-starts-more-than-one-timeout-loo.patch

@@ -0,0 +1,64 @@
+From 729a604192edd2943e1464de998626c76b808ebd Mon Sep 17 00:00:00 2001
+From: Nadezhda Ivanova <nivanova@symas.com>
+Date: Tue, 2 Apr 2024 13:34:07 +0300
+Subject: [PATCH 1/1] ITS#10193 Asyncmeta starts more than one timeout loop per
+ database and slaptest crashes
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/729a604192edd2943e1464de998626c76b808ebd
+Conflict:NA
+
+---
+ servers/slapd/back-asyncmeta/config.c | 9 ++++++---
+ servers/slapd/back-asyncmeta/init.c   | 2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c
+index fbc9681418..aae054ab0a 100644
+--- a/servers/slapd/back-asyncmeta/config.c
++++ b/servers/slapd/back-asyncmeta/config.c
+@@ -497,7 +497,8 @@ asyncmeta_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *c )
+ static int
+ asyncmeta_back_new_target(
+ 	a_metatarget_t	**mtp,
+-	a_metainfo_t     *mi )
++	a_metainfo_t     *mi,
++	BackendDB        *db )
+ {
+ 	a_metatarget_t		*mt;
+ 
+@@ -516,7 +517,9 @@ asyncmeta_back_new_target(
+ 	mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
+ 
+ 	*mtp = mt;
+-
++	if ( !SLAP_DBOPEN(db) || !(slapMode & SLAP_SERVER_MODE)) {
++		return 0;
++	}
+ 	for ( i = 0; i < mi->mi_num_conns; i++ ) {
+ 		a_metaconn_t *mc = &mi->mi_conns[i];
+ 		mc->mc_conns = ch_realloc( mc->mc_conns, sizeof( a_metasingleconn_t ) * mi->mi_ntargets);
+@@ -1907,7 +1910,7 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
+ 			return 1;
+ 		}
+ 
+-		if ( asyncmeta_back_new_target( &mi->mi_targets[ i ], mi ) != 0 ) {
++		if ( asyncmeta_back_new_target( &mi->mi_targets[ i ], mi, c->be ) != 0 ) {
+ 			snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ 				"unable to init server"
+ 				" in \"%s <protocol>://<server>[:port]/<naming context>\"",
+diff --git a/servers/slapd/back-asyncmeta/init.c b/servers/slapd/back-asyncmeta/init.c
+index 5c8016fb2b..45fccf03ec 100644
+--- a/servers/slapd/back-asyncmeta/init.c
++++ b/servers/slapd/back-asyncmeta/init.c
+@@ -275,7 +275,7 @@ asyncmeta_back_db_open(
+ 	
+ 	ber_dupbv ( &mi->mi_suffix, &be->be_suffix[0] );
+ 
+-	if ( mi->mi_ntargets > 0 ) {
++	if ( ( slapMode & SLAP_SERVER_MODE ) && mi->mi_ntargets > 0 ) {
+ 		ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+ 		mi->mi_task = ldap_pvt_runqueue_insert( &slapd_rq, 1,
+ 							asyncmeta_timeout_loop, mi, "asyncmeta_timeout_loop", mi->mi_suffix.bv_val );
+-- 
+2.33.0
+

backport-ITS-10204-slapo-constraint-fix-double-free-on-invali.patch

@@ -0,0 +1,28 @@
+From 6d5400a2c701125c71d907988ef57130c038759c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 30 Apr 2024 15:55:01 +0100
+Subject: [PATCH 1/1] ITS#10204 slapo-constraint: fix double-free on invalid
+ attr
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/6d5400a2c701125c71d907988ef57130c038759c
+Conflict:NA
+
+---
+ servers/slapd/overlays/constraint.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
+index 0d6156af4d..9622c29929 100644
+--- a/servers/slapd/overlays/constraint.c
++++ b/servers/slapd/overlays/constraint.c
+@@ -369,6 +369,7 @@ constraint_cf_gen( ConfigArgs *c )
+ 						ap.attrs[i] = NULL;
+ 						if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
+ 							ch_free( ap.attrs );
++							ap.attrs = NULL;
+ 							snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ 								"%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
+ 							rc = ARG_BAD_CONF;
+-- 
+2.33.0
+

backport-ITS-10211-slapd-Fix-peercred-uid-and-gid-format.patch

@@ -0,0 +1,34 @@
+From bf01750381726db3052d94514eec4048c90a616a Mon Sep 17 00:00:00 2001
+From: Nick Porter <nick@portercomputing.co.uk>
+Date: Thu, 2 May 2024 08:48:14 +0100
+Subject: [PATCH 1/1] ITS#10211 slapd: Fix peercred uid and gid format
+
+uid and gid are unsigned int and so should be formatted as such when
+creating the authid string.
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/bf01750381726db3052d94514eec4048c90a616a
+Conflict:NA
+
+---
+ servers/slapd/daemon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
+index 26e7e67619..8c2dd83efd 100644
+--- a/servers/slapd/daemon.c
++++ b/servers/slapd/daemon.c
+@@ -2270,9 +2270,9 @@ slap_listener(
+ 					STRLENOF( "gidNumber=4294967295+uidNumber=4294967295,"
+ 					"cn=peercred,cn=external,cn=auth" ) + 1 );
+ 				authid.bv_len = sprintf( authid.bv_val,
+-					"gidNumber=%d+uidNumber=%d,"
++					"gidNumber=%u+uidNumber=%u,"
+ 					"cn=peercred,cn=external,cn=auth",
+-					(int) gid, (int) uid );
++					gid, uid );
+ 				assert( authid.bv_len <=
+ 					STRLENOF( "gidNumber=4294967295+uidNumber=4294967295,"
+ 					"cn=peercred,cn=external,cn=auth" ) );
+-- 
+2.33.0
+

backport-ITS-10264-free-NoD-data-we-stored-locally.patch

@@ -0,0 +1,32 @@
+From 3f6cec3b467c78104e915642b41f7625f35518d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 2 Oct 2024 13:23:44 +0100
+Subject: [PATCH] ITS#10264 Free NoD data we stored locally
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/3f6cec3b467c78104e915642b41f7625f35518d8
+Conflict:no
+---
+ libraries/libldap/result.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index acbf51f55f..e9ac9f32b3 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -904,6 +904,13 @@ nextresp2:
+ 
+ 				if ( lr != &dummy_lr ) {
+ 					ldap_return_request( ld, lr, 1 );
++				} else {
++					if ( lr->lr_res_matched ) {
++						LDAP_FREE( lr->lr_res_matched );
++					}
++					if ( lr->lr_res_error ) {
++						LDAP_FREE( lr->lr_res_error );
++					}
+ 				}
+ 				lr = NULL;
+ 			}
+-- 
+GitLab
+

backport-ITS-7226-Make-olcAuditlogFile-SINGLE-VALUE.patch

@@ -0,0 +1,25 @@
+From 242d1e6d623dbb2ac0295ae17a54a674b1b356cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 21 Aug 2023 12:19:16 +0100
+Subject: [PATCH] ITS#7226 Make olcAuditlogFile SINGLE-VALUE
+
+---
+ servers/slapd/overlays/auditlog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/auditlog.c b/servers/slapd/overlays/auditlog.c
+index 9292d4aa8b..43a5c15a41 100644
+--- a/servers/slapd/overlays/auditlog.c
++++ b/servers/slapd/overlays/auditlog.c
+@@ -44,7 +44,7 @@ static ConfigTable auditlogcfg[] = {
+ 	  "( OLcfgOvAt:15.1 NAME 'olcAuditlogFile' "
+ 	  "DESC 'Filename for auditlogging' "
+ 	  "EQUALITY caseExactMatch "
+-	  "SYNTAX OMsDirectoryString )", NULL, NULL },
++	  "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
+ };
+ 
+-- 
+GitLab
+

backport-ITS-8047-fix-tls-connection-timeout-handling.patch

@@ -0,0 +1,103 @@
+From d143f7a2dc82fb66e7741b93a1ae9e874ce2ac46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 21 Oct 2024 11:50:11 +0100
+Subject: [PATCH] ITS#8047 Fix TLS connection timeout handling
+
+The test for async in ldap_int_tls_start was inverted, we already
+support calling ldap_int_tls_connect repeatedly. And so long as
+LBER_SB_OPT_NEEDS_* are managed correctly, the application should be
+able to do the right thing.
+
+Might require a new result code rather than reporposing
+LDAP_X_CONNECTING for this.
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/d143f7a2dc82fb66e7741b93a1ae9e874ce2ac46
+Conflict:context conflict by https://git.openldap.org/openldap/openldap/-/commit/139944ac1e5fcf74e903e1e3d887fb8498c2fd1e
+---
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/tls2.c     | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 2dae6ef..6827ec4 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -368,6 +368,7 @@ typedef struct ldap_conn {
+ #define LDAP_CONNST_NEEDSOCKET		1
+ #define LDAP_CONNST_CONNECTING		2
+ #define LDAP_CONNST_CONNECTED		3
++#define LDAP_CONNST_TLS_INPROGRESS	4
+ 	LDAPURLDesc		*lconn_server;
+ 	BerElement		*lconn_ber;	/* ber receiving on this conn. */
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 1fb6cff..3d3b5fd 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -383,6 +383,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ 		if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb !=
+ 			ld->ld_options.ldo_tls_connect_cb )
+ 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
++		conn->lconn_status = LDAP_CONNST_TLS_INPROGRESS;
+ 	}
+ 
+ 	/* pass hostname for SNI, but only if it's an actual name
+@@ -441,9 +442,11 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ 		ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
+ 			LBER_SBIOD_LEVEL_TRANSPORT );
+ #endif
++		conn->lconn_status = LDAP_CONNST_CONNECTED;
+ 		return -1;
+ 	}
+ 
++	conn->lconn_status = LDAP_CONNST_CONNECTED;
+ 	return 0;
+ }
+ 
+@@ -516,8 +519,9 @@ int
+ ldap_tls_inplace( LDAP *ld )
+ {
+ 	Sockbuf		*sb = NULL;
++	LDAPConn	*lc = ld->ld_defconn;
+ 
+-	if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) {
++	if ( lc && lc->lconn_sb ) {
+ 		sb = ld->ld_defconn->lconn_sb;
+ 
+ 	} else if ( ld->ld_sb ) {
+@@ -527,6 +531,10 @@ ldap_tls_inplace( LDAP *ld )
+ 		return 0;
+ 	}
+ 
++	if ( lc && lc->lconn_status == LDAP_CONNST_TLS_INPROGRESS ) {
++		return 0;
++	}
++
+ 	return ldap_pvt_tls_inplace( sb );
+ }
+ 
+@@ -1159,6 +1167,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 	  */
+ 	while ( ret > 0 ) {
+ 		if ( async ) {
++			ld->ld_errno = LDAP_X_CONNECTING;
++			return (ld->ld_errno);
++		} else {
+ 			struct timeval curr_time_tv, delta_tv;
+ 			int wr=0;
+ 
+@@ -1217,6 +1228,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 		ret = ldap_int_tls_connect( ld, conn, host );
+ 	}
+ 
++	if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
++		/* Restore original sb status */
++		ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 );
++	}
++
+ 	if ( ret < 0 ) {
+ 		if ( ld->ld_errno == LDAP_SUCCESS )
+ 			ld->ld_errno = LDAP_CONNECT_ERROR;
+-- 
+2.33.0
+

backport-ITS-9037-mdb_page_search-fix-error-code-when-DBI-rec.patch

@@ -0,0 +1,31 @@
+From 83dc42c5cab8999a5d9c20bf696b03d657170c51 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 26 Mar 2024 14:50:17 +0000
+Subject: [PATCH 1/1] ITS#9037 mdb_page_search: fix error code when DBI record
+ is missing
+
+Use the more relevant MDB_BAD_DBI instead of MDB_NOTFOUND error code
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/83dc42c5cab8999a5d9c20bf696b03d657170c51
+Conflict:NA
+
+---
+ libraries/liblmdb/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
+index 0570deab23..53e1b4c257 100644
+--- a/libraries/liblmdb/mdb.c
++++ b/libraries/liblmdb/mdb.c
+@@ -5701,7 +5701,7 @@ mdb_page_search(MDB_cursor *mc, MDB_val *key, int flags)
+ 					MDB_node *leaf = mdb_node_search(&mc2,
+ 						&mc->mc_dbx->md_name, &exact);
+ 					if (!exact)
+-						return MDB_NOTFOUND;
++						return MDB_BAD_DBI;
+ 					if ((leaf->mn_flags & (F_DUPDATA|F_SUBDATA)) != F_SUBDATA)
+ 						return MDB_INCOMPATIBLE; /* not a named DB */
+ 					rc = mdb_node_read(&mc2, leaf, &data);
+-- 
+2.33.0
+

backport-ITS-9904-check-for-strdup-failure.patch

@@ -0,0 +1,70 @@
+From 3f2abd0b2eeec8522e50d5c4ea4992e70e8f9915 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 25 Aug 2022 16:13:21 +0100
+Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
+
+Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
+failure when dup'ing scheme.
+
+Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
+---
+ libraries/libldap/url.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
+index 7e56564265..8df0abd044 100644
+--- a/libraries/libldap/url.c
++++ b/libraries/libldap/url.c
+@@ -1386,24 +1386,22 @@ ldap_url_parsehosts(
+ 		}
+ 		ludp->lud_port = port;
+ 		ludp->lud_host = specs[i];
+-		specs[i] = NULL;
+ 		p = strchr(ludp->lud_host, ':');
+ 		if (p != NULL) {
+ 			/* more than one :, IPv6 address */
+ 			if ( strchr(p+1, ':') != NULL ) {
+ 				/* allow [address] and [address]:port */
+ 				if ( *ludp->lud_host == '[' ) {
+-					p = LDAP_STRDUP(ludp->lud_host+1);
+-					/* copied, make sure we free source later */
+-					specs[i] = ludp->lud_host;
+-					ludp->lud_host = p;
+-					p = strchr( ludp->lud_host, ']' );
++					p = strchr( ludp->lud_host+1, ']' );
+ 					if ( p == NULL ) {
+ 						LDAP_FREE(ludp);
+ 						ldap_charray_free(specs);
+ 						return LDAP_PARAM_ERROR;
+ 					}
+-					*p++ = '\0';
++					/* Truncate trailing ']' and shift hostname down 1 char */
++					*p = '\0';
++					AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );
++					p++;
+ 					if ( *p != ':' ) {
+ 						if ( *p != '\0' ) {
+ 							LDAP_FREE(ludp);
+@@ -1429,14 +1427,19 @@ ldap_url_parsehosts(
+ 				}
+ 			}
+ 		}
+-		ldap_pvt_hex_unescape(ludp->lud_host);
+ 		ludp->lud_scheme = LDAP_STRDUP("ldap");
++		if ( ludp->lud_scheme == NULL ) {
++			LDAP_FREE(ludp);
++			ldap_charray_free(specs);
++			return LDAP_NO_MEMORY;
++		}
++		specs[i] = NULL;
++		ldap_pvt_hex_unescape(ludp->lud_host);
+ 		ludp->lud_next = *ludlist;
+ 		*ludlist = ludp;
+ 	}
+ 
+ 	/* this should be an array of NULLs now */
+-	/* except entries starting with [ */
+ 	ldap_charray_free(specs);
+ 	return LDAP_SUCCESS;
+ }
+-- 

openldap.spec

@@ -2,9 +2,9 @@
 
 Name:           openldap
 Version:        2.6.0
-Release:        5
+Release:        10
 Summary:        LDAP support libraries
-License:        OpenLDAP
+License:        Open LDAP Public License v2.8
 URL:            https://www.openldap.org/
 Source0:        https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
 Source1:        slapd.service
@@ -25,7 +25,7 @@ Patch5:         backport-openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-s
 Patch7:         backport-check-password-makefile.patch
 Patch8:         backport-check-password.patch
 Patch9:         add-ber_sockbuf_io_udp-to-liber.map.patch
-Patch10:	backport-fix-cve-2022-29155.patch
+Patch10:        backport-fix-cve-2022-29155.patch
 
 Patch6000:      backport-ITS-7165-back-mdb-check-for-stale-readers-on-MDB_REA.patch
 Patch6001:      backport-ITS-8039-Free-resinfo-even-if-opcookie-is-the-last-o.patch
@@ -65,6 +65,20 @@ Patch6034:      backport-ITS-9876-Some-more-leaks-plugged.patch
 Patch6035:      backport-ITS-9882-bind-fix-9863-commit-use-correct-op-backend.patch
 Patch6036:      backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch
 Patch6037:      backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
+Patch6038:      backport-ITS-9904-check-for-strdup-failure.patch
+
+Patch6039:      backport-ITS-10016-slapo-syncprov-fix-Abandon-with-active-qtask.patch
+Patch6040:      backport-ITS-10028-crash-with-pwdMinDelay.patch
+Patch6041:      backport-ITS-10035-Fix-setting-TLSv1.3-ciphersuite.patch
+Patch6042:      backport-ITS-7226-Make-olcAuditlogFile-SINGLE-VALUE.patch
+Patch6043:      backport-ITS-10091-Do-not-allow-dynlist-being-configured-as-global.patch
+
+Patch6044:      backport-ITS-10193-Asyncmeta-starts-more-than-one-timeout-loo.patch
+Patch6045:      backport-ITS-10204-slapo-constraint-fix-double-free-on-invali.patch
+Patch6046:      backport-ITS-10211-slapd-Fix-peercred-uid-and-gid-format.patch
+Patch6047:      backport-ITS-9037-mdb_page_search-fix-error-code-when-DBI-rec.patch
+Patch6048:      backport-ITS-10264-free-NoD-data-we-stored-locally.patch
+Patch6049:      backport-ITS-8047-fix-tls-connection-timeout-handling.patch
 
 
 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
@@ -93,7 +107,7 @@ customized LDAP clients.
 
 %package        servers
 Summary:        LDAP server
-License:        OpenLDAP
+License:        OLDAP-2.8
 Requires:       openldap = %{version}-%{release}
 Requires(pre):  shadow-utils
 %{?systemd_requires}
@@ -179,6 +193,18 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch6035 -p1
 %patch6036 -p1
 %patch6037 -p1
+%patch6038 -p1
+%patch6039 -p1
+%patch6040 -p1
+%patch6041 -p1
+%patch6042 -p1
+%patch6043 -p1
+%patch6044 -p1
+%patch6045 -p1
+%patch6046 -p1
+%patch6047 -p1
+%patch6048 -p1
+%patch6049 -p1
 
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@@ -285,12 +311,12 @@ install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
 
 mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
 
-for X in acl add auth cat dn index passwd test schema; do
+for X in acl add auth cat dn index passwd test schema modify; do
         rm -f %{buildroot}%{_sbindir}/slap$X
         rm -f %{buildroot}%{_libdir}/slap$X
 done
 
-for X in acl add auth cat dn index passwd test schema; do
+for X in acl add auth cat dn index passwd test schema modify; do
         ln -s slapd %{buildroot}%{_sbindir}/slap$X
 done
 
@@ -465,6 +491,36 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 
 %changelog
+* Thu Feb 13 2025 yanglu <yanglu72@h-partners.com> - 2.6.0-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync some patches from upstream
+
+* Fri Jun 14 2024 xinghe <xinghe2@h-partners.com> - 2.6.0-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix license
+
+* Wed Jan 10 2024 liubo <liubo335@huawei.com> - 2.6.0-8
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:backport patch
+
+* Mon Jul 24 2023 sunhai <sunhai10@huawei.com> - 2.6.0-7
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:fix empty soft link
+
+* Wed Jun 7 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.0-6
+- Type:cve
+- CVE:cve-2023-2953
+- SUG:restart
+- DESC:fix cve-2023-2953
+
 * Tue Feb 28 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.0-5
 - Type:bugfix
 - ID:NA