Patchwork [meta-oe] uprev openldap 2.4.39

Submitter Amy Fong
Date July 28, 2014, 6:50 p.m.
Message ID <20140728185013.GA17391@windriver.com>
Permalink /patch/76777/
State New, archived

Comments

Amy Fong - July 28, 2014, 6:50 p.m.
From 10be38b1a220079953f1aab0d1d79eee10a9855e Mon Sep 17 00:00:00 2001
From: Amy Fong <amy.fong@windriver.com>
Date: Tue, 15 Jul 2014 17:48:54 -0400
Subject: [PATCH] keystone: package openLDAP 2.4.39

The patches are taken from Debian.

Signed-off-by: Amy Fong <amy.fong@windriver.com>
---
 .../add-tlscacert-option-to-ldap-conf.patch        |  10 +
 .../openldap-2.4.39/autogroup-makefile.patch       |  35 ++++
 .../contrib-modules-use-dpkg-buildflags.patch      |  40 ++++
 .../do-not-second-guess-sonames.patch              |  68 +++++++
 .../openldap/openldap-2.4.39/evolution-ntlm.patch  | 222 +++++++++++++++++++++
 .../openldap-2.4.39/fix-build-top-mk.patch         |  11 +
 .../openldap-2.4.39/fix-ftbfs-binutils-gold.patch  |  64 ++++++
 .../getaddrinfo-is-threadsafe.patch                |  43 ++++
 .../openldap/openldap-2.4.39/heimdal-fix.patch     |  23 +++
 .../index-files-created-as-root.patch              |  37 ++++
 .../openldap/openldap-2.4.39/install-strip.patch   |  14 ++
 .../openldap-2.4.39/ldap-conf-tls-cacertdir.patch  |  29 +++
 .../openldap-2.4.39/ldapi-socket-place.patch       |  16 ++
 .../openldap-2.4.39/libldap-symbol-versions.patch  | 161 +++++++++++++++
 .../openldap/openldap-2.4.39/man-slapd.patch       |  60 ++++++
 .../openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch      |  25 +++
 .../no-bdb-ABI-second-guessing.patch               |  42 ++++
 .../openldap-2.4.39/sasl-default-path.patch        |  55 +++++
 .../openldap/openldap-2.4.39/series                |  21 ++
 .../openldap-2.4.39/slapi-errorlog-file.patch      |  16 ++
 .../openldap-2.4.39/smbk5pwd-makefile.patch        |  53 +++++
 ..._dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch |  40 ++++
 .../openldap-2.4.39/wrong-database-location.patch  |  74 +++++++
 .../recipes-support/openldap/openldap_2.4.39.bb    | 182 +++++++++++++++++
 24 files changed, 1341 insertions(+)
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/series
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
 create mode 100644 meta-oe/recipes-support/openldap/openldap_2.4.39.bb
Martin Jansa - Aug. 12, 2014, 11:38 a.m.
On Mon, Jul 28, 2014 at 02:50:13PM -0400, Amy Fong wrote:
> From 10be38b1a220079953f1aab0d1d79eee10a9855e Mon Sep 17 00:00:00 2001
> From: Amy Fong <amy.fong@windriver.com>
> Date: Tue, 15 Jul 2014 17:48:54 -0400
> Subject: [PATCH] keystone: package openLDAP 2.4.39
> 
> The patches are taken from Debian.

Please fix:

openldap-2.4.39: openldap: Files/directories were installed but not shipped
  /run [installed-vs-shipped]

> 
> Signed-off-by: Amy Fong <amy.fong@windriver.com>
> ---
>  .../add-tlscacert-option-to-ldap-conf.patch        |  10 +
>  .../openldap-2.4.39/autogroup-makefile.patch       |  35 ++++
>  .../contrib-modules-use-dpkg-buildflags.patch      |  40 ++++
>  .../do-not-second-guess-sonames.patch              |  68 +++++++
>  .../openldap/openldap-2.4.39/evolution-ntlm.patch  | 222 +++++++++++++++++++++
>  .../openldap-2.4.39/fix-build-top-mk.patch         |  11 +
>  .../openldap-2.4.39/fix-ftbfs-binutils-gold.patch  |  64 ++++++
>  .../getaddrinfo-is-threadsafe.patch                |  43 ++++
>  .../openldap/openldap-2.4.39/heimdal-fix.patch     |  23 +++
>  .../index-files-created-as-root.patch              |  37 ++++
>  .../openldap/openldap-2.4.39/install-strip.patch   |  14 ++
>  .../openldap-2.4.39/ldap-conf-tls-cacertdir.patch  |  29 +++
>  .../openldap-2.4.39/ldapi-socket-place.patch       |  16 ++
>  .../openldap-2.4.39/libldap-symbol-versions.patch  | 161 +++++++++++++++
>  .../openldap/openldap-2.4.39/man-slapd.patch       |  60 ++++++
>  .../openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch      |  25 +++
>  .../no-bdb-ABI-second-guessing.patch               |  42 ++++
>  .../openldap-2.4.39/sasl-default-path.patch        |  55 +++++
>  .../openldap/openldap-2.4.39/series                |  21 ++
>  .../openldap-2.4.39/slapi-errorlog-file.patch      |  16 ++
>  .../openldap-2.4.39/smbk5pwd-makefile.patch        |  53 +++++
>  ..._dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch |  40 ++++
>  .../openldap-2.4.39/wrong-database-location.patch  |  74 +++++++
>  .../recipes-support/openldap/openldap_2.4.39.bb    | 182 +++++++++++++++++
>  24 files changed, 1341 insertions(+)
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/series
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
>  create mode 100644 meta-oe/recipes-support/openldap/openldap_2.4.39.bb
> 
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
> new file mode 100644
> index 0000000..e8e731a
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
> @@ -0,0 +1,10 @@
> +--- a/libraries/libldap/ldap.conf
> ++++ b/libraries/libldap/ldap.conf
> +@@ -11,3 +11,7 @@
> + #SIZELIMIT	12
> + #TIMELIMIT	15
> + #DEREF		never
> ++
> ++# TLS certificates (needed for GnuTLS)
> ++TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
> ++
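Review bot: The added `TLS_CACERT	/etc/ssl/certs/ca-certificates.crt` default makes every libldap client depend on a CA bundle at that exact path, and nothing in this hunk ensures the file exists on the target image. If the bundle is missing, certificate verification would presumably fail for every TLS connection, and the usual workaround is to turn verification off in `TLS_REQCERT`, which is worse than having no default. It would help to confirm that the recipe (not visible in this part of the page) pulls in the package providing that file at runtime, and to say so in a comment next to the setting.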
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
> new file mode 100644
> index 0000000..d3f56c3
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
> @@ -0,0 +1,35 @@
> +--- a/contrib/slapd-modules/autogroup/Makefile
> ++++ b/contrib/slapd-modules/autogroup/Makefile
> +@@ -2,11 +2,11 @@
> + 
> + LDAP_SRC = ../../..
> + LDAP_BUILD = ../../..
> +-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
> +-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
> +-	$(LDAP_BUILD)/libraries/liblber/liblber.la
> ++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
> ++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
> ++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
> + 
> +-LIBTOOL = $(LDAP_BUILD)/libtool
> ++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
> + CC = gcc
> + OPT = -g -O2 -Wall
> + DEFS = 
> +@@ -16,13 +16,13 @@ LIBS = $(LDAP_LIB)
> + PROGRAMS = autogroup.la
> + LTVER = 0:0:0
> + 
> +-prefix=/usr/local
> ++prefix=/usr
> + exec_prefix=$(prefix)
> +-ldap_subdir=/openldap
> ++ldap_subdir=/ldap
> + 
> + libdir=$(exec_prefix)/lib
> + libexecdir=$(exec_prefix)/libexec
> +-moduledir = $(libexecdir)$(ldap_subdir)
> ++moduledir = $(libdir)$(ldap_subdir)
> + 
> + .SUFFIXES: .c .o .lo
> + 
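Review bot: The rewritten `LDAP_INC`, `LDAP_LIB` and `LIBTOOL` lines point into `$(LDAP_BUILD)/debian/build/`, which is the out-of-tree build directory used by the Debian packaging and is not created by anything visible in this series. If the recipe builds the autogroup module, these paths would presumably have to name the actual build directory, and otherwise the patch could be dropped from `series`. The unchanged context line `CC = gcc` also names the host compiler, which matters for a cross build unless the recipe overrides `CC` on the make command line.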
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
> new file mode 100644
> index 0000000..1b15529
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
> @@ -0,0 +1,40 @@
> +Description: pass CFLAGS to contrib builds
> + $(CFLAGS) is missing from the compiler invocations for autogroup and
> + smbk5pwd, which means they're not being hardened.
> +Author: Simon Ruderich <simon@ruderich.org>
> +Bug-Debian: http://bugs.debian.org/663724
> +
> +--- a/contrib/slapd-modules/autogroup/Makefile
> ++++ b/contrib/slapd-modules/autogroup/Makefile
> +@@ -27,12 +27,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
> + .SUFFIXES: .c .o .lo
> + 
> + .c.lo:
> +-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
> ++	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
> + 
> + all: $(PROGRAMS)
> + 
> + autogroup.la: autogroup.lo
> +-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
> ++	$(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
> + 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
> + 
> + clean:
> +--- a/contrib/slapd-modules/smbk5pwd/Makefile
> ++++ b/contrib/slapd-modules/smbk5pwd/Makefile
> +@@ -46,12 +46,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
> + .SUFFIXES: .c .o .lo
> + 
> + .c.lo:
> +-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
> ++	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
> + 
> + all: $(PROGRAMS)
> + 
> + smbk5pwd.la:	smbk5pwd.lo
> +-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
> ++	$(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
> + 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
> + 
> + clean:
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
> new file mode 100644
> index 0000000..31cf652
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
> @@ -0,0 +1,68 @@
> +Rip out code that second-guesses the libsasl soname / Debian shlibs.  If
> +cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
> +there, not kludged around upstream here!
> +
> +Debian bug #546885
> +
> +Upstream ITS #6302 filed.
> +
> +--- a/libraries/libldap/cyrus.c
> ++++ b/libraries/libldap/cyrus.c
> +@@ -74,28 +74,6 @@ int ldap_int_sasl_init( void )
> + 	/* XXX not threadsafe */
> + 	static int sasl_initialized = 0;
> + 
> +-#ifdef HAVE_SASL_VERSION
> +-	/* stringify the version number, sasl.h doesn't do it for us */
> +-#define VSTR0(maj, min, pat)	#maj "." #min "." #pat
> +-#define VSTR(maj, min, pat)	VSTR0(maj, min, pat)
> +-#define SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
> +-				SASL_VERSION_STEP)
> +-	{ int rc;
> +-	sasl_version( NULL, &rc );
> +-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
> +-		(rc & 0xffff) < SASL_VERSION_STEP) {
> +-		char version[sizeof("xxx.xxx.xxxxx")];
> +-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
> +-			rc & 0xffff );
> +-
> +-		Debug( LDAP_DEBUG_ANY,
> +-		"ldap_int_sasl_init: SASL library version mismatch:"
> +-		" expected " SASL_VERSION_STRING ","
> +-		" got %s\n", version, 0, 0 );
> +-		return -1;
> +-	}
> +-	}
> +-#endif
> + 	if ( sasl_initialized ) {
> + 		return 0;
> + 	}
> +--- a/servers/slapd/sasl.c
> ++++ b/servers/slapd/sasl.c
> +@@ -1145,26 +1145,6 @@ int slap_sasl_init( void )
> + #endif
> + 
> + #ifdef HAVE_CYRUS_SASL
> +-#ifdef HAVE_SASL_VERSION
> +-	/* stringify the version number, sasl.h doesn't do it for us */
> +-#define	VSTR0(maj, min, pat)	#maj "." #min "." #pat
> +-#define	VSTR(maj, min, pat)	VSTR0(maj, min, pat)
> +-#define	SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
> +-				SASL_VERSION_STEP)
> +-
> +-	sasl_version( NULL, &rc );
> +-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
> +-		(rc & 0xffff) < SASL_VERSION_STEP)
> +-	{
> +-		char version[sizeof("xxx.xxx.xxxxx")];
> +-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
> +-			rc & 0xffff );
> +-		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
> +-			" expected %s, got %s\n",
> +-			SASL_VERSION_STRING, version, 0 );
> +-		return -1;
> +-	}
> +-#endif
> + 
> + 	sasl_set_mutex(
> + 		ldap_pvt_sasl_mutex_new,
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
> new file mode 100644
> index 0000000..cd9bc26
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
> @@ -0,0 +1,222 @@
> +Patch from evolution-exchange (2.10.3).  The ldap_ntlm_bind function is
> +actually called by evolution-data-server, checked at version 1.12.2.
> +Without this patch, the Exchange addressbook integration uses simple binds
> +with cleartext passwords.
> +
> +Russ checked with openldap-software for upstream's opinion on this patch
> +on 2007-12-21.  Upstream had never received it as a patch submission and
> +given that it's apparently only for older Exchange servers that can't do
> +SASL and DIGEST-MD5, it's not very appealing.
> +
> +Bug#457374 filed against evolution-data-server asking if this support is
> +still required on 2007-12-21.
> +
> +--- a/include/ldap.h
> ++++ b/include/ldap.h
> +@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P((
> + 	LDAPControl	**ctrls,
> + 	LDAPDerefRes	**drp ));
> + 
> ++/*
> ++ * hacks for NTLM
> ++ */
> ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU)
> ++#define LDAP_AUTH_NTLM_RESPONSE  ((ber_tag_t) 0x8bU)
> ++LDAP_F( int )
> ++ldap_ntlm_bind LDAP_P((
> ++      LDAP    *ld,
> ++      LDAP_CONST char *dn,
> ++      ber_tag_t tag,
> ++      struct berval *cred,
> ++      LDAPControl **sctrls,
> ++      LDAPControl **cctrls,
> ++      int   *msgidp ));
> ++LDAP_F( int )
> ++ldap_parse_ntlm_bind_result LDAP_P((
> ++      LDAP    *ld,
> ++      LDAPMessage *res,
> ++      struct berval *challenge));
> ++
> + LDAP_END_DECL
> + #endif /* _LDAP_H */
> +--- /dev/null
> ++++ b/libraries/libldap/ntlm.c
> +@@ -0,0 +1,138 @@
> ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
> ++/*
> ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
> ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
> ++ */
> ++
> ++/* Mostly copied from sasl.c */
> ++
> ++#include "portable.h"
> ++
> ++#include <stdlib.h>
> ++#include <stdio.h>
> ++
> ++#include <ac/socket.h>
> ++#include <ac/string.h>
> ++#include <ac/time.h>
> ++#include <ac/errno.h>
> ++
> ++#include "ldap-int.h"
> ++
> ++int
> ++ldap_ntlm_bind(
> ++ LDAP    *ld,
> ++ LDAP_CONST char *dn,
> ++ ber_tag_t tag,
> ++ struct berval *cred,
> ++ LDAPControl **sctrls,
> ++ LDAPControl **cctrls,
> ++ int   *msgidp )
> ++{
> ++ BerElement  *ber;
> ++ int rc;
> ++ ber_int_t id;
> ++
> ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 );
> ++
> ++ assert( ld != NULL );
> ++ assert( LDAP_VALID( ld ) );
> ++ assert( msgidp != NULL );
> ++
> ++ if( msgidp == NULL ) {
> ++   ld->ld_errno = LDAP_PARAM_ERROR;
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ /* create a message to send */
> ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
> ++   ld->ld_errno = LDAP_NO_MEMORY;
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ assert( LBER_VALID( ber ) );
> ++
> ++ LDAP_NEXT_MSGID( ld, id );
> ++ rc = ber_printf( ber, "{it{istON}" /*}*/,
> ++      id, LDAP_REQ_BIND,
> ++      ld->ld_version, dn, tag,
> ++      cred );
> ++
> ++ /* Put Server Controls */
> ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) {
> ++   ber_free( ber, 1 );
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
> ++   ld->ld_errno = LDAP_ENCODING_ERROR;
> ++   ber_free( ber, 1 );
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ /* send the message */
> ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
> ++
> ++ if(*msgidp < 0)
> ++   return ld->ld_errno;
> ++
> ++ return LDAP_SUCCESS;
> ++}
> ++
> ++int
> ++ldap_parse_ntlm_bind_result(
> ++ LDAP    *ld,
> ++ LDAPMessage *res,
> ++ struct berval *challenge)
> ++{
> ++ ber_int_t errcode;
> ++ ber_tag_t tag;
> ++ BerElement  *ber;
> ++ ber_len_t len;
> ++
> ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 );
> ++
> ++ assert( ld != NULL );
> ++ assert( LDAP_VALID( ld ) );
> ++ assert( res != NULL );
> ++
> ++ if ( ld == NULL || res == NULL ) {
> ++   return LDAP_PARAM_ERROR;
> ++ }
> ++
> ++ if( res->lm_msgtype != LDAP_RES_BIND ) {
> ++   ld->ld_errno = LDAP_PARAM_ERROR;
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ if ( ld->ld_error ) {
> ++   LDAP_FREE( ld->ld_error );
> ++   ld->ld_error = NULL;
> ++ }
> ++ if ( ld->ld_matched ) {
> ++   LDAP_FREE( ld->ld_matched );
> ++   ld->ld_matched = NULL;
> ++ }
> ++
> ++ /* parse results */
> ++
> ++ ber = ber_dup( res->lm_ber );
> ++
> ++ if( ber == NULL ) {
> ++   ld->ld_errno = LDAP_NO_MEMORY;
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ tag = ber_scanf( ber, "{ioa" /*}*/,
> ++      &errcode, challenge, &ld->ld_error );
> ++ ber_free( ber, 0 );
> ++
> ++ if( tag == LBER_ERROR ) {
> ++   ld->ld_errno = LDAP_DECODING_ERROR;
> ++   return ld->ld_errno;
> ++ }
> ++
> ++ ld->ld_errno = errcode;
> ++
> ++ return( ld->ld_errno );
> ++}
> ++
> +--- a/libraries/libldap/Makefile.in
> ++++ b/libraries/libldap/Makefile.in
> +@@ -27,7 +27,7 @@ SRCS	= bind.c open.c result.c error.c co
> + 	init.c options.c print.c string.c util-int.c schema.c \
> + 	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
> + 	tls2.c tls_o.c tls_g.c tls_m.c \
> +-	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
> ++	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
> + 	assertion.c deref.c ldif.c fetch.c
> + 
> + OBJS	= bind.lo open.lo result.lo error.lo compare.lo search.lo \
> +@@ -40,7 +40,7 @@ OBJS	= bind.lo open.lo result.lo error.l
> + 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
> + 	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
> + 	tls2.lo tls_o.lo tls_g.lo tls_m.lo \
> +-	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
> ++	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
> + 	assertion.lo deref.lo ldif.lo fetch.lo
> + 
> + LDAP_INCDIR= ../../include       
> +--- a/libraries/libldap_r/Makefile.in
> ++++ b/libraries/libldap_r/Makefile.in
> +@@ -29,7 +29,7 @@ XXSRCS    = apitest.c test.c \
> + 	init.c options.c print.c string.c util-int.c schema.c \
> + 	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
> + 	tls2.c tls_o.c tls_g.c tls_m.c \
> +-	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
> ++	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
> + 	assertion.c deref.c ldif.c fetch.c
> + SRCS	= threads.c rdwr.c rmutex.c tpool.c rq.c \
> + 	thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \
> +@@ -47,7 +47,7 @@ OBJS	= threads.lo rdwr.lo rmutex.lo tpoo
> + 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
> + 	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
> + 	tls2.lo tls_o.lo tls_g.lo tls_m.lo \
> +-	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
> ++	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
> + 	assertion.lo deref.lo ldif.lo fetch.lo
> + 
> + LDAP_INCDIR= ../../include       
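Review bot: In the new `ldap_ntlm_bind`, the result of the first `ber_printf` is stored in `rc` and never tested, so an encoding failure there still reaches `ldap_int_put_controls` and `ldap_send_initial_request` with a partially built request. A check right after the call, `if ( rc == -1 ) { ld->ld_errno = LDAP_ENCODING_ERROR; ber_free( ber, 1 ); return ld->ld_errno; }`, would match how the second `ber_printf` is handled a few lines below. In `ldap_parse_ntlm_bind_result`, `challenge` is handed to `ber_scanf` without the NULL check that `ld` and `res` receive, so a caller passing NULL would presumably fault inside the decoder. The patch header records that upstream never took this code and that it only serves older Exchange servers, so the recipe should state why the extra `ldap_ntlm_bind` symbol is carried.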
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
> new file mode 100644
> index 0000000..418fe35
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
> @@ -0,0 +1,11 @@
> +--- a/build/top.mk
> ++++ b/build/top.mk
> +@@ -20,7 +20,7 @@
> + RELEASEDATE= @OPENLDAP_RELEASE_DATE@
> + 
> + @SET_MAKE@
> +-SHELL = /bin/sh
> ++SHELL = @SHELL@
> + 
> + top_builddir = @top_builddir@
> + 
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
> new file mode 100644
> index 0000000..1f0ca88
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
> @@ -0,0 +1,64 @@
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -1214,7 +1214,7 @@ if test $ol_link_tls = no ; then
> + 				ol_with_tls=gnutls
> + 				ol_link_tls=yes
> + 
> +-				TLS_LIBS="-lgnutls"
> ++				TLS_LIBS="-lgnutls -lgcrypt"
> + 
> + 				AC_DEFINE(HAVE_GNUTLS, 1, 
> + 					[define if you have GNUtls])
> +--- a/libraries/libldap/Makefile.in
> ++++ b/libraries/libldap/Makefile.in
> +@@ -51,21 +51,21 @@ LIB_DEFS = -DLDAP_LIBRARY
> + XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(LDAP_LIBLUTIL_A)
> + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
> + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> +-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> ++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(TLS_LIBS)
> + ifneq (,$(VERSION_OPTION))
> +   VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
> + endif
> + 
> + apitest:	$(XLIBS) apitest.o
> +-	$(LTLINK) -o $@ apitest.o $(LIBS)
> ++	$(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
> + dntest:	$(XLIBS) dntest.o
> +-	$(LTLINK) -o $@ dntest.o $(LIBS)
> ++	$(LTLINK) -o $@ dntest.o $(LIBS) $(TLS_LIBS)
> + ftest:	$(XLIBS) ftest.o
> +-	$(LTLINK) -o $@ ftest.o $(LIBS)
> ++	$(LTLINK) -o $@ ftest.o $(LIBS) $(TLS_LIBS)
> + ltest:	$(XLIBS) test.o
> +-	$(LTLINK) -o $@ test.o $(LIBS)
> ++	$(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
> + urltest: $(XLIBS) urltest.o
> +-	$(LTLINK) -o $@ urltest.o $(LIBS)
> ++	$(LTLINK) -o $@ urltest.o $(LIBS) $(TLS_LIBS)
> + 
> + CFFILES=ldap.conf
> + 
> +--- a/libraries/libldap_r/Makefile.in
> ++++ b/libraries/libldap_r/Makefile.in
> +@@ -60,7 +60,7 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
> + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
> + XXXLIBS = $(LTHREAD_LIBS)
> + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> +-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
> ++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) $(TLS_LIBS)
> + ifneq (,$(VERSION_OPTION))
> +   VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
> + endif
> +@@ -80,9 +80,9 @@ clean-local: FORCE
> + depend-common: .links
> + 
> + apitest:	$(XLIBS) apitest.o
> +-	$(LTLINK) -o $@ apitest.o $(LIBS)
> ++	$(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
> + ltest:	$(XLIBS) test.o
> +-	$(LTLINK) -o $@ test.o $(LIBS)
> ++	$(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
> + 
> + install-local: $(CFFILES) FORCE
> + 	-$(MKDIR) $(DESTDIR)$(libdir)
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
> new file mode 100644
> index 0000000..ab6e2b7
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
> @@ -0,0 +1,43 @@
> +Author: Steve Langasek <vorlon@debian.org>
> +
> +OpenLDAP upstream conservatively assumes that certain resolver functions
> +(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
> +know that the glibc implementations of these functions are thread-safe, so
> +we should bypass the use of this mutex.  This fixes a locking problem when
> +an application uses libldap and libnss-ldap is also used for hosts
> +resolution.
> +
> +Closes Debian bug #340601.
> +
> +Not suitable for forwarding upstream; might be made suitable by adding a
> +configure-time check for glibc and disabling the mutex only on known
> +thread-safe implementations.
> +
> +--- a/libraries/libldap/os-ip.c
> ++++ b/libraries/libldap/os-ip.c
> +@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *
> + 	hints.ai_socktype = socktype;
> + 	snprintf(serv, sizeof serv, "%d", port );
> + 
> +-	/* most getaddrinfo(3) use non-threadsafe resolver libraries */
> +-	LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
> +-
> + 	err = getaddrinfo( host, serv, &hints, &res );
> +-
> +-	LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
> +-
> + 	if ( err != 0 ) {
> + 		osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n",
> + 			AC_GAI_STRERROR(err), 0, 0);
> +--- a/libraries/libldap/util-int.c
> ++++ b/libraries/libldap/util-int.c
> +@@ -431,9 +431,7 @@ int ldap_pvt_get_hname(
> + 	int rc;
> + #if defined( HAVE_GETNAMEINFO )
> + 
> +-	LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
> + 	rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
> +-	LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
> + 	if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
> + 	return rc;
> + 
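Review bot: Removing `LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex)` around `getaddrinfo` in `ldap_connect_to_host` and around `getnameinfo` in `ldap_pvt_get_hname` is justified in the patch header only for glibc, and the header itself says a configure-time check would be needed to make it general. A build of this layer can select a different C library, so unless the recipe (not visible in this part of the page) applies the patch only for glibc, the resolver calls would run unlocked where thread safety has not been established. Consider applying it conditionally in `SRC_URI`, and add a comment there naming the glibc assumption. Both function bodies continue outside the hunks shown.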
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
> new file mode 100644
> index 0000000..4aad47c
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
> @@ -0,0 +1,23 @@
> +Author: Mattias Ellert <mattias.ellert@fysast.uu.se>
> +Description: adapt parameters of hdb_generate_key_set_password() to heimdal 1.6~git20120311
> + .
> + With version heimdal 1.6~git20120311 heimdal schanged the number of parameters
> + of function hdb_generate_key_set_password(), implementing a fallback to "default"
> + values when NULL-values are passed for these parameters.
> + .
> + This patch does exactly that.
> + .
> +Bug-Debian: 664930
> +Reviewed-by: Peter Marschall <peter@adpm.de>
> +
> +--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
> ++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
> +@@ -470,7 +470,7 @@ static int smbk5pwd_exop_passwd(
> + 		}
> + 
> + 		ret = hdb_generate_key_set_password(context, ent.principal,
> +-			qpw->rs_new.bv_val, &ent.keys.val, &nkeys);
> ++			qpw->rs_new.bv_val, NULL, 0, &ent.keys.val, &nkeys);
> + 		ent.keys.len = nkeys;
> + 		hdb_seal_keys(context, db, &ent);
> + 		krb5_free_principal( context, ent.principal );
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
> new file mode 100644
> index 0000000..47fc88a
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
> @@ -0,0 +1,37 @@
> +Document in the man page that slapindex should be run as the same user
> +as slapd, and print a warning if it's run as root (since Debian defaults
> +to running slapd as openldap).
> +
> +Not suitable for upstream in this form.  This patch needs to be reworked
> +to check the BerkeleyDB database ownership and only warn if running as
> +root with a database that's not owned by root.
> +
> +Upstream ITS #5356 filed requesting better handling of this.  Current
> +upstream discussion leans towards putting the check into the database
> +backend and aborting if slapd is run as a different user than the database
> +owner, which is an even better fix.
> +
> +--- a/doc/man/man8/slapindex.8
> ++++ b/doc/man/man8/slapindex.8
> +@@ -148,6 +148,10 @@
> + should not be running (at least, not in read-write
> + mode) when you do this to ensure consistency of the database.
> + .LP
> ++slapindex ought to be run as the user specified for
> ++.BR slapd (8)
> ++to ensure correct database permissions.
> ++.LP
> + This command provides ample opportunity for the user to obtain
> + and drink their favorite beverage.
> + .SH EXAMPLES
> +--- a/servers/slapd/slapindex.c
> ++++ b/servers/slapd/slapindex.c
> +@@ -34,6 +34,8 @@
> + int
> + slapindex( int argc, char **argv )
> + {
> ++    if (geteuid() == 0)
> ++        fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
> + 	ID id;
> + 	int rc = EXIT_SUCCESS;
> + 	const char *progname = "slapindex";
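Review bot: The added `if (geteuid() == 0) fprintf( stderr, ... )` in `slapindex` sits ahead of the declarations of `id`, `rc` and `progname`, so the function now has a statement before its declarations, and the message contains the typo `Runnig`. Moving the check below the declarations and correcting the string to `Running as root!` would keep the file building under stricter C dialect flags. The hunk shows no include for `geteuid`, so it is worth confirming that `<unistd.h>` or the project's `<ac/unistd.h>` is already pulled in by this file. The patch header notes the warning is unconditional and would ideally fire only when the database is not owned by root; the body of `slapindex` continues outside the hunk.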
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
> new file mode 100644
> index 0000000..2992b70
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
> @@ -0,0 +1,14 @@
> +# This patch ensures that the install operations which strip
> +# programs and libraries (LTINSTALL) work in a cross build
> +# environment.
> +--- openldap-2.2.24/.pc/install-strip.patch/build/top.mk	2005-01-20 09:00:55.000000000 -0800
> ++++ openldap-2.2.24/build/top.mk	2005-04-16 13:48:20.536710376 -0700
> +@@ -116,7 +116,7 @@
> + LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
> + 	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
> + 
> +-LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL) 
> ++LTINSTALL = STRIPPROG="" $(LIBTOOL) --mode=install $(top_srcdir)/contrib/ldapc++/install-sh -c
> + LTFINISH = $(LIBTOOL) --mode=finish
> + 
> + # Misc UNIX commands used in build environment
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
> new file mode 100644
> index 0000000..e8aab91
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
> @@ -0,0 +1,29 @@
> +--- a/doc/man/man5/ldap.conf.5
> ++++ b/doc/man/man5/ldap.conf.5
> +@@ -317,7 +317,7 @@ certificates in separate individual file
> + .B TLS_CACERT
> + is always used before
> + .B TLS_CACERTDIR.
> +-This parameter is ignored with GnuTLS.
> ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
> + 
> + When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
> + database.  If <path> contains a Mozilla NSS cert/key database and
> +@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS.
> + Specifies the file to obtain random bits from when /dev/[u]random is
> + not available. Generally set to the name of the EGD/PRNGD socket.
> + The environment variable RANDFILE can also be used to specify the filename.
> +-This parameter is ignored with GnuTLS and Mozilla NSS.
> ++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
> + .TP
> + .B TLS_REQCERT <level>
> + Specifies what checks to perform on server certificates in a TLS session,
> +@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation
> + used to verify if the server certificates have not been revoked. This
> + requires
> + .B TLS_CACERTDIR
> +-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
> ++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
> + .B <level>
> + can be specified as one of the following keywords:
> + .RS
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
> new file mode 100644
> index 0000000..a482bbf
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
> @@ -0,0 +1,16 @@
> +Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
> +is only writable by root and slapd runs as openldap.
> +
> +Debian-specific.
> +
> +--- a/include/ldap_defaults.h
> ++++ b/include/ldap_defaults.h
> +@@ -39,7 +39,7 @@
> + #define LDAP_ENV_PREFIX "LDAP"
> + 
> + /* default ldapi:// socket */
> +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
> ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
> + 
> + /*
> +  * SLAPD DEFINITIONS
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
> new file mode 100644
> index 0000000..fb28f49
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
> @@ -0,0 +1,161 @@
> +Add symbol versioning to the public LDAP libraries.  This is required for
> +library transitions, such as the current transition from 2.1 to 2.4,
> +since programs will sometimes have both libraries loaded by different
> +dependency chains during the transition.
> +
> +Not yet contributed upstream.
> +
> +Upstream ITS #5365 filed requesting symbol versioning for libldap and
> +libber.
> +
> +--- a/libraries/libldap_r/Makefile.in
> ++++ b/libraries/libldap_r/Makefile.in
> +@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
> + XXXLIBS = $(LTHREAD_LIBS)
> + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
> ++ifneq (,$(VERSION_OPTION))
> ++  VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
> ++endif
> + 
> + .links : Makefile
> + 	@for i in $(XXSRCS); do \
> +--- a/build/top.mk
> ++++ b/build/top.mk
> +@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD)
> + # LINK_LIBS referenced in library and module link commands.
> + LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
> + 
> ++# option to pass to $(CC) to support library symbol versioning, if any
> ++VERSION_OPTION = @VERSION_OPTION@
> ++
> + LTSTATIC = @LTSTATIC@
> + 
> + LTLINK   = $(LIBTOOL) --mode=link \
> +@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB)
> + 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
> + 
> + LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
> +-	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
> ++	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
> + 
> + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
> + 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
> +--- a/build/openldap.m4
> ++++ b/build/openldap.m4
> +@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT],
> + #endif
> + 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
> + ])
> ++
> ++dnl ====================================================================
> ++dnl check for symbol versioning support
> ++AC_DEFUN([OL_SYMBOL_VERSIONING],
> ++[AC_CACHE_CHECK([for .symver assembler directive],
> ++	[ol_cv_asm_symver_directive],[
> ++cat > conftest.s <<EOF
> ++${libc_cv_dot_text}
> ++_sym:
> ++.symver _sym,sym@VERS
> ++EOF
> ++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
> ++  ol_cv_asm_symver_directive=yes
> ++else
> ++  ol_cv_asm_symver_directive=no
> ++fi
> ++rm -f conftest*])
> ++AC_CACHE_CHECK([for ld --version-script],
> ++	[ol_cv_ld_version_script_option],[
> ++if test $ol_cv_asm_symver_directive = yes; then
> ++  cat > conftest.s <<EOF
> ++${libc_cv_dot_text}
> ++_sym:
> ++.symver _sym,sym@VERS
> ++EOF
> ++  cat > conftest.map <<EOF
> ++VERS_1 {
> ++	global: sym;
> ++};
> ++
> ++VERS_2 {
> ++	global: sym;
> ++} VERS_1;
> ++EOF
> ++  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
> ++    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
> ++                                                 -o conftest.so conftest.o
> ++                                                 -Wl,--version-script,conftest.map
> ++                       1>&AS_MESSAGE_LOG_FD]);
> ++    then
> ++      ol_cv_ld_version_script_option=yes
> ++    else
> ++      ol_cv_ld_version_script_option=no
> ++    fi
> ++  else
> ++    ol_cv_ld_version_script_option=no
> ++  fi
> ++else
> ++  ol_cv_ld_version_script_option=no
> ++fi
> ++rm -f conftest*])])
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -1909,6 +1909,13 @@ else
> + fi
> + AC_SUBST(LTSTATIC)dnl
> + 
> ++VERSION_OPTION=""
> ++OL_SYMBOL_VERSIONING
> ++if test $ol_cv_ld_version_script_option = yes ; then
> ++  VERSION_OPTION="-Wl,--version-script="
> ++fi
> ++AC_SUBST(VERSION_OPTION)
> ++
> + dnl ----------------------------------------------------------------
> + if test $ol_enable_wrappers != no ; then
> + 	AC_CHECK_HEADERS(tcpd.h,[
> +--- /dev/null
> ++++ b/libraries/libldap/libldap.map
> +@@ -0,0 +1,7 @@
> ++OPENLDAP_2.4_2 {
> ++  global:
> ++    ldap_*;
> ++    ldif_*;
> ++  local:
> ++    *;
> ++};
> +--- a/libraries/libldap/Makefile.in
> ++++ b/libraries/libldap/Makefile.in
> +@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
> + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
> + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> ++ifneq (,$(VERSION_OPTION))
> ++  VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
> ++endif
> + 
> + apitest:	$(XLIBS) apitest.o
> + 	$(LTLINK) -o $@ apitest.o $(LIBS)
> +--- a/libraries/liblber/Makefile.in
> ++++ b/libraries/liblber/Makefile.in
> +@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
> + XXLIBS = 
> + NT_LINK_LIBS = $(AC_LIBS)
> + UNIX_LINK_LIBS = $(AC_LIBS)
> ++ifneq (,$(VERSION_OPTION))
> ++  VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
> ++endif
> + 
> + dtest:    $(XLIBS) dtest.o
> + 	$(LTLINK) -o $@ dtest.o $(LIBS)
> +--- /dev/null
> ++++ b/libraries/liblber/liblber.map
> +@@ -0,0 +1,8 @@
> ++OPENLDAP_2.4_2 {
> ++  global:
> ++    ber_*;
> ++    der_alloc;
> ++    lutil_*;
> ++  local:
> ++    *;
> ++};
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
> new file mode 100644
> index 0000000..5f55137
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
> @@ -0,0 +1,60 @@
> +Patch the slapd man page to not refer to a header file that isn't
> +installed with the slapd package and to reference the correct path
> +for slapd.
> +
> +Debian-specific.
> +
> +--- a/doc/man/man8/slapd.8
> ++++ b/doc/man/man8/slapd.8
> +@@ -5,7 +5,7 @@
> + .SH NAME
> + slapd \- Stand-alone LDAP Daemon
> + .SH SYNOPSIS
> +-.B LIBEXECDIR/slapd 
> ++.B /usr/sbin/slapd 
> + [\c
> + .BR \-4 | \-6 ]
> + [\c
> +@@ -103,11 +103,10 @@
> + will not fork or disassociate from the invoking terminal.  Some general
> + operation and status messages are printed for any value of \fIdebug-level\fP.
> + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
> +-different kind of debugging information.  See <ldap_log.h> for details.
> +-Comma-separated arrays of friendly names can be specified to select
> +-debugging output of the corresponding debugging information.
> +-All the names recognized by the \fIloglevel\fP directive 
> +-described in \fBslapd.conf\fP(5) are supported.
> ++different kind of debugging information.  Comma-separated arrays of friendly
> ++names can be specified to select debugging output of the corresponding
> ++debugging information.  All the names recognized by the \fIloglevel\fP
> ++directive described in \fBslapd.conf\fP(5) are supported.
> + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
> + and slapd exits.
> + 
> +@@ -317,7 +316,7 @@
> + .LP
> + .nf
> + .ft tt
> +-	LIBEXECDIR/slapd
> ++	/usr/sbin/slapd
> + .ft
> + .fi
> + .LP
> +@@ -328,7 +327,7 @@
> + .LP
> + .nf
> + .ft tt
> +-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
> ++	/usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
> + .ft
> + .fi
> + .LP
> +@@ -336,7 +335,7 @@
> + .LP
> + .nf
> + .ft tt
> +-	LIBEXECDIR/slapd \-Tt
> ++	/usr/sbin/slapd \-Tt
> + .ft
> + .fi
> + .LP
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
> new file mode 100644
> index 0000000..8e7812d
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
> @@ -0,0 +1,25 @@
> +Description: don't use AM_INIT_AUTOMAKE macro when we aren't using automake
> + Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
> + using automake, and it confuses autoreconf.  Use AC_INIT() instead.
> +Author: Steve Langasek <vorlon@debian.org>
> +
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -26,7 +26,8 @@ dnl Configure.in for OpenLDAP
> + AC_COPYRIGHT([[Copyright 1998-2014 The OpenLDAP Foundation. All rights reserved.
> + Restrictions apply, see COPYRIGHT and LICENSE files.]])
> + AC_REVISION([$Id: 81bd528fb5194c83d688db355737b7715448b958 $])
> +-AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
> ++AC_INIT([OpenLDAP],[$OL_VERSION],[http://www.openldap.org/its/])
> ++AC_PROG_MAKE_SET
> + m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
> + AC_CONFIG_SRCDIR(build/version.sh)dnl
> + dnl ----------------------------------------------------------------
> +@@ -69,7 +70,6 @@ dnl Determine host platform
> + dnl		we try not to use this for much
> + AC_CANONICAL_TARGET([])
> + 
> +-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
> + AC_SUBST(PACKAGE)dnl
> + AC_SUBST(VERSION)dnl
> + AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
> new file mode 100644
> index 0000000..db76aa7
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
> @@ -0,0 +1,42 @@
> +Author: Steve Langasek <vorlon@debian.org>
> +Description: don't second-guess BDB ABI
> + OpenLDAP upstream conservatively assumes that any change to the version
> + number of libdb can result in an API-breaking change that could impact
> + the database.  In Debian, we know that such changes require bumping the
> + library soname and changing the package name, and demand such rigor from
> + our package maintainers even when upstreams don't deliver; so any such
> + check in the source code works against the packaging system by forcing
> + database upgrades when we know none are required.  Disable this check
> + so we rely on the packaging system to do its job.
> +Bug-Debian: http://bugs.debian.org/651333
> +Forwarded: not-needed
> +
> +--- a/servers/slapd/back-bdb/init.c
> ++++ b/servers/slapd/back-bdb/init.c
> +@@ -762,7 +762,7 @@ bdb_back_initialize(
> + 	bi->bi_controls = controls;
> + 
> + 	{	/* version check */
> +-		int major, minor, patch, ver;
> ++		int major, minor, patch;
> + 		char *version = db_version( &major, &minor, &patch );
> + #ifdef HAVE_EBCDIC
> + 		char v2[1024];
> +@@ -776,17 +776,6 @@ bdb_back_initialize(
> + 		version = v2;
> + #endif
> + 
> +-		ver = (major << 24) | (minor << 16) | patch;
> +-		if( ver != DB_VERSION_FULL ) {
> +-			/* fail if a versions don't match */
> +-			Debug( LDAP_DEBUG_ANY,
> +-				LDAP_XSTRING(bdb_back_initialize) ": "
> +-				"BDB library version mismatch:"
> +-				" expected " DB_VERSION_STRING ","
> +-				" got %s\n", version, 0, 0 );
> +-			return -1;
> +-		}
> +-
> + 		Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
> + 			": %s\n", version, 0, 0 );
> + 	}
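Review bot: With the `ver != DB_VERSION_FULL` comparison deleted, bdb_back_initialize no longer refuses to start when the libdb loaded at run time differs from the one slapd was compiled against. The patch header justifies this by Debian's soname and package-naming policy, which does not obviously hold for an OpenEmbedded image where the `db` recipe can change independently of this one. Rather than deleting the block, consider keeping the comparison and the `Debug( LDAP_DEBUG_ANY, ... )` message and dropping only the `return -1;`, so a mismatch is at least visible in the logs. bdb_back_initialize starts and ends outside this hunk.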
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
> new file mode 100644
> index 0000000..5ea240f
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
> @@ -0,0 +1,55 @@
> +Add /etc/ldap/sasl2 to the SASL configuration search path.
> +
> +Not submitted upstream.  Somewhat Debian-specific and probably not of
> +interest upstream.
> +
> +--- a/include/ldap_defaults.h
> ++++ b/include/ldap_defaults.h
> +@@ -63,4 +63,6 @@
> + 	/* dn of the default "monitor" subentry */
> + #define SLAPD_MONITOR_DN		"cn=Monitor"
> + 
> ++#define SASL_CONFIGPATH                        LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
> ++
> + #endif /* _LDAP_CONFIG_H */
> +--- a/servers/slapd/sasl.c
> ++++ b/servers/slapd/sasl.c
> +@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper
> + };
> + #endif
> + 
> ++static int
> ++slap_sasl_getconfpath( void * context, char ** path )
> ++{
> ++	char * sasl_default_configpath;
> ++	size_t len;
> ++
> ++#if SASL_VERSION_MAJOR >= 2
> ++	sasl_default_configpath = "/usr/lib/sasl2";
> ++#else
> ++	sasl_default_configpath = "/usr/lib/sasl";
> ++#endif
> ++
> ++	len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
> ++		strlen(sasl_default_configpath) + 1 /* \0 */;
> ++	*path = malloc( len );
> ++	if ( *path == NULL )
> ++		return SASL_FAIL;
> ++
> ++	if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
> ++				sasl_default_configpath ) != len-1 )
> ++		return SASL_FAIL;
> ++
> ++	return SASL_OK;
> ++}
> ++
> + int slap_sasl_init( void )
> + {
> + #ifdef HAVE_CYRUS_SASL
> + 	int rc;
> + 	static sasl_callback_t server_callbacks[] = {
> + 		{ SASL_CB_LOG, &slap_sasl_log, NULL },
> ++		{ SASL_CB_GETCONFPATH, &slap_sasl_getconfpath, NULL },
> + 		{ SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
> + 		{ SASL_CB_LIST_END, NULL, NULL }
> + 	};
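Review bot: slap_sasl_getconfpath leaks the buffer and leaves `*path` pointing at it when the snprintf check fails, because the `return SASL_FAIL` after snprintf does not free what malloc returned. The comparison `!= len-1` also mixes snprintf's int result with a size_t, so a negative return is caught only through implicit conversion. Storing the result in an int `n` and using `if ( n < 0 || (size_t)n != len - 1 ) { free( *path ); *path = NULL; return SASL_FAIL; }` handles both cases explicitly. The default paths `/usr/lib/sasl2` and `/usr/lib/sasl` are hard-coded and may not match the target's libdir. slap_sasl_init continues outside the hunk.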
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/series b/meta-oe/recipes-support/openldap/openldap-2.4.39/series
> new file mode 100644
> index 0000000..2f47de3
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/series
> @@ -0,0 +1,21 @@
> +man-slapd 
> +evolution-ntlm
> +slapi-errorlog-file 
> +ldapi-socket-place 
> +wrong-database-location 
> +index-files-created-as-root 
> +sasl-default-path 
> +libldap-symbol-versions
> +getaddrinfo-is-threadsafe
> +do-not-second-guess-sonames
> +contrib-modules-use-dpkg-buildflags
> +smbk5pwd-makefile
> +autogroup-makefile
> +ldap-conf-tls-cacertdir
> +add-tlscacert-option-to-ldap-conf
> +fix-ftbfs-binutils-gold
> +fix-build-top-mk
> +no-AM_INIT_AUTOMAKE
> +switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
> +no-bdb-ABI-second-guessing
> +heimdal-fix
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
> new file mode 100644
> index 0000000..4899451
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
> @@ -0,0 +1,16 @@
> +The slapi error log file defaults to /var/errors given our setting
> +of --localstatedir.  Move it to /var/log/slapi-errors instead.
> +
> +Debian-specific.
> +
> +--- a/servers/slapd/slapi/slapi_overlay.c
> ++++ b/servers/slapd/slapi/slapi_overlay.c
> +@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
> + 		ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
> + 
> + 		if ( slapi_log_file == NULL )
> +-			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
> ++			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
> + 
> + 		rc = slapi_int_init_object_extensions();
> + 		if ( rc != 0 )
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
> new file mode 100644
> index 0000000..17d1b56
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
> @@ -0,0 +1,53 @@
> +--- a/contrib/slapd-modules/smbk5pwd/Makefile
> ++++ b/contrib/slapd-modules/smbk5pwd/Makefile
> +@@ -14,17 +14,17 @@
> + 
> + LDAP_SRC = ../../..
> + LDAP_BUILD = ../../..
> +-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
> +-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
> +-	$(LDAP_BUILD)/libraries/liblber/liblber.la
> ++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/debian/build/servers/slapd -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
> ++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
> ++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
> + 
> + SSL_INC = 
> +-SSL_LIB = -lcrypto
> ++SSL_LIB = -lgcrypt
> + 
> +-HEIMDAL_INC = -I/usr/heimdal/include
> +-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
> ++HEIMDAL_INC = -I/usr/include
> ++HEIMDAL_LIB = -lkrb5 -lkadm5srv
> + 
> +-LIBTOOL = $(LDAP_BUILD)/libtool
> ++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
> + CC = gcc
> + OPT = -g -O2 -Wall
> + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
> +@@ -35,13 +35,13 @@ LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_
> + PROGRAMS = smbk5pwd.la
> + LTVER = 0:0:0
> + 
> +-prefix=/usr/local
> ++prefix=/usr
> + exec_prefix=$(prefix)
> +-ldap_subdir=/openldap
> ++ldap_subdir=/ldap
> + 
> + libdir=$(exec_prefix)/lib
> + libexecdir=$(exec_prefix)/libexec
> +-moduledir = $(libexecdir)$(ldap_subdir)
> ++moduledir = $(libdir)$(ldap_subdir)
> + 
> + .SUFFIXES: .c .o .lo
> + 
> +@@ -55,7 +55,7 @@ smbk5pwd.la:	smbk5pwd.lo
> + 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
> + 
> + clean:
> +-	rm -rf *.o *.lo *.la .libs
> ++	$(LIBTOOL) --mode=clean rm -f
> + 
> + install: $(PROGRAMS)
> + 	mkdir -p $(DESTDIR)$(moduledir)
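Review bot: `HEIMDAL_INC = -I/usr/include` points the compiler at the build host's headers, which in a cross build is host contamination rather than the target sysroot; the untouched `CC = gcc` line likewise hard-codes the host compiler. The `$(LDAP_BUILD)/debian/build/...` paths for LDAP_INC, LDAP_LIB and LIBTOOL refer to Debian's out-of-tree build directory, which this recipe (it inherits autotools-brokensep) does not appear to create, and autogroup-makefile.patch carries the same paths and the same `prefix`/`moduledir` changes. `SSL_LIB = -lgcrypt` matches Debian's GnuTLS build, while the recipe's default PACKAGECONFIG selects openssl. If the recipe does not build these contrib modules, I would drop both Makefile patches from SRC_URI; if it does, the paths should come from the recipe's variables instead.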
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
> new file mode 100644
> index 0000000..f0dd4e1
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
> @@ -0,0 +1,40 @@
> +From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
> +Date: Tue, 18 May 2010 17:47:05 +0200
> +Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.    
> + Open all modules with RTLD_GLOBAL, needed so that back_perl can load
> + non-trivial Perl extensions that require symbols from back_perl.so itself.
> +Bug-Debian: http://bugs.debian.org/327585
> +
> +---
> +--- a/servers/slapd/module.c
> ++++ b/servers/slapd/module.c
> +@@ -117,6 +117,20 @@ int module_unload( const char *file_name
> + 	return -1;	/* not found */
> + }
> + 
> ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
> ++{
> ++	lt_dlhandle handle = 0;
> ++	lt_dladvise advise;
> ++
> ++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
> ++			&& !lt_dladvise_global (&advise))
> ++		handle = lt_dlopenadvise (filename, advise);
> ++
> ++	lt_dladvise_destroy (&advise);
> ++
> ++	return handle;
> ++}
> ++
> + int module_load(const char* file_name, int argc, char *argv[])
> + {
> + 	module_loaded_t *module;
> +@@ -180,7 +194,7 @@ int module_load(const char* file_name, i
> + 	 * to calling Debug. This is because Debug is a macro that expands
> + 	 * into multiple function calls.
> + 	 */
> +-	if ((module->lib = lt_dlopenext(file)) == NULL) {
> ++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
> + 		error = lt_dlerror();
> + #ifdef HAVE_EBCDIC
> + 		strcpy( ebuf, error );
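Review bot: slapd_lt_dlopenext_global calls `lt_dladvise_destroy (&advise)` unconditionally, so when `lt_dladvise_init` fails it runs on an `advise` whose initialisation did not succeed; whether that is safe depends on libltdl internals. Returning early is clearer: `if (lt_dladvise_init (&advise)) return 0;`, then apply `lt_dladvise_ext` and `lt_dladvise_global` and destroy only the initialised value. Separately, the helper makes every module's symbols global, not just back_perl's, so a name exported by one loaded module can be picked up when a later module resolves the same name. The recipe in this patch disables the perl backend and its own comments mention an `init_module` clash between dyngroup and Proxy Cache, so it is worth confirming this patch is wanted here. module_load starts and ends outside the hunk.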
> diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
> new file mode 100644
> index 0000000..25d96cb
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
> @@ -0,0 +1,74 @@
> +Move the default slapd database location to /var/lib/ldap instead of
> +/var/openldap-data.
> +
> +Debian-specific.
> +
> +--- a/doc/man/man5/slapd-bdb.5
> ++++ b/doc/man/man5/slapd-bdb.5
> +@@ -131,7 +131,7 @@ Specify the directory where the BDB file
> + associated indexes live.
> + A separate directory must be specified for each database.
> + The default is
> +-.BR LOCALSTATEDIR/openldap\-data .
> ++.BR LOCALSTATEDIR/lib/ldap .
> + .TP
> + .B dirtyread
> + Allow reads of modified but not yet committed data.
> +--- a/doc/man/man5/slapd.conf.5
> ++++ b/doc/man/man5/slapd.conf.5
> +@@ -2007,7 +2007,7 @@ suffix    "dc=our\-domain,dc=com"
> + # The database directory MUST exist prior to
> + # running slapd AND should only be accessible
> + # by the slapd/tools. Mode 0700 recommended.
> +-directory LOCALSTATEDIR/openldap\-data
> ++directory LOCALSTATEDIR/lib/ldap
> + # Indices to maintain
> + index     objectClass  eq
> + index     cn,sn,mail   pres,eq,approx,sub
> +--- a/include/ldap_defaults.h
> ++++ b/include/ldap_defaults.h
> +@@ -47,7 +47,7 @@
> + 	/* location of the default slapd config file */
> + #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
> + #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
> +-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
> ++#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
> + #define SLAPD_DEFAULT_DB_MODE		0600
> + #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
> + 	/* default max deref depth for aliases */
> +--- a/servers/slapd/Makefile.in
> ++++ b/servers/slapd/Makefile.in
> +@@ -445,9 +445,9 @@ install-conf: FORCE
> + 
> + install-db-config: FORCE
> + 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
> +-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
> ++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
> + 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> +-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
> ++		$(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
> + 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> + 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
> + 
> +--- a/doc/man/man5/slapd-config.5
> ++++ b/doc/man/man5/slapd-config.5
> +@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com"
> + # The database directory MUST exist prior to
> + # running slapd AND should only be accessible
> + # by the slapd/tools. Mode 0700 recommended.
> +-olcDbDirectory: LOCALSTATEDIR/openldap\-data
> ++olcDbDirectory: LOCALSTATEDIR/lib/ldap
> + # Indices to maintain
> + olcDbIndex:     objectClass  eq
> + olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
> +--- a/doc/man/man5/slapd-mdb.5
> ++++ b/doc/man/man5/slapd-mdb.5
> +@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil
> + associated indexes live.
> + A separate directory must be specified for each database.
> + The default is
> +-.BR LOCALSTATEDIR/openldap\-data .
> ++.BR LOCALSTATEDIR/lib/ldap .
> + .TP
> + \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
> + Specify flags for finer-grained control of the LMDB library's operation.
> diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb b/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
> new file mode 100644
> index 0000000..3048c8e
> --- /dev/null
> +++ b/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
> @@ -0,0 +1,182 @@
> +# OpenLDAP, a license free (see http://www.OpenLDAP.org/license.html)
> +#
> +DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol."
> +HOMEPAGE = "http://www.OpenLDAP.org/license.html"
> +# The OpenLDAP Public License - see the HOMEPAGE - defines
> +# the license.  www.openldap.org claims this is Open Source
> +# (see http://www.openldap.org), the license appears to be
> +# basically BSD.  opensource.org does not record this license
> +# at present (so it is apparently not OSI certified).
> +LICENSE = "OpenLDAP"
> +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=f2bdbaa4f50199a00b6de2ca7ec1db05"
> +SECTION = "libs"
> +
> +# patches taken from Debian
> +SRC_URI = "\
> +    ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${P}.tgz \
> +    file://man-slapd.patch \
> +    file://evolution-ntlm.patch \
> +    file://slapi-errorlog-file.patch \
> +    file://ldapi-socket-place.patch \
> +    file://wrong-database-location.patch \
> +    file://index-files-created-as-root.patch \
> +    file://sasl-default-path.patch \
> +    file://libldap-symbol-versions.patch \
> +    file://getaddrinfo-is-threadsafe.patch \
> +    file://do-not-second-guess-sonames.patch \
> +    file://contrib-modules-use-dpkg-buildflags.patch \
> +    file://smbk5pwd-makefile.patch \
> +    file://autogroup-makefile.patch \
> +    file://ldap-conf-tls-cacertdir.patch \
> +    file://add-tlscacert-option-to-ldap-conf.patch \
> +    file://fix-ftbfs-binutils-gold.patch \
> +    file://fix-build-top-mk.patch \
> +    file://no-AM_INIT_AUTOMAKE.patch \
> +    file://switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch \
> +    file://no-bdb-ABI-second-guessing.patch \
> +    file://heimdal-fix.patch \
> +"
> +SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
> +SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
> +
> +DEPENDS = "util-linux groff-native db"
> +
> +PR = "r0"
> +# The original top.mk used INSTALL, not INSTALL_STRIP_PROGRAM when
> +# installing .so and executables, this fails in cross compilation
> +# environments
> +SRC_URI += "file://install-strip.patch"
> +
> +# inherit autotools
> +inherit autotools-brokensep
> +
> +# CV SETTINGS
> +# Required to work round AC_FUNC_MEMCMP which gets the wrong answer
> +# when cross compiling (should be in site?)
> +EXTRA_OECONF += "ac_cv_func_memcmp_working=yes"
> +
> +# CONFIG DEFINITIONS
> +# The following is necessary because it cannot be determined for a
> +# cross compile automagically.  Select should yield fine on all OE
> +# systems...
> +EXTRA_OECONF += "--with-yielding-select=yes"
> +# Shared libraries are nice...
> +EXTRA_OECONF += "--enable-dynamic"
> +
> +PACKAGECONFIG ??= "openssl modules \
> +                   ldap meta monitor null passwd shell proxycache dnssrv \
> +		   bdb hdb mdb sasl \
> +"
> +#--with-tls              with TLS/SSL support auto|openssl|gnutls [auto]
> +PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls"
> +PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl"
> +
> +PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl"
> +PACKAGECONFIG[modules] = "lt_cv_dlopen_self=yes --enable-modules,--disable-modules,libtool"
> +
> +# SLAPD options
> +#
> +# UNIX crypt(3) passwd support:
> +EXTRA_OECONF += "--enable-crypt"
> +
> +EXTRA_OECONF += "--enable-ipv6"
> +
> +# SLAPD BACKEND
> +#
> +# The backend must be set by the configuration.  This controls the
> +# required database, the default database, bdb, is turned off but
> +# can be turned back on again and it *is* below!  The monitor backend
> +# is also disabled.  If you try to change the backends but fail to
> +# enable a single one the build will fail in an obvious way.
> +#
> +# EXTRA_OECONF += "--disable-bdb --disable-hdb --disable-monitor"
> +#
> +# Backends="bdb dnssrv hdb ldap ldbm meta monitor null passwd perl shell sql"
> +#
> +# Note that multiple backends can be built.  The ldbm backend requires a
> +# build-time choice of database API.  The bdb backend forces this to be
> +# DB4.  To use the gdbm (or other) API the Berkely database module must
> +# be removed from the build.
> +md = "${libexecdir}/openldap"
> +#
> +#--enable-bdb          enable Berkeley DB backend no|yes|mod yes
> +# The Berkely DB is the standard choice.  This version of OpenLDAP requires
> +# the version 4 implementation or better.
> +PACKAGECONFIG[bdb] = "--enable-bdb=mod,--enable-bdb=no,db"
> +
> +#--enable-dnssrv       enable dnssrv backend no|yes|mod no
> +PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no"
> +
> +#--enable-hdb          enable Hierarchical DB backend no|yes|mod no
> +# This forces ldbm to use Berkeley too, remove to use gdbm
> +PACKAGECONFIG[hdb] = "--enable-hdb=mod,--enable-hdb=no,db"
> +
> +#--enable-ldap         enable ldap backend no|yes|mod no
> +PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no,"
> +
> +#--enable-ldbm         enable ldbm backend no|yes|mod no
> +# ldbm requires further specification of the underlying database API, because
> +# bdb is enabled above this must be set to berkeley, however the config
> +# defaults this correctly so --with-ldbm-api is *not* set.  The build will
> +# fail if bdb is removed, but no database is built to provide the
> +# support for ldbm
> +# guide.html:<P>back-ldbm was both slow and unreliable. Its byzantine indexing code was prone to spontaneous corruption, as were the underlying database libraries that were commonly used (e.g. GDBM or NDBM). back-bdb and back-hdb are superior in every aspect, with simplified indexing to avoid index corruption, fine-grained locking for greater concurrency, hierarchical caching for greater performance, streamlined on-disk format for greater efficiency and portability, and full transaction support for greater reliability.</P>
> +# configure: WARNING: unrecognized options: --disable-silent-rules, --enable-ldbm, --with-ldbm-api
> +#PACKAGECONFIG[ldbm] = "--enable-ldbm=mod --with-ldbm-api=gdbm,--enable-ldbm-no,gdbm"
> +
> +#--enable-meta         enable metadirectory backend no|yes|mod no
> +PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no,"
> +
> +#--enable-monitor      enable monitor backend no|yes|mod yes
> +PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no,"
> +
> +#--enable-null         enable null backend no|yes|mod no
> +PACKAGECONFIG[null] = "--enable-null=mod,--enable-null=no,"
> +
> +#--enable-passwd       enable passwd backend no|yes|mod no
> +PACKAGECONFIG[passwd] = "--enable-passwd=mod,--enable-passwd=no,"
> +
> +# disabling perl support - host contamination issues
> +#
> +#--enable-perl         enable perl backend no|yes|mod no
> +#  This requires a loadable perl dynamic library, if enabled without
> +#  doing something appropriate (building perl?) the build will pick
> +#  up the build machine perl - not good (inherit perlnative?)
> +# PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl"
> +
> +#--enable-shell        enable shell backend no|yes|mod no
> +# configure: WARNING: Use of --without-threads is recommended with back-shell
> +PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no,"
> +
> +#--enable-sql          enable sql backend no|yes|mod no
> +# sql requires some sql backend which provides sql.h, sqlite* provides
> +# sqlite.h (which may be compatible but hasn't been tried.)
> +PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3"
> +
> +#--enable-dyngroup     Dynamic Group overlay no|yes|mod no
> +#  This is a demo, Proxy Cache defines init_module which conflicts with the
> +#  same symbol in dyngroup
> +PACKAGECONFIG[dyngroup] = "--enable-dyngroup=mod,--enable-dyngroup=no,"
> +
> +#--enable-proxycache   Proxy Cache overlay no|yes|mod no
> +PACKAGECONFIG[proxycache] = "--enable-proxycache=mod,--enable-proxycache=no,"
> +
> +#--enable-mdb         enable mdb database backend no|yes|mod no
> +PACKAGECONFIG[mdb] = "--enable-mdb=mod,--enable-mdb=no,"
> +
> +CPPFLAGS_append = " -D_GNU_SOURCE"
> +
> +do_configure() {
> +    cp ${STAGING_DATADIR_NATIVE}/libtool/config/ltmain.sh ${S}/build
> +    rm -f ${S}/libtool
> +    rm -f ${S}/libtool
> +    aclocal
> +    libtoolize --force --copy
> +    gnu-configize
> +    autoconf
> +    oe_runconf
> +}
> +
> +FILES_${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libdir}/*.a ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so"
> +FILES_${PN}-dbg += "${libexecdir}/openldap/.debug"
> +
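Review bot: The default PACKAGECONFIG enables the `shell` backend, whose option string also passes `--without-threads`, so every default build of slapd is configured without threads in order to carry a backend that runs external commands. I would leave `shell` (and `passwd`, which exposes the system passwd database over LDAP) out of the defaults so images opt in explicitly: `PACKAGECONFIG ??= "openssl modules ldap meta monitor null proxycache dnssrv bdb hdb mdb sasl"`. The `gnutls` and `openssl` entries have no disable argument, so removing both leaves TLS selection to configure's auto-detection; an explicit `--with-tls=no` would make that choice deliberate. do_configure also repeats `rm -f ${S}/libtool`.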
> -- 
> 1.8.3.2
> 
> -- 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel

Patch

diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
new file mode 100644
index 0000000..e8e731a
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
@@ -0,0 +1,10 @@ 
+--- a/libraries/libldap/ldap.conf
++++ b/libraries/libldap/ldap.conf
+@@ -11,3 +11,7 @@
+ #SIZELIMIT	12
+ #TIMELIMIT	15
+ #DEREF		never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
++
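Review bot: The `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` default added to ldap.conf names a CA bundle that nothing in this patch installs, so certificate verification depends on another package providing that file. If the bundle is missing on the target, verified TLS connections are likely to fail, and the usual workaround is to weaken `TLS_REQCERT`. The recipe is outside this hunk; confirm there that whatever provides the bundle is a runtime dependency of the package that ships ldap.conf. The comment `needed for GnuTLS` should also say whether the default is intended when a different TLS backend is selected.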
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
new file mode 100644
index 0000000..d3f56c3
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
@@ -0,0 +1,35 @@ 
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -2,11 +2,11 @@
+ 
+ LDAP_SRC = ../../..
+ LDAP_BUILD = ../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+-	$(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ DEFS = 
+@@ -16,13 +16,13 @@ LIBS = $(LDAP_LIB)
+ PROGRAMS = autogroup.la
+ LTVER = 0:0:0
+ 
+-prefix=/usr/local
++prefix=/usr
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
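Review bot: `LDAP_INC`, `LDAP_LIB` and `LIBTOOL` in the first inner hunk are rewritten to point into `$(LDAP_BUILD)/debian/build/`, a directory created by Debian's packaging build, so autogroup can only build here if something else creates that tree. The second inner hunk sets `moduledir = $(libdir)$(ldap_subdir)` with `ldap_subdir=/ldap`, while the recipe text quoted earlier on this page packages modules from `${libexecdir}/openldap/`, so an installed autogroup.la would land outside the packaged paths. Whether the recipe builds contrib/slapd-modules at all is not visible here. If it does not, drop this patch from the series; if it does, the paths should come from the recipe's build directory and `${libexecdir}`.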
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
new file mode 100644
index 0000000..1b15529
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
@@ -0,0 +1,40 @@ 
+Description: pass CFLAGS to contrib builds
+ $(CFLAGS) is missing from the compiler invocations for autogroup and
+ smbk5pwd, which means they're not being hardened.
+Author: Simon Ruderich <simon@ruderich.org>
+Bug-Debian: http://bugs.debian.org/663724
+
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -27,12 +27,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
+ .SUFFIXES: .c .o .lo
+ 
+ .c.lo:
+-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
+ 
+ all: $(PROGRAMS)
+ 
+ autogroup.la: autogroup.lo
+-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++	$(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
+ 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -46,12 +46,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
+ .SUFFIXES: .c .o .lo
+ 
+ .c.lo:
+-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
+ 
+ all: $(PROGRAMS)
+ 
+ smbk5pwd.la:	smbk5pwd.lo
+-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++	$(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
+ 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
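Review bot: The `.c.lo` rules in both Makefiles now pass `$(CFLAGS)` but still not `$(CPPFLAGS)`, so hardening that arrives as a preprocessor define (for example a `-D_FORTIFY_SOURCE` setting, when the build supplies it through CPPFLAGS) never reaches the autogroup and smbk5pwd compiles. The same applies to the `-D_GNU_SOURCE` that the recipe text quoted earlier on this page appends to CPPFLAGS. Extend both rules to `$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<`. The Description mentions only CFLAGS although the link rules also gain `$(LDFLAGS)`; the header should say so.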
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
new file mode 100644
index 0000000..31cf652
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
@@ -0,0 +1,68 @@ 
+Rip out code that second-guesses the libsasl soname / Debian shlibs.  If
+cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
+there, not kludged around upstream here!
+
+Debian bug #546885
+
+Upstream ITS #6302 filed.
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -74,28 +74,6 @@ int ldap_int_sasl_init( void )
+ 	/* XXX not threadsafe */
+ 	static int sasl_initialized = 0;
+ 
+-#ifdef HAVE_SASL_VERSION
+-	/* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat)	#maj "." #min "." #pat
+-#define VSTR(maj, min, pat)	VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+-				SASL_VERSION_STEP)
+-	{ int rc;
+-	sasl_version( NULL, &rc );
+-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+-		(rc & 0xffff) < SASL_VERSION_STEP) {
+-		char version[sizeof("xxx.xxx.xxxxx")];
+-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+-			rc & 0xffff );
+-
+-		Debug( LDAP_DEBUG_ANY,
+-		"ldap_int_sasl_init: SASL library version mismatch:"
+-		" expected " SASL_VERSION_STRING ","
+-		" got %s\n", version, 0, 0 );
+-		return -1;
+-	}
+-	}
+-#endif
+ 	if ( sasl_initialized ) {
+ 		return 0;
+ 	}
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1145,26 +1145,6 @@ int slap_sasl_init( void )
+ #endif
+ 
+ #ifdef HAVE_CYRUS_SASL
+-#ifdef HAVE_SASL_VERSION
+-	/* stringify the version number, sasl.h doesn't do it for us */
+-#define	VSTR0(maj, min, pat)	#maj "." #min "." #pat
+-#define	VSTR(maj, min, pat)	VSTR0(maj, min, pat)
+-#define	SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+-				SASL_VERSION_STEP)
+-
+-	sasl_version( NULL, &rc );
+-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+-		(rc & 0xffff) < SASL_VERSION_STEP)
+-	{
+-		char version[sizeof("xxx.xxx.xxxxx")];
+-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+-			rc & 0xffff );
+-		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+-			" expected %s, got %s\n",
+-			SASL_VERSION_STRING, version, 0 );
+-		return -1;
+-	}
+-#endif
+ 
+ 	sasl_set_mutex(
+ 		ldap_pvt_sasl_mutex_new,
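Review bot: With both `#ifdef HAVE_SASL_VERSION` blocks removed, nothing at initialisation detects a libsasl2 that is older than the headers libldap and slapd were compiled against; `ldap_int_sasl_init()` and `slap_sasl_init()` proceed straight to library setup. The patch header justifies the removal by Debian's shlibs handling, so it should state what gives the equivalent guarantee in this layer, or the check should stay. The header also carries no `Upstream-Status:` line even though it cites upstream ITS #6302; the other Debian-derived patches in this commit lack the tag as well. Both function bodies extend beyond the inner hunks.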
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
new file mode 100644
index 0000000..cd9bc26
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch
@@ -0,0 +1,222 @@ 
+Patch from evolution-exchange (2.10.3).  The ldap_ntlm_bind function is
+actually called by evolution-data-server, checked at version 1.12.2.
+Without this patch, the Exchange addressbook integration uses simple binds
+with cleartext passwords.
+
+Russ checked with openldap-software for upstream's opinion on this patch
+on 2007-12-21.  Upstream had never received it as a patch submission and
+given that it's apparently only for older Exchange servers that can't do
+SASL and DIGEST-MD5, it's not very appealing.
+
+Bug#457374 filed against evolution-data-server asking if this support is
+still required on 2007-12-21.
+
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P((
+ 	LDAPControl	**ctrls,
+ 	LDAPDerefRes	**drp ));
+ 
++/*
++ * hacks for NTLM
++ */
++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU)
++#define LDAP_AUTH_NTLM_RESPONSE  ((ber_tag_t) 0x8bU)
++LDAP_F( int )
++ldap_ntlm_bind LDAP_P((
++      LDAP    *ld,
++      LDAP_CONST char *dn,
++      ber_tag_t tag,
++      struct berval *cred,
++      LDAPControl **sctrls,
++      LDAPControl **cctrls,
++      int   *msgidp ));
++LDAP_F( int )
++ldap_parse_ntlm_bind_result LDAP_P((
++      LDAP    *ld,
++      LDAPMessage *res,
++      struct berval *challenge));
++
+ LDAP_END_DECL
+ #endif /* _LDAP_H */
+--- /dev/null
++++ b/libraries/libldap/ntlm.c
+@@ -0,0 +1,138 @@
++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
++/*
++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
++ */
++
++/* Mostly copied from sasl.c */
++
++#include "portable.h"
++
++#include <stdlib.h>
++#include <stdio.h>
++
++#include <ac/socket.h>
++#include <ac/string.h>
++#include <ac/time.h>
++#include <ac/errno.h>
++
++#include "ldap-int.h"
++
++int
++ldap_ntlm_bind(
++ LDAP    *ld,
++ LDAP_CONST char *dn,
++ ber_tag_t tag,
++ struct berval *cred,
++ LDAPControl **sctrls,
++ LDAPControl **cctrls,
++ int   *msgidp )
++{
++ BerElement  *ber;
++ int rc;
++ ber_int_t id;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( msgidp != NULL );
++
++ if( msgidp == NULL ) {
++   ld->ld_errno = LDAP_PARAM_ERROR;
++   return ld->ld_errno;
++ }
++
++ /* create a message to send */
++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
++   ld->ld_errno = LDAP_NO_MEMORY;
++   return ld->ld_errno;
++ }
++
++ assert( LBER_VALID( ber ) );
++
++ LDAP_NEXT_MSGID( ld, id );
++ rc = ber_printf( ber, "{it{istON}" /*}*/,
++      id, LDAP_REQ_BIND,
++      ld->ld_version, dn, tag,
++      cred );
++
++ /* Put Server Controls */
++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) {
++   ber_free( ber, 1 );
++   return ld->ld_errno;
++ }
++
++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
++   ld->ld_errno = LDAP_ENCODING_ERROR;
++   ber_free( ber, 1 );
++   return ld->ld_errno;
++ }
++
++ /* send the message */
++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
++
++ if(*msgidp < 0)
++   return ld->ld_errno;
++
++ return LDAP_SUCCESS;
++}
++
++int
++ldap_parse_ntlm_bind_result(
++ LDAP    *ld,
++ LDAPMessage *res,
++ struct berval *challenge)
++{
++ ber_int_t errcode;
++ ber_tag_t tag;
++ BerElement  *ber;
++ ber_len_t len;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( res != NULL );
++
++ if ( ld == NULL || res == NULL ) {
++   return LDAP_PARAM_ERROR;
++ }
++
++ if( res->lm_msgtype != LDAP_RES_BIND ) {
++   ld->ld_errno = LDAP_PARAM_ERROR;
++   return ld->ld_errno;
++ }
++
++ if ( ld->ld_error ) {
++   LDAP_FREE( ld->ld_error );
++   ld->ld_error = NULL;
++ }
++ if ( ld->ld_matched ) {
++   LDAP_FREE( ld->ld_matched );
++   ld->ld_matched = NULL;
++ }
++
++ /* parse results */
++
++ ber = ber_dup( res->lm_ber );
++
++ if( ber == NULL ) {
++   ld->ld_errno = LDAP_NO_MEMORY;
++   return ld->ld_errno;
++ }
++
++ tag = ber_scanf( ber, "{ioa" /*}*/,
++      &errcode, challenge, &ld->ld_error );
++ ber_free( ber, 0 );
++
++ if( tag == LBER_ERROR ) {
++   ld->ld_errno = LDAP_DECODING_ERROR;
++   return ld->ld_errno;
++ }
++
++ ld->ld_errno = errcode;
++
++ return( ld->ld_errno );
++}
++
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -27,7 +27,7 @@ SRCS	= bind.c open.c result.c error.c co
+ 	init.c options.c print.c string.c util-int.c schema.c \
+ 	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ 	tls2.c tls_o.c tls_g.c tls_m.c \
+-	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ 	assertion.c deref.c ldif.c fetch.c
+ 
+ OBJS	= bind.lo open.lo result.lo error.lo compare.lo search.lo \
+@@ -40,7 +40,7 @@ OBJS	= bind.lo open.lo result.lo error.l
+ 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ 	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ 	tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+-	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ 	assertion.lo deref.lo ldif.lo fetch.lo
+ 
+ LDAP_INCDIR= ../../include       
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -29,7 +29,7 @@ XXSRCS    = apitest.c test.c \
+ 	init.c options.c print.c string.c util-int.c schema.c \
+ 	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ 	tls2.c tls_o.c tls_g.c tls_m.c \
+-	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ 	assertion.c deref.c ldif.c fetch.c
+ SRCS	= threads.c rdwr.c rmutex.c tpool.c rq.c \
+ 	thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \
+@@ -47,7 +47,7 @@ OBJS	= threads.lo rdwr.lo rmutex.lo tpoo
+ 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ 	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ 	tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+-	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ 	assertion.lo deref.lo ldif.lo fetch.lo
+ 
+ LDAP_INCDIR= ../../include       
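Review bot: In the new `ldap_ntlm_bind()` the result of the opening `ber_printf()` is stored in `rc` and never tested, so an encoding failure of the bind request (DN, tag or credential) is ignored and the function carries on to `ldap_int_put_controls()` and the send. The closing `ber_printf( ber, "N}" )` a few lines later does check for -1; the first call should get the same handling, as sketched below. The `cctrls` parameter is accepted but not used anywhere in the function, which deserves a comment. The patch header itself notes the mechanism is only needed for older Exchange servers, so it is worth recording in the header why this layer carries it.

```c
 /* ... unchanged: rc = ber_printf( ber, "{it{istON}", ... cred ); ... */

 if ( rc == -1 ) {
   ld->ld_errno = LDAP_ENCODING_ERROR;
   ber_free( ber, 1 );
   return ld->ld_errno;
 }

 /* ... unchanged: server controls, closing ber_printf, send ... */
```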
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
new file mode 100644
index 0000000..418fe35
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch
@@ -0,0 +1,11 @@ 
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -20,7 +20,7 @@
+ RELEASEDATE= @OPENLDAP_RELEASE_DATE@
+ 
+ @SET_MAKE@
+-SHELL = /bin/sh
++SHELL = @SHELL@
+ 
+ top_builddir = @top_builddir@
+ 
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
new file mode 100644
index 0000000..1f0ca88
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch
@@ -0,0 +1,64 @@ 
+--- a/configure.in
++++ b/configure.in
+@@ -1214,7 +1214,7 @@ if test $ol_link_tls = no ; then
+ 				ol_with_tls=gnutls
+ 				ol_link_tls=yes
+ 
+-				TLS_LIBS="-lgnutls"
++				TLS_LIBS="-lgnutls -lgcrypt"
+ 
+ 				AC_DEFINE(HAVE_GNUTLS, 1, 
+ 					[define if you have GNUtls])
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -51,21 +51,21 @@ LIB_DEFS = -DLDAP_LIBRARY
+ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(LDAP_LIBLUTIL_A)
+ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(TLS_LIBS)
+ ifneq (,$(VERSION_OPTION))
+   VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
+ endif
+ 
+ apitest:	$(XLIBS) apitest.o
+-	$(LTLINK) -o $@ apitest.o $(LIBS)
++	$(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
+ dntest:	$(XLIBS) dntest.o
+-	$(LTLINK) -o $@ dntest.o $(LIBS)
++	$(LTLINK) -o $@ dntest.o $(LIBS) $(TLS_LIBS)
+ ftest:	$(XLIBS) ftest.o
+-	$(LTLINK) -o $@ ftest.o $(LIBS)
++	$(LTLINK) -o $@ ftest.o $(LIBS) $(TLS_LIBS)
+ ltest:	$(XLIBS) test.o
+-	$(LTLINK) -o $@ test.o $(LIBS)
++	$(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
+ urltest: $(XLIBS) urltest.o
+-	$(LTLINK) -o $@ urltest.o $(LIBS)
++	$(LTLINK) -o $@ urltest.o $(LIBS) $(TLS_LIBS)
+ 
+ CFFILES=ldap.conf
+ 
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -60,7 +60,7 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
+ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ XXXLIBS = $(LTHREAD_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) $(TLS_LIBS)
+ ifneq (,$(VERSION_OPTION))
+   VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
+ endif
+@@ -80,9 +80,9 @@ clean-local: FORCE
+ depend-common: .links
+ 
+ apitest:	$(XLIBS) apitest.o
+-	$(LTLINK) -o $@ apitest.o $(LIBS)
++	$(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
+ ltest:	$(XLIBS) test.o
+-	$(LTLINK) -o $@ test.o $(LIBS)
++	$(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
+ 
+ install-local: $(CFFILES) FORCE
+ 	-$(MKDIR) $(DESTDIR)$(libdir)
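Review bot: `TLS_LIBS="-lgnutls -lgcrypt"` in the configure.in hunk links libgcrypt whenever the GnuTLS backend is chosen, but nothing in this patch checks that libgcrypt is available. A GnuTLS built on a different crypto library does not bring libgcrypt with it, so the link can fail or pick up an undeclared dependency. Either the recipe's GnuTLS option (outside this hunk) must list libgcrypt as a build dependency, or configure should probe with `AC_CHECK_LIB` before appending `-lgcrypt`. The Makefile.in context lines containing `VERSION_FLAGS` show that this patch applies only after libldap-symbol-versions.patch, so the order in the series matters.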
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
new file mode 100644
index 0000000..ab6e2b7
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch
@@ -0,0 +1,43 @@ 
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex.  This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *
+ 	hints.ai_socktype = socktype;
+ 	snprintf(serv, sizeof serv, "%d", port );
+ 
+-	/* most getaddrinfo(3) use non-threadsafe resolver libraries */
+-	LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ 	err = getaddrinfo( host, serv, &hints, &res );
+-
+-	LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ 	if ( err != 0 ) {
+ 		osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n",
+ 			AC_GAI_STRERROR(err), 0, 0);
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -431,9 +431,7 @@ int ldap_pvt_get_hname(
+ 	int rc;
+ #if defined( HAVE_GETNAMEINFO )
+ 
+-	LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ 	rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+-	LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ 	if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ 	return rc;
+ 
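Review bot: Both inner hunks remove the `ldap_int_resolv_mutex` locking around `getaddrinfo()` and `getnameinfo()` unconditionally, although the patch header says the calls are only known to be thread-safe with glibc. A build of this recipe against another C library would then run the resolver calls unserialised across threads. Keeping the lock for that case is cheap: instead of deleting each `LDAP_MUTEX_LOCK`/`LDAP_MUTEX_UNLOCK` line, wrap it in `#ifndef __GLIBC__` … `#endif`. Both functions continue outside the hunks shown.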
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
new file mode 100644
index 0000000..4aad47c
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch
@@ -0,0 +1,23 @@ 
+Author: Mattias Ellert <mattias.ellert@fysast.uu.se>
+Description: adapt parameters of hdb_generate_key_set_password() to heimdal 1.6~git20120311
+ .
+ With version heimdal 1.6~git20120311 heimdal schanged the number of parameters
+ of function hdb_generate_key_set_password(), implementing a fallback to "default"
+ values when NULL-values are passed for these parameters.
+ .
+ This patch does exactly that.
+ .
+Bug-Debian: 664930
+Reviewed-by: Peter Marschall <peter@adpm.de>
+
+--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+@@ -470,7 +470,7 @@ static int smbk5pwd_exop_passwd(
+ 		}
+ 
+ 		ret = hdb_generate_key_set_password(context, ent.principal,
+-			qpw->rs_new.bv_val, &ent.keys.val, &nkeys);
++			qpw->rs_new.bv_val, NULL, 0, &ent.keys.val, &nkeys);
+ 		ent.keys.len = nkeys;
+ 		hdb_seal_keys(context, db, &ent);
+ 		krb5_free_principal( context, ent.principal );
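Review bot: The call to `hdb_generate_key_set_password()` is switched to the seven-argument form with no version guard, so smbk5pwd stops compiling against any Heimdal that still has the five-argument prototype. The patch header ties the new signature to heimdal 1.6~git20120311; which Heimdal this layer provides is not visible here and should be stated in the header. In the context lines, `ret` is not examined before `ent.keys.len = nkeys` and `hdb_seal_keys()` run on the password-change path. Whether it is checked later is outside the hunk, because `smbk5pwd_exop_passwd()` continues beyond it.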
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
new file mode 100644
index 0000000..47fc88a
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch
@@ -0,0 +1,37 @@ 
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form.  This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this.  Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+--- a/doc/man/man8/slapindex.8
++++ b/doc/man/man8/slapindex.8
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+--- a/servers/slapd/slapindex.c
++++ b/servers/slapd/slapindex.c
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++    if (geteuid() == 0)
++        fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ 	ID id;
+ 	int rc = EXIT_SUCCESS;
+ 	const char *progname = "slapindex";
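Review bot: The added `geteuid()` check sits ahead of the `ID id;` and `int rc` declarations, so `slapindex()` now has a statement before its declarations, which C89 compilers and `-Wdeclaration-after-statement` reject; move the two added lines below the declaration block. The message contains a typo, `Runnig` for `Running`, and the hunk adds no `#include <unistd.h>` for `geteuid()` (it may already come in through a header outside the hunk). The check only warns, so index files created by root keep root ownership and slapd can still fail to open them, as the patch header acknowledges. The function body continues outside the hunk.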
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
new file mode 100644
index 0000000..2992b70
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
@@ -0,0 +1,14 @@ 
+# This patch ensures that the install operations which strip
+# programs and libraries (LTINSTALL) work in a cross build
+# environment.
+--- openldap-2.2.24/.pc/install-strip.patch/build/top.mk	2005-01-20 09:00:55.000000000 -0800
++++ openldap-2.2.24/build/top.mk	2005-04-16 13:48:20.536710376 -0700
+@@ -116,7 +116,7 @@
+ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
+ 	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
+ 
+-LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL) 
++LTINSTALL = STRIPPROG="" $(LIBTOOL) --mode=install $(top_srcdir)/contrib/ldapc++/install-sh -c
+ LTFINISH = $(LIBTOOL) --mode=finish
+ 
+ # Misc UNIX commands used in build environment
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
new file mode 100644
index 0000000..e8aab91
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch
@@ -0,0 +1,29 @@ 
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,7 +317,7 @@ certificates in separate individual file
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ 
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+ database.  If <path> contains a Mozilla NSS cert/key database and
+@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS.
+ Specifies the file to obtain random bits from when /dev/[u]random is
+ not available. Generally set to the name of the EGD/PRNGD socket.
+ The environment variable RANDFILE can also be used to specify the filename.
+-This parameter is ignored with GnuTLS and Mozilla NSS.
++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_REQCERT <level>
+ Specifies what checks to perform on server certificates in a TLS session,
+@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation
+ used to verify if the server certificates have not been revoked. This
+ requires
+ .B TLS_CACERTDIR
+-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
new file mode 100644
index 0000000..a482bbf
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch
@@ -0,0 +1,16 @@ 
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+ 
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+ 
+ /*
+  * SLAPD DEFINITIONS
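Review bot: `LDAPI_SOCK` now resolves to a path under a `slapd` subdirectory of the run directory, but nothing in this patch creates that directory, and where the run directory is volatile it must be recreated on every boot before slapd starts. The directory's owner and mode also determine which local users can reach the ldapi socket, so they should be set deliberately: owned by the account slapd runs as, and not world-writable. That belongs in the init script or volatile-directory configuration, which are outside this hunk. The header's rationale, slapd running as `openldap`, is a Debian default; the header should say which account this layer uses.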
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
new file mode 100644
index 0000000..fb28f49
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch
@@ -0,0 +1,161 @@ 
+Add symbol versioning to the public LDAP libraries.  This is required for
+library transitions, such as the current transition from 2.1 to 2.4,
+since programs will sometimes have both libraries loaded by different
+dependency chains during the transition.
+
+Not yet contributed upstream.
+
+Upstream ITS #5365 filed requesting symbol versioning for libldap and
+libber.
+
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ XXXLIBS = $(LTHREAD_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
++ifneq (,$(VERSION_OPTION))
++  VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
++endif
+ 
+ .links : Makefile
+ 	@for i in $(XXSRCS); do \
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD)
+ # LINK_LIBS referenced in library and module link commands.
+ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
+ 
++# option to pass to $(CC) to support library symbol versioning, if any
++VERSION_OPTION = @VERSION_OPTION@
++
+ LTSTATIC = @LTSTATIC@
+ 
+ LTLINK   = $(LIBTOOL) --mode=link \
+@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB)
+ 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
+ 
+ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
+-	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
++	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
+ 
+ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
+ 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+--- a/build/openldap.m4
++++ b/build/openldap.m4
+@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT],
+ #endif
+ 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
+ ])
++
++dnl ====================================================================
++dnl check for symbol versioning support
++AC_DEFUN([OL_SYMBOL_VERSIONING],
++[AC_CACHE_CHECK([for .symver assembler directive],
++	[ol_cv_asm_symver_directive],[
++cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++  ol_cv_asm_symver_directive=yes
++else
++  ol_cv_asm_symver_directive=no
++fi
++rm -f conftest*])
++AC_CACHE_CHECK([for ld --version-script],
++	[ol_cv_ld_version_script_option],[
++if test $ol_cv_asm_symver_directive = yes; then
++  cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++  cat > conftest.map <<EOF
++VERS_1 {
++	global: sym;
++};
++
++VERS_2 {
++	global: sym;
++} VERS_1;
++EOF
++  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
++                                                 -o conftest.so conftest.o
++                                                 -Wl,--version-script,conftest.map
++                       1>&AS_MESSAGE_LOG_FD]);
++    then
++      ol_cv_ld_version_script_option=yes
++    else
++      ol_cv_ld_version_script_option=no
++    fi
++  else
++    ol_cv_ld_version_script_option=no
++  fi
++else
++  ol_cv_ld_version_script_option=no
++fi
++rm -f conftest*])])
+--- a/configure.in
++++ b/configure.in
+@@ -1909,6 +1909,13 @@ else
+ fi
+ AC_SUBST(LTSTATIC)dnl
+ 
++VERSION_OPTION=""
++OL_SYMBOL_VERSIONING
++if test $ol_cv_ld_version_script_option = yes ; then
++  VERSION_OPTION="-Wl,--version-script="
++fi
++AC_SUBST(VERSION_OPTION)
++
+ dnl ----------------------------------------------------------------
+ if test $ol_enable_wrappers != no ; then
+ 	AC_CHECK_HEADERS(tcpd.h,[
+--- /dev/null
++++ b/libraries/libldap/libldap.map
+@@ -0,0 +1,7 @@
++OPENLDAP_2.4_2 {
++  global:
++    ldap_*;
++    ldif_*;
++  local:
++    *;
++};
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
+ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
++ifneq (,$(VERSION_OPTION))
++  VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
++endif
+ 
+ apitest:	$(XLIBS) apitest.o
+ 	$(LTLINK) -o $@ apitest.o $(LIBS)
+--- a/libraries/liblber/Makefile.in
++++ b/libraries/liblber/Makefile.in
+@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
+ XXLIBS = 
+ NT_LINK_LIBS = $(AC_LIBS)
+ UNIX_LINK_LIBS = $(AC_LIBS)
++ifneq (,$(VERSION_OPTION))
++  VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
++endif
+ 
+ dtest:    $(XLIBS) dtest.o
+ 	$(LTLINK) -o $@ dtest.o $(LIBS)
+--- /dev/null
++++ b/libraries/liblber/liblber.map
+@@ -0,0 +1,8 @@
++OPENLDAP_2.4_2 {
++  global:
++    ber_*;
++    der_alloc;
++    lutil_*;
++  local:
++    *;
++};
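Review bot: The three `VERSION_FLAGS` assignments are quoted inconsistently: libldap_r/Makefile.in and liblber/Makefile.in wrap the value in double quotes, libldap/Makefile.in does not, so a source path containing spaces behaves differently per library. Use the quoted form in libldap too: `VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/libldap.map"`. The conftest snippets in `OL_SYMBOL_VERSIONING` expand `${libc_cv_dot_text}`, which nothing in this patch sets; a `dnl` comment saying it is expected to be empty would save the next reader a search. Both map files end in `local: *;`, so any symbol outside the listed prefixes stops being exported, which the patch header should mention.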
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
new file mode 100644
index 0000000..5f55137
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/man-slapd.patch
@@ -0,0 +1,60 @@ 
+Patch the slapd man page to not refer to a header file that isn't
+installed with the slapd package and to reference the correct path
+for slapd.
+
+Debian-specific.
+
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B /usr/sbin/slapd 
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -103,11 +103,10 @@
+ will not fork or disassociate from the invoking terminal.  Some general
+ operation and status messages are printed for any value of \fIdebug-level\fP.
+ \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+-different kind of debugging information.  See <ldap_log.h> for details.
+-Comma-separated arrays of friendly names can be specified to select
+-debugging output of the corresponding debugging information.
+-All the names recognized by the \fIloglevel\fP directive 
+-described in \fBslapd.conf\fP(5) are supported.
++different kind of debugging information.  Comma-separated arrays of friendly
++names can be specified to select debugging output of the corresponding
++debugging information.  All the names recognized by the \fIloglevel\fP
++directive described in \fBslapd.conf\fP(5) are supported.
+ If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+ and slapd exits.
+ 
+@@ -317,7 +316,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	/usr/sbin/slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +327,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	/usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +335,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	/usr/sbin/slapd \-Tt
+ .ft
+ .fi
+ .LP
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
new file mode 100644
index 0000000..8e7812d
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch
@@ -0,0 +1,25 @@ 
+Description: don't use AM_INIT_AUTOMAKE macro when we aren't using automake
+ Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
+ using automake, and it confuses autoreconf.  Use AC_INIT() instead.
+Author: Steve Langasek <vorlon@debian.org>
+
+--- a/configure.in
++++ b/configure.in
+@@ -26,7 +26,8 @@ dnl Configure.in for OpenLDAP
+ AC_COPYRIGHT([[Copyright 1998-2014 The OpenLDAP Foundation. All rights reserved.
+ Restrictions apply, see COPYRIGHT and LICENSE files.]])
+ AC_REVISION([$Id: 81bd528fb5194c83d688db355737b7715448b958 $])
+-AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
++AC_INIT([OpenLDAP],[$OL_VERSION],[http://www.openldap.org/its/])
++AC_PROG_MAKE_SET
+ m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
+ AC_CONFIG_SRCDIR(build/version.sh)dnl
+ dnl ----------------------------------------------------------------
+@@ -69,7 +70,6 @@ dnl Determine host platform
+ dnl		we try not to use this for much
+ AC_CANONICAL_TARGET([])
+ 
+-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
+ AC_SUBST(PACKAGE)dnl
+ AC_SUBST(VERSION)dnl
+ AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
new file mode 100644
index 0000000..db76aa7
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch
@@ -0,0 +1,42 @@ 
+Author: Steve Langasek <vorlon@debian.org>
+Description: don't second-guess BDB ABI
+ OpenLDAP upstream conservatively assumes that any change to the version
+ number of libdb can result in an API-breaking change that could impact
+ the database.  In Debian, we know that such changes require bumping the
+ library soname and changing the package name, and demand such rigor from
+ our package maintainers even when upstreams don't deliver; so any such
+ check in the source code works against the packaging system by forcing
+ database upgrades when we know none are required.  Disable this check
+ so we rely on the packaging system to do its job.
+Bug-Debian: http://bugs.debian.org/651333
+Forwarded: not-needed
+
+--- a/servers/slapd/back-bdb/init.c
++++ b/servers/slapd/back-bdb/init.c
+@@ -762,7 +762,7 @@ bdb_back_initialize(
+ 	bi->bi_controls = controls;
+ 
+ 	{	/* version check */
+-		int major, minor, patch, ver;
++		int major, minor, patch;
+ 		char *version = db_version( &major, &minor, &patch );
+ #ifdef HAVE_EBCDIC
+ 		char v2[1024];
+@@ -776,17 +776,6 @@ bdb_back_initialize(
+ 		version = v2;
+ #endif
+ 
+-		ver = (major << 24) | (minor << 16) | patch;
+-		if( ver != DB_VERSION_FULL ) {
+-			/* fail if a versions don't match */
+-			Debug( LDAP_DEBUG_ANY,
+-				LDAP_XSTRING(bdb_back_initialize) ": "
+-				"BDB library version mismatch:"
+-				" expected " DB_VERSION_STRING ","
+-				" got %s\n", version, 0, 0 );
+-			return -1;
+-		}
+-
+ 		Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
+ 			": %s\n", version, 0, 0 );
+ 	}
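Review bot: With the `ver != DB_VERSION_FULL` comparison removed from `bdb_back_initialize`, slapd no longer notices when the libdb it loads at run time differs from the one it was compiled against. The justification in the patch header rests on Debian's soname and package-naming policy, and nothing visible in this recipe shows that the layer's `db` recipe gives the same guarantee. Consider leaving this patch out of `SRC_URI`, or keeping the comparison as a non-fatal `Debug( LDAP_DEBUG_ANY, ... )` message without the `return -1;`, so a mismatch is still logged before back-bdb opens existing databases. The body of `bdb_back_initialize` starts and ends outside the inner hunks.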
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
new file mode 100644
index 0000000..5ea240f
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
@@ -0,0 +1,55 @@ 
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream.  Somewhat Debian-specific and probably not of
+interest upstream.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -63,4 +63,6 @@
+ 	/* dn of the default "monitor" subentry */
+ #define SLAPD_MONITOR_DN		"cn=Monitor"
+ 
++#define SASL_CONFIGPATH                        LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper
+ };
+ #endif
+ 
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++	char * sasl_default_configpath;
++	size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++	sasl_default_configpath = "/usr/lib/sasl2";
++#else
++	sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++	len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++		strlen(sasl_default_configpath) + 1 /* \0 */;
++	*path = malloc( len );
++	if ( *path == NULL )
++		return SASL_FAIL;
++
++	if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++				sasl_default_configpath ) != len-1 )
++		return SASL_FAIL;
++
++	return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ 	int rc;
+ 	static sasl_callback_t server_callbacks[] = {
+ 		{ SASL_CB_LOG, &slap_sasl_log, NULL },
++		{ SASL_CB_GETCONFPATH, &slap_sasl_getconfpath, NULL },
+ 		{ SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
+ 		{ SASL_CB_LIST_END, NULL, NULL }
+ 	};
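Review bot: In `slap_sasl_getconfpath`, the `snprintf` failure branch returns `SASL_FAIL` while `*path` still points at the `malloc`ed buffer, so the buffer leaks and the caller is left with a pointer to a partly written string; add `free( *path ); *path = NULL;` before that `return SASL_FAIL;`. The test `!= len-1` compares the `int` result of `snprintf` with a `size_t`; writing it as `!= (int)(len-1)` makes the conversion explicit. The second search-path entry is hard-coded as `/usr/lib/sasl2`, which will not match a target whose libdir is not `/usr/lib`. The function also appears to sit above the `#ifdef HAVE_CYRUS_SASL` that opens inside `slap_sasl_init`, so a build using the `--without-cyrus-sasl` side of `PACKAGECONFIG[sasl]` may not see `SASL_FAIL` and `SASL_OK`; this is worth confirming against the full file.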
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/series b/meta-oe/recipes-support/openldap/openldap-2.4.39/series
new file mode 100644
index 0000000..2f47de3
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/series
@@ -0,0 +1,21 @@ 
+man-slapd 
+evolution-ntlm
+slapi-errorlog-file 
+ldapi-socket-place 
+wrong-database-location 
+index-files-created-as-root 
+sasl-default-path 
+libldap-symbol-versions
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-modules-use-dpkg-buildflags
+smbk5pwd-makefile
+autogroup-makefile
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-ftbfs-binutils-gold
+fix-build-top-mk
+no-AM_INIT_AUTOMAKE
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+no-bdb-ABI-second-guessing
+heimdal-fix
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
new file mode 100644
index 0000000..4899451
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
@@ -0,0 +1,16 @@ 
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir.  Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+--- a/servers/slapd/slapi/slapi_overlay.c
++++ b/servers/slapd/slapi/slapi_overlay.c
+@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
+ 		ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+ 
+ 		if ( slapi_log_file == NULL )
+-			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+ 
+ 		rc = slapi_int_init_object_extensions();
+ 		if ( rc != 0 )
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
new file mode 100644
index 0000000..17d1b56
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
@@ -0,0 +1,53 @@ 
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -14,17 +14,17 @@
+ 
+ LDAP_SRC = ../../..
+ LDAP_BUILD = ../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+-	$(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/debian/build/servers/slapd -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+ SSL_INC = 
+-SSL_LIB = -lcrypto
++SSL_LIB = -lgcrypt
+ 
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = -I/usr/include
++HEIMDAL_LIB = -lkrb5 -lkadm5srv
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+@@ -35,13 +35,13 @@ LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_
+ PROGRAMS = smbk5pwd.la
+ LTVER = 0:0:0
+ 
+-prefix=/usr/local
++prefix=/usr
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
+@@ -55,7 +55,7 @@ smbk5pwd.la:	smbk5pwd.lo
+ 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
+-	rm -rf *.o *.lo *.la .libs
++	$(LIBTOOL) --mode=clean rm -f
+ 
+ install: $(PROGRAMS)
+ 	mkdir -p $(DESTDIR)$(moduledir)
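Review bot: `HEIMDAL_INC = -I/usr/include`, together with the unchanged `CC = gcc`, points this contrib build at the build host's headers and compiler. `SSL_LIB = -lgcrypt` names a library the recipe never adds to `DEPENDS`, and the default `PACKAGECONFIG` selects openssl. The `$(LDAP_BUILD)/debian/build/...` values for `LDAP_INC`, `LDAP_LIB` and `LIBTOOL` assume Debian's separate build directory, which an `autotools-brokensep` build would not be expected to create. If the recipe never builds `contrib/slapd-modules/smbk5pwd`, as the visible `.bb` suggests, this patch can be dropped from `SRC_URI`. Otherwise these variables should come from the cross environment, for example an empty `HEIMDAL_INC =` and `CC` supplied by the caller.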
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
new file mode 100644
index 0000000..f0dd4e1
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
@@ -0,0 +1,40 @@ 
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.    
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -180,7 +194,7 @@ int module_load(const char* file_name, i
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );
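Review bot: `module_load` now opens every slapd module through `slapd_lt_dlopenext_global`, so each module's symbols become globally visible, but the only stated beneficiary, back_perl, is disabled in this recipe (`# PACKAGECONFIG[perl]`). The recipe's own comment about `init_module` clashing between dyngroup and proxycache shows that modules here already share symbol names, and global visibility makes such collisions resolve by load order instead of staying private to each module. Unless something in this layer needs it, I would leave this patch out of `SRC_URI`. If it stays, declare `lt_dladvise advise = 0;` so that the unconditional `lt_dladvise_destroy (&advise)` does not depend on what a failed `lt_dladvise_init` leaves behind. The body of `module_load` continues outside the inner hunks.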
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
new file mode 100644
index 0000000..25d96cb
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
@@ -0,0 +1,74 @@ 
+Move the default slapd database location to /var/lib/ldap instead of
+/var/openldap-data.
+
+Debian-specific.
+
+--- a/doc/man/man5/slapd-bdb.5
++++ b/doc/man/man5/slapd-bdb.5
+@@ -131,7 +131,7 @@ Specify the directory where the BDB file
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ .B dirtyread
+ Allow reads of modified but not yet committed data.
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -2007,7 +2007,7 @@ suffix    "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ index     objectClass  eq
+ index     cn,sn,mail   pres,eq,approx,sub
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -47,7 +47,7 @@
+ 	/* location of the default slapd config file */
+ #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
+ #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
+ #define SLAPD_DEFAULT_DB_MODE		0600
+ #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
+ 	/* default max deref depth for aliases */
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -445,9 +445,9 @@ install-conf: FORCE
+ 
+ install-db-config: FORCE
+ 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++		$(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+ 
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ olcDbIndex:     objectClass  eq
+ olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
+--- a/doc/man/man5/slapd-mdb.5
++++ b/doc/man/man5/slapd-mdb.5
+@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
+ Specify flags for finer-grained control of the LMDB library's operation.
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb b/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
new file mode 100644
index 0000000..3048c8e
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
@@ -0,0 +1,182 @@ 
+# OpenLDAP, a license free (see http://www.OpenLDAP.org/license.html)
+#
+DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol."
+HOMEPAGE = "http://www.OpenLDAP.org/license.html"
+# The OpenLDAP Public License - see the HOMEPAGE - defines
+# the license.  www.openldap.org claims this is Open Source
+# (see http://www.openldap.org), the license appears to be
+# basically BSD.  opensource.org does not record this license
+# at present (so it is apparently not OSI certified).
+LICENSE = "OpenLDAP"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=f2bdbaa4f50199a00b6de2ca7ec1db05"
+SECTION = "libs"
+
+# patches taken from Debian
+SRC_URI = "\
+    ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${P}.tgz \
+    file://man-slapd.patch \
+    file://evolution-ntlm.patch \
+    file://slapi-errorlog-file.patch \
+    file://ldapi-socket-place.patch \
+    file://wrong-database-location.patch \
+    file://index-files-created-as-root.patch \
+    file://sasl-default-path.patch \
+    file://libldap-symbol-versions.patch \
+    file://getaddrinfo-is-threadsafe.patch \
+    file://do-not-second-guess-sonames.patch \
+    file://contrib-modules-use-dpkg-buildflags.patch \
+    file://smbk5pwd-makefile.patch \
+    file://autogroup-makefile.patch \
+    file://ldap-conf-tls-cacertdir.patch \
+    file://add-tlscacert-option-to-ldap-conf.patch \
+    file://fix-ftbfs-binutils-gold.patch \
+    file://fix-build-top-mk.patch \
+    file://no-AM_INIT_AUTOMAKE.patch \
+    file://switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch \
+    file://no-bdb-ABI-second-guessing.patch \
+    file://heimdal-fix.patch \
+"
+SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
+SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
+
+DEPENDS = "util-linux groff-native db"
+
+PR = "r0"
+# The original top.mk used INSTALL, not INSTALL_STRIP_PROGRAM when
+# installing .so and executables, this fails in cross compilation
+# environments
+SRC_URI += "file://install-strip.patch"
+
+# inherit autotools
+inherit autotools-brokensep
+
+# CV SETTINGS
+# Required to work round AC_FUNC_MEMCMP which gets the wrong answer
+# when cross compiling (should be in site?)
+EXTRA_OECONF += "ac_cv_func_memcmp_working=yes"
+
+# CONFIG DEFINITIONS
+# The following is necessary because it cannot be determined for a
+# cross compile automagically.  Select should yield fine on all OE
+# systems...
+EXTRA_OECONF += "--with-yielding-select=yes"
+# Shared libraries are nice...
+EXTRA_OECONF += "--enable-dynamic"
+
+PACKAGECONFIG ??= "openssl modules \
+                   ldap meta monitor null passwd shell proxycache dnssrv \
+		   bdb hdb mdb sasl \
+"
+#--with-tls              with TLS/SSL support auto|openssl|gnutls [auto]
+PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls"
+PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl"
+
+PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl"
+PACKAGECONFIG[modules] = "lt_cv_dlopen_self=yes --enable-modules,--disable-modules,libtool"
+
+# SLAPD options
+#
+# UNIX crypt(3) passwd support:
+EXTRA_OECONF += "--enable-crypt"
+
+EXTRA_OECONF += "--enable-ipv6"
+
+# SLAPD BACKEND
+#
+# The backend must be set by the configuration.  This controls the
+# required database, the default database, bdb, is turned off but
+# can be turned back on again and it *is* below!  The monitor backend
+# is also disabled.  If you try to change the backends but fail to
+# enable a single one the build will fail in an obvious way.
+#
+# EXTRA_OECONF += "--disable-bdb --disable-hdb --disable-monitor"
+#
+# Backends="bdb dnssrv hdb ldap ldbm meta monitor null passwd perl shell sql"
+#
+# Note that multiple backends can be built.  The ldbm backend requires a
+# build-time choice of database API.  The bdb backend forces this to be
+# DB4.  To use the gdbm (or other) API the Berkely database module must
+# be removed from the build.
+md = "${libexecdir}/openldap"
+#
+#--enable-bdb          enable Berkeley DB backend no|yes|mod yes
+# The Berkely DB is the standard choice.  This version of OpenLDAP requires
+# the version 4 implementation or better.
+PACKAGECONFIG[bdb] = "--enable-bdb=mod,--enable-bdb=no,db"
+
+#--enable-dnssrv       enable dnssrv backend no|yes|mod no
+PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no"
+
+#--enable-hdb          enable Hierarchical DB backend no|yes|mod no
+# This forces ldbm to use Berkeley too, remove to use gdbm
+PACKAGECONFIG[hdb] = "--enable-hdb=mod,--enable-hdb=no,db"
+
+#--enable-ldap         enable ldap backend no|yes|mod no
+PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no,"
+
+#--enable-ldbm         enable ldbm backend no|yes|mod no
+# ldbm requires further specification of the underlying database API, because
+# bdb is enabled above this must be set to berkeley, however the config
+# defaults this correctly so --with-ldbm-api is *not* set.  The build will
+# fail if bdb is removed, but no database is built to provide the
+# support for ldbm
+# guide.html:<P>back-ldbm was both slow and unreliable. Its byzantine indexing code was prone to spontaneous corruption, as were the underlying database libraries that were commonly used (e.g. GDBM or NDBM). back-bdb and back-hdb are superior in every aspect, with simplified indexing to avoid index corruption, fine-grained locking for greater concurrency, hierarchical caching for greater performance, streamlined on-disk format for greater efficiency and portability, and full transaction support for greater reliability.</P>
+# configure: WARNING: unrecognized options: --disable-silent-rules, --enable-ldbm, --with-ldbm-api
+#PACKAGECONFIG[ldbm] = "--enable-ldbm=mod --with-ldbm-api=gdbm,--enable-ldbm-no,gdbm"
+
+#--enable-meta         enable metadirectory backend no|yes|mod no
+PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no,"
+
+#--enable-monitor      enable monitor backend no|yes|mod yes
+PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no,"
+
+#--enable-null         enable null backend no|yes|mod no
+PACKAGECONFIG[null] = "--enable-null=mod,--enable-null=no,"
+
+#--enable-passwd       enable passwd backend no|yes|mod no
+PACKAGECONFIG[passwd] = "--enable-passwd=mod,--enable-passwd=no,"
+
+# disabling perl support - host contamination issues
+#
+#--enable-perl         enable perl backend no|yes|mod no
+#  This requires a loadable perl dynamic library, if enabled without
+#  doing something appropriate (building perl?) the build will pick
+#  up the build machine perl - not good (inherit perlnative?)
+# PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl"
+
+#--enable-shell        enable shell backend no|yes|mod no
+# configure: WARNING: Use of --without-threads is recommended with back-shell
+PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no,"
+
+#--enable-sql          enable sql backend no|yes|mod no
+# sql requires some sql backend which provides sql.h, sqlite* provides
+# sqlite.h (which may be compatible but hasn't been tried.)
+PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3"
+
+#--enable-dyngroup     Dynamic Group overlay no|yes|mod no
+#  This is a demo, Proxy Cache defines init_module which conflicts with the
+#  same symbol in dyngroup
+PACKAGECONFIG[dyngroup] = "--enable-dyngroup=mod,--enable-dyngroup=no,"
+
+#--enable-proxycache   Proxy Cache overlay no|yes|mod no
+PACKAGECONFIG[proxycache] = "--enable-proxycache=mod,--enable-proxycache=no,"
+
+#--enable-mdb         enable mdb database backend no|yes|mod no
+PACKAGECONFIG[mdb] = "--enable-mdb=mod,--enable-mdb=no,"
+
+CPPFLAGS_append = " -D_GNU_SOURCE"
+
+do_configure() {
+    cp ${STAGING_DATADIR_NATIVE}/libtool/config/ltmain.sh ${S}/build
+    rm -f ${S}/libtool
+    rm -f ${S}/libtool
+    aclocal
+    libtoolize --force --copy
+    gnu-configize
+    autoconf
+    oe_runconf
+}
+
+FILES_${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libdir}/*.a ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so"
+FILES_${PN}-dbg += "${libexecdir}/openldap/.debug"
+