--- openldap-2.4.23.orig/debian/slapd.links +++ openldap-2.4.23/debian/slapd.links @@ -0,0 +1 @@ +usr/share/slapd/DB_CONFIG usr/share/doc/slapd/examples/DB_CONFIG --- openldap-2.4.23.orig/debian/changelog +++ openldap-2.4.23/debian/changelog @@ -0,0 +1,3143 @@ +openldap (2.4.23-0ubuntu3.5) maverick-security; urgency=low + + * SECURITY UPDATE: fix successful anonymous bind via chain overlay when + using forwarded authentication failures + - debian/patches/CVE-2011-1024 + - CVE-2011-1024 + * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb + backend. Note: Ubuntu is not compiled with --enable-ndb by default + - debian/patches/CVE-2011-1025 + - CVE-2011-1025 + * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests + and requestDN is empty + - debian/patches/CVE-2011-1081 + - CVE-2011-1081 + + -- Jamie Strandboge Wed, 16 Mar 2011 09:48:17 -0500 + +openldap (2.4.23-0ubuntu3.4) maverick-proposed; urgency=low + + * debian/patches/gssapi.diff: Update patch so that likewise-open is usable again. + (LP: #661547) + + -- Chuck Short Thu, 18 Nov 2010 14:38:18 -0500 + +openldap (2.4.23-0ubuntu3.3) maverick-proposed; urgency=low + + * debian/slapd.templates: amended typo in slapd/move_old_database + (LP: #666028) + + -- James Page Mon, 08 Nov 2010 10:00:58 +0000 + +openldap (2.4.23-0ubuntu3.2) maverick-proposed; urgency=low + + * debian/slapd.templates: re-add slapd/move_old_database template as it's + used during the package upgrade. Thanks to James Page for pointing it. + * debian/slapd.config: restore debconf question slapd/move_old_database. + + -- Mathias Gug Thu, 14 Oct 2010 16:56:38 -0400 + +openldap (2.4.23-0ubuntu3.1) maverick-proposed; urgency=low + + [ James Page ] + * Fixed install/upgrade process to dump/restore databases due + to uplift to libdb4.8-dev (LP: #658227) + + -- Mathias Gug Thu, 14 Oct 2010 14:50:49 -0400 + +openldap (2.4.23-0ubuntu3) maverick; urgency=low + + * debian/rules: move dh_apparmor before dh_installinit + + -- Jamie Strandboge Fri, 06 Aug 2010 17:34:21 -0500 + +openldap (2.4.23-0ubuntu2) maverick; urgency=low + + * convert to using dh_apparmor: + - debian/rules, debian/slapd.post{inst,rm}: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + * debian/apparmor-profile: use local include + + -- Jamie Strandboge Fri, 06 Aug 2010 15:08:55 -0500 + +openldap (2.4.23-0ubuntu1) maverick; urgency=low + + * New release, features include: + + Fixed libldap to return server's error code (ITS#6569) + + Fixed libldap memleaks (ITS#6568) + + Fixed liblutil off-by-one with delta (ITS#6541) + + Fixed slapd acls with glued databases (ITS#6468) + + Fixed slapd syncrepl rid logging (ITS#6533) + + Fixed slapd modrdn handling of invalid values (ITS#6570) + + Fixed slapd-bdb hasSubordinates computation (ITS#6549) + + Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474) + + Fixed slapd-bdb entry cache delete failure (ITS#6577) + + Fixed slapd-ldap to return control responses (ITS#6530) + + Fixed slapo-ppolicy to use Debug (ITS#6566) + + Fixed slapo-refint to zero out freed DN vals (ITS#6572) + + Fixed slapo-rwm to use Debug (ITS#6566) + + Fixed slapo-sssvlv to use Debug (ITS#6566) + + Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555) + + Fixed slapo-valsort to use Debug (ITS#6566) + + Fixed contrib/nssov network.c missing patch (ITS#6562) + + Fixed test043 attribute sorting (ITS#6553) + + slapd-config(5) note default rootdn (ITS#6546) + * Rebased patches debian/patches/dropped nssov-build + * Resynchronize with Debian: + + debian/control: + - Bump standards-version to 3.9.0 + - Use libdb4.8-dev (LP: #572489) + + Added debian/patches/issue-6534-patch + + Added debian/patches/ldap-conf-tls-cacertdir + * Add ufw support, thanks to PatRiehecky (LP: #423246) + + [Adam Sommer] + * debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + -- Chuck Short Wed, 28 Jul 2010 11:35:16 -0400 + +openldap (2.4.21-0ubuntu5) lucid; urgency=low + + * Fix local root connection access: replace olcAuthzRegexp mapping to + cn=localroot,cn=config with using the SASL dn directly in olcAccess. + Makes upgrades much simpler and robust (LP: #563829). + + -- Mathias Gug Fri, 23 Apr 2010 00:23:31 -0400 + +openldap (2.4.21-0ubuntu4) lucid; urgency=low + + [ Simon Olofsson ] + * debian/slapd.postinst: + - Show a message after successful migration (LP: #538848) + + [ Jorgen Rosink ] + * debian/slapd.init: add simple status checking with LSB compatible exit + codes (LP: #562377) + * debian/slapd.init.ldif: + - remove admin user in default config database (LP: #556176) + - in default config, add olcAccess entries giving access to controls + available and cn=subschema (LP: #427842) + + [ Scott Moser ] + * debian/slapd.scripts-common: Do not create /nonexistent directory + for openldap user's home (LP: #556176) + * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070) + + -- Scott Moser Mon, 12 Apr 2010 16:16:47 -0400 + +openldap (2.4.21-0ubuntu3) lucid; urgency=low + + * debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases + before trying to convert to slapd.d, to avoid upgrade failure from hardy + (LP: #536958) + * debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in + olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230) + + -- Thierry Carrez Mon, 29 Mar 2010 13:31:47 +0200 + +openldap (2.4.21-0ubuntu2) lucid; urgency=low + + * debian/apparmor-profile: Update apparmor profile. (LP: #508190) + + -- Chuck Short Tue, 09 Mar 2010 13:33:35 -0500 + +openldap (2.4.21-0ubuntu1) lucid; urgency=low + + * New upstream release. + * debian/rules, debian/schema/extra/: + Fix get-orig-source rule to supports extra schemas shipped as part of the + debian/schema/ directory. + + -- Mathias Gug Thu, 18 Feb 2010 00:58:13 -0500 + +openldap (2.4.18-0ubuntu2) lucid; urgency=low + + * debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining principal + * Enable GSSAPI support (LP: #495418): + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + -- Thierry Carrez Fri, 11 Dec 2009 11:31:11 +0100 + +openldap (2.4.18-0ubuntu1) karmic; urgency=low + + * New upstream release: (LP: #419515): + + pcache overlay supports disconnected mode. + * Fix nss overlay load (LP: #417163). + + -- Mathias Gug Mon, 07 Sep 2009 13:41:10 -0400 + +openldap (2.4.17-1ubuntu3) karmic; urgency=low + + * Install a minimal slapd configuration instead of creating a default + database with a default DIT: + + Move openldap user home from /var/lib/ldap to /nonexistent. + + Remove all code and templates dealing with the default database and DIT + creation. + + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and + grant all access to the latter in the cn=config database as well as the + default backend configuration. + * Add cn=localroot,cn=config authz mapping on upgrades. + + -- Mathias Gug Tue, 11 Aug 2009 14:48:56 -0400 + +openldap (2.4.17-1ubuntu2) karmic; urgency=low + + [ Thierry Carrez ] + * debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + [ Mathias Gug ] + * debian/patches/its6077-uniqueness-overlay: fixes some issues with the + uniqueness overlay. + * debian/patches/its6220-writetimeout-directive: fixes a problem with the + writetimeout directive being in effect even if it wasn't set, + closing connections incorrectly. + * debian/patches/its6222-dncachesize-parameter: fixes the behavior of the + dncachesize parameter that was added in RE24, so that if it is set to + "0" (now the default), it has an unlimited DN cache (RE23 always + had an unlimited DN cache). + + -- Mathias Gug Fri, 31 Jul 2009 13:43:46 -0400 + +openldap (2.4.17-1ubuntu1) karmic; urgency=low + + [ Steve Langasek ] + * Fix up the lintian warnings: + - add missing misc-depends on all packages + - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive + overrides + - bump Standards-Version to 3.8.2, no changes required. + + [ Mathias Gug ] + * Resynchronise with Debian. Remaining changes: + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/rules: install apparmor profile. + - Don't use local statement in config script as it fails if /bin/sh + points to bash. + - debian/slapd.postinst, debian/slapd.script-common: set correct + ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group + readable) and /var/run/slapd (world readable). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package the nss + overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema which + defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to + the cn=config tree. + - debian/slapd.postinst: create /var/run/slapd before updating its + permissions. + - debian/slapd.init: Correctly set slapd config backend option even if + the pidfile is configured in slapd default file. + * Dropped: + - Merged in Debian: + - Update priority of libldap-2.4-2 to match the archive override. + - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as + the ldapurl(1) manpage. + - Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. + - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + - Fixed in upstream release: + - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 + failure when built with PIE. + - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted. + - Update Apparmor profile support: don't support upgrade from pre-hardy + systems: + - debian/slapd.postinst: Reload AA profile on configuration + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << + 2.1+1075-0ubuntu4 to make sure that if earlier version of + apparmor-profiles gets installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor complain mode on + some upgrades + - debian/slapd.preinst: create symlink for force-complain on + pre-feisty upgrades, upgrades where apparmor-profiles profile is + unchanged (ie non-enforcing) and upgrades where apparmor profile + does not exist. + - debian/patches/autogen.sh: no longer needed with karmic libtool. + - Call libtoolize with the --install option to install + config.{guess,sub} files. + + -- Mathias Gug Thu, 30 Jul 2009 16:42:58 -0400 + +openldap (2.4.17-1) unstable; urgency=low + + * New upstream version. + - Fixes FTBFS on ia64 with -fPIE. Closes: #524770. + - Fixes some TLS issues with GnuTLS. Closes: #505191. + * Update priority of libldap-2.4-2 to match the archive override. + * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the + ldapurl(1) manpage. Thanks to Peter Marschall for the patch. + Closes: #496749. + * Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. Closes: #498116. + * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + * Build-depend on libltdl-dev | libltdl3-dev (>= 1.4.3), for the package + name change. Closes: #522965. + + [ Updated debconf translations ] + * Spanish, thanks to Francisco Javier Cuadrado . + Closes: #521804. + + -- Steve Langasek Tue, 28 Jul 2009 10:17:15 -0700 + +openldap (2.4.15-1.1ubuntu1) karmic; urgency=low + + * Resynchronise with Debian. Remaining changes: + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << + 2.1+1075-0ubuntu4 to make sure that if earlier version of + apparmor-profiles gets installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor complain mode on + some upgrades + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on + pre-feisty upgrades, upgrades where apparmor-profiles profile is + unchanged (ie non-enforcing) and upgrades where apparmor profile + does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install + config.{guess,sub} files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash. + - debian/slapd.postinst, debian/slapd.script-common: set correct + ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group + readable) and /var/run/slapd (world readable). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package the nss + overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema which + defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to + the cn=config tree. + - Update priority of libldap-2.4-2 to match the archive override. + - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as + the ldapurl(1) manpage. + - Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. + - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 + failure when built with PIE. + - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted. + - debian/slapd.postinst: create /var/run/slapd before updating its + permissions. + - debian/slapd.init: Correctly set slapd config backend option even if + the pidfile is configured in slapd default file. + * Drop patch to avoid the test suite on hppa, as hppa is EOL. + + -- Colin Watson Wed, 24 Jun 2009 10:45:20 +0100 + +openldap (2.4.15-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Change libltdl3-dev Build-Depends to libltdl-dev | libltdl3-dev + (Closes: #522965) + + -- Kurt Roeckx Sun, 19 Apr 2009 18:24:32 +0200 + +openldap (2.4.15-1ubuntu3) jaunty; urgency=low + + * No-change rebuild to fix lpia shared library dependencies. + + -- Colin Watson Thu, 19 Mar 2009 09:52:40 +0000 + +openldap (2.4.15-1ubuntu2) jaunty; urgency=low + + * debian/slapd.postinst: create /var/run/slapd before updating its + permissions (LP: #298928). + * debian/slapd.init: Correclty set slapd config backend option even if the + pidfile is configured in slapd default file (LP: #292364). + * debian/apparmor-profile: support multiple databases to be stored under + /var/lib/ldap/. (LP: #286614). + + -- Mathias Gug Fri, 13 Mar 2009 13:56:12 -0400 + +openldap (2.4.15-1ubuntu1) jaunty; urgency=low + + [ Steve Langasek ] + * Update priority of libldap-2.4-2 to match the archive override. + * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the + ldapurl(1) manpage. Thanks to Peter Marschall for the patch. + Closes: #496749. + * Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. Closes: #498116. + * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + - Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + - debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package + the nss overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + * Dropped: + - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at + times. (ITS: #5947) Fixed in new upstream version 2.4.15. + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. Implemented in Debian. + * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure + when built with PIE. + * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted (LP: #305264). + + -- Mathias Gug Fri, 06 Mar 2009 17:34:21 -0500 + +openldap (2.4.15-1) unstable; urgency=low + + * New upstream version + - Fixes a bug with the pcache overlay not returning cached entries + (closes: #497697) + - Update evolution-ntlm patch to apply to current Makefiles. + - (tentatively) drop gnutls-ciphers, since this bug was reported to be + fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the + patch from the bug report, so this should be watched for regressions. + * Build against db4.7 instead of db4.2 at last! Closes: #421946. + * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is + installed in the build environment. + * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with + current headers in unstable + + -- Steve Langasek Tue, 24 Feb 2009 14:27:35 -0800 + +openldap (2.4.14-0ubuntu1) jaunty; urgency=low + + [ Steve Langasek ] + * New upstream version + - Fixes a bug with the pcache overlay not returning cached entries + (closes: #497697) + - Update evolution-ntlm patch to apply to current Makefiles. + - (tentatively) drop gnutls-ciphers, since this bug was reported to be + fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the + patch from the bug report, so this should be watched for regressions. + * Build against db4.7 instead of db4.2 at last! Closes: #421946. + * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is + installed in the build environment. + * New patch, no-crlcheck-for-gnutls, to fix a build failure when using + --with-tls=gnutls. + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + - Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + - debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + - debian/patches/nssov-build, debian/rules: + Build and package the nss overlay. + debian/schema/misc.ldif: add ldif file for the misc schema, which defines + rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + * debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at + times. (ITS: #5947) + + -- Mathias Gug Wed, 18 Feb 2009 18:44:00 -0500 + +openldap (2.4.11-1) unstable; urgency=low + + * New upstream version (closes: #499560). + - Fixes a crash with syncrepl and delcsn (closes: #491066). + - Fix CRL handling with GnuTLS (closes: #498410). + - Drop patches no_backend_inter-linking, + CVE-2008-2952_BER-decoding-assertion, and gnutls-ssf, applied + upstream. + + [ Russ Allbery ] + * New patch, back-perl-init, which updates the calling conventions + around initialization and shutdown of the Perl interpreter to match + the current perlembed recommendations. Fixes probable hangs on HPPA + in back-perl. Thanks, Niko Tyni. (Closes: #495069) + + [ Steve Langasek ] + * Drop the conflict with libldap2, which is not the standard means of + handling symbol conflicts in Debian and which causes serious upgrade + problems from etch. Closes: #487211. + + -- Steve Langasek Sat, 11 Oct 2008 01:53:55 -0700 + +openldap (2.4.11-0ubuntu7) jaunty; urgency=low + + * Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + + -- Mathias Gug Tue, 04 Nov 2008 20:03:46 -0500 + +openldap (2.4.11-0ubuntu6) intrepid; urgency=low + + * Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + + -- Matthias Klose Fri, 24 Oct 2008 23:22:33 +0200 + +openldap (2.4.11-0ubuntu5) intrepid; urgency=low + + * Don't set admin passwords in ldif files if adminpw is empty. + (LP: #273988 - LP: #276606). + + -- Mathias Gug Mon, 13 Oct 2008 19:31:15 -0400 + +openldap (2.4.11-0ubuntu4) intrepid; urgency=low + + * debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + * debian/slapd.script-common: + - Fix package reconfiguration: + + Remove slapd.d/ directory if it already exists when creating a new + configuration. + + Fix backup directory naming for multiple reconfiguration. + + -- Mathias Gug Wed, 24 Sep 2008 21:01:42 -0400 + +openldap (2.4.11-0ubuntu3) intrepid; urgency=low + + * debian/patches/nssov-build, debian/rules: + Build and package the nss overlay. + * debian/schema/misc.ldif: add ldif file for the misc schema, which defines + rfc822MailMember (required by the nss overlay). + + -- Mathias Gug Tue, 26 Aug 2008 18:42:54 -0400 + +openldap (2.4.11-0ubuntu2) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:47:01 -0700 + +openldap (2.4.11-0ubuntu1) intrepid; urgency=low + + * New upstream version: + - Mainly bug fixes. + - New nss slapd overlay (not compiled by default). + * Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + + -- Mathias Gug Mon, 11 Aug 2008 20:26:05 -0400 + +openldap (2.4.10-3ubuntu1) intrepid; urgency=low + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + * Dropped - implemented in Debian: + - debian/patches/fix-gnutls-key-strength.patch: + Fix slapd handling of ssf using gnutls. (LP: #244925). + - debian/control: + Add time as build dependency: needed by make test. + * debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + * debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + + [ Jamie Strandboge ] + * adjust apparmor profile to allow gssapi (LP: #229252) + * adjust apparmor profile to allow cnconfig (LP: #243525) + + -- Mathias Gug Wed, 30 Jul 2008 19:46:02 -0400 + +openldap (2.4.10-3) unstable; urgency=low + + [ Steve Langasek ] + * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS + vulnerability in the BER decoder. Addresses CVE-2008-2952, + closes: #488710. + * debian/slapd.scripts-common, debian/slapd.postinst: drop + update_path_argsfile_pidfile function, not needed for updates from etch + or newer. + * Drop the code to check for and upgrade ldbm databases. The etch + release of slapd had already dropped support for them and direct + upgrades from sarge are not supported. + + [ Russ Allbery ] + * Apply upstream patch to convert GnuTLS cipher strength from bytes to + bits, as expected by OpenLDAP. (Closes: #473796) + * Add Build-Depends on time, used by the test suite and only a shell + built-in with bash. Thanks, Daniel Schepler. (Closes: #490754) + * Refresh all patches, convert all patches to -p1, and remove extraneous + Index: lines. (Closes: #485263) + * Unless DFSG_NONFREE is set, also check whether the upstream schemas + with RFC comments are included. + * Update standards version to 3.8.0. + - Include debian/README.source pointing to the quilt README.source. + - Wrap Uploaders for readability. + * Wrap slapd's Depends for readability. + + [ Updated debconf translations ] + * Swedish, thanks to Martin Ågren . + Closes: #492748. + + -- Steve Langasek Mon, 28 Jul 2008 15:26:06 -0700 + +openldap (2.4.10-2ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + - debian/patches/fix-gnutls-key-strength.patch: + Fix slapd handling of ssf using gnutls. (LP: #244925). + - debian/control: + Add time as build dependency: needed by make test. + * Dropped - implemented in Debian: + - debian/rules: + Support debuild nocheck option: don't run tests if nocheck is set. + + -- Mathias Gug Thu, 10 Jul 2008 14:45:49 -0400 + +openldap (2.4.10-2) unstable; urgency=low + + * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at + build time + * Hack around glibc behavior when resolving localhost, by exporting + RESOLV_MULTI=off when invoking the test suite + * Reclaim the 'openldap' source package name; openldap2.3 has been a + misnomer for some time, causing undue confusion, so switch to a + permanent source package name that we won't need to change again later. + - Along the way, kill off non-DFSG-compliant schema files that snuck + back into the archive due to my bad merge of 2.4.10. + + -- Steve Langasek Sun, 06 Jul 2008 22:03:32 -0700 + +openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + * debian/control: + - add time as build dependency: needed by make test. + * debian/rules: + - support debuild nocheck option: don't run tests if nocheck is set. + * debian/patches/fix-gnutls-key-strength.patch: + - fix slapd handling of ssf using gnutls. (LP: #244925). + * Dropped - accepted in Debian: + - debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + * Dropped - fixed in new upstream release: + - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion. + (LP: #215904) + - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion + error. (LP: #234196) + - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes. + (LP: #220724) + - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using + syncrepl. (LP: #227178) + - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied + upstream. + + -- Mathias Gug Thu, 03 Jul 2008 14:15:08 -0400 + +openldap2.3 (2.4.10-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream release. + - Clean up ld_defconn if it was freed, fixing an assertion failure in + various clients. Closes: #469232. + - Fixes slapd syncrepl hang on back-config. Closes: #471253. + - Drop patch hurd-path-max, integrated upstream. + * Drop spurious build-dependency on heimdal-dev, introduced accidentally + as part of an aborted attempt to build the smbk5pwd overlay. + * Use hardlinks instead of symlinks for the various slap* commands; this + is functionally equivalent for us, and reduces divergence from + derivatives such as Ubuntu that use apparmor. Closes: #488409. + * New patch, no_backend_inter-linking, to fix the meta backend to not + try to look up symbols in external objects (back_ldap) that it + doesn't link against. + * Turn on 'make test' during builds, now that back_meta is fixed. + + [ Matthijs Mohlmann ] + * All manpages in category 5 were missing, wrong directory. + (Closes: #474976, #483631, #483633) + + -- Steve Langasek Mon, 30 Jun 2008 04:28:34 -0700 + +openldap2.3 (2.4.9-1ubuntu4) intrepid; urgency=low + + * debian/patches/fix-unique-overlay-assertion.patch: + - Fix another assertion error in unique overlay, backported from head. + (LP: #243337) Note: This patch will still be needed when moved to 2.4.10 + + -- Chuck Short Mon, 30 Jun 2008 18:49:52 +0000 + +openldap2.3 (2.4.9-1ubuntu3) intrepid; urgency=low + + * Drop spurious dependency on hiemdal-dev. Caused by an aborted attempt to + include the smbk5pwd overlay. + + -- Chuck Short Wed, 11 Jun 2008 21:25:40 +0000 + +openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low + + * Rebuild for perl 5.10 transition (LP: #230016) + * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using + syncrepl. (LP: #227178) + + -- Chuck Short Mon, 09 Jun 2008 14:56:40 +0000 + +openldap2.3 (2.4.9-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion. + (LP: #215904) + - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion + error. (LP: #234196) + - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes. + (LP: #220724) + - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied + upstream. + * Added debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + + -- Chuck Short Fri, 30 May 2008 17:09:53 +0100 + +openldap2.3 (2.4.9-1) unstable; urgency=low + + [ Updated debconf translations ] + * French, thanks to Christian Perrier . + Closes: #471792. + * Finnish, thanks to Esko Arajärvi . Closes: #475238. + * Czech, thanks to Miroslav Kure . + Closes: #480138. + * Basque, thanks to Piarres Beobide . + Closes: #480177. + * Vietnamese, thanks to Clytie Siddall . + Closes: #480181. + * Galician, thanks to Jacobo Tarrio . Closes: #480218. + * Japanese, thanks to Kenshi Muto . Closes: #480247. + * Italian, thanks to Luca Monducci . (Closes: #477718) + * Brazilian Portuguese, thanks to Eder L. Marques + (Closes: #480172) + * Portuguese, thanks to Tiago Fernandes + (Closes: #481126) + * Russian, thanks to Yuri Kozlov (Closes: #481214) + * Dutch, thanks to "cobaco (aka Bart Cornelis)" . + Closes: #483014. + + [ Matthijs Mohlmann ] + * New upstream release. + - Bad entryUUID no longer crashes slapd. (Closes: #471867) + - Fix assertion failure in some modify operations. (Closes: #474161) + - Mention index in slapd.conf's man page. (Closes: #414650) + - Fixes to slapd include handling. (Closes: #457261) + - Fix syncrepl cookie truncation. (Closes: #464024) + - Fix memory allocation in ldap_parse_page_control. (Closes: #464877) + - Fix slapd crash when accessed by multiple threads. (Closes: #479237) + * Acknowledge NMU. + (Closes: #474976, #471225, #475856, #474652, #465875) + * Bump Standards-Version to 3.7.3 + * Add versioned build dependency on libgnutls-dev (Closes: #466558) + * Bump debhelper compat level to 6. + + [ Russ Allbery ] + * Use MAXPATHLEN rather than PATH_MAX, since OpenLDAP defines the + former and the latter isn't defined on GNU Hurd. Thanks, Samuel + Thibault. (Closes: #475744) + + -- Matthijs Mohlmann Mon, 26 May 2008 22:34:16 +0200 + +openldap2.3 (2.4.7-6.3) unstable; urgency=low + + * Non-maintainer upload. + * Install all slapd relevant manpages into slapd package. + (closes: #474976) + * Make libldap-2.4-2 conflict against libldap2. (closes: #475856) + + -- Bastian Blank Tue, 29 Apr 2008 18:00:23 +0200 + +openldap2.3 (2.4.7-6.2) unstable; urgency=low + + * Non-maintainer upload to solve release goal issues. + * Add LSB dependency header to init.d scripts (Closes: #474652) + + -- Petter Reinholdtsen Wed, 16 Apr 2008 08:04:49 +0200 + +openldap2.3 (2.4.7-6.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * Fix possible remote denial of service vulnerability in the BDB backend + via a modrdn operation with a NOOP control + (CVE-2008-0658; Closes: #465875). + + -- Nico Golde Tue, 04 Mar 2008 14:34:44 +0100 + +openldap2.3 (2.4.7-6ubuntu3) hardy; urgency=low + + * remove apparmor-profile workaround for Launchpad #202161 (it's now fixed + in klibc) + + -- Jamie Strandboge Mon, 07 Apr 2008 16:09:38 -0400 + +openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low + + * apparmor-profile workaround for Launchpad #202161 + * follow ApparmorProfileMigration and force apparmor complain mode on some + upgrades (LP: #203529) + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist + - debian/slapd.postrm: remove symlink in force-complain/ on purge + * debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + + -- Jamie Strandboge Tue, 18 Mar 2008 13:53:23 -0400 + +openldap2.3 (2.4.7-6ubuntu1) hardy; urgency=low + + * Merge from Debian unstable, remaining changes: + + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077) + slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 + allows remote authenticated users to cause a denial of service (daemon + crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) + control, a related issue to CVE-2007-6698. + + debian/apparmor-profile: add AppArmor profile + + debian/slapd.postinst: Reload AA profile on configuration + + updated debian/slapd.README.Debian for note on AppArmor + + debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + + debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets + installed it won't overwrite our profile + + Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Steve Langasek Tue, 04 Mar 2008 01:59:51 +0000 + +openldap2.3 (2.4.7-6) unstable; urgency=low + + [ Updated debconf translations ] + * Dutch, thanks to Bart Cornelis . Closes: #452950. + * Brazilian Portuguese, thanks to Eder L. Marques . + Closes: #463460. + * German, thanks to Helge Kreutzmann . + Closes: #465784. + + [ Steve Langasek ] + * Relax build-dependency on libsasl2-dev now that the versioned dependency + is satisfied by all extant versions (including in oldstable), fixing a + lintian warning about versioned build-deps on Debian revisions. + * Avoid using a mutex around getaddrinfo() and getnameinfo() calls, which + are guaranteed by glibc to be threadsafe; this fixes a deadlock when + using nss_ldap for host lookups. Closes: #340601. + * debian/libldap2-dev.manpages: install all of man3/* instead of + enumerating specific manpages to install. Closes: #320073. + * Add new patch, sasl-cleartext-strncasecmp, to correct a regression that + prevented the use of the {CLEARTEXT} password scheme with SASL. + Closes LP: #191563. + * drop LGPL from debian/copyright; there is no longer any code under this + license in the package. + * Drop patch gnutls-altname-nulterminated; it's been determined that the + "length" discrepancy was a bug in gnutls, and fixed in that package. + * debian/configure.options: explicitly pass --with-odbc=unixodbc, so + that we depend on the right ODBC implementation when both happen to + be installed at build time. + + [ Russ Allbery ] + * Add a stamp file for the configure rule to avoid rerunning configure + needlessly. Closes: #465588. + * Don't create the openldap user if slapd has been configured to run as + a different user. If slapd has been configured to run as openldap, do + create the user on reconfigure. Closes: #452438. + * Reformat, reorganize, and update slapd's README.Debian. + - Include SASL configuration information. + - Remove LDBM information, since upstream no longer even ships LDBM + and the debconf prompting and maintainer scripts already take care + of any lingering databases. + - Document the differences between the Debian OpenLDAP packages and + upstream. + + -- Steve Langasek Thu, 28 Feb 2008 22:15:17 -0800 + +openldap2.3 (2.4.7-5ubuntu2) hardy; urgency=low + + * SECURITY UPDATE: + + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077) + slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 + allows remote authenticated users to cause a denial of service (daemon crash) + via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related + issue to CVE-2007-6698. + + * References + - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658 + - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358 + + -- Emanuele Gentili Sun, 02 Mar 2008 16:34:30 +0100 + +openldap2.3 (2.4.7-5ubuntu1) hardy; urgency=low + + * add AppArmor profile + + debian/apparmor-profile + + debian/slapd.postinst: Reload AA profile on configuration + * updated debian/slapd.README.Debian for note on AppArmor + * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets installed + it won't overwrite our profile + * Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Jamie Strandboge Wed, 13 Feb 2008 17:15:41 +0000 + +openldap2.3 (2.4.7-5) unstable; urgency=low + + [ Updated debconf translations ] + * Finnish, thanks to Esko Arajärvi . Closes: #462688. + * Galician, thanks to Jacobo Tarrio . Closes: #462987. + * French, thanks to Christian Perrier . + Closes: #463149. + * Russian, thanks to Yuri Kozlov . Closes: #463442. + * Czech, thanks to Miroslav Kure . Closes: #463472. + * German, thanks to Helge Kreutzmann . + Closes: #464718. + + [ Steve Langasek ] + * Fix various regressions related to the introduction of GnuTLS: + - Add new patch, gnutls-ciphers, to fix support for specifying multiple + ciphers with TLSCipherSuite option in slapd.conf. Thanks to Kyle + Moffett for the patch. Closes LP: #188200. + - Add new patch, slapd-tlsverifyclient-default, to set the intended + default value of "TLSVerifyClient never" in the right place. + - Add new patch, gnutls-altname-nulterminated, to account for differences + in how the "length" is returned for commonName vs. subjectAltName. + - Comment out TLSCipherSuite settings on upgrade from all versions prior + to 2.4.7-5, and throw a debconf error to the user notifying them of + this, since all OpenSSL cipher suite values are incompatible with + GnuTLS. + Closes: #462588. + * Add new patch from upstream, entryCSN-backwards-compatibility, to support + auto-converting entryCSN attributes in a previously supported old format, + fixing an upgrade failure. Closes: #462099. + * Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the + latter resorts to a SIGKILL and may corrupt backend data; whereas the + former will exit non-zero if slapd is still running but won't directly + cause data-loss. Thanks to Mark McDonald for the patch. LP: #92139. + * Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for + reporting. Closes: #463971. + * Fix a superfluous space in the debconf templates, due to a trailing space + in the templates. Closes: #464719. + + -- Steve Langasek Sat, 09 Feb 2008 14:25:55 -0800 + +openldap2.3 (2.4.7-4) unstable; urgency=high + + [ Steve Langasek ] + * Build-conflict with libicu-dev, for consistent dependencies in all + build environments. + * Fix an oversight in the checkpoint migration, which caused the checkpoint + option to not be moved far enough down. Closes: #462304, LP: #185257. + * Build-depend on unixodbc instead of iODBC. + + [ Updated debconf translations ] + * Japanese, thanks to Kenshi Muto . Closes: #462191. + + -- Steve Langasek Fri, 25 Jan 2008 02:17:23 -0800 + +openldap2.3 (2.4.7-3) unstable; urgency=low + + * Add missing build-dependency on groff-base, to allow use of soelim during + build. + + -- Steve Langasek Mon, 21 Jan 2008 15:18:27 -0800 + +openldap2.3 (2.4.7-2) unstable; urgency=low + + * Temporarily drop slapi-dev from the package to get through NEW; this + functionality should be readded later, either by restoring the slapi-dev + package or by moving it to libldap2-dev, depending on the outcome of + discussion with the ftp-masters. + + -- Steve Langasek Mon, 21 Jan 2008 06:13:21 -0800 + +openldap2.3 (2.4.7-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream version; closes: #449354. + - remove another schema from upstream source, collective.schema, + that contains text from the IETF RFCs and include a stripped copy + in debian/schema. + - drop patches slurpd-in-spool and man-slurpd, since slurpd is no + longer provided upstream. + - libldap2.3-0 is now libldap2.4-2 + - build libldap2-dev from this source package now, superseding + openldap2; closes: #428385, #260118, #262539, #391899, #393215. + - lastmod and denyop have been moved to contrib upstream and are no + longer shipped as supported overlays + - drop dependency on libldap2 and take ownership of the + /etc/ldap/ldap.conf conffile, since libldap2 is now obsolete + - need to dump and reload databases again for the upgrade from 2.3.39. + - ldap_init(3) no longer attempts to document the internals of the + LDAP opaque type. Closes: #320072. + - ldap-utils utilities find LDAP servers via SRV records when given a + URL with -H and no host in the URL. Closes: #221173. + - if the old slapd.conf included any replica commands, automatically + enable syncprov for the corresponding database and print an error + with debconf. + * slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be + shipped under doc/examples because /usr/share/doc can't be depended + on per policy; ship the files under /usr/share/slapd and symlink the + /other/ way, which also spares us from dh_compress trying to gzip + slapd.conf. Closes: #452749. + * Drop libldap.so as was done for libldap2, making it a link to + libldap_r.so to avoid unfortunate symbol collisions. + * Add new patch, libldap-symbol-versions, to build libldap and liblber + with symbol versions; needed to avoid segfaults when applications + manage to pull both libldap2 and the new libldap-2.4-2 into the same + process (as during a partial upgrade or the initial soname + transition), and also when the library soname changes again in the + future (as it's likely to do). + * Reintroduce add-autogen-sh patch, with build deps on libtool, automake, + and autoconf, required due to the previous patch; this time around, take + care to clean up the autogenerated files in the clean target as well + * Build-depend on libgnutls-dev instead of on libssl-dev, so that at long + last we can build the server and lib from the same source package again + without licensing problems. Closes: #457182, #407334, #428468, #381788. + Closes: #412706. + * slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for + openldap < 2.1.22 + * Ask about ldbm to bdb migration in the preinst, since there is no + guarantee that the debconf config script will be run before the unpack + phase. + * Don't stop slapd in the preinst by hand, the prerm already stops the + old slapd using the standard interfaces. + * Don't build with LAN Manager password support; these passwords are more + insecure than traditional Unix crypt, and only relevant when talking to + Windows 98. + * Move libslapi into the slapd package and provide a virtual package for + library dependencies, since this is expected to stay lockstep with the + server. + * Split slapi dev support into a new libslapi-dev package, as this is + unrelated to libldap; and drop libslapi.a since it would be insane to try + to statically link a dynamically-loaded slapi plugin. + * "checkpoint" directives are no longer supported as part of the backend + config, only as part of the database config; move the lines around in + slapd.conf on upgrade. + * "schemacheck" directives are no longer supported; comment them out + on upgrade since this option was set by default in sarge. + * Package description updates; thanks to Christian Perrier + and the Smith review project for these + improvements. + * Incorporate debconf template changes suggested by the debian-l10n-english + team as part of the Smith review project. Closes: #447224. + + [ Russ Allbery ] + * Removed fix_ldif and all remaining code to try running it on LDIF + dumps. Schema checking has been imposed since 2.1 and it's highly + unlikely that anyone still needs this. + * Move the checkpoint directive in the default slapd.conf below the + database and suffix directives for the primary database. This is now + required for OpenLDAP 2.4. + * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640 + by default so that slapindex and friends can read it when run as the + openldap user. Fix permissions on upgrade if slapd.conf is owned by + root and mode 600. Closes: #432662. + * Drop slapd patch to read slapd.conf before dropping privileges, since + slapd.conf should now be readable by SLAPD_GROUP. + * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume + the cn=config backend is used and start slapd with the appropriate + options. Based on a patch from Mike Burr. Closes: #411413. + * Rework slapd's README.Debian: + - Document the BerkeleyDB version. Closes: #438127. + - Document how to direct slapd's logs to another file. Closes: #258931. + - Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades. + - Recommend HDB instead of BDB. + - Generally reformat and reorganize. + * Patch cleanup: + - Combine the NTLM patches for Evolution into a single patch. + - Add explanatory comments to every patch. + - Refresh all patches to remove diff garbage and trailing whitespace. + * debian/rules cleanup: + - Fix patch dependencies for parallel build (hopefully). + - Tell configure the system type. + - Rewrite upstream_strip_nondfsg.sh as a get-orig-source target. + - Remove stamp files as the first step of the clean target. + - Add trivial build-arch and build-indep targets. + - Remove dead code and unnecessary comments. + * Remove postrm code to delete /var/lib/slapd/upgrade* flag files. We + haven't used those since the 2.1 upgrade. + * Update Vcs-* headers for new repository layout. + * Remove versioned dependency on an ancient dpkg-dev. + * Wrap and reorder Build-Depends for readability. + + [ Updated debconf translations ] + * Czech, thanks to Miroslav Kure . Closes: #458215. + * German, thanks to Helge Kreutzmann . + Closes: #452833. + * Spanish + * Finnish, thanks to Esko Arajärvi . Closes: #448061. + * French, thanks to Christian Perrier . + Closes: #452632. + * Galician, thanks to Jacobo Tarrio . + Closes: #451158. + * Italian, thanks to Luca Monducci . Closes: #449442. + * Japanese, thanks to Kenshi Muto . Closes: #451325. + * Dutch, thanks to Bart Cornelis . Closes: #448935. + * Brazilian Portuguese + * Portuguese, thanks to Tiago Fernandes . + Closes: #453341. + * Russian, thanks to Yuri Kozlov . Closes: #453318. + * Vietnamese, thanks to Clytie Siddall . + Closes: #453411. + + -- Steve Langasek Mon, 21 Jan 2008 04:58:24 -0800 + +openldap2.3 (2.3.39-1) unstable; urgency=medium + + * Medium severity due to denial of service fix. + * New upstream release. + - CVE-2007-5708: Fix remote denial of service attack in slapo-pcache + (the overlay for proxy caching). (Closes: #448644) + - Multiple additional more minor bug fixes. + * Document in the default slapd.conf that dbconfig options only generate + the DB_CONFIG file on first slapd start and have no effect afterwards + unless DB_CONFIG is removed. (Closes: #442191) + * Inline the checkpoint and BerkeleyDB backend settings in the default + slapd.conf rather than generating them dynamically in postinst. All + the allowable default database choices are now BerekelyDB variants and + will probably continue to be so for the forseeable future, and this is + easier to maintain. + * Drop debconf questions, warnings, and maintainer script functions + dealing with upgrades from OpenLDAP 2.1, which is now too hold for + supported direct upgrades. (Closes: #444806) + * Add a watch file. Thanks, Fernando Ribeiro. (Closes: #435290) + * Add Homepage, Vcs-Svn, and Vcs-Browser control fields. + + -- Russ Allbery Mon, 12 Nov 2007 16:00:47 -0800 + +openldap2.3 (2.3.38-1) unstable; urgency=low + + [ Steve Langasek ] + * Drop debian/patches/use-lpthread, which is no longer needed on mips* + because gcc has been fixed. + * Drop debian/patches/add-autogen-sh, also no longer needed now that + the above patch is gone. + + [ Matthijs Mohlmann ] + * Fix bashism in initscript. (Closes: #428883) + * Drop upstream patches ITS4924, ITS4925 and ITS4966. + * Add patch for objectClasses which causes slapd to crash. (Closes: #440632) + - CVE-2007-5707. + - Upstream bug ITS5119. + * Change default loglevel to none, to log high priority messages. + (Closes: #442000) + * Tighten up the build dependencies, now that autogen patch is removed. + + -- Matthijs Mohlmann Mon, 17 Sep 2007 22:58:54 +0200 + +openldap2.3 (2.3.35-2) unstable; urgency=low + + * Enable LAN Manager password support in slapd. (Closes: #245341) + * If automatic configuration is selected and slapd.conf doesn't exist + during an upgrade, treat this as a fresh installation rather than + aborting with an error. Also try to provide a better error message if + the user has deleted /etc/ldap/schema but we just generated a new + configuration that references it. These cases can occur if someone + removes (rather than purges) the package, manually deletes /etc/ldap, + and then reinstalls. (Closes: #205010) + * Don't fail in slapd's postrm if /etc/ldap/schema has already been + deleted. + * Remove slapd conflicts with libbind-dev and bind-dev. There no longer + appears to be anything in those packages that would break slapd's + resolver. (Closes: #225896) + * Add libldap-2.3-0-dbg and slapd-dbg packages with detached debugging + information. + * db_recover is no longer required after changing DB_CONFIG; slapd now + detects changes itself and does the right thing. Also note in + README.DB_CONFIG the existence of the dbconfig slapd.conf parameter + and slapd's DB_CONFIG writing support. (Closes: #412575) + * Add options to /etc/default/slapd to let the system administrator tell + the init script to not start slapd on boot. (Closes: #254999) + * Redirect fd 3 to /dev/null in the slapd init script for additional + robustness when debconf is running. (Closes: #227482) + * Add to /etc/default/slapd a commented-out example of how to change the + keytab file used for GSSAPI authentication. (Closes: #412017) + * Use variables in /etc/init.d/slapd for the paths to slapd and slurpd + so that someone who really wants to can override them in + /etc/default/slapd. (Closes: #403948) + * Allow people building packages for outside Debian to skip the checks + for non-DFSG-free material by setting a variable. Thanks, Peter + Marschall. (Closes: #427245) + * Remove duplicate libldap-2.3-0 dependencies. (Closes: #408987) + * Use binary:Version instead of Source-Version for the tight + dependencies between slapd and ldap-utils and libldap-2.3-0. + + -- Russ Allbery Mon, 11 Jun 2007 20:26:26 -0700 + +openldap2.3 (2.3.35-1) unstable; urgency=low + + * New upstream release with many bug fixes. + - Allow syncprov to follow aliases. (Closes: #422087) + * Apply upstream patches: + - ITS#4924: client crash on incorrectly tagged result from server. + - ITS#4925: NOOP modify with BDB backend crashed slapd. + - ITS#4966: Delete of valsort-controlled entries crashed slapd. + * Enable SLAPI support. (Closes: #390954) + * Re-enable use of the epoll system call since Debian no longer supports + 2.4 kernels. This means that the OpenLDAP packages will not work on + pre-2.6 kernels. + * Remove schema files that contain text from IETF RFCs from the upstream + source since that text is not DFSG-free. Instead, install stripped + versions of those schema files containing only the functional + interface specifications, a comment explaining why this is needed, and + a pointer to the relevant RFC. (Closes: #361846) + * Document the repackaging of the upstream source in debian/copyright. + * Update config.guess and config.sub during the build instead of in the + clean target and remove them in the clean target for a clean diff. + Build-depend on autotools-dev so that we can unconditionally copy over + the latest versions. + * Added commentary and upstream ITS numbers for several patches + applicable upstream. + * Use debian/compat rather than the deprecated DH_COMPAT rules setting. + * Update to debhelper compatibility level V5 (no changes required). + + -- Russ Allbery Wed, 30 May 2007 22:42:28 -0700 + +openldap2.3 (2.3.30-5) unstable; urgency=low + + [ Steve Langasek ] + * Add Portuguese debconf translation; thanks to Tiago Fernandes. + Closes: #409632. + * Re-add .la files to the slapd package, for greater compatibility + with upstream documentation. + + [ Russ Allbery ] + * When starting slapd, create a symlink from /var/run/ldapi to + /var/run/slapd/ldapi for compatibility with 2.1 client libraries. + Closes: #385809. + * Apply upstream patch to prevent a race condition in slapd when + shutting down connections. + * Update the Brazilian Portuguese debconf translation; thanks to Felipe + Augusto van de Wiel. + + -- Russ Allbery Thu, 8 Mar 2007 18:21:02 -0800 + +openldap2.3 (2.3.30-4) unstable; urgency=low + + * Ok, argh, it helps to check that the function being re-added to the + preinst hasn't been removed again from the common include. Re-add + break_on_ldbm_to_bdb_migration_disagree, because by all appearances + we /should/ be using this in the preinst. Closes: #411474. + + -- Steve Langasek Mon, 19 Feb 2007 03:55:22 -0800 + +openldap2.3 (2.3.30-3) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * Added spanish translation. (Closes: #404250) + * Documentation updates backported from upstream. + * Fix a security bug in kerberos kbind code. (Only used when enabling with + --enable-kbind option) But better safe then sorry. + * Backported a mem leak fix on failed binds. + * Added patch from upstream that fixes a memory leak in ACLs that use sets. + + [ Steve Langasek ] + * *Really* abort in preinst if the user doesn't accept the upgrade + from ldbm to bdb. Closes: #392747. + * Set the name of debian/slapd.NEWS right so that it gets + installed in the binary package. Closes: #409923. + * Add Russian debconf translation; thanks to Yuri Kozlov. + Closes: #405706. + * Add Galician debconf translation; thanks to Jacobo Tarrio. + Closes: #407267. + + -- Steve Langasek Sun, 18 Feb 2007 16:47:16 -0800 + +openldap2.3 (2.3.30-2) unstable; urgency=low + + * Make sure that the pidfile directory doesn't exist in the init script. + (Closes: #402705) + + -- Matthijs Mohlmann Tue, 12 Dec 2006 21:34:44 +0100 + +openldap2.3 (2.3.30-1) unstable; urgency=low + + * New upstream release. + - Fixed authzTo/authzFrom URL matching. + - Fixed syncrepl consumer memory leaks. + - Fixed slapd-hdb livelock. + - Fixed slapo-ppolicy external quality check. + - Fixed ldapsearch(1) man page acknowledgement. + * Added patch to make sure that the pidfile directory exists. + (Closes: #390337) + * Do not ask the question allow ldap v2 logins when user wants manual + configuration. (Closes: #401003) + * Add patch to look also in /etc/ldap/sasl2 for sasl configuration. + (Closes: #398657) + * Removed db4.2-util recommend, the slapd binary includes checking code to + fix DB errors. + * Updated README in schema directory. It doesn't list collective.schema + anymore. (Closes: #287358) + * Updated manpages to point to right paths. (Closes: #398790) + + -- Matthijs Mohlmann Sat, 9 Dec 2006 20:50:58 +0100 + +openldap2.3 (2.3.29-1) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * New upstream release. + - Fixes Denial of Service through a certain combination of LDAP BIND + requests (CVE-2006-5779) (Closes: #397673) + * LSB section added to the init script. + * Updated README.Debian about running as non-root user (Closes: #389369) + * Updated de translation (Closes: #396096) + * Added some documentation / warning when running slapindex as root. + * Remove drafts and rfc from the tarball. (Closes: #393404) + + -- Matthijs Mohlmann Sat, 11 Nov 2006 11:24:42 +0100 + +openldap2.3 (2.3.27-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. + * pidfile location is changed 3 years ago, when people are upgrading from + back then they have a broken slapd because the openldap user is not able + to write to /var/run. (Closes: #380687) + * Patches by Quanah Gibson-Mount + - Fix one time memleak on startup in the accesslog db. + * Changed priority of libldap-2.3-0 to optional as it is only used by slapd. + + [ Torsten Landschoff ] + * Remove RFC documents as they do not meet the DFSG. + + debian/rules: Check that the RFCs are gone to make sure it does not + get included again by accident. + + -- Matthijs Mohlmann Sat, 2 Sep 2006 00:33:44 +0200 + +openldap2.3 (2.3.25-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release: + - Accepts 'require none' in slapd.conf (closes: #370023). + - Added patch to fix a bold issue in the manpage ldapsearch. Thanks to + Matt Kraai. (Closes: #355670) + * Added commented out rootdn parameter in slapd.conf. (Closes: #303245) + * Make the scripts output a bit more consistent. + * Fix a regression in the slapd packages. Data directory is /var/lib/ldap + and not /var/openldap-data, also adjust the manpages to reflect these + change. Thanks to Peter Marschall. (Closes: #368891) + * Removed script move_files, dh_install is used instead. (Closes: #368896) + * Dutch translation already updated. Closes: #375101) + * Documented that slapd is compiled with TCP wrappers (Closes: #351428) + * dpkg-reconfigure slapd now just reinstalls slapd and moves old databases + to /var/backups. Already done in previous version (Closes: #230366, #208056) + + [ Torsten Landschoff ] + * debian/libldap-2.3-0.install: Ignore version information when installing + libraries. This way it does not need updating for each new upstream + release. + + -- Matthijs Mohlmann Wed, 26 Jul 2006 18:05:40 +0200 + +openldap2.3 (2.3.24-2) unstable; urgency=low + + * Switch slapd from running as root to running as user. + (Closes: #292845, #261696) + * Changing configuration in slapd.conf by the postinst will now also follow + includes. (Closes: #304488) + * Patches by Quanah Gibson-Mount + - fix a lock bug with a virtual root entry in the BDB backend. + - fix boolean logic in the overlays. + - fix that slurpd can use ldaps. + - fix initialization of auditdb. + - fix TLS concurrency issues. + - fix exop password change that didn't reset pwdMustChange. + - fix syncrepl that fails when no rootdn is defined. + * Add dependency on adduser. + * Specify the PATH variable in the init script. (Closes: #367981) + * Added patch to read config before dropping privileges. + * epoll(4) system call is missing on kernels <2.6, this causes slapd to + not work on 2.4 kernels. Added patch that remove the #define in + portable.in (Closes: #369352, #372194, #373233) + * In 2.3.24 slapd won't segfault if the moduleload directive appears + somewhere else. (Closes: #349011) + * Removed fileutils dependency, it's superseeded in Sarge already. + (Closes: #370013) + * Use find in combination with mv to move an old directory away. + (Closes: #306435) + * Updated Dutch debconf translation (Closes: #365172) + * Added an example backup script that can be put into cron (Closes: #319477) + * Make the db directories 0700. On new installations this is the default. + (Closes: #354450) + * Get rid of a '.' in front of a domain. (Closes: #318143) + * Added shadowLastChange to the ACL in the default slapd.conf + (Closes: #370550) + * Updated Japanese translation (Closes: #378565) + + -- Matthijs Mohlmann Mon, 17 Jul 2006 18:22:45 +0200 + +openldap2.3 (2.3.24-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream version. (Closes: #369544) + * Update patch slurpd-in-spool. (Closes: #368586, #368709, #368889) + * Added slapi-errorlog-file to be into /var/log (Closes: #368895) + * Removed patch configure.in-fix, incorporated upstream. + * Move debian/configure.options.new to debian/configure.options. + * Added patch to put ldapi socket in /var/run/slapd. + * Removed bdb recovery from the init.d script. This was introduced to fix + bug #255276. Now that slapd has the ability to check and recover from bdb + failures, this function is not needed anymore. (Closes: #369484, #369093) + * Updated the lintian overrides. + + [ Torsten Landschoff ] + * Include man pages for accesslog and auditlog overlays, patch by + Peter Marschall (closes: #368888). + + -- Matthijs Mohlmann Thu, 1 Jun 2006 08:16:02 +0200 + +openldap2.3 (2.3.23-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158) + (Closes: #310282, #319155) + * OpenLDAP checks database before starting up. + (Closes: #190165, #195079, #294701, #308416) + * move_old_database_away isn't called in a while loop anymore (which would + kill debconf interaction) (Closes: #299100) + * BDB_CONFIG file will be installed on new installations (Closes: #301292) + * Move to dh_install. + * Move to quilt patch system. + * Fix manpage. + * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings) + * Wipe passwords after we created the initial configuration. + * The config scripts is runned twice, this causes the password in + slapd/internal/adminpw to be empty. This fixes the issue with having an + empty password in the ldap database. (Closes: #343113, #347725) + * Added #DEBHELPER# token to fix a lintian warning. + * bdb has changed between major versions, so dump the database and import it + again for versions before 2.3.19. + * Remove comments from debian/control (The out commented control information + is actually in debian/control.dev) + * Enable all backends and overlays with: --enable-backends=mod and + --enable-overlays=mod + * Add | debconf-2.0 to unblock cdebconf transition (Closes: #332053) + * Added Danish debconf translation (Closes: #353897) + * Updated French debconf translation (Closes: #320739) + * Updated Vietnamese debconf translation (Closes: #319706) + * Updated Czech debconf translation (Closes: #356554) + * Encode the organization to utf8 (Closes: #236097) + * Disabled the LDBM backend. Break in preinstallation if user doesn't want + to migrate to BDB backend. + * Removed choice for LDBM backend from slapd templates. And some explanation + in that question about the LDBM backend. + * Add sizelimit and tool-threads and some documentation to slapd.conf + (Closes: #327808) + * slapd.scripts-common had two functions with the same name. + * Don't return a error message if hostname fails. + * Backup the config only once on upgrade. + * For new installations do not install a DB_CONFIG file but use the + slapd.conf as file for BDB/HDB configuration parameters. See: slapd-bdb(5) + * Added various "exit 0" to the installation scripts. + * Add configure.in patch to fix C comparison what should be bash (ITS#4416) + * Raise debconf configuration level from low to medium for + slapd/no_configuration. + * Updated Standards-Version to 3.7.2.0 + * Added build-dependency on perl which is used in the debian/rules file. + Considered by lintian. + * Added lintian override for too-long-extended-description-in-templates, it + is an explanation about the backends. + + [ Steve Langasek ] + * debian/slapd.templates: Fix typo durin -> during; re-run + debconf-updatepo, fixing up the fuzzies (closes: #319596). + + [ Torsten Landschoff ] + * debian/slapd.scripts-common: Rename backend_supported to + upgrade_supported_from_backend for more clarity. + + -- Matthijs Mohlmann Sat, 13 May 2006 00:28:11 +0200 + +openldap2.2 (2.2.26-4) unstable; urgency=low + + * [l10n] Vietnamese translations by Clytie Siddall (closes: #316623). + * debian/slapd.templates: Fix typos occured -> occurred (closes: #316624). + * libraries/libldap/url.c: Apply patch from upstream CVS to fix URI + parsing (closes: #317100). + + -- Torsten Landschoff Tue, 19 Jul 2005 20:52:17 +0200 + +openldap2.2 (2.2.26-3) unstable; urgency=low + + * [SECURITY] Applied the patch available at + http://bugzilla.padl.com/show_bug.cgi?id=210 + to force libldap to really use TLS when requested in /etc/ldap/ldap.conf + (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2 + source package so this is only to prepare unleashing the libraries of + OpenLDAP 2.2 for unstable... + + -- Torsten Landschoff Sun, 3 Jul 2005 10:41:37 +0200 + +openldap2.2 (2.2.26-2) unstable; urgency=low + + * Assembled changes from patches supplied by Peter Marschall (thanks, + Peter): + | debian/move_files: Move slapd and slurpd to /usr/sbin and adjust symlinks + (closes: #316354). + + debian/slapd.links: Remove symlinks from /usr/sbin to /usr/lib. + | debian/rules: Don't install cron jobs needed for GnuTLS as long as we are + using OpenSSL. + | debian/control: Remove build-dependencies needed for GnuTLS + (closes: #316355). + + Require libsasl >= 2.1.18 as recommended by OpenLDAP project. + | Update quicktool patch from Quanah Gibson-Mount (closes: #316361). + | debian/slapd.init: Use /bin/sh as shell when running db_recover + (closes: #316350). + | debian/configure.options: Enabled dynlist and proxycache overlays + (closes: #316351). + + * debian/po/de.po: Apply typo correction patch (closes: #313809). + * debian/po/fr.po: Apply updates by Christian Perrier (closes: #315122). + + -- Torsten Landschoff Fri, 1 Jul 2005 12:53:18 +0200 + +openldap2.2 (2.2.26-1) unstable; urgency=low + + * New upstream release. + * debian/slapd.init: Run db_recover as the user configured for slapd + (closes: #311331). + * debian/po/cs.po: Add Czech translation by Miroslav Kure (closes: #312064). + * Run debconf-updatepo, oh my :( + * Update configure via libtoolize -cf; aclocal-1.4; autoconf2.50. + * configure.in: Try to fix memcmp check (probably does not work anymore, but + we should have a working memcmp on all Debian systems anyway). + * debian/rules: Remove config.{sub,guess} before installing new versions + (just in case there were symlinks for them...). + + -- Torsten Landschoff Tue, 21 Jun 2005 12:06:40 +0200 + +openldap2.2 (2.2.23-8) unstable; urgency=low + + * debian/DB_CONFIG: Fixed the log cache configuration (used the wrong + command so there was about no effect). + + -- Torsten Landschoff Mon, 30 May 2005 08:48:10 +0200 + +openldap2.2 (2.2.23-7) unstable; urgency=low + + * debian/slapd.scripts-common: Install the default DB_CONFIG for each + database loaded from LDIF which didn't have a DB_CONFIG before. + * (automatic) Updated config.sub and config.guess from autotools-dev. + + -- Torsten Landschoff Mon, 30 May 2005 08:08:37 +0200 + +openldap2.2 (2.2.23-6) unstable; urgency=low + + Torsten Landschoff : + * debian/po/ja.po: Merge updates from Kenshi Muto (closes: #303505). + * debian/po/fr.po: Merge updates from Christian Perrier (closes: #306229). + * debian/slapd.scripts-common: If the user enters the empty value for + the database dumping directory use the default value. Seems like the + readline interface does not care about the default value + (closes: #308234). + * debian/slapd.postinst: Make sure the debhelper commands are executed + in all cases (closes: #310422). + * Merged suggested changes by Eugene Konev to automatically run + db_recover before starting slapd (closes: #255276). + + debian/slapd.init: Run db_recover if enabled and available and no + slapd process running. + + debian/slapd.default: Add configuration option to disable it. + * Applied and improved patch by Matthijs Mohlmann to support migration + from ldbm to bdb backend. + + debian/slapd.config: Ask if migration is wanted. + + debian/slapd.postinst: Update configuration from ldbm to bdb if yes. + + debian/slapd.scripts-common: Implemented some parts in their own + functions. + * Add a README.DB_CONFIG.gz and reference it where referring to BDB + configuration. + * Update default DB_CONFIG with some senseful values. + + Steve Langasek : + * libraries/libldap_r/Makefile.in: make sure the ximian-connector ntlm + patch is applied to libldap_r, not just to libldap + * debian/move_files: make libldap a symlink to libldap_r, as carrying + two versions of this library around is more trouble than it's worth, + and can cause glorious segfaults down the line + + -- Torsten Landschoff Mon, 30 May 2005 08:07:49 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + Torsten Landschoff : + * debian/lintian-overrides: Add. Contains lintian warnings/errors to + override for each package (plus comments). + + debian/move_files: Automatically install applying overrides into + each package. + + Steve Langasek : + * configure.in: reinstate the remainder of the fix for 195990 from + 2.1.22-2: give preference to -lpthread over -pthread in configure.in, + because some archs (mipsel, at least) don't like -pthread. + + -- Steve Langasek Sun, 24 Apr 2005 05:01:02 -0700 + +openldap2.2 (2.2.23-4) unstable; urgency=low + + Torsten Landschoff : + * debian/control: Make the requirement for debconf a pre-dependency as + we are using it from the maintainer scripts. + * debian/slapd.preinst: Always use debconf (don't check for availability). + * debian/slapd.scripts-common: Remove the alert_user function which + was there to output an error message in case debconf is not available. + + Steve Langasek : + * debian/fix_ldif: Add code to fix up oddly formatted integer attribs; + limited use because it only fixes those attributes that we have + prior knowledge of (i.e., those in the default schemas we ship), but + it's something at least. Closes: #302629. + * debian/fix_ldif: Also change fix_ldif to not chew up everything that + has a # in the line: treat lines beginning with # as comments, but # + is a valid character in an attribute value. + * debian/rules: Fix the check for missing lib symbols to use + LD_LIBRARY_PATH, so the package builds on systems that don't already + have libldap-2.2-7 installed. Closes: #305785. + * debian/po/ja.po: Use the partial translation provided by Kenshi Muto. + + Stephen Frost : + * debian/slapd.scripts-common: Make sure - ends up at the end of the + bracket expression given to grep so it's not treated as a range + (closes: #302743). + + -- Steve Langasek Sat, 23 Apr 2005 22:01:20 -0700 + +openldap2.2 (2.2.23-3) unstable; urgency=low + + Steve Langasek + * libraries/libldap_r/Makefile.in: Code that uses pthreads *must* be + linked with -pthread, even if it's a library; without this, the + libldap_r library ends up with dangling unversioned reference to + pthread_create() which gets resolved to a wrong version that causes + segfaults on 64-bit platforms. Closes: #304549. + * debian/rules: error out on build if an installed library has + undefined symbols; future-proofing against a repeat of #304549. + * debian/slapd.postinst: don't dump and reload directories unless we + know we're upgrading from an incompatible version! Closes: #304840. + * debian/slapd.scripts-common: don't use merge_logical_lines for + functions that will be writing back to the config; the code is not + as pretty now, but the output is much less ugly. Closes: #303243. + * debian/slapd.examples, debian/slapd.scripts-common, + debian/slapd.links, debian/move_files: install DB_CONFIG in + /usr/share/slapd/ instead of /usr/share/doc/slapd/examples/; this + simplifies the code, and ensures users who don't install + /usr/share/doc aren't penalized. Create links for the DB_CONFIG and + slapd.confg templates to /usr/share/doc/slapd/examples, since these + are worthwhile examples as well. + * Updated maintainer scripts to keep DB_CONFIG for LDAP databases over + upgrades (closes: #265860). + * Move slappasswd to the slapd package, since it's now a symlink and + isn't actually useful without the slapd binary (closes: #304339). + + -- Torsten Landschoff Thu, 21 Apr 2005 01:29:57 +0200 + +openldap2.2 (2.2.23-2) unstable; urgency=low + + * debian/configure.options: Change localstatedir to /var from /var/run + as the current upstream version adds /run to that during runtime for + slapi sockets etc. Problem: The database location is specified relative + to localstatedir/openldap-data. Another thing to fix... + (closes: #298271, #304491). + * debian/slapd.scripts-common (load_databases): Reimplement automatic + fixing of LDIF data via the fix_ldif script. Only tried if an + initial slapadd using the original LDIF data fails. With this change + upgrading from woody for some simple cases does work again. + * Disabled the version check for Berkeley DB in upstream code. Any + libdb4.2 package should work but of course using the latest will give + you the best results (closes: #300851). + * debian/slapd.scripts-common (import_database): Removed, no longer used. + * debian/slapd.scripts-common: Store the diagnostic output from + slapadd and output it before aborting if the command failed. + * debian/po/fr.po: Use the translations provided by Christian Perrier + (closes: #304141). + * debian/slapd.scripts-common: Use the -q option during slapadd to + improve performance. + * debian/slapd.templates (slapd/dump_database_destdir): Apply rewording + changes from Thomas Prokosch. Gives the user more information about + the usage of that directory. + + Run debconf-updatepo to update the translation templates. + * debian/slapd.templates: Clean up the debconf templates of the slapd + packages by merging the changes suggested by Christian Perrier + (closes: #302829). Thanks, Christian! + + Changed the wording of some of the templates. + + Adapt to the DTSG (Debconf Templates Style Guide). + + Removed item slapd/admin which is not used anymore. + + Run debconf-updatepo and send new fr.po to Christian Perrier. + * debian/slapd.postinst: Make a backup copy of slapd.conf before changing + anything (closes: #304485). + * Trivial improvements: + + Don't ask to move contents of /var/lib/ldap if it does not even + exist (but also is not an empty directory...) in initial config. + + Move check for current installation status out of configure_dumping. + + -- Torsten Landschoff Thu, 14 Apr 2005 19:57:11 +0200 + +openldap2.2 (2.2.23-1) unstable; urgency=low + + * debian/slapd.scripts-common: Move all shell functions of the maintainer + scripts here to have it all in one place. + * Another pass over the maintainer scripts to remove cruft and tidy up + the code a bit. Fixed some bugs on the way. + * Test upgrade and installation revealed some bugs, mostly typos: + + return in shell actually is "return $?", not "return 0" as I though + + Referenced $src where $srcdir was meant. + + Only load old directories on upgrade and not during initial + installation. + + -- Torsten Landschoff Fri, 1 Apr 2005 18:50:21 +0200 + +openldap2.2 (2.2.23-0.pre6) experimental; urgency=low + + Torsten Landschoff : + * debian/slapd.postinst: Add a testing interface to test the helper + functions. + * debian/slapd.postinst: Make sure that debconf actually displays the + error message even if the user has already seen it before. + * debian/slapd.postinst (compute_backup_path): Make function more robust + in case we don't know the old version or the suffix of the database. + Converted the backup dir to a more simple scheme which should be save + against accidental overwriting. + * Rewrote part of the maintainer scripts for correct handling of + directory dumps in preinst. New debconf questions etc. + * Move the manpage of slappasswd to ldap-utils where slappasswd itself + is included (closes: #300212). + + debian/control: Add Replaces: slapd << 2.2.23-0.pre6 to ldap-utils. + + debian/move_files: Move slappasswd manpage into ldap-utils. + * debian/slapd.config: Don't fail if hostname is unset (pulled from + Ubuntu, thanks to Jeff Bailey). + * Applied patch by Quanah Gibson-Mount (directory administrator of Stanford) + to add -q option to some tools for quick operation without updating + logs. This is mostly for importing directories from LDIF backups. + * Go back to libdb4.2 as OpenLDAP is known to have problems with BDB 4.3. + + debian/control: Update dependencies for BDB 4.2. + + debian/slapd.scripts-common: Mark all databases before this version + as incompatible. + * Fix some bashisms in maintainer scripts. + * debian/slapd.postinst: Include the version of the backup in the + backup of a database directory. + + Carlo Contavalli : + * debian/slapd.init: Print command line if starting a daemon failed. + * debian/slapd.postinst: Handle hdb backend just as if it was bdb. + * debian/README.Debian: Add some notes about DB_CONFIG and how to run + slapd under a different uid/gid. + * Install an example DB_CONFIG file during initial configuration + + slapd.postinst: Add a function to implement this and hook it into + create_new_configuration. + + debian/DB_CONFIG: Example DB_CONFIG that is installed. + + debian/slapd.examples: Mark DB_CONFIG as an example. + * servers/slapd/daemon.c: Actually change the permissions of the + unix socket if requested using an ldapi url with x-mod. + * debian/slapd.scripts-common: change privileges of upgraded databases + as indicated by SLAPD_USER and SLAPD_GROUP variables. + * debian/slapd.scripts-common,slapd.postinst: corrected some minor + typos. + + -- Torsten Landschoff Fri, 1 Apr 2005 12:26:35 +0200 + +openldap2.2 (2.2.23-0.pre5) experimental; urgency=low + + * Apply NTLM patch from ximian-connector source package. + * debian/slapd.postinst: Fix small typo leading to upgrade failures. + Added some notes while wading through maintainer scripts. + * debian/slapd.postinst: Make slapadd more noisy, writing the new + directory to stderr if something goes wrong (should help for + bug #236097). + * Make slapd.init idempotent by adding --oknodo to start-stop-daemon + invocations (closes: #298741). Kudos to Bill Allombert for this + patch. + * slapd.postinst: Try to fix slapd.conf for syntactic and semantic changes + introduced upstream into 2.2.x. + * slapd.scripts-common: Make sure directories before 2.2.23 are dumped + and reloaded on upgrade. + + -- Torsten Landschoff Fri, 11 Mar 2005 18:54:57 +0100 + +openldap2.2 (2.2.23-0.pre4) experimental; urgency=low + + * Rename libldap2.2 to libldap-2.2-7 to match soname. Updated + debian/{control,rules,...}. + * Checked the usage of the ucdata files shipped with libldap2 before. + Actually they stem from liblunicode which is only linked to slapd. + Therefore those files are shipped with slapd now. This change is + relevant so that multiple libldap-2.2-x packages can coexist later. + * debian/control: Updated for slapd replacing files from libldap2. + * debian/control: Recommend db4.3-util instead of db4.2-util as we are + using the former version now for slapd. + * debian/control: Add Build-Depends for libperl-dev, this time for + real. I wonder what went wrong last time as it built correctly with + pdebuild (closes: #297123). + + -- Torsten Landschoff Mon, 28 Feb 2005 15:17:52 +0100 + +openldap2.2 (2.2.23-0.pre3) experimental; urgency=low + + * debian/slapd.prerm: Reformat and fix double stopping of slapd. Find + out which bug we are working around and document it. + * debian/configure.options: Enable ACI support (closes: #101602). + Looked through the source code and it seems to be properly + insulated to not make a difference when not used. + * .../Makefile.in: Remove -s option from install invocations and let + dh_strip handle stripping binaries (closes: #264448). + * debian/slapd.postinst: Code cleanup and reading, unused and duplicate + code removed. Main body still needs fixing. + * debian/slapd.postinst: Fixed chmod --reference calls to keep the + permissions of slapd.conf. Putting data into the file using shell + redirection recreates the file with default umask and owner, killing + the permissions we applied using chod --reference after creating the + file. Instead we change the permissions directly before renaming the + file now. Wrapped it into a function and update the owner as well. + How do we do this correctly for ACLs etc.!? Thanks to Carlo Contavalli + for pointing this out. + * servers/slapd/main.c: Log a warning if writing the pidfile or writing + the arguments file fails (closes: #261696). + * debian/control: Add missing build dependency for perl development + library (closes: #297123). + + -- Torsten Landschoff Sun, 27 Feb 2005 17:44:03 +0100 + +openldap2.2 (2.2.23-0.pre2) experimental; urgency=low + + * servers/slurpd/slurp.h: Relocate the default spool directory to + /var/spool/slurpd again. + * Merged some changes done by Fabio M. Di Nitto for the ubuntu + distribution (thanks, Fabio!): + + debian/slapd.{postinst,conf}: Checkpoint BDB databases every 512kb + or 30 minutes by default. + + debian/slapd.scripts-common: Make is_empty_dir less noisy on first + install (cosmetic). + * Applied some changes suggested by Ondrej Sury: + + debian/rules: Add MAKEVARS variable and set datadir = + /usr/share/libldap2.2/ucdata instead of changing build/top.mk as + suggested. + + debian/move_files: Install /usr/share/libldap2.2 into libldap2.2 + and remove duplicate ldap.conf manpage. + + debian/control: Let libldap2.2 dependon libldap2 for config files. + * Also in Ondrej's patch: + + doc/man/man8/slapd.8: Refer to slapd.conf instead of ldap.h for + loglevel documentation. Changed by ubuntu? I don't know... + * debian/slapd.README.Debian: Update TLS/SSL information. + + -- Torsten Landschoff Fri, 25 Feb 2005 14:44:59 +0100 + +openldap2.2 (2.2.23-0.pre1) experimental; urgency=low + + * Merge new upstream release 2.2.23. + * Change name of source package to openldap2.2. + * configure.in: Fix AC_LIBOBJ for configure2.50. + * Run libtoolize, aclocal-1.4 and autoconf2.50 to get a working + configure script. + * debian/slapd.init: Output failure reasons using "$failure" so that + no glob substitution is done. Had a hard time grokking why slapd + would mention the contents of the current directory in its error + message... + * debian/rules: Disable building -dev packages as we don't want + other packages to link against the new libraries before sarge. + Remove the binary-indep target from the binary dependends list. + * debian/control: Move packages that are no longer build into control-dev. + * debian/configure.options: Build against OpenSSL with --with-tls + (this can only be done for slapd itself, we need GnuTLS support + before enabling this for libldap2.2-dev). + * debian/control: Update build dependencies for libdb4.3 and OpenSSL. + + -- Torsten Landschoff Wed, 23 Feb 2005 19:29:38 +0100 + +openldap2 (2.2.18-0.pre2) experimental; urgency=low + + * debian/check_config: Make sasl2 check more robust against file + format changes in config.status. + * debian/libldap2.shlibs: Remove. + * Update configure script using libtoolize, aclocal-1.4 and autoconf2.50 + to fix wrong shared library dependency in libldap2.2 (depended on + libldap2 by linking against the system's liblber). + * debian/libldap2.README.Debian: Move to libldap2.2.README.Debian. + * Lintian cleanup: + + Run debconf-updatepo for debian/rules clean and manually as + requested. + + Update config.guess and config.sub in debian/rules clean as well. + First update done. + + debian/rules (install): Fix the manpage section of the admin commands + from 8C to 8. + + debian/rules (binary-arch): Run dh_fixperms to fix the permissions + on shared libraries. + + -- Torsten Landschoff Thu, 13 Jan 2005 11:53:28 +0100 + +openldap2 (2.2.18-0.pre1) experimental; urgency=low + + * New upstream release. + * Disable TLS for now. + * debian/rules: Don't run autoheader and autoconf. + * debian/configure.options: Recreated and updated for new setup. + * debian/rules: Move slapd, slurpd from /usr/lib to /usr/sbin. + * Rename library packages to include the OpenLDAP version. + * Remove /etc/ldap/ldap*.conf from libldap2.2 to avoid clash with + libldap2. Also add Replaces entry for libldap2 to allow overwriting + for now. Needs fixing... + * Instead of moving slapd from /usr/lib to /usr/sbin create a symlink. + Seems like slapadd etc. are now all included in the slapd binary + and all link to its binary. + * debian/rules: Run dh_link for arch dependend packages. + * configure: Fix broken libdb checking which forced static building of + back-bdb. + * debian/slapd.conf: Fix access directive to use "attrs=" instead of + "attribute=" which wasn't officially supported anyway. + + -- Torsten Landschoff Wed, 3 Nov 2004 09:57:14 +0100 + +openldap2 (2.1.30-3) unstable; urgency=high + + * Urgeny high since previous releases were hardly usable (at least + with TLS). + * Roland Bauerschmidt + + libraries/libldap/gnutls.c, libraries/libldap/tls.c, + include/ldap_pvt_gnutls.h: Use callback with + gnutls_certificate_set_params_function to generate dh_params and + rsa_params (this is also the way, it's done with OpenSSL). We need + GNUTLS 1.0.9 for this. With the new version of libgcrypt, we also + need to initialize threading explicitly. The previous + segmentation faults resulted from the *global* param structure + being recreated and freed for every session. Many thanks to + Matthias Urlichs who helped debugging a lot and also packaged + GNUTLS 1.0.16 very quickly... Closes: #244827. + + debian/control: Add build dependency to libgcrypt11-dev (we're + initializing it directly now) and change libgnutls10-dev to + libgnutls11-dev. + + libraries/libldap/gnutls.c: in tls_gnutls_need_{dh,rsa}_params + (formerly ldap_gnutls_need_...), create temp files more securely, + doing unlink before opening and opening them with O_EXCL. This is + necessary because under Linux 2.6 all threads have the same PID. + Thanks to Andrew Suffield for pointing this out. + + debian/slapd.cron.daily: cron job to remove GNUTLS rsa_export and + dh param cache files every day. + + debian/slapd.README.Debian: add note that we use GNUTLS rather + than OpenSSL. + + -- Roland Bauerschmidt Mon, 26 Jul 2004 18:41:23 +0200 + +openldap2 (2.1.30-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/slapd.scripts-common: add missing space before ! + Closes: #251036, #253633, #257513. + * Torsten Landschoff + + Applied patch by Ralf Hack to support non-standard config file + location in /etc/default/slapd (closes: #229195). + + Applied patch to fix handling of abandoned commands + (closes: #254183). Thanks to Peter Marschall for submitting it. + + Applied patch to fix memory leak after search (closes: #254184). + Thanks again, Peter! + + Applied trivial patch to support logging to DAEMON facility + as well as LOCAL* (closes: #254186). Here you are, Peter ;) + + -- Roland Bauerschmidt Fri, 09 Jul 2004 15:56:06 +0200 + +openldap2 (2.1.30-1) unstable; urgency=low + + * Torsten Landschoff : + + debian/control: Have slapd conflict with libltdl3 version 1.5.4-1 + as with that version loading of .so files is broken which breaks + slapd (closes: #249152). + + Applied patch to fix Perl backend (closes: #245347). Kudos + to Peter Marschall. + + debian/configure.options: Enable building of Perl backend. + + * Roland Bauerschmidt + + debian/slapd.templates: replace 'domain' with 'DNS domain name' + which is little more specific + + debian/slapd.config: check if the domain has a valid syntax to + prevent slapadd from failing. Closes: #235749. + + New upstream version with fix for NS-MTA-MD5 hash length + checking. Closes: #226583. + + -- Torsten Landschoff Mon, 24 May 2004 23:33:21 +0200 + +openldap2 (2.1.29-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/rules: Revert change to install ldapadd as symlink. + Somehow, with that change, ldapadd didn't get installed at all. + Closes: #243537. + + -- Roland Bauerschmidt Tue, 13 Apr 2004 19:49:55 +0200 + +openldap2 (2.1.29-1) unstable; urgency=low + + * Stephen Frost + + libraries/gnutls.c: Generate and store RSA/DH parameters, + based off a patch by Petr Vandrovec (though changed alot). + Closes: #234639, #234593 + + * Roland Bauerschmidt + + Merged new upstream release. + + debian/slapd.prerm: add #DEBHELPER# token. + + debian/control: have slapd depend on debconf (>= 0.5) to ensure + it supports the seen flag. + + debian/rules: ldapadd is installed as a hardlink to ldapmodify; + use a symlink instead. + + debian/slapd.{scripts-common,postinst,preinst,config}: Add new + function read_slapd_conf that evaluates include statements. + + -- Torsten Landschoff Mon, 12 Apr 2004 15:27:55 +0200 + +openldap2 (2.1.26-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + debian/slapd.templates (slapd/purge_database): Set default value to + false. + + debian/slapd.config (manual_configuration_wanted): Don't exit + from the script directly if the user wants to configure + slapd manually (exit 0 -> return 0). + + Build-depend on libgnutls10-dev instead of libgnutls7-dev and + rebuild (closes: #233833). + + Move previous content of /var/lib/ldap away during creation of + an initial directory (closes: #228886, #233512). + + debian/slapd.postrm: Remove flag files in /var/lib/slapd on purge. + + Removed functionality (verbose error messages) from gnutls.c until + it compiled with libgnutls10-dev :-(( + + debian/slapd.postinst: Overwrite existing /etc/ldap/slapd.conf (only + reached during initial installation/dpkg-reconfigure). + + -- Torsten Landschoff Mon, 23 Feb 2004 09:36:32 +0100 + +openldap2 (2.1.25-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + - Build against libdb4.2. Hopefully, this resolves the BDB + lock ups when configured improperly. + + debian/control: Have ldap-utils depend on the same version of + libldap2, and libldap2 conflict with ldap-utils (<= 2.1.23-1). + Closes: #216661. + + debian/slapd.{templates,config}: Check if there are slave + databases in slapd.conf lacking an updateref option, and warn + about it. Closes: #216797. + + debian/slapd.{templates,config,postinst,conf}: Ask which + database backend to use (BDB or LDBM). + + debian/slapd.README.Debian: cleanup + + servers/slapd/back-bdb/dbcache.c: Turn off subdatabases. This + is an incompatible database format change, but according to + Howard Chu "using them (subdatabases) is known to cause deadlocks + on multiprocessor machines, among other issues." + + debian/control: add Recommends: db4.2-util to slapd + + debian/control: add Recommends: libsasl2-modules to slapd and + ldap-utils. Closes: #224058. + + debian/slapd.{scripts-common,preinst,postinst}: Extended dump + and restore code to deal with different versions for different + backends. + + debian/control: Geez, centipede seems to have vanished a long + time ago. So don't claim it's included in the slapd package. + + debian/slapd.docs: created with servers/slapd/back-sql/ + rdbms_depends. Closes: #225807. + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd as it's useful without slapd as well (closes: #228705). + + debian/control: Make ldap-utils Replaces: slapd < 2.1.25 because + of that change. + + debian/control: Use libdb4.2-dev instead of libdb4.1-dev as a + number of problems seem to be related to DB 4.1. + + -- Torsten Landschoff Fri, 6 Feb 2004 20:48:22 +0100 + +openldap2 (2.1.23-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + + Applied fix for admin password breakage from Michael Beattie + . Closes: #214270. + + Added Dutch Debconf template translation by cobaco@linux.be. + Closes: #215373. + + Bumped Standards-Version (no changes needed). + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd (closes: #228705). + + -- Roland Bauerschmidt Sat, 18 Oct 2003 19:56:54 +0200 + +openldap2 (2.1.22-3) unstable; urgency=low + + * Call perl -w to run debian/dh_installscripts-common. Closes: #214054. + + -- Roland Bauerschmidt Sat, 4 Oct 2003 14:22:11 +0200 + +openldap2 (2.1.22-2) unstable; urgency=high + + * Stephen Frost + + servers/slapd/daemon.c: Apply patch from head for select handling. + + debian/rules: Fix build options to optimize correctly and to use + DEB_BUILD_OPTIONS (Policy, 10.1). Closes: #202306 + + debian/slapd.conf: Add in ACL for root DSE explicitly. + + debian/slapd.init: Add --oknodo in stop_slurpd. Closes: #202592 + + debian/rules: Need quotes around $(CFLAGS) on configure line. + + debian/slapd.init: Remove \'s before quotes around pidfile. + + debian/slapd.init: Add support for -h slapd flag. Closes: #201991 + + debian/slapd.default: Add variable $SLAPD_SERVICES for slapd -h. + + libraries/libldap/tls.c: Apply patch from asuffield in #202741 to + fix subjectAltName usage. Closes: #202741 + + * Torsten Landschoff : + + Fix invocation of "head" in maintainer scripts and replace usage of + [ foo -a bar ] by [ foo ] && [ bar ] (closes: #203292). + + debian/slapd.postrm: Small cleanup, only remove the directory, not + the backups, on purge. + + debian/rules: Don't run the upstream install target if we did not + rebuild the whole tree. Makes debugging maintainer script much more + tolerable. + + debian/slapd.config: Cleaned up and restructured for readability. + + debian/slapd.templates: Replaced the invalid_suffix template with + invalid_config which is more general and can be used for any + inconsistency in the initial configuration. + + debian/slapd.postinst: Rewritten to eliminate all that spaghetti. + Did not yet implement all old features again... + - Now the #DEBHELPER# part is always reached so that the daemon + will be restarted even if no automatic configuration is wanted + (closes: #204008). + + Fixed the undefined symbols in libldap_r.so.2 (closes: #195990). + | configure.in: Try -lpthread before -pthread to link the thread + library. libtool does not pass -pthread through, -lpthread seems + to work though. + | libraries/libldap_r/Makefile.in: Add $(LTHREAD_LIBS) to + UNIX_LINK_LIBS so that pthread is linked when creating a shared library + as well. + + * Roland Bauerschmidt : + + debian/configure.options: change --localstatedir=/var/lib to + --localstatedir=/var/run. Since localstatedir isn't used anywhere + in the code, except for the ldapi socket (and examples in the + manpages which are correct at the moment anyway), all this change + does should be changing the default location of the ldapi socket + from /var/lib/ldapi to /var/run/ldapi. Closes: #160965. + + libraries/libldap/tls.c: In get_ca_list, walk through CACERTDIR + manually if building against GNUTLS (since there is no equivalent + to SSL_add_dir_cert_subjects_to_stack). Closes: #205609. + + debian/slapd.preinst: create /var/backups/ldap/$oldver with + permissions 0700. Also change permissions for /var/backups/ldap + to 0700 if it already exists. Closes: #209019. + + Added Japanese translation of Debconf templates by Kenshi Muto + . Closes: #210731. + + debian/slapd.{postinst,preinst,config}: Replaced duplicate + implementations of the same functions with one version and moved + those into debian/slapd.scripts-common which will be included by + debian/dh_installscripts-common. + + debian/slapd.preinst: before dumping the database, check if the + backend is supported + + debian/slapd.postinst: + - add -q to grep call for allow bind_v2 + - readded pre-2.1 (woody) upgrade path (that is, dumping, fixing + and reimporting the database) + + -- Roland Bauerschmidt Fri, 3 Oct 2003 15:35:29 +0200 + +openldap2 (2.1.22-1) unstable; urgency=low + + * Stephen Frost : + + New upstream version (minor changes). + + debian/control: Change build-deps to autoconf2.13, Closes: #201482 + + debian/rules: Add dh_compress -i for binary-indep. + + debian/slapd.postinst: Give variable for read (avoids bashism). + + configure/.in: Use upstream's version of back-meta/back-ldap fix. + + -- Stephen Frost Wed, 16 Jul 2003 08:42:23 -0400 + +openldap2 (2.1.21-2) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.preinst: slapcat here if possible, if slapcat not + available then slapcat in postinst. Also remove old unused + function. + + debian/slapd.postinst: Check if slapcat in preinst worked and use + those results in preference. Also moved to using /var/backups/ldap. + + servers/slapd/daemon.c: Provide more information on socket/bind + failures. Patch submitted upstream. Closes: #94967. + + ./configure, ./configure.in: Fix check for back_ldap in back_meta. + back_ldap now included as module. back_ldap and back_meta appear + to load fine, though order may matter. Closes: #196995. + + debian/control: Add versioned Depends on perl, need recent version + for migration script. + + debian/slapd.{pre,post}inst: Allow for whitespace in postinst + before database definitions + + debian/control: Drop the libldap2-dev Depends that aren't actually + necessary. + + debian/slapd.preinst: Add create_sed_script to create the script to + deal with multi-line commands in slapd.conf. Modify things to use + sed script to preprocess slapd.conf before using it. Remove + support for whitespace preceeding commands. + + debian/slapd.postinst: Add create_sed_script here too and modify + everything to use it as necessary. Also change everything to + reference $SLAPD_CONF instead of /etc/ldap/slapd.conf everywhere. + Remove support for whitespace preceeding commands. + + debian/slapd.postinst: Removed all tabs. Changed all sed scripts + to used [:space:] instead of [space tab]. + + debian/slapd.postinst: Removed debugging statements from ldap_v2 + support handling code. + + debian/slapd.preinst: Changed to use mktemp for sed script. + + debian/slapd.postinst: Changed to use mktemp for sed script. + + debian/slapd.config: If no hostname set just use debian.org. + + contrib/ldapc++/config.{sub,guess}: Resync back to upstream, no + reason not to, we don't even build this stuff... + + debian/control: Change build-depends to libgnutls7-dev instead of + libssl-dev. + + debian/rules: Now run autoconf && autoheader to pick up on the + configure.in changes needed for GNU TLS. + + debian/copyright: Added Steve Langasek (SL) copyright statement. + + Patch from Steve Langasek for GNU TLS support, Closes: #198553 + | include/ldap_pvt_gnutls.h: Added for GNU TLS + | configure.in: Now uses GNU TLS where available. + | servers/slapd/schema_init.c: Modified for GNU TLS- some functions + removed because GNU TLS layer does not support them yet. + | build/install-sh: Added for new autoconf. + | libraries/libldap/Makefile.in: Changed to compile GNU TLS portions. + | libraries/libldap/getdn.c: Stub function added, GNU TLS layer does + not support TLS certificates for authentication yet. + | libraries/libldap/tls.c: Now calls GNU TLS functions instead of + OpenSSL. + | libraries/libldap/gnutls.c: Added to support GNU TLS in place of + OpenSSL for TLS connections. + | libraries/libldap_r/Makefile.in: Changed to compile GNU TLS portions. + + debian/slapd.postinst: remove temp file if upgrading or doing a + reconfigure but the OLDSUFFIX and basedn match so that we do not + move an empty file overtop of slapd.conf. Closes: #190797. + + debian/slapd.init: Inform user when not starting slapd due to + no configuration file found. Deals with users who select to not + configure slapd during installation. + + debian/slapd.init: Removed cat <<-EOF and got rid of associated + tabs; best to not depend on tab vs. space distinction. + + debian/slapd.config: Change debconf question names to be fully + qualified in the $var from the for loop- organization is under + shared/ and domain is under slapd/, not both under slapd/. + + debian/slapd.postrm: Can not depend on debconf being around in + postrm so check before attempting to source it. Also protect + against failure from db_get. + + debian/slapd.postinst: Check for old directory and move it out + of the way if it exists on new configure or reconfigure. + + debian/slapd.postinst: Fix db_input's for error messages, + should be high priority and need to || true them. + + debian/slapd.postinst: Do not error exit once we've told the + user about the problem, if there was one, with slapcat/slapadd. + + debian/slapd.postinst: Make sure we get the organization before + we attempt to fix_ldif on old slapcat output. Default to unknown + if the organization is not set. + + debian/slapd.postinst: Be sure that slapd has been stopped before + attempting to fix and slapadd old slapcat. + + debian/slapd.postinst: Do not use --exec with s-s-d in postinst. + + debian/slapd.postinst: grep calls need to be || true'd when no + matching lines found is possible (this case is handled). + + debian/slapd.postinst: Be very sure slapd has stopped before + attempting to upgrade database. + + debian/slapd.preinst: Use either the pidfile or exec if pidfile + is not available when stopping. Do not put \"\" around pidfile. + Use $oldver instead of $2. + + debian/slapd.config: Reask questions on a reconfigure. Use the + same logic as slapd.postinst for when to ask questions regarding + the db. Be sure to db_go after db_input's. + + debian/slapd.templates: Fix allow_bind_v2 short description to + make more sense since the default is off. + + debian/slapd.preinst: Use perl instead of sed for handling conf. + + debian/slapd.postinst: Use perl instead of sed for handling conf, + use old sed method to insert \n's, user invoke-rc.d when slapd + needs to be stopped. Assume preinst shuts slapd down for upgrade. + + debian/slapd.postinst: Only stop slapd on reconfigure. + + * Torsten Landschoff : + + doc/man/man8/slapd.8: Refer to slapd.conf(5) for a description of + the debugging level (closes: #176980). + + debian/move_files: Kill of the static archives of our backend + modules as they are of absolutely no use. + + * Steve Langasek : + + debian/slapd.postinst: Add a new function, get_database_list, that + prints out the list of configured databases from slapd.conf + one row at a time. Move all of the upgrade handling into a + loop, and iterate through the configured databases. Since the + while loop is in fact a subshell, be sure to handle errors + correctly. We also have to look at the configured directory + for each database, instead of assuming /var/lib/ldap. + Closes: #190155, #190156. + + debian/slapd.preinst: Simplify the handling of error status: if + the slapcat fails, just remove the ldif file. Also, add the + suffix to the name of the output file, and add the + get_database_list function here as well. + + * Roland Bauerschmidt : + + debian/rules: call dh_makeshlibs with -plibldap2 rather than just + with libldap2 + + debian/slapd.postinst: Add question about no configuration. + + debian/slapd.templates: Add template for no config question. + + debian/slapd.templates: Add template for invalid suffix. + + debian/slapd.config: Add no configuration option. Closes: #87986 + + debian/slapd.config: Complain to the user on invalid domain/org. + + -- Stephen Frost Tue, 15 Jul 2003 12:37:05 -0400 + +openldap2 (2.1.21-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + * Stephen Frost : + + debian/control: Add libbind-dev and bind-dev to the conflicts for + slapd, the libs in them can end up being used even when not + compiled against causing getaddrinfo() to fail. Closes: #166777 + + debian/copyright: Flush out the copyright file to include all found + copyrights and updates to those. + + debian/copyright: Add clarification of MA license + + debian/copyright: Add clarification of JC license + + debian/slapd.templates: More clearly inform users of important + config change. Closes: #194192. + + debian/control: Remove patch from build-depends (dpkg-dev depends on it) + + debian/fix_ldif: Correctly handle base64-encoded DNs. Closes: #197014. + + debian/slapd.templates: Added templates for asking about LDAPv2 support + and telling the user of slapcat/slapadd failures during upgrade. + + debian/slapd.postinst: Added support for adding LDAPv2 support + + debian/slapd.postinst: Modified to handle slapcat/slapadd failure. + In the event of an upgrade failure the database will be left untouched + and the user notified. Closes: #192431 + + debian/slapd.postinst: Use ldif_dump_location in more places... + + debian/slapd.prerm: Check if upgrade failed and assume bad old init.d + script was used and attempt to shut down slapd with --oknodo in case + slapd isn't running. Closes: #193854. (Again) + + debian/slapd.conf: Add commented out allow line + + debian/rules: Tell dh_installinit to not touch slapd.prerm now. + + debian/slapd.postinst: Do a dry-run with slapadd first and check if + that worked or not. If it did not work then tell the user, otherwise + do a real slapadd which should work. + + debian/slapd.postinst: Make sure slapd is stopped before doing + slapadd/slapcat's and the like. (Note: The woody version does not + stop slapd). Closes: #189777. + + debian/slapd.postinst: Check if directories exist before attempting + to mkdir them. Closes: #189947 + + debian/slapd.README.debian: Add note about runlevel issue. + Closes: #175736 + + debian/move_files: Copy ldiftopasswd into /usr/share/slapd for users + to use, if they find it useful. Closes: #94963. + + debian/slapd.README.Debian: Added note about ldiftopasswd. + + * Roland Bauerschmidt : + + debian/slapd.postinst: fixed typos and check for the existence of + slapd.conf before reading it. + + -- Torsten Landschoff Thu, 19 Jun 2003 17:35:32 +0200 + +openldap2 (2.1.17-3) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.init: Add --oknodo for stopping slapd. Closes: #192423, #193854. + + debian/slapd.init: Change START_SLURPD to SLURPD_START. Closes: #190724. + + debian/libldap2.shlibs: Bump to 2.1.17- 2.1.12 never hit the archive. + These should only be bumped when new symbols are added so we should + figure out a way to handle checking that. + + debian/slapd.dirs: Added /var/run/slapd for pidfile + + debian/slapd.conf: Moved pidfile to /var/run/slapd; Needed if running + non-root. + + debian/slapd.conf: Clean up config file, be more explicit about what + directives are 'general', 'backend', and 'database'. Moved and + commented out 'replogfile' since it is database specific, wasn't doing + anything where it was and use of it depends on slurpd usage. + I consider this solving #151511 since we don't ask if you want to use + replication anymore anyway. Closes: #151511 + + debian/copy_slapd_dev_files: Added to copy the include files for + building slapd back-ends. + + debian/control: Add warning about libslapd2-dev + + debian/control: Add build-depend on po-debconf for dh_installdebconf + + debian/slapd.default: Add option for settings SLAPD_CONF file + + debian/slapd.init: Changed to use SLAPD_CONF, setting it to + /etc/ldap/slapd.conf if it is not specified. Closes: #91318 + + debian/control: Added libslapd2-dev to control file. Closes: #192163. + + debian/rules: Added binary-indep to the binary: build line and flushed + it out to build the libslapd2-dev deb. Added -k to dh_clean since we're + building arch and indep debs now. + + Maintainer upload, acknowledge NMU. Closes: #98039. + + Add debian/po/fr.po from 194740. Closes: #194740 + + Add space before ']' on line 113 of postinst. Closes: #194192, #194943 + + * Torsten Landschoff : + + debian/control: Enforce libldap2 to be the same version as slapd + as slapd (legitimately) uses internal functions of that library + (closes: #190164). + + debian/slapd.postinst: Fix the regexp for finding the database + definitions. + + * Steve Langasek : + + debian/slapd.preinst: don't use debconf or ldapsearch in the + preinst, as this is a policy violation (even if a previous + version was installed, it could've been removed-but-not-purged). + Closes: #189811, #195029. + + debian/slapd.{pre,post}inst: dump & fix up the directory in the + postinst, not in the preinst -- using slapcat/slapadd, not + ldapmodify. This ensures that the dump will succeed whenever the + database is present, rather than depending on access to an admin + dn. Closes: #190085. + + debian/fix_ldif, debian/move_files, debian/copyright: add Dave + Horsfall's dn-fixing script, to handle objectClass upgrading + + debian/slapd.postinst: Skip the duplicate prompting for the + organization name; we're guaranteed to always have one. + + -- Torsten Landschoff Fri, 6 Jun 2003 16:56:16 +0200 + +openldap2 (2.1.17-2) unstable; urgency=low + + * The who-says-slavery-is-dead upload. + * Steve Langasek : + + debian/slapd.postinst: Fix the database regexp. + + debian/slapd.postinst: Only add moduleload lines *once* on upgrade + from 2.0. Wrap the backup code with a check for + /var/lib/slapd/upgrade_2.0, to guarantee idempotency. + Closes: #190401. + + debian/slapd.{config,templates,postinst}: On dpkg-reconfigure, + don't wipe out an existing config; only merge in any requested + changes. Also, prompt before wiping out the existing db. + Closes: #190799. + + debian/slapd.{postinst,examples},debian/rules: Move slapd.conf + from doc/slapd/examples to /usr/share/slapd, per policy. + + debian/slapd.postinst: make sure slapd.conf is always created + atomically. + + debian/slapd.postrm: If removing databases on package purge, + remove any database backups as well. + + * Torsten Landschoff : + + debian/configure.options: Disable ACIs because they are still + experimental. + + debian/control: Change section and priority of libldap2-dev to + libdevel and extra respectively (dinstall message). + + debian/slapd.preinst: Only query the object classes of the root + dn if there was no error parsing the config. + + Update templates for po-debconf using the patch submitted by + Andre Luis Lopes (closes: #189933). + + Use [[:space:]] instead of [\t ] in sed invocations since the + latter does not seem to work (reported by Daniel Lutz). + + debian/control: Add Replaces: entry for openldapd since ldif.5.gz + was included in the potato package of that name (closes: #190660). + + debian/control: Tighten the build dependency on libtldl3-dev as + versions before 1.4.3 required the .la file for dynamic binding + (thanks to Josip Rodin for pointing this out). + + -- Torsten Landschoff Sat, 19 Apr 2003 02:28:32 +0200 + +openldap2 (2.1.17-1) unstable; urgency=low + + * New upstream release. + * Torsten Landschoff : + + debian/slapd.init: Improve the error reporting. If nothing is output + by the failing command don't leave the user alone but print a hint + to look into the logfile etc. + + debian/control: Require at least version 2.1.3 of libsasl2-dev + as this is what the configure script checks for. Pointed out by + Norbert Tretkowski. + + debian/slapd.{pre,post}inst: Small cleanups, added some comments, + adapted for the removal of the .la files in slapd package. + + -- Torsten Landschoff Sat, 19 Apr 2003 01:59:26 +0200 + +openldap2.1 (2.1.16-1) unstable; urgency=low + + * New upstream release. + + build/top.mk: Remove patch to omit "-static" at linking time. Upstream + now respects the --enable-shared flag used at configuration time. + + debian/slapd.postinst: Automagically add the module load directives + after upgrade as needed. + + debian/slapd.config: + - Only ask questions to create a new directory on fresh install. + - Ask wether the right modules should automatically be loaded in + slapd.conf. + + debian/slapd.templates: Add the templates for autoloading modules + and fixing the directory. + + debian/slapd.preinst: New script to support upgrading from 2.0. + The old prerm did not stop the daemon so we have to do it here. + Also a first attempt to fix broken LDAP directories not acceptable + to 2.1. + - Conditionally load debconf when upgrading as it only has to + be available in that case. + + debian/slapd.preinst: Dump database before upgrade. + + debian/slapd.postinst: Recreate database from dump after upgrade. + Move old database out of the way. + + * Roland Bauerschmidt + + debian/slapd.README.Debian: mention that backend database modules are + now compiled as shared objects + + * Stephen Frost + + debian/slapd.conf: Drop the '.la' file extension + + debian/move_files: Drop and rm the .la files, they aren't necessary. + + debian/slapd.README.Debian: Dropped the .la from the module_load line. + + servers/slapd/daemon.c: check slapd_srvurls is not NULL before + deref; included in upstream CVS. + + servers/slapd/back-*/init.c: Change the munged symbol names to + init_module, they do not need to be munged, and cause problems when + they are and not using .la files (which cause other problems) + + servers/slapd/module.c: Change to use lt_dlopenext() so we don't + need the .la files + + -- Torsten Landschoff Wed, 26 Mar 2003 20:34:35 +0100 + +openldap2.1 (2.1.12-1) experimental; urgency=low + + * Initial release of OpenLDAP 2.1 packages. Closes: #167566, #178014. + - this includes support for the >= and <= operators. Closes: #159078. + - fixes various upstream bugs. Closes: #171008. + + * Torsten Landschoff + - debian/check_config: Added script to check if OpenLDAP was configured + the way we want it. + - Don't build special TLS packages anymore - SSL is enabled in the + stock ldap library. Everything else will just give me more headaches. + - Build against libsasl2 instead of libsasl1. Closes: #176462. + - debian/control: + - Build-depend on debhelper 4.0 as debian/rules uses DH_COMPAT=4. + - Depend on coreutils | fileutils. Closes: #175704, #185676. + - Make libldap2 conflict with libldap2-tls which is obsolete now. + - debian/rules: Move the long list of configure options to a new + file debian/configure.options and read $(CONFIG) from that file. + - configure with --enable-aci. Closes: #101602. + - debian/slapd.init: Rewrite and add comments. + - Add support for running as non-root (closes: #111765, #157037). + - servers/slapd/main.c (main): Remove pid file on exit (closes: #162284). + - servers/slurpd/slurp.h: Change the default spool directory to + /var/spool/slurpd (avoids passing it via -t in init.d). + - servers/{slapd,slurpd}/Makefile.in: Install binaries into sbindir + instead of libexecdir. + - debian/control: Add Stephen Frost to the Uploaders field. Thanks + for your help, Stephen! + - contrib/ldapc++/config.{guess,sub}: Replaced with current files from + autotools-dev (lintian). Not actually neccessary since this part of + the package is not currently built but I think this is the best way + to shut up lintian :) + - build/mod.mk: Use -m 644 instead of -m 755 in installing shared + libraries. Shared libraries should not be marked as executable + (lintian). + - debian/libldap2.conffiles: Remove, since we are using version 4 + of debhelper which tags everything in /etc as conffile by default. + - debian/rules: Change the mode of everything upstream installed into + /etc to 0644 as required by policy (lintian). + - debian/rules: Call dh_installdeb later in the binary target so that + the conffiles are already there for listing. Without this nothing in + /etc gets tagged as conffile... (lintian). + - debian/rules: Pass the start and stop priority of slapd to + dh_installinit in preparation for a postinst supported by debhelper. + - debian/rules: Call dh_installdirs again. + - Rewrite slapd.config, slapd.postinst, slapd.templates - a first try + in getting slapd to configure itself. Way to go. + + * Roland Bauerschmidt + - debian/control: + - build-depend on libdb4.1-dev instead of libdb4.0-dev + - conflict, replace, and provide libldap2-tls (libldap2) + - removed ldap-gateways binary package + - drop suggestion to obsolete openldap-guide. Closes: #171894, #146968. + - debian/rules: + - build with BDB backend + - run dh_installdeb + - only run dh_makeshlibs for libldap2 + - debian/slapd.dirs: added to create /var/lib/ldap and /var/spool/slurpd + - debian/slapd.postinst: + - properly remove temporary files on errors. Closes: #160412. + - install init.d link if slapd.conf already exists. Closes: #159542. + - run db_stop even if package isn't configured for the first time. This + prevents hanging during upgrades. + - added debian/slapd.default and use it from debian/slapd.init. + Closes: #160964, #176832. + - added debian/slapd.README.Debian + - added versioned dependency on coreutils to make lintian quiet. + - added debian/slapd.postrm + - remove slapd.conf when package is purged + - remove /var/lib/ldap when slapd/purge_database is true + - remove /etc/ldap/schema if empty. Closes: #185173. + - debian/templates: added slapd/purge_database template + - build/top.mk: link against libcrypt before other SECURITY_LIBS + - debian/libldap2.shlibs: tighten dependencies. Closes: #181168. + + * Stephen Frost + - debian/control: added libltdl2-dev and libslp-dev to the build-depends + - Correct typo for back-sql init routine; already in OpenLDAP upstream + CVS + - Correct free of SASL interact results; already in OpenLDAP upstream CVS + - Duplicate the DN from SASL to ensure '\0' termination; already in + OpenLDAP upstream CVS + - debian/control: added Replaces: slapd (<< 2.1) for ldap-utils due to + ldif.5 move. + - Add modulepath /usr/lib/ldap to default slapd config + - Add moduleload back_bdb to default slapd config + - Changed libexecdir to ${prefix}/lib + - Add usr/lib/ldap to slapd portion of move_files + - Modified backend types to be built as modules for dynamic loading + - Fixed pt_BR translation + + -- Roland Bauerschmidt Sat, 15 Mar 2003 21:35:24 +0100 + +openldap2 (2.0.27-3) unstable; urgency=high + + * [SECURITY]: Apply the patch used by SuSE in SuSE-SA:2002:047 + (or rather the parts of it not yet included upstream). + + -- Torsten Landschoff Fri, 20 Dec 2002 04:47:15 +0100 + +openldap2 (2.0.27-2) unstable; urgency=low + + * debian/control: Make libldap2-dev depend on libssl-dev and + libsasl-dev, since those libs are pulled via the libldap.la file + (closes: #164791). + * debian/control: Add shlibs:Depends to libldap2-tls as well. Most + of those depends are pulled via libldap2 but of course libssl + is not among those. (closes: #169950). + * debian/libldap2-tls: Remove old divertions on "configure" and not + on "upgrade" - the latter is not really called. + + -- Torsten Landschoff Fri, 22 Nov 2002 00:35:29 +0100 + +openldap2 (2.0.27-1) unstable; urgency=low + + * New upstream release. + + -- Torsten Landschoff Wed, 6 Nov 2002 01:12:06 +0100 + +openldap2 (2.0.23-14) unstable; urgency=low + + * debian/rules: Remove search paths from .la files using some perl + trickery (closes: #110479). + * debian/libldap2.README.debian: Document the NSS problem which stops /usr + from being unmounted cleanly when using libnss-ldap (for more info + see bug#159771). + + * Started cleaning up the maintainer scripts: + - Remove creation of the /usr/doc symlinks (lintian). + - Don't run ldconfig in prerm scripts (lintian). + + -- Torsten Landschoff Mon, 30 Sep 2002 12:10:05 +0200 + +openldap2 (2.0.23-13) unstable; urgency=low + + * As Ashley Clark found out the preinst of libldap-tls fails for a new + install. My fault - I did not check that (removing ldap is cumbersome + if you are using it... :) and the scripts were only checked without + "set -e" in effect. + + debian/libldap2-tls.preinst: Apply Ashley's patch (thanks a lot, + Ashley. closes: #162123). + + Coincidently the other installation scripts seem to be okay, the + failing command is in the middle of a pipe and therefore ignored. + + -- Torsten Landschoff Tue, 24 Sep 2002 12:56:18 +0200 + +openldap2 (2.0.23-12) unstable; urgency=low + + * Apply the patch from upstream ITS#2012 to support MD5 hashes. Problem + is that OpenSSL comes with its own version of the crypt() function + which is linked in instead of the system's version from libcrypt. + The patch changes the link order so that slapd takes the system's + implementation. + * debian/rules: Pass --enable-crypt-first to configure to enable the + patch (closes: #160763). + * Fix the diversion handling of libldap2-tls: + - preinst: Only install diversions that are not there. + - postrm: Remove this package's diversions. + - postinst: Remove obsolete diversions after upgrade. + - Removal of diversions is done in reverted order of the installation. + + * Enable DNSSRV support as requested by Turbo. No Kerberos for now, sorry. + * debian/control: Updates Standards-Version to 3.5.7 and fix running + of ldconfig in maintainer scripts. + + -- Torsten Landschoff Mon, 23 Sep 2002 12:18:40 +0200 + +openldap2 (2.0.23-11) unstable; urgency=low + + * debian/rules: Build with --with-tls (closes: #80591, #155937). + * debian/control: + + Add build dependency on libssl-dev. + + Specify Roland Bauerschmidt as co maintainer. + * Added the trickery to have libldap2 without TLS and libldap2-tls + with the TLS stuff. Otherwise we have to change the base system, + and god knows how long that would take. + + Most of the changes done by Roland Bauerschmidt. We now build the + source two times - with and without ssl. We mostly use the ssl enabled + stuff with the exception of a libldap2 package which does not have + support for that. If you need TLS support you have to install + libldap2-tls, which diverts the libraries from libldap2 out of the + way and replaces them with the TLS enabled version. + + -- Torsten Landschoff Thu, 29 Aug 2002 13:35:39 +0200 + +openldap2 (2.0.23-10) unstable; urgency=low + + * debian/control: Build depend on libdb4.0-dev instead of libdb3-dev. + This should fix the index corruption problems (closes: #152959). + + -- Torsten Landschoff Sun, 18 Aug 2002 19:47:02 +0200 + +openldap2 (2.0.23-9) unstable; urgency=low + + * debian/slapd.init: Wait for the daemons to actually terminate for + the stop action (which is used for restart) and trap all errors + (closes: #148033). + * debian/rules: Build with -D_FILE_OFFSET_BITS=64 to support files + bigger than 2GB on all architectures (closes: #155197). As off_t is + about never used in the source that should not create any problems. + * debian/control: Make libldap2-dev depend on libsasl-dev + (closes: #135223, #96957). + * doc/man/man1/ldapmodify.1: Fix typo (closes: #105905). + * debian/rules: Create symlinks for some manpages (closes: #99547). + * Fix spelling error in description of ldap-gateways (closes: #124859). + * debian/copyright: Include the full content of the LICENSE file + (closes: #151222). + + -- Torsten Landschoff Thu, 8 Aug 2002 15:54:46 +0200 + +openldap2 (2.0.23-8) unstable; urgency=low + + * New maintainer. + * debian/control: Build-Conflict with libbind-dev to use the right + resolver library everywhere (closes: #112459). Of course, the + real solution must be to fix the configure script to not detect + libbind-dev and use the right resolver all the time. But a work around + is better than nothing I would say... + + -- Torsten Landschoff Wed, 7 Aug 2002 14:53:39 +0200 + +openldap2 (2.0.23-7) unstable; urgency=low + + * Add Brazilian translation for debconf templates. Closes: Bug#114021 + * Fix hostless LDAP URLs, patch from Lamont Jones. Closes: Bug#140387 + + -- Wichert Akkerman Sat, 4 May 2002 20:05:32 +0200 + +openldap2 (2.0.23-6) unstable; urgency=high + + * Make slapd.config idempotent, so that calling it once (during + preconfiguration) and again (during postinst) doesn't break things. + Patch from Anthony Towns. Closes: Bug#137552). + + -- Wichert Akkerman Sun, 14 Apr 2002 19:10:50 +0200 + +openldap2 (2.0.23-5) unstable; urgency=high + + * Fix slurpd invocation in slapd.init. Closes: Bug#141959 + * Ask for admin DN when using LDIF initialization as well. + Lets hope this finally Closes: Bug#137552 + * Merge German translation for debconf templates. Closes: Bug#141712 + * Add Build-Depends on debconf-utils since we use debconf-mergetemplate + * Remove bogus error from slapd.init. Closes: Bug#137718 + + -- Wichert Akkerman Tue, 9 Apr 2002 14:49:27 +0200 + +openldap2 (2.0.23-4) unstable; urgency=high + + * Only show already-configured note on initial installs. Closes: Bug#137100 + * Supply -t option to slurpd when starting it, not when stopping it. + Closes: Bug#136240 + * Use db_input instead of db_get for notes in the slapd postinst. + * Only fetch password from debconf when not using ldif initialization. + Closes: Bug#138558,#137552 + * Check if slapd.conf exists in slapd postinst. Closes: Bug#138136 + + -- Wichert Akkerman Sat, 6 Apr 2002 23:02:42 +0200 + +openldap2 (2.0.23-3) unstable; urgency=high + + * If can not get a password for the admin entry when installing slapd + generate one randomly. Closes: Bug#134774 + * Bump shlibs dependency to 2.0.23 + + -- Wichert Akkerman Thu, 21 Feb 2002 23:23:57 +0100 + +openldap2 (2.0.23-2) unstable; urgency=high + + * Create /var/spool/slurpd and tell slurpd to use that as temporary + directory. Closes: Bug#134564 + * Improve debconf prompts a bit. Closes: Bug#134945 + * Properly set default value for domain + * Clear crypted password from debconf after creating the LDAP directory + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.23-1) unstable; urgency=high + + * Upstream updated config.{guess,sub} so we are back to zero patches + again. + * Apply fix from Klaus Duscher for the missing password problem: the + config script did not check if it was run twice without slapd.conf + being generated in between and would abort with a missing password + error. Closes: Bug#132566 + * Change slapd priority for boot sequence to start earlier and stop + later so people can use LDAP for NSS purposes. Closes: Bug#130277 + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.22-2) unstable; urgency=low + + * Update config.{guess,sub} again. Closes: Bug#131469 + + -- Wichert Akkerman Thu, 7 Feb 2002 22:33:01 +0100 + +openldap2 (2.0.22-1) unstable; urgency=low + + * New upstream version + * Build properly as non-native package + + -- Wichert Akkerman Wed, 6 Feb 2002 00:17:20 +0100 + +openldap2 (2.0.21-3) unstable; urgency=high + + * Add logic to config and postinst to configure replication as well + * Don't fail in slapd postinst if we can't stop slapd. Closes: Bug#131617 + * Change localstatedir to /var/lib + * Remove /var/lib/ldap when purging slapd + * Don't remove user-supplied ldif file after creating the directory + * Set default replogfile + * Fix typo in severity for no_password note + * Encrypt admin password and remove it from the debconf database + + -- Wichert Akkerman Thu, 31 Jan 2002 17:03:36 +0100 + +openldap2 (2.0.21-2) unstable; urgency=medium + + * Update config.{guess,sub} and forwarded upstream (ITS#1567). + Closes: Bug#131469 + * Remove -x from slapd postinst. Closes: Bug#131502 + + -- Wichert Akkerman Wed, 30 Jan 2002 10:53:45 +0100 + +openldap2 (2.0.21-1) unstable; urgency=high + + * New upstream version, + * Update copyright + * Update config.guess and config.sub + * Redone packaging, no more dbs or debhelper + * Drop all patches, they are either unnecessary or alternatives have + been made upstream + + -- Wichert Akkerman Tue, 29 Jan 2002 17:04:10 +0100 + +openldap2 (2.0.14-1) unstable; urgency=high + + * New upstream version, which includes a billion second bug. + Closes: Bug#111833 + * Drop 005_libldbm_dbopen, upgrading the database in place no longer works + with the new db-env code. + * Redo 008_porting_maxpathlen + + -- Wichert Akkerman Sat, 15 Sep 2001 13:39:46 +0200 + +openldap2 (2.0.11-2) unstable; urgency=low + + * Test if /etc/init.d/slapd is executable when purging slapd. + Closes: Bug#100938 + * Update 008_porting_maxpathlen. Closes: Bug#100584 + * Don't use four11 as referral example anymore. Closes: Bug#99998 + * Fix synopsis of slapindex manpage. Added to 002_man_fixes. + Closes: Bug#98805 + * Removed stray backup file from 002_man_fixes + + -- Wichert Akkerman Tue, 19 Jun 2001 01:01:17 +0200 + +openldap2 (2.0.11-1) unstable; urgency=low + + * New upstream version + * Add autoconf to Build-Depends. Closes: Bug#99440 + * Fix new db upgrade patch. Closes: Bug#98853 + + -- Wichert Akkerman Sun, 3 Jun 2001 00:25:47 +0200 + +openldap2 (2.0.10-2) unstable; urgency=low + + * Tighten shlibs dependency to >= 2.0.1-1. Closes: Bug#98683 + + -- Wichert Akkerman Fri, 25 May 2001 16:32:35 +0200 + +openldap2 (2.0.10-1) unstable; urgency=low + + * New upstream version + * New maintainer + * Remove useless LINE_WIDTH bit from patch 000_clients + * Patch 004_ssl_fix has been merged upstream, removed + * Redo 005_db3_upgrade + * Rediff all other patches + + -- Wichert Akkerman Thu, 24 May 2001 14:56:02 +0200 + +openldap2 (2.0.7-6) unstable; urgency=low + + * Make sure autoconf is run if configure.in is changed (for Hurd patch), + closes: #96145 + * Fix slapd.postinst in the case of using an ldif file, closes: #95600 + * Use a var for slapd.conf in slapd init script. Partially fixes bug + 91318. + * Fixed hurd patch for strrchr in replog.c, closes: #93605 + + -- Ben Collins Mon, 7 May 2001 23:00:27 -0400 + +openldap2 (2.0.7-5) unstable; urgency=low + + * Fixed db3 upgrade code, closes: #92331, #92916 + * m68k should compile fine with db3 now, closes: #90165 + * Included provided patch for Hurd compilation, closes: #88079 + + -- Ben Collins Wed, 4 Apr 2001 17:46:47 -0400 + +openldap2 (2.0.7-4) unstable; urgency=low + + * slapd.conf is no longer a conffile, and not provided by the package. + Instead, it is only generated. closes: #81359 + * Fixed by previous upload, closes: #71852, #78950, #82491 + * Actually install the netscape schema, closes: #90323 + * Add comment to README.Debian about being compiled with libwrap, + closes: #84954 + * Provide example sasl config file, closes: #90855 + * Conflict replace openldap-utils (ldap-utils), and libopenldap-dev + (libldap2-dev), closes: #71471 + * Revert to using some code to upgrade previous db's. Remove slapd's dep + on db3-util, and remove postinst code that upgrades the db's. + + -- Ben Collins Sat, 24 Mar 2001 21:59:20 -0500 + +openldap2 (2.0.7-3) unstable; urgency=low + + * netscape-profile.schema: new schema for old roaming support + * 004_ssl_fix.diff: Fix for SSL support (not compiled in, but some + people use it). + * slapd.config: FINALLY fix the "dc=" base bug. + * Build-Depend on libdb3-dev now that it is available. + * Now that we use db3, make sure we upgrade existing databases to the + db3 format with db3_upgrade. + + -- Ben Collins Sun, 11 Mar 2001 23:36:34 -0500 + +openldap2 (2.0.7-2) unstable; urgency=low + + * slapd.postinst: fix debhelper wraper so it gets the right @argv, + closes: #71854 + * sendmail appears to be compiled against glibc2.2/libdb2 now, + closes: #71602 + * %strace ldapsearch cn=admin | & grep /etc | grep ldap + open("/etc/ldap/ldap.conf", O_RDONLY) = 3 + closes: #71716 + * ldap_first_attribute.3: s/ber_free(3)/ber_free/. closes: #76719 + * init.d/slapd: fix reference to pidfile, and also remove the pidfile + after killing the daemon, closes: #77633, #77635 + * Fix fgets buffer size thinko in slurpd. closes: #78003 + * slapd.8: s/ldap.h/slapd.conf(5)/. closes: #80457 + + -- Ben Collins Sun, 31 Dec 2000 00:02:46 -0500 + +openldap2 (2.0.7-1) unstable; urgency=low + + * New upstream + * Removed hack for shlibs now that dpkg 1.7 is available, added dpkg-dev + 1.7.1 to build-depends. + * start using DH_COMPAT=2 + + -- Ben Collins Fri, 10 Nov 2000 18:53:25 -0500 + +openldap2 (2.0.2-2) unstable; urgency=low + + * Recompile against libdb2/glibc 2.1.94/sasl + + -- Ben Collins Wed, 27 Sep 2000 11:31:59 -0400 + +openldap2 (2.0.2-1) unstable; urgency=low + + * New upstream version, includes some patches from me that fix some + stability issues + * debian/control:Build-Depends: change libwrap-dev to libwrap0-dev for + clarity, closes: #71366 + * debian/rules: make sure mail500 docs do not get installed under bogus + subdirs, closes: #71473 + * debian/README.build,debian/scripts/dbs-build.mk: Fix and document + build system better, closes: #71584 + * debian/local/slapd.conf: Setup default ACL's to work with openldap2 + correctly, closes: #71127, #71131 + * debian/README: document how to access OpenLDAP 1 servers via + ldap-utils, closes: #71469 + * debian/rules:CFLAGS: add -I/usr/include/db2 to make sure we get the + right header, closes: #71470 + * I cannot reproduce this. In debian/rules I have done exactly what is + needed to keep it from happening, and sparc, i386 and powerpc builds + do not show it, closes: #71472 + + -- Ben Collins Wed, 13 Sep 2000 22:32:35 -0400 + +openldap2 (2.0.1-2) unstable; urgency=low + + * Fixed up depend for libldap2 on itself + + -- Ben Collins Wed, 6 Sep 2000 13:24:06 -0400 + +openldap2 (2.0.1-1) unstable; urgency=low + + * New upstream version + * Added libsasl-dev to build-deps, closes: #70923 + + -- Ben Collins Tue, 5 Sep 2000 06:49:05 -0400 + +openldap2 (2.0-1) unstable; urgency=low + + * Initial release of OpenLDAP 2 test code + + -- Ben Collins Tue, 29 Aug 2000 14:28:39 -0400 --- openldap-2.4.23.orig/debian/slapd.prerm +++ openldap-2.4.23/debian/slapd.prerm @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +#DEBHELPER# + +exit 0 + +# vim: set foldmethod=marker: --- openldap-2.4.23.orig/debian/libldap-2.4-2.links +++ openldap-2.4.23/debian/libldap-2.4-2.links @@ -0,0 +1 @@ +usr/lib/libldap_r-2.4.so.2 usr/lib/libldap-2.4.so.2 --- openldap-2.4.23.orig/debian/slapd.README.Debian +++ openldap-2.4.23/debian/slapd.README.Debian @@ -0,0 +1,198 @@ +Notes about Debian's slapd package +---------------------------------- + + Please see the bottom of this file for the ways in which the Debian + OpenLDAP packages differ from the upstream OpenLDAP releases. Please + report any bugs that may be related to those changes to Debian via + reportbug and not to upstream; upstream is not responsible for changes + made in the Debian package. + +Using BDB/HDB Backends + + HDB is the recommended database backend. It's the same as BDB but + allows some additional operations. + + slapd BDB and HDB backends rely on libdb to store data on your disks. + libdb uses a configuration file to tune database specific + parameters. This file is called DB_CONFIG, and should be created in each + directory containing one of your ldap databases, usually /var/lib/ldap. + + It is VERY IMPORTANT to correctly setup a DB_CONFIG file. It is not + just a matter of performance: depending on the version of slapd and + libdb being used, your slapd may just hang and stop answering queries. + + To correctly set up your DB_CONFIG file, please refer to + README.DB_CONFIG.gz in this directory. + +BerkeleyDB Version + + slapd has been built against version 4.2 of BerkeleyDB. This version is + faster and more stable than later versions for the use to which OpenLDAP + puts it. There are remaining performance problems with BerkeleyDB 4.6 + that have not yet been resolved, but it looks likely that eventually + slapd will be able to use 4.6. All intermediate versions (4.3 through + 4.5) either had serious stability bugs or serious performance issues. + + slapd will automatically handle database recovery, so you generally do + not need the BerkeleyDB 4.2 utilities. However, if you want to perform + other operations directly on the raw database without using the slapd + tools, install db4.2-util and use those BerkeleyDB utilities. Utilities + from other db*-util packages will not work correctly and may render the + database unusable by slapd. + +Logging + + slapd logs to the facility local4. If you want to direct slapd's logs to + a separate log file, add a line like: + + local4.debug /var/log/slapd.log + + to /etc/syslog.conf. You may also want to add ";local4.none" to the + catch-all entry that logs to /var/log/messages so that it doesn't + continue to receive slapd logs. + +SASL Configuration + + To enable GSSAPI (Kerberos) authentication to slapd, install either the + libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal packages + depending on which Kerberos implementation you want to use. + + SASL configuration files may be placed either in /usr/lib/sasl2 (the + standard path, but not a great place for configuration files) or in + /etc/ldap/sasl2. A SASL configuration file should be named after the + program that will use it. So, for instance, to configure SASL for + slapd, create a file named slapd.conf in /etc/ldap/sasl2 or in + /usr/lib/sasl2. + +TCP Wrappers + + The Debian slapd package is compiled with TCP wrappers. This means that + you are able to restrict access to the LDAP server using /etc/hosts.deny + or /etc/hosts.allow. + +Running slapd under a Different UID/GID + + By default, slapd runs as openldap in the openldap group. Keeping the + default is easiest. If for some reason you need to run slapd as a + different user: + + - Create the user/group for slapd -- usually: + + adduser --system --group --disabled-login + + - Stop slapd: + + /etc/init.d/slapd stop + + - Tell slapd to run under a different UID by editing /etc/default/slapd + and setting SLAPD_USER and SLAPD_GROUP. (For example, + SLAPD_USER="ldap", SLAPD_GROUP="ldap") + + - Tell linux slapd can access all database files -- usually: + + chown -R : /var/lib/ldap + + - Tell linux slapd can access configuration files -- usually: + + chgrp -R /etc/ldap/slapd.d + chmod -R g+rX /etc/ldap/slapd.d + + - Tell linux slapd can access /var/run/slapd and write a PID file: + + chgrp /var/run/slapd + chmod 0770 /var/run/slapd + + - Start slapd -- /etc/init.d/slapd start + + Once you have done so, remember to always run any utilities that access + or update the database (such as slapadd) as the same user that slapd is + running as. If you forget, you will need to redo the chown noted above. + +If slapd Depends on Other Service + + In the event that you are running slapd with a different back-end module + that depends on other programs (such as an SQL database) you may need to + adjust the runlevels of slapd to start after the SQL database. + +Creating NSS Flat Files from LDAP + + If you have need to create passwd/shadow/etc files from an LDAP + directory there is now a script included with these Debian packages + which may help you. The script is in /usr/share/slapd/ and is named + ldiftopasswd. In general you should be able to do: + + ldapsearch | ldiftopasswd + + and it will generate the files for you. You will need appropriate + privileges, of course, and appropriate arguments to ldapsearch. + +Modifications Compared to Upstream + + Compared to stock OpenLDAP as shipped by the OpenLDAP project, the + Debian packages make the following modifications. If you see any + problems caused by or related to these modifications, please report them + via the Debian bug tracking system using reportbug, not to the OpenLDAP + project. + + * The only LDAP library installed is libldap_r, which in the upstream + release is only used for slapd, and libldap is a symlink to it. This + library has thread safety for use with slapd, but that thread safety + is not checked for any application other than slapd by upstream. + Upstream does not support using libldap_r for programs other than + slapd. The current library installation strategy in the Debian + packages is an attempt to deal with problems caused by symbol + conflicts between libldap and libldap_r when both are pulled in by the + same process (most commonly by libnss-ldap) and the number of packages + that use libldap in threaded code expecting thread safety. + + * libldap and libber have symbol versioning added to prevent problems + during partial upgrades from older versions of the libraries. + + * slapindex has been patched to warn when run as root and the man page + has been patched to notify users that slapindex should be run as the + user slapd runs as. There is some upstream discussion of a better + fix. + + * slapd is configured to look in /etc/ldap/sasl2 in addition to + /usr/lib/sasl2 for SASL configuration files. + + * libldap has been patched to work around what may be a bug in GnuTLS in + calculating the length of subjectAltName in TLS certificates. See + . + + * The libldap library is patched to add two functions used by + evolution-exchange for NTLM authentication to Active Directory. See + . + + * Several paths have been adjusted to fit Debian file permissions and + for Filesystem Hierarchy Standard compliance, namely: + - The ldapi socket is in /var/run/slapd + - The slapi error log has been moved to /var/log/slapi-errors + - The slapd database location is /var/lib/ldap + + In addition, upstream patches from CVS may be applied to fix bugs in the + current release and will not be noted here unless they're not expected + to be in the next release. + + Finally, note that the Debian OpenLDAP packages have been compiled + against GnuTLS instead of OpenSSL to avoid licensing problems for + GPL-covered packages that use the LDAP libraries. This is a supported + configuration, but it's not widely used outside of Debian. + + For the exact patches applied to the upstream source and references to + the relevant upstream ITS numbers, Debian bugs, and upstream + synchronization status, see the debian/patches directory in the + openldap source package. + + -- Russ Allbery , Thu, 14 Feb 2008 18:47:07 -0800 + +Apparmor Profile +---------------- + + If your system uses AppArmor, please note that the shipped enforcing profile + works with the default installation, and changes in your configuration may + require changes to the installed apparmor profile. Please see + https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this + software. + + -- Jamie Strandboge , Mon, 4 Feb 2008 21:18:21 -0500 --- openldap-2.4.23.orig/debian/libldap-2.4-2.manpages +++ openldap-2.4.23/debian/libldap-2.4-2.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man5/ldap.conf.5 --- openldap-2.4.23.orig/debian/libldap-2.4-2.shlibs +++ openldap-2.4.23/debian/libldap-2.4-2.shlibs @@ -0,0 +1,3 @@ +liblber-2.4 2 libldap-2.4-2 (>= 2.4.7) +libldap-2.4 2 libldap-2.4-2 (>= 2.4.7) +libldap_r-2.4 2 libldap-2.4-2 (>= 2.4.7) --- openldap-2.4.23.orig/debian/dh_installscripts-common +++ openldap-2.4.23/debian/dh_installscripts-common @@ -0,0 +1,22 @@ +#!/usr/bin/perl -w + +use strict; +use Debian::Debhelper::Dh_Lib; + +init(); + +foreach my $package (@{$dh{DOPACKAGES}}) { + my $tmp=tmpdir($package); + my $ext=pkgext($package); + + if (! -d "$tmp/DEBIAN") { + next; + } + + foreach my $file (qw{postinst preinst prerm postrm config}) { + my $f="$tmp/DEBIAN/$file"; + if ($f) { + complex_doit("perl -pe 's~#SCRIPTSCOMMON#~qx{cat debian/${ext}scripts-common}~eg' -i $f"); + } + } +} --- openldap-2.4.23.orig/debian/slapd.ufw.profile +++ openldap-2.4.23/debian/slapd.ufw.profile @@ -0,0 +1,9 @@ +[OpenLDAP LDAP] +title=OpenLDAP with TLS +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=389/tcp + +[OpenLDAP LDAPS] +title=OpenLDAP over SSL +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=636/tcp --- openldap-2.4.23.orig/debian/libldap2-dev.dirs +++ openldap-2.4.23/debian/libldap2-dev.dirs @@ -0,0 +1,3 @@ +usr/lib +usr/include +usr/share/man --- openldap-2.4.23.orig/debian/control +++ openldap-2.4.23/debian/control @@ -0,0 +1,103 @@ +Source: openldap +Section: net +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian OpenLDAP Maintainers +Uploaders: Roland Bauerschmidt , + Stephen Frost , + Steve Langasek , + Torsten Landschoff , + Matthijs Mohlmann , + Russ Allbery +Build-Depends: debhelper (>= 7.4.20ubuntu5), libdb4.8-dev (>= 4.8.30), libgcrypt-dev, + libgnutls-dev (>= 1.7), unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0), + libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3), libkrb5-dev, + libwrap0-dev, perl, debconf-utils, po-debconf, quilt (>= 0.40), + autotools-dev, libtool, automake, autoconf, groff-base, time, + hardening-wrapper +Build-Conflicts: libbind-dev, bind-dev, libicu-dev +Standards-Version: 3.9.0 +Homepage: http://www.openldap.org/ +Vcs-Svn: svn://svn.debian.org/pkg-openldap/openldap/trunk +Vcs-Browser: http://svn.debian.org/wsvn/pkg-openldap/openldap/trunk + +Package: slapd +Section: net +Priority: optional +Architecture: any +Pre-Depends: debconf (>= 0.5) | debconf-2.0 +Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), + coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, + adduser, ${misc:Depends}, libdb4.8 (>= 4.8.30) +Recommends: libsasl2-modules +Suggests: ldap-utils, ufw +Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1) +Replaces: libldap2, ldap-utils (<< 2.2.23-3) +Provides: ldap-server, ${slapd:Provides} +Description: OpenLDAP server (slapd) + This is the OpenLDAP (Lightweight Directory Access Protocol) server + (slapd). The server can be used to provide a standalone directory + service. + +Package: ldap-utils +Section: net +Priority: optional +Architecture: any +Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Recommends: libsasl2-modules +Conflicts: umich-ldap-utils, openldap-utils, ldap-client +Replaces: openldap-utils, slapd (<< 2.2.23-0.pre6), openldapd +Provides: ldap-client, openldap-utils +Description: OpenLDAP utilities + This package provides utilities from the OpenLDAP (Lightweight + Directory Access Protocol) package. These utilities can access a + local or remote LDAP server and contain all the client programs + required to access LDAP servers. + +Package: libldap-2.4-2 +Section: libs +Priority: standard +Architecture: any +Conflicts: ldap-utils (<= 2.1.23-1) +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libldap2, libldap-2.3-0 +Description: OpenLDAP libraries + These are the run-time libraries for the OpenLDAP (Lightweight Directory + Access Protocol) servers and clients. + +Package: libldap-2.4-2-dbg +Section: debug +Priority: extra +Architecture: any +Depends: libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Description: Debugging information for OpenLDAP libraries + This package provides detached debugging information for the OpenLDAP + (Lightweight Directory Access Protocol) libraries. It is useful + primarily to permit better backtraces and crash dump analysis after + problems with the libraries. GDB will find this debug information + automatically. + +Package: libldap2-dev +Section: libdevel +Priority: extra +Architecture: any +Conflicts: libldap-dev, libopenldap-dev +Replaces: libopenldap-dev +Provides: libldap-dev +Depends: libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Description: OpenLDAP development libraries + This package allows development of LDAP applications using the OpenLDAP + libraries. It includes headers, libraries and links to allow static and + dynamic linking. + +Package: slapd-dbg +Section: debug +Priority: extra +Architecture: any +Depends: slapd (= ${binary:Version}), ${misc:Depends} +Description: Debugging information for the OpenLDAP server (slapd) + This package provides detached debugging information for the OpenLDAP + (Lightweight Directory Access Protocol) server (slapd). It is useful + primarily to permit better backtraces and crash dump analysis after + problems with the libraries. GDB will find this debug information + automatically. --- openldap-2.4.23.orig/debian/slapd.scripts-common +++ openldap-2.4.23/debian/slapd.scripts-common @@ -0,0 +1,586 @@ +# -*- sh -*- +# This file can be included with #SCRIPTSCOMMON# + + +# ===== Dumping and reloading using LDIF files ========================= {{{ +# +# If incompatible changes are done to the database underlying a LDAP +# directory we need to dump the contents and reload the data into a newly +# created database after the new server was installed. The following +# functions deal with this functionality. + + +# ----- Configuration of this component -------------------------------- {{{ +# +# Dumping the database can have negative effects on the system we are +# running on. If there is a lot of data dumping it might fill a partition +# for example. Therefore we must give the user exact control over what we +# are doing. + +database_dumping_enabled() { # {{{ +# Check if the user has enabled database dumping for the current situation. +# Return success if yes. +# Usage: if database_dumping_enabled; then ... fi + + db_get slapd/dump_database + case "$RET" in + always) + ;; + "when needed") + database_format_changed || return 1 + ;; + never) + return 1 + ;; + *) + echo >&2 "Unknown value for slapd/dump_database: $RET" + echo >&2 "Please report!" + exit 1 + ;; + esac +} + +# }}} +database_format_changed() { # {{{ +# Check if the database format has changed since the old installed version +# Return success if yes. +# Usage: if database_format_changed; then + + if dpkg --compare-versions "$OLD_VERSION" lt-nl 2.4.23-0ubuntu3; then + return 0 + else + return 1 + fi +} + +# }}} +database_dumping_destdir() { # {{{ +# Figure out the directory we are dumping the database to and create it +# if it does not exist. +# Usage: destdir=`database_dumping_destdir` + + local dir + db_get slapd/dump_database_destdir + dir=`echo "$RET"|sed -e "s/VERSION/$OLD_VERSION/"` + mkdir -p -m 700 "$dir" + echo $dir +} + +# }}} +create_new_user() { # {{{ + if [ -z "`getent group openldap`" ]; then + addgroup --quiet --system openldap + fi + if [ -z "`getent passwd openldap`" ]; then + echo -n " Creating new user openldap... " >&2 + adduser --quiet --system --home /nonexistent --shell /bin/false \ + --ingroup openldap --disabled-password --disabled-login \ + --no-create-home \ + --gecos "OpenLDAP Server Account" openldap + echo "done." >&2 + fi +} +# }}} +update_permissions() { # {{{ + dir="$1" + [ -z "${SLAPD_USER}" ] || chown -R "${SLAPD_USER}" "${dir}" + [ -z "${SLAPD_GROUP}" ] || chgrp -R "${SLAPD_GROUP}" "${dir}" + chmod -R u=rwX,g=rX,o-rwx "${dir}" +} +# }}} +update_databases_permissions() { # {{{ + for suffix in `get_suffix`; do + dbdir=`get_directory $suffix` + update_permissions "$dbdir" + done +} +# }}} +# }}} +# ----- Dumping and loading the data ------------------------------------ {{{ + +dump_databases() { # {{{ +# If the user wants us to dump the databases they are dumped to the +# configured directory. + + local db suffix file dir failed slapcat_opts + + database_dumping_enabled || return 0 + + dir=`database_dumping_destdir` + echo >&2 " Dumping to $dir: " + for suffix in `get_suffix`; do + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + # Need to support slapd.d migration from preinst + if [ -f "${SLAPD_CONF}" ]; then + slapcat_opts="-f ${SLAPD_CONF}" + else + slapcat_opts="-F ${SLAPD_CONF}" + fi + slapcat ${slapcat_opts} -b "$suffix" > "$file" || failed=1 + if [ "$failed" ]; then + rm -f "$file" + echo failed. >&2 + exit 1 + fi + echo "done." >&2 + done +} + +# }}} +load_databases() { # {{{ + local dir file db dbdir backupdir + + dir=`database_dumping_destdir` + echo >&2 " Loading from $dir: " + for suffix in `get_suffix`; do + dbdir=`get_directory $suffix` + if ! is_empty_dir "$dbdir"; then + echo >&2 \ + " Directory $dbdir for $suffix not empty, aborting." + exit 1 + fi + + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + + # If there is an old DB_CONFIG file, restore it before + # running slapadd + backupdir=`compute_backup_path -n "$dbdir" "$suffix"` + if [ -e "$backupdir"/DB_CONFIG ]; then + cp -a "$backupdir"/DB_CONFIG "$dbdir"/ + else + copy_example_DB_CONFIG "$dbdir"/ + fi + + if [ -f "${SLAPD_CONF}" ]; then + slapadd_opts="-f ${SLAPD_CONF}" + else + slapadd_opts="-F ${SLAPD_CONF}" + fi + capture_diagnostics slapadd ${slapadd_opts} \ + -q -b "$suffix" -l "$file" || failed=1 + if [ "$failed" ]; then + rm -f "$dbdir"/* + echo failed. >&2 + echo >&2 + cat <<-EOF + Loading the database from the LDIF dump failed with the following + error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + echo "done." >&2 + + if [ -n "$SLAPD_USER" ] || [ -n "$SLAPD_GROUP" ]; then + echo -n " - chowning database directory ($SLAPD_USER:$SLAPD_GROUP)... " + [ -z "$SLAPD_USER" ] || \ + chown -R "$SLAPD_USER" "$dbdir" + [ -z "$SLAPD_GROUP" ] || \ + chgrp -R "$SLAPD_GROUP" "$dbdir" + echo "done"; + fi + done +} + +# }}} +move_incompatible_databases_away() { # {{{ + echo >&2 " Moving old database directories to /var/backups:" + for suffix in `get_suffix`; do + dbdir=`get_directory $suffix` + move_old_database_away "$dbdir" "$suffix" + done +} + +# }}} +# }}} + +# {{{ +# The following two functions need to support slapd.conf installations +# as long as upgrading from slapd.conf environment is supported. +# They're used to dump database in preinst which may have a slapd.conf file. +get_suffix() { + if [ -f "${SLAPD_CONF}" ]; then + for f in `get_all_slapd_conf_files`; do + grep '^suffix ' ${f} | sed 's/^suffix[[:space:]]\+\(.\+\)/\1/' | sed 's/"//g' + done + else + grep -h olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase* | cut -d: -f 2 + fi +} +# }}} +get_directory() { # {{{ +# Returns the db directory for a given suffix + if [ -d "${SLAPD_CONF}" ] && echo `get_suffix` | grep -q "$1" ; then + grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*` | cut -d: -f 2 | sed 's/^ *//g' + elif [ -f "${SLAPD_CONF}" ]; then + # Extract the directory for the given suffix ($1) + for f in `get_all_slapd_conf_files`; do + awk ' BEGIN { DB=0; SUF=""; DIR="" } ; + /^database/ { DB=1; SUF=""; DIR="" } ; + DB==1 && /^suffix[ \t]+"?'$1'"?$/ { SUF=$2 ; } ; + DB==1 && /^directory/ { DIR=$2 ;} ; + DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" + done + else + return 1 + fi +} +# }}} +# Returns the list of all the config files: slapd.conf and included files. +get_all_slapd_conf_files() { + echo ${SLAPD_CONF} + awk ' +BEGIN { I=0 } +/^include/ { + sub(/include/," "); + I=1; +} +I==1 && /^[ \t]+/ { + split($0,F) ; + for (f in F) + if (!match(F[f],/schema/)) { + print F[f] + } ; + next; +} +I==1 { I=0 } +' ${SLAPD_CONF} +} +# }}} + +# }}} + + +compute_backup_path() { # {{{ +# Compute the path to backup a database directory +# Usage: compute_backup_path [-n] + +# XXX: should ask the user via debconf + + local dirname basedn ok_exists + if [ "$1" = "-n" ]; then + ok_exists=yes + shift + fi + dirname="$1" + basedn="$2" + + # Computing the name of the backup directory from the old version, + # the suffix etc. all makes me feel worried. I'd rather have a + # directory name which is not going to exist. So the simple + # scheme we are using now is to compute the filename from the + # directory name and appending date and time. And we check if it + # exists to be really sure... -- Torsten + + local target + local id + id="$OLD_VERSION" + [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S` + target="/var/backups/$basedn-$id.ldapdb" + # Configuration via dpkg-reconfigure. + # The backup directory already exists when reconfigured + # twice or more: append a timestamp. + if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then + target="$target-`date +%Y%m%d-%H%M%S`" + fi + if [ -e "$target" ] && [ -z "$ok_exists" ]; then + echo >&2 + echo >&2 " Backup path $target exists. Giving up..." + exit 1 + fi + + echo "$target" +} + +# }}} +move_old_database_away() { # {{{ +# Move the old database away if it is still there +# +# In fact this function makes sure that the database directory is empty +# and can be populated with a new database. If something is in the way +# it is moved to a backup directory if the user accepted the debconf +# option slapd/move_old_database. Otherwise we output a warning and let +# the user fix it himself. +# Usage: move_old_database_away [] + + local databasedir backupdir + databasedir="$1" + suffix="${2:-unknown}" + + if [ ! -e "$databasedir" ] || is_empty_dir "$databasedir"; then + return 0 + fi + + + # Note that we can't just move the database dir as it might be + # a mount point. Instead me move the content which might + # include mount points as well anyway, but it's much less likely. + db_get slapd/move_old_database + if [ "$RET" = true ]; then + backupdir=`compute_backup_path "$databasedir" "$suffix"` + echo -n " - directory $suffix... " >&2 + mkdir -p "$backupdir" + find "$databasedir" -mindepth 1 -maxdepth 1 \ + -exec mv {} "$backupdir" \; + echo done. >&2 + else + cat >&2 < + local directory srcdir + + directory="$1" + srcdir="/usr/share/slapd" + + if ! [ -f "${directory}/DB_CONFIG" ] && [ -d "$directory" ]; then + cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG" + fi +} + +# }}} +create_new_configuration() { # {{{ +# Create a new configuration and directory + + if [ ! -d /var/lib/ldap ]; then + mkdir /var/lib/ldap + fi + update_permissions /var/lib/ldap + + if [ ! -d /var/run/slapd ]; then + mkdir /var/run/slapd + fi + update_permissions /var/run/slapd + # update_permissions doesn't allow a world readable dir. + # slapd run dir has the slapi socket and thus needs + # to be world accessible. + chmod 0755 /var/run/slapd + + local init_ldif + init_ldif="/usr/share/slapd/slapd.init.ldif" + echo -n " Creating initial slapd configuration... " >&2 + rm -rf "${SLAPD_CONF}" + mkdir "${SLAPD_CONF}" + capture_diagnostics slapadd -F "${SLAPD_CONF}" \ + -b "cn=config" -l ${init_ldif} || failed=1 + if [ "$failed" ]; then + cat <<-EOF +Loading the initial configuration from the ldif file (${init_ldif}) failed with the following +error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + update_permissions "${SLAPD_CONF}" + echo "done." >&2 + +} +# }}} +configure_v2_protocol_support() { # {{{ +# Adds the "allow bind_v2" directive to the configuration if the user decided +# he wants to have ldap v2 enabled. + + db_get slapd/allow_ldap_v2 + if [ "$RET" != "true" ]; then return 0; fi + + echo -n " Enabling LDAPv2 support... " >&2 + + if [ -d "$SLAPD_CONF" ]; then + if ! grep -q -E '^olcAllows:[[:space:]]+bind_v2' "${SLAPD_CONF}/cn=config.ldif"; then + echo "olcAllows: bind_v2" >> "${SLAPD_CONF}/cn=config.ldif" + fi + return 0 + else + return 1 + fi + + echo . >&2 +} +# }}} +backup_config_once() { # {{{ +# Create a backup of the current configuration files. +# Usage: backup_config_once + + local backupdir + + if [ -z "$FLAG_CONFIG_BACKED_UP" ]; then + backupdir=`database_dumping_destdir` + if [ -e "$SLAPD_CONF" ]; then + cp -a "$SLAPD_CONF" "$backupdir" + fi + FLAG_CONFIG_BACKED_UP=yes + fi +} + +# }}} + + +previous_version_older() { # {{{ +# Check if the previous version is newer than the reference version passed. +# If we are not upgrading the previous version is assumed to be newer than +# any reference version. +# Usage: previous_version_older + + if dpkg --compare-versions "$OLD_VERSION" lt-nl "$1"; then + return 0 + else + return 1 + fi +} + +# }}} +previous_version_newer() { # {{{ +# Check if the previous version is newer than the reference version passed. +# If we are not upgrading the previous version is assumed to be newer than +# any reference version. +# Usage: previous_version_newer + + if dpkg --compare-versions "$OLD_VERSION" gt-nl "$1"; then + return 0 + else + return 1 + fi +} # }}} +upgrade_supported_from_backend() { # {{{ +# Check if upgrading a database in the named backend is supported by +# our scripts. +# Usage: if upgrade_supported_from_backend "backend"; then ... fi + + case "$1" in bdb|hdb) return 0; esac + return 1 +} + +# }}} +is_initial_configuration() { # {{{ +# Check if this is the initial configuration and not an upgrade of an +# existing configuration +# Usage: if is_initial_configuration "$@"; then ... fi from top level + + # Plain installation + if [ "$1" = configure ] && [ -z "$2" ]; then + return 0 + fi + # Configuration via dpkg-reconfigure + if [ "$1" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]; then + return 0 + fi + # Upgrade but slapd.d doesn't exist. If the user is doing this + # intentionally because they want to put it somewhere else, they + # should select manual configuration in debconf. + if [ "$1" = configure ] && [ ! -e "$SLAPD_CONF" ]; then + return 0 + fi + return 1 +} + +# }}} +is_empty_dir() { # {{{ +# Check if a path refers to an empty directory +# Usage: if is_empty_dir "$dir"; then ... fi + + output=`find "$1" -type d -maxdepth 0 -empty 2>/dev/null` + if [ "$output" ]; then + return 0 + else + return 1 + fi +} + +# }}} + +# ===== Global variables ================================================ {{{ +# +# At some points we need to know which version we are upgrading from if +# any. More precisely we only care about the configuration and data we +# might have laying around. Some parts also want to know which mode the +# script is running in. + +MODE="$1" # install, upgrade, etc. - see debian-policy +OLD_VERSION="$2" + +# Source the init script configuration +# See example file debian/slapd.default for variables defined here +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + if previous_version_older 2.4.11-0ubuntu1 \ + && [ -f "/etc/ldap/slapd.conf" ] \ + && [ ! -e "/etc/ldap/slapd.d" ] ; then + SLAPD_CONF="/etc/ldap/slapd.conf" + else + SLAPD_CONF="/etc/ldap/slapd.d/" + fi +fi + +# }}} + +# ----- Handling diagnostic output ------------------------------------ {{{ +# +# Often you want to run a program while you are showing progress +# information to the user. If the program you are running outputs some +# diagnostics it will mess up your screen. +# +# This is what the following functions are designed for. When running the +# program, use capture_diagnostics to store what the program outputs to +# stderr and use release_diagnostics to write out the captured output. + + +capture_diagnostics() { # {{{ +# Run the command passed and capture the diagnostic output in a temporary +# file. You can dump that file using release_diagnostics. + + # Create the temporary file + local tmpfile + tmpfile=`mktemp` + exec 7<>"$tmpfile" + rm "$tmpfile" + + # Run the program and capture stderr. If the program fails the + # function fails with the same status. + "$@" 2>&7 || return $? +} + +# }}} +release_diagnostics() { # {{{ +# Dump the diagnostic output captured via capture_diagnostics, optionally +# prefixing each line. +# Usage: release_diagnostics "prefix" + + local script + script=' + seek STDIN, 0, 0; + print "$ARGV[0]$_" while ();'; + perl -e "$script" "$1" <&7 +} + +# }}} + + +# }}} + +# vim: set sw=8 foldmethod=marker: + --- openldap-2.4.23.orig/debian/libldap2-dev.manpages +++ openldap-2.4.23/debian/libldap2-dev.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man3/* --- openldap-2.4.23.orig/debian/README.source +++ openldap-2.4.23/debian/README.source @@ -0,0 +1,8 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. Please see: + + /usr/share/doc/quilt/README.source + +for more information on how to apply the patches, modify patches, or +remove a patch. --- openldap-2.4.23.orig/debian/rules +++ openldap-2.4.23/debian/rules @@ -0,0 +1,218 @@ +#!/usr/bin/make -f + +export DEB_BUILD_HARDENING=1 +#export DH_VERBOSE = 1 + +# Set this variable if you're building packages outside of Debian and don't +# want the checks for DFSG-freeness. +#DFSG_NONFREE = 1 + +CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS +INSTALL = install +INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644 +INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755 +INSTALL_SCRIPT = $(INSTALL) -p -o root -g root -m 755 +INSTALL_DIR = $(INSTALL) -p -d -o root -g root -m 755 + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +# Tell Autoconf the correct system types. +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) + SYSTEM = --build $(DEB_HOST_GNU_TYPE) +else + SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +CONFIG = $(shell grep -v "^\#" debian/configure.options) + +installdir := $(CURDIR)/debian/install +tmpdir := $(CURDIR)/debian/tmp +builddir := $(CURDIR)/debian/build +slapddir := $(CURDIR)/debian/slapd/usr/sbin + +MAKEVARS := DESTDIR=$(installdir) STRIP= + +# Include the quilt patch system. +include /usr/share/quilt/quilt.make + +# These variables are used only by get-orig-source, which will normally only +# be run by maintainers. +VERSION = 2.4.23 +URL = http://www.openldap.org/software/download/OpenLDAP/openldap-release/ + +# Download the upstream source and make changes as required for DFSG reasons. +# Assumes wget is available, as this is generally only used by the package +# maintainers. +get-orig-source: + @if [ ! -d "debian/schema" ] ; then \ + echo 'Run this from the top directory of the Debian source' >&2; \ + exit 1; \ + fi + wget $(URL)/openldap-$(VERSION).tgz + tar xzf openldap-$(VERSION).tgz + rm -r openldap-$(VERSION)/doc/drafts + rm -r openldap-$(VERSION)/doc/rfc + set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \ + file=`basename "$$schema"`; \ + rm openldap-$(VERSION)/servers/slapd/schema/$$file; \ + done + mv openldap-$(VERSION) openldap_$(VERSION).orig + tar cf openldap_$(VERSION).orig.tar openldap_$(VERSION).orig + rm -r openldap_$(VERSION).orig + gzip -9 openldap_$(VERSION).orig.tar + +configure: configure-stamp +configure-stamp: $(QUILT_STAMPFN) + # Check if we include the RFCs, Internet-Drafts, or upstream schemas + # with RFC text (which are non DFSG-free). You can set DFSG_NONFREE + # to build the packages from the unchanged upstream sources but Debian + # can not ship the RFCs in main so this test is here to make sure it + # does not get in by accident again. -- Torsten + if [ -z "$(DFSG_NONFREE)" ]; then \ + if [ -e doc/drafts ]; then exit 1; fi; \ + if [ -e doc/rfc ]; then exit 1; fi; \ + if [ -e servers/slapd/schema/core.schema ]; then exit 1; fi; \ + fi + + # Copy our stripped schema versions into where upstream expects them. + if [ -z "$(DFSG_NONFREE)" ]; then \ + set -e; for s in `find debian/schema/ -type f -a -name "*schema" -o -name "*ldif"` ; do \ + cp $$s servers/slapd/schema/`basename $$s`; \ + done; \ + fi + + cp -f /usr/share/misc/config.* build/ + cp -f /usr/share/misc/config.* contrib/ldapc++/ + cp -f /usr/share/misc/config.* contrib/slapd-modules/nssov/nss-pam-ldapd/ + mkdir -p $(builddir) + chmod 755 $(CURDIR)/autogen.sh + ./autogen.sh + cd $(builddir) && CFLAGS="$(CFLAGS)" $(CURDIR)/configure \ + $(CONFIG) $(SYSTEM) + perl debian/check_config + $(MAKE) -C $(builddir) depend + touch $@ + +build: build-arch build-indep +build-arch: build-stamp +build-indep: +build-stamp: configure-stamp + $(MAKE) -C $(builddir) $(MAKEVARS) + $(MAKE) -C contrib/slapd-modules/nssov/ $(MAKEVARS) nssov.la +ifeq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS))) + RESOLV_MULTI=off $(MAKE) -C $(builddir) test +endif + touch $@ + +# Check all built libraries for unresolved symbols except for the libslapi +# library. It is a special case since the SLAPI interface depends on symbols +# defined in slapd itself. Those symbols will remain unresolved until the +# plugin is loaded into slapd. +install: install-stamp +install-stamp: build-stamp + $(MAKE) -C $(builddir) $(MAKEVARS) install + for F in $(installdir)/usr/lib/*.so.*.*.*; do \ + if echo "$$F" | grep -q libslapi ; then \ + continue; \ + fi; \ + if LD_LIBRARY_PATH=$(installdir)/usr/lib ldd -d -r $$F 2>&1 | grep '^undefined symbol:'; then \ + echo; \ + echo "library $$F has undefined references. Please fix this before continuing."; \ + exit 1; \ + fi; \ + done + # Upstream installs schema files in mode 0444 - policy wants 0644 + find $(installdir)/etc -type f|xargs chmod 0644 + # Upstream manpages are section 8C but installed as section 8 + find $(installdir)/usr/share/man -name \*.8 \ + | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#' + touch $@ + +binary: binary-arch binary-indep +binary-indep: +binary-arch: install-stamp + dh_testdir + dh_testroot + dh_clean -k + + dh_installdirs -a + cp -al $(installdir) $(tmpdir) + + dh_install -a + chmod 0755 $(CURDIR)/debian/slapd/usr/share/slapd/ldiftopasswd + + # install AppArmor profile + install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd + + # install Apport hook + install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py + + # install ufw profile + install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd + + dh_installchangelogs -a + dh_installdocs -a + dh_installexamples -a + dh_installman -a + dh_apparmor -pslapd --profile-name=usr.sbin.slapd + dh_installinit -Xslapd.prerm -a -- "defaults 19 80" + dh_installdebconf -a + dh_strip -plibldap-2.4-2 --dbg-package=libldap-2.4-2-dbg + dh_strip -pslapd --dbg-package=slapd-dbg + dh_strip -pldap-utils + dh_link -a + + # hardlink these so not confined by apparmor + for f in slapacl slapadd slapauth slapcat slapdn slapindex slappasswd slaptest ; do \ + ln -f $(slapddir)/slapd $(slapddir)/$$f ; \ + done ; + + dh_compress -a + dh_fixperms -a + # ideally we would do this and not have any libldap-2.4.so.2 links + # at all, but that requires adjusting the build scripts first to + # link against libldap_r, otherwise dh_shlibdeps fails + #dh_makeshlibs -plibldap-2.4-2 -V 'libldap-2.4-2 (>= 2.4.7)' + echo "slapd:Provides=$$(objdump -p debian/slapd/usr/lib/libslapi-*.so.* \ + | sed -ne '/SONAME/ { s/[[:space:]]*SONAME[[:space:]]*//; \ + s/\.so\./-/; p; q }' \ + )" >> debian/slapd.substvars + dh_makeshlibs -pslapd -X/usr/lib/ldap/ -V "$$(sed -ne's/slapd:Provides=//p' debian/slapd.substvars)" + dh_installdeb -a + perl -w debian/dh_installscripts-common -p slapd + dh_shlibdeps -a -L libldap-2.4-2 -l $(installdir)/usr/lib + # Strip duplicate dependency out of substvars. + sed -i -e 's/ libldap-2.4-2,//' debian/*.substvars + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +clean: unpatch + dh_testdir + dh_testroot + rm -f install-stamp build-stamp configure-stamp + # Update translation templates for debconf + debconf-updatepo + # Remove our stripped schema from the upstream source area. + if [ -z "$(DFSG_NONFREE)" ]; then \ + set -e; for s in debian/schema/*.schema debian/schema/*.ldif; do \ + rm -f servers/slapd/schema/`basename $$s`; \ + done; \ + fi + # Remove updated config.guess and config.sub for a clean diff. + rm -f build/config.sub build/config.guess + rm -f contrib/ldapc++/config.sub contrib/ldapc++/config.guess + rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess + rm -rf $(builddir) $(builddir_notls) $(installdir) + rm -rf build/ltmain.sh autom4te.cache configure aclocal.m4 + + dh_clean + +.PHONY: binary binary-arch binary-indep build build-arch build-indep clean +.PHONY: install --- openldap-2.4.23.orig/debian/libldap-2.4-2.install +++ openldap-2.4.23/debian/libldap-2.4-2.install @@ -0,0 +1,5 @@ +debian/tmp/usr/lib/liblber-2.4.so.2 usr/lib +debian/tmp/usr/lib/liblber-2.4.so.2.*.* usr/lib +debian/tmp/usr/lib/libldap_r-2.4.so.2 usr/lib +debian/tmp/usr/lib/libldap_r-2.4.so.2.*.* usr/lib +debian/tmp/etc/ldap/ldap.conf etc/ldap --- openldap-2.4.23.orig/debian/libldap-2.4-2.README.Debian +++ openldap-2.4.23/debian/libldap-2.4-2.README.Debian @@ -0,0 +1,22 @@ +Notes about Debian's libldap2 package +------------------------------------- + +It has been reported that using libnss-ldap can cause a failure to +unmount /usr on system shutdown. The reason is that the nss module +uses libldap from /usr and is used by the shell in the system +scripts executed on shutdown/reboot. + +More precisely bash uses the getpwuid function to get the data of +the current user which pulls in the nss modules which includes +the ldap libraries if you are using that module. + +Possible solutions to this problem are: + +a) use another shell that does not utilize getpwuid for getting info + about the current user (take dash for example). +b) make sure that the nsswitch.conf is replaced by a version which does + not mention ldap before the system is shut down (and have a startup + script that installs the "full" version of that file). +c) move the libraries to /lib (not recommended). + + -- Torsten Landschoff Mon, 30 Sep 2002 11:06:22 +0200 --- openldap-2.4.23.orig/debian/copyright +++ openldap-2.4.23/debian/copyright @@ -0,0 +1,468 @@ +This package was downloaded from: + + + +The upstream distribution has been repackaged to remove the RFCs and +Internet-Drafts included in the upstream distribution, since the Internet +Society license does not meet the Debian Free Software Guidelines. The +schema files that contain verbatim text from RFCs or Internet-Drafts have +similarly been removed and are replaced during the package build with +versions stripped of the literal RFC or Internet-Draft text. + +Copyright: + +Copyright 1998-2007 The OpenLDAP Foundation +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. A copy of this license is available at +http://www.OpenLDAP.org/license.html or in file LICENSE in the +top-level directory of the distribution (included at the end of +this file). + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Individual files and/or contributed packages may be copyright by +other parties and subject to additional restrictions. + +This work is derived from the University of Michigan LDAP v3.3 +distribution. Information concerning this software is available +at: http://www.umich.edu/~dirsvcs/ldap/ + +This work also contains materials derived from public sources. + +Additional Information about OpenLDAP can be obtained at: + http://www.openldap.org/ + +or by sending e-mail to: + info@OpenLDAP.org + +--- + +The OpenLDAP Public License + Version 2.7, 7 September 2001 + +Redistribution and use of this software and associated documentation +("Software"), with or without modification, are permitted provided +that the following conditions are met: + +1. Redistributions of source code must retain copyright statements + and notices, + +2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + +3. Redistributions must contain a verbatim copy of this document. + +The OpenLDAP Foundation may revise this license from time to time. +Each revision is distinguished by a version number. You may use +this Software under terms of this license revision or under the +terms of any subsequent revision of the license. + +THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS +CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) +OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +The names of the authors and copyright holders must not be used in +advertising or otherwise to promote the sale, use or other dealing +in this Software without specific, written prior permission. Title +to copyright in this Software shall at all times remain with +copyright holders. + +--- +Noted above is that various files can be copyrighted individually. +The licenses found in the OpenLDAP tree are as follows: + +CRL +----------------------------------- +# Copyright 1999 Computing Research Labs, New Mexico State University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT +# OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +----------------------------------- + + +FSF +----------------------------------- +# Copyright (C) 1994, 1995-8, 1999, 2001 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +----------------------------------- + + +HC +----------------------------------- + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the + * documentation. + * + * 4. This notice may not be removed or altered. + +----------------------------------- + + +IBM +----------------------------------- + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + +----------------------------------- + + +IS +----------------------------------- +# Full Copyright Statement +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. +# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph are +# included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +This license was present in the copies of several schema files and one +LDIF file as distributed upstream. The relevant content has been removed +except where it is purely functional (descriptions of an LDAP schema). +The copyright notice has been retained with a clarifying comment. The +provisions in the above license that prohibit modification therefore +should no longer apply to any files distributed with the Debian package. + +Several files in libraries/libldap also reference this license as the +copyright on ABNF sequences embedded as comments in those files. These +too are purely functional interface specifications distributed as part of +the LDAP protocol standard and do not contain creative work such as +free-form text. +----------------------------------- + + +ISC +----------------------------------- + * Copyright (c) 1996, 1998 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + +----------------------------------- + + +JC +----------------------------------- + * This software is not subject to any license of Silicon Graphics + * Inc. or Purdue University. + * + * Redistribution and use in source and binary forms are permitted + * without restriction or fee of any kind as long as this notice + * is preserved. + +The following is additional information from Juan C. Gomez on how +this license is to be interpreted: +----- +Local-Date: Fri, 06 Jun 2003 13:18:52 -0400 +Date: Fri, 6 Jun 2003 10:18:52 -0700 +From: Juan Gomez +To: Stephen Frost +X-Mailer: Lotus Notes Release 5.0.2a (Intl) 23 November 1999 +Subject: Re: Juan C. Gomez license in OpenLDAP Source + +Stephen, + +"There is no restriction on modifications and derived works" on the work I +did for the openldap server as long as this is consistent with the openldap +license. Please forward this email to Kurt so he does the appropriate +changes to the files to reflect this. + + +Regards, Juan +----------------------------------- + + +MA +----------------------------------- + * Copyright (c) 2000, Mark Adamson, Carnegie Mellon. All rights reserved. + * This software is not subject to any license of Carnegie Mellon University. + * + * Redistribution and use in source and binary forms are permitted without + * restriction or fee of any kind as long as this notice is preserved. + * + * The name "Carnegie Mellon" must not be used to endorse or promote + * products derived from this software without prior written permission. + +The following is additional information from Mark Adamson on how this license +is to be interpreted: +------ +Local-Date: Thu, 05 Jun 2003 16:53:32 -0400 +Date: Thu, 5 Jun 2003 16:53:32 -0400 (EDT) +From: Mark Adamson +To: Stephen Frost +Subject: Re: Mark Adamson license in OpenLDAP source + +Hi Stephen, + + I don't see how this conflicts with the Debian FSG. The first statement +in the copyright pertaining to CMU say only that we don't license out the +software. The second mention denies the right to say things like, +"Now! Powered by software from Carnegie Mellon!" There is no restriction +on modifications and derived works. + +-Mark +------ +----------------------------------- + + +MIT +----------------------------------- +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. + +----------------------------------- + + +OL2 +----------------------------------- +Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, +California, USA. All Rights Reserved. Permission to copy and +distribute verbatim copies of this document is granted. +----------------------------------- + + +PM +----------------------------------- + * Copyright (C) 2000 Pierangelo Masarati, + * All rights reserved. + * + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the documentation. + * + * 4. This notice may not be removed or altered. + * +----------------------------------- + + +PM2 +----------------------------------- + * Redistribution and use in source and binary forms are permitted only + * as authorized by the OpenLDAP Public License. A copy of this + * license is available at http://www.OpenLDAP.org/license.html or + * in file LICENSE in the top-level directory of the distribution. +----------------------------------- + + +UoC +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the University of California, Berkeley. The name of the + * University may not be used to endorse or promote products derived + * from this software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. + +----------------------------------- + + +UoC2 +----------------------------------- + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. +See: +ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change + +----------------------------------- + + +UoM +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. +--- +After discussing this license with the OpenLDAP Foundation we received +clarification on it: +--- + + * To: Stephen Frost + * Subject: Re: OpenLDAP Licenseing issues + * From: "Kurt D. Zeilenga" + * Date: Wed, 28 May 2003 10:55:44 -0700 + * Cc: Steve Langasek ,debian-legal@lists.debian.org, openldap-devel@OpenLDAP.org + * In-reply-to: <20030528162613.GB8524@ns.snowman.net> + * Message-id: <5.2.0.9.0.20030528094229.02924780@127.0.0.1> + * Old-return-path: + +Steven, + +The OpenLDAP Foundation believes it the Regents' statement grants a +license to redistribute derived works and is confident that the University, +who is quite aware of our actions (as they actively participate in them), +does not consider our actions to infringe on their rights. You are +welcomed to your opinions. I suggest, however, that before you rely +on your or other people's opinions (including ours), that you consult +with a lawyer familiar with applicable law and the particulars of your +situation. + +The Foundation sees no reason for it to expend its limited resources +seeking clarifications which it believes are unnecessary. You are, +of course, welcomed to expend time and energy seeking clarifications +you think are necessary. I suggest you contact University's general +counsel office (http://www.umich.edu/~vpgc/). + +Regards, Kurt +----------------------------------- + + --- openldap-2.4.23.orig/debian/ldiftopasswd +++ openldap-2.4.23/debian/ldiftopasswd @@ -0,0 +1,174 @@ +#!/usr/bin/perl -w +# +# +# Comments on usage from the email we received: +# I showed a friend the following script. He said I should submit it for +# inclusion in openldap, because it might useful for others. +# +# The attached perl script, when used like +# +# ldapsearch | ldiftopasswd +# +# will automatically: +# +# 1. create /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow +# +# 2. append /etc/passwd.top, /etc/shadow.top, /etc/group.top, and /etc/gshadow.top to respective files. +# +# 3. use data from ldap to create the files (note: gshadow isn't really +# supported, because I don't use it, nor could I find any +# documentation. Adding support for other files should be easy). +# +# (of course you need access to all fields including the password field +# for this, so use correct parameters to ldapsearch). +# +# This could be useful for instance on laptop computers where you don't +# want to run a slave slapd server for some reason (perhaps memory +# constraints). +# ---------------------------------------- +use strict; +use Getopt::Long; +use MIME::Base64; +use IO::File; + +my $passwdfile="/etc/passwd"; +my $shadowfile="/etc/shadow"; +my $groupfile="/etc/group"; +my $gshadowfile="/etc/gshadow"; +my $help; +GetOptions ( + '--passwd=s',\$passwdfile, + '--shadow=s',\$shadowfile, + '--group=s',\$groupfile, + '--gshadow=s',\$gshadowfile, + '--help',\$help, + ) or die "Bad options\n"; + +if ($help or $#ARGV != -1) { + print STDERR "usage: $0 [etcfile=filename] [--help]\n"; + exit 255; +} + +sub start_file($) { + my ($file) = @_; + my $outhandle = new IO::File; + $outhandle->open(">$file") or die "Cannot open $file for writing"; + + open(TMP,"<$file.top") or die "cannot open $file.top for reading"; + while () { $outhandle->print($_); } + close(TMP) or die "cannot close $file for reading"; + + return($outhandle); +} + +my $PASSWD = start_file($passwdfile); +my $SHADOW = start_file($shadowfile); +my $GROUP = start_file($groupfile); +my $GSHADOW = start_file($gshadowfile); + +sub dopasswd($) { + my ($record) = @_; + my $userPassword="*"; + + $PASSWD->print( + $record->{"uid"},":", + "x",":", + $record->{"uidNumber"},":", + $record->{"gidNumber"},":", + $record->{"gecos"},":", + $record->{"homeDirectory"},":", + $record->{"loginShell"},"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + + $SHADOW->print( + $record->{"uid"},":", + $userPassword,":", + $record->{"shadowLastChange"} || "10706",":", + $record->{"shadowMin"} || "0",":", + $record->{"shadowMax"} || "99999",":", + $record->{"shadowWarning"} || "7",":", + $record->{"shadowInactive"} || "",":", + $record->{"shadowExpire"} || "",":", + "","\n"); +} + +sub dogroup($) { + my ($record) = @_; + my $userPassword="*"; + + my $members=""; + if (defined($record->{"memberUid"})) { + $members = join(",",@{$record->{"memberUid"}}); + } + + $GROUP->print( + $record->{"cn"},":", + "x",":", + $record->{"gidNumber"},":", + $members,"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + +# !FIXME! +# $GSHADOW->print +# $record->{"cn"},":", +# "*",":", +# "",":", +# "","\n"; +} + + +my %record; +my $user=0; +my $group=0; + +while (<>) { + if (/^$/) { + if ($user) { + dopasswd(\%record); + } + if ($group) { + dogroup(\%record); + } + + $user = $group = 0; + %record=(); + } + elsif (/^objectClass: posixAccount$/) { + $user = 1; + } + elsif (/^objectClass: posixGroup$/) { + $group = 1; + } + elsif (/^(uid|uidNumber|gidNumber|gecos|homeDirectory|loginShell): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(userPassword|shadowLastChange|shadowMin|shadowMax|shadowWarning|shadowInactive|shadowExpire): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(cn): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(uniqueMember): (.*)$/) { + push @{$record{$1}},$2; + if ($2 =~ /uid=([a-zA-Z]*),/) { + push @{$record{"memberUid"}},$1; + } + } + elsif (/^(memberUid): (.*)$/) { + push @{$record{$1}},$2; + } + elsif (/^(userPassword):: (.*)$/) { + $record{$1} = decode_base64($2); + } +} + +$PASSWD->close or die "Cannot close $passwdfile for writing"; +$SHADOW->close or die "Cannot close $shadowfile for writing"; +$GROUP->close or die "Cannot close $groupfile for writing"; +$GSHADOW->close or die "Cannot close $gshadowfile for writing"; --- openldap-2.4.23.orig/debian/libldap2-dev.install +++ openldap-2.4.23/debian/libldap2-dev.install @@ -0,0 +1,11 @@ +debian/tmp/usr/include/lber.h usr/include +debian/tmp/usr/include/lber_types.h usr/include +debian/tmp/usr/include/ldap_cdefs.h usr/include +debian/tmp/usr/include/ldap_features.h usr/include +debian/tmp/usr/include/ldap.h usr/include +debian/tmp/usr/include/ldap_schema.h usr/include +debian/tmp/usr/include/ldap_utf8.h usr/include +debian/tmp/usr/lib/liblber.a usr/lib +debian/tmp/usr/lib/liblber.so usr/lib +debian/tmp/usr/lib/libldap_r.a usr/lib +debian/tmp/usr/lib/libldap_r.so usr/lib --- openldap-2.4.23.orig/debian/watch +++ openldap-2.4.23/debian/watch @@ -0,0 +1,5 @@ +# debian/watch -- Rules for uscan to find new upstream versions. + +version=3 +http://www.openldap.org/software/download/ \ + (?:.*/)?openldap-?_?([\d+\.]+)\.tgz --- openldap-2.4.23.orig/debian/slapd.py +++ openldap-2.4.23/debian/slapd.py @@ -0,0 +1,49 @@ +#!/usr/bin/python + +'''apport hook for slapd + +(c) 2010 Adam Sommer. +Author: Adam Sommer + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +# Scrub olcRootPW attribute and credentials strings if necessary. +def scrub_pass_strings(config): + olcrootpw_regex = re.compile('olcRootPW:.*') + olcrootpw_string = olcrootpw_regex.search(config) + if olcrootpw_string: + config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@') + + credentials_regex = re.compile('credentials=.* ') + credentials_string = credentials_regex.search(config) + if credentials_string: + config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ') + + return config + +def add_info(report, ui): + response = ui.yesno("The contents of your /etc/ldap/slapd.d directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Get the cn=config tree. + cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config']) + report['CNConfig'] = scrub_pass_strings(cn_config) + + # Get slapd messages from /var/log/syslog + slapd_re = re.compile('slapd', re.IGNORECASE) + report['SysLog'] = recent_syslog(slapd_re) --- openldap-2.4.23.orig/debian/slapd.backup +++ openldap-2.4.23/debian/slapd.backup @@ -0,0 +1,62 @@ +#!/bin/bash +# +# Backup LDAP directories +# +# This script can be put in cron to create backups. +# +# Author: Matthijs Mohlmann +# Date: Sat, 15 Jul 2006 21:13:14 +0200 +# License: GPLv2 + +# Make sure the backups are secured. +umask 077 + +BACKUPDIR="/var/backups/slapd" +DEFAULTS="/etc/default/slapd" + +# Check if there is a directory slapd, otherwise create it. +if [ ! -d "$BACKUPDIR" ]; then + mkdir -p -m 0700 "$BACKUPDIR" +fi + +# Load default settings. +if [ -e "$DEFAULTS" ]; then + . "$DEFAULTS" +fi + +# Specify a slapd.conf if not specified. +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +fi + +# Set IFS to end of line. +ORIGIFS=$IFS +IFS=`echo -en "\n\b"` + +# Backup recursive through all configfiles all suffix's in the form: +# suffix.ldif in /var/backups/slapd +function backupDirectories() { + local conf=$1 + local directory="" + local include="" + + suffix=`grep "^suffix" $conf | sed -e "s/\(^suffix\s\+\|\"\|\'\)//g"` + for directory in "$suffix"; do + if [ ! -z "$suffix" ]; then + slapcat -l "$BACKUPDIR/$suffix.ldif" -b "$suffix" + fi + done + + includes=`grep "^include" $conf | awk '{print $2}'` + for include in $includes; do + backupDirectories "$include" + done +} + +backupDirectories "$SLAPD_CONF" + +# Put IFS back. +IFS=$ORIGIFS + +exit 0 + --- openldap-2.4.23.orig/debian/slapd.init +++ openldap-2.4.23/debian/slapd.init @@ -0,0 +1,230 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: slapd +# Required-Start: $remote_fs $network $syslog +# Required-Stop: $remote_fs $network $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: OpenLDAP standalone server (Lightweight Directory Access Protocol) +### END INIT INFO + +# Specify path variable +PATH=/sbin:/usr/sbin:/bin:/usr/bin + +# Kill me on all errors +set -e + +# Set the paths to slapd as a variable so that someone who really +# wants to can override the path in /etc/default/slapd. +SLAPD=/usr/sbin/slapd + +# Stop processing if slapd is not there +[ -x $SLAPD ] || exit 0 + +# debconf may have this file descriptor open and it makes things work a bit +# more reliably if we redirect it as a matter of course. db_stop will take +# care of this, but this won't hurt. +exec 3>/dev/null + +# Source the init script configuration +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.d/" +fi + +# Stop processing if the config file is not there +if [ ! -r "$SLAPD_CONF" ]; then + cat <&2 +No configuration directory was found for slapd at $SLAPD_CONF. +If you have moved the slapd configuration directory please modify +/etc/default/slapd to reflect this. If you chose to not +configure slapd during installation then you need to do so +prior to attempting to start slapd. +EOF + exit 0 # Should this be 1? +fi + +# Find out the name of slapd's pid file +if [ -z "$SLAPD_PIDFILE" ]; then + # If using old one-file configuration scheme + if [ -f "$SLAPD_CONF" ] ; then + SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ + "$SLAPD_CONF"` + # Else, if using new directory configuration scheme + elif [ -d "$SLAPD_CONF" ] ; then + SLAPD_PIDFILE=`sed -ne \ + 's/^olcPidFile:[[:space:]]\+\(.\+\)[[:space:]]*/\1/p' \ + "$SLAPD_CONF"/'cn=config.ldif'` + fi +fi + +# Set the correct config option according to the configuration backend. +if [ -d "$SLAPD_CONF" ] ; then + SLAPD_OPTIONS="-F $SLAPD_CONF $SLAPD_OPTIONS" +else + SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS" +fi + +# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail) +# -- Torsten +if [ -z "$SLAPD_PIDFILE" ]; then + cat <&2 +The pidfile for slapd is neither specified in "$SLAPD_CONF" nor +in /etc/default/slapd. Consequently, slapd will not be started. +EOF + exit 1 +fi + +# Make sure the pidfile directory exists with correct permissions +piddir=`dirname "$SLAPD_PIDFILE"` +if [ ! -d "$piddir" ]; then + mkdir -p "$piddir" + [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir" + [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir" +fi + +# Pass the user and group to run under to slapd +if [ "$SLAPD_USER" ]; then + SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS" +fi + +if [ "$SLAPD_GROUP" ]; then + SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS" +fi + +# Check whether we were configured to not start the services. +check_for_no_start() { + if [ -n "$SLAPD_NO_START" ]; then + echo 'Not starting slapd: SLAPD_NO_START set in /etc/default/slapd' >&2 + exit 0 + fi + if [ -n "$SLAPD_SENTINEL_FILE" ] && [ -e "$SLAPD_SENTINEL_FILE" ]; then + echo "Not starting slapd: $SLAPD_SENTINEL_FILE exists" >&2 + exit 0 + fi +} + +# Tell the user that something went wrong and give some hints for +# resolving the problem. +report_failure() { + if [ -n "$reason" ]; then + echo " - failed: " + echo "$reason" + else + echo " - failed." + cat <&1`" + else + reason="`start-stop-daemon --start --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`" + fi + + # Backward compatibility with OpenLDAP 2.1 client libraries. + if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then + ln -s slapd/ldapi /var/run/ldapi + fi +} + +# Stop the slapd daemon and capture the error message (if any) to +# $reason. +stop_slapd() { + echo -n " slapd" + reason="`start-stop-daemon --stop --quiet --oknodo --retry TERM/10 \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD 2>&1`" +} + +# Start the OpenLDAP daemons +start_ldap() { + echo -n "Starting OpenLDAP:" + trap 'report_failure' 0 + start_slapd + trap "-" 0 + echo . +} + +# Stop the OpenLDAP daemons +stop_ldap() { + echo -n "Stopping OpenLDAP:" + trap 'report_failure' 0 + stop_slapd + trap "-" 0 + echo . +} + +# Check OpenLDAP status +status_slapd() { + # No PID + if [ ! -f $SLAPD_PIDFILE ]; then + echo "OpenLDAP is NOT running" + exit 3 + fi + + # Bogus PID + for pid in $(cat $SLAPD_PIDFILE) ; do + if ! ps --noheaders p "$pid" | grep $SLAPD > /dev/null ; then + echo "OpenLDAP is NOT running, bogus pidfile found: '$SLAPD_PIDFILE'" + exit 1 + fi + done + + # Running PID + echo "OpenLDAP is running" + exit 0 +} + +case "$1" in + start) + check_for_no_start + start_ldap ;; + stop) + stop_ldap ;; + restart|force-reload) + check_for_no_start + stop_ldap + start_ldap + ;; + status) + status_slapd ;; + *) + echo "Usage: $0 {start|stop|restart|force-reload|status}" + exit 1 + ;; +esac --- openldap-2.4.23.orig/debian/ldap-utils.install +++ openldap-2.4.23/debian/ldap-utils.install @@ -0,0 +1,10 @@ +debian/tmp/usr/bin/ldapadd usr/bin +debian/tmp/usr/bin/ldapdelete usr/bin +debian/tmp/usr/bin/ldapmodrdn usr/bin +debian/tmp/usr/bin/ldapsearch usr/bin +debian/tmp/usr/bin/ldapcompare usr/bin +debian/tmp/usr/bin/ldapmodify usr/bin +debian/tmp/usr/bin/ldappasswd usr/bin +debian/tmp/usr/bin/ldapwhoami usr/bin +debian/tmp/usr/bin/ldapexop usr/bin +debian/tmp/usr/bin/ldapurl usr/bin --- openldap-2.4.23.orig/debian/slapd.init.ldif +++ openldap-2.4.23/debian/slapd.init.ldif @@ -0,0 +1,41 @@ +# Global config: +dn: cn=config +objectClass: olcGlobal +cn: config +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +olcPidFile: /var/run/slapd/slapd.pid +# List of arguments that were passed to the server +olcArgsFile: /var/run/slapd/slapd.args +# Read slapd.conf(5) for possible values +olcLogLevel: none +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +olcToolThreads: 1 + +# Frontend settings +dn: olcDatabase={-1}frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: {-1}frontend +# The maximum number of entries that is returned for a search operation +olcSizeLimit: 500 +# Allow unlimited access to local connection from the local root user +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break +olcAccess: {1}to dn.base="" by * read +olcAccess: {2}to dn.base="cn=subschema" by * read + +# Config db settings +dn: olcDatabase=config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +# Allow unlimited access to local connection from the local root user +olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break + +# Load schemas +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file:///etc/ldap/schema/core.ldif + --- openldap-2.4.23.orig/debian/DB_CONFIG +++ openldap-2.4.23/debian/DB_CONFIG @@ -0,0 +1,78 @@ +# WARNING: Before tuning the following parameters, _PLEASE READ_ +# /usr/share/doc/slapd/README.DB_CONFIG.gz + +# Set the database in memory cache size. +# +# set_cachesize +# Sets the database in memory cache size. +# Database entries and indexes will be stored in this cache to +# avoid disk access during database read and write operations. +# Tuning this value can greatly effect your database performance. +# The parameters are: +# : The number of gigabytes of memory to allocate to the cache. +# : The number of bytes of memory to allocate to the cache. +# : The number of cache segments to use. If this value is set to +# 0 or 1 then Berkeley DB will try to allocate one contiguous section +# of memory for the cache. If this value is greater than 1, the cache +# will be split into that number of segments. +#set_cachesize 0 52428800 0 + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +set_cachesize 0 2097152 0 + +# Sets the database startup flags. +# +# set_flags +# There are various flag options that may be set. The DB_TXN_NOSYNC flag +# tells the database not to immediately flush transaction buffers to disk. +# Setting this flag can help speed up database access during periods of +# database write activity BUT at expense of data safety. Enable it only +# to load data with slapadd, while slapd is not running. +#set_flags DB_TXN_NOSYNC + + +# Set the maximum in memory cache in for database file name caching. +# +# set_lg_regionmax +# This value should be increased as the number of database files increases +# (tables and indexes). +#set_lg_regionmax 1048576 + +# Set the maximum size of log files in . +# +# set_lg_max +# Logs will be rotated when amount of data have been written to +# one log file. This value should be at least four times the size of +# set_lg_bsize. +#set_lg_max 10485760 + +# Set the in memory cache for log information. +# +# set_lg_bsize +# When amount of logging information have been written to this +# cache it will be flushed to disk. +#set_lg_bsize 2097152 +# For the Debian package we use 512kByte which should suffice for typical +# directory usage (read often, write seldom) +set_lg_bsize 524288 + +# Set the log file directory to . +# +# set_lg_dir /usr/local/var/openldap-logs +# Log files should preferably be on a different disk than the +# database files. This both improves reliability (for disastrous +# recovery) and speed of the database. +#set_lg_dir + + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 +# for more information. + +# Number of objects that can be locked at the same time. +set_lk_max_objects 5000 +# Number of locks (both requested and granted) +set_lk_max_locks 5000 +# Number of lockers +set_lk_max_lockers 5000 --- openldap-2.4.23.orig/debian/slapd.default +++ openldap-2.4.23/debian/slapd.default @@ -0,0 +1,47 @@ +# Location of the slapd configuration to use. If using the cn=config +# backend to store configuration in LDIF, set this variable to the +# directory containing the cn=config data; otherwise set it to the location +# of your slapd.conf file. If empty, use the compiled-in default +# (/etc/ldap/slapd.d). +SLAPD_CONF= + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="openldap" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="openldap" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by +# default) +SLAPD_PIDFILE= + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" +SLAPD_SERVICES="ldap:/// ldapi:///" + +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normally +# started at boot. +#SLAPD_NO_START=1 + +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). To use a different keytab file, +# uncomment this line and change the path. +#export KRB5_KTNAME=/etc/krb5.keytab + +# Additional options to pass to slapd +SLAPD_OPTIONS="" --- openldap-2.4.23.orig/debian/slapd.dirs +++ openldap-2.4.23/debian/slapd.dirs @@ -0,0 +1,5 @@ +var/lib/slapd +usr/share/slapd +usr/share/lintian/overrides +etc/ldap/sasl2 +etc/apparmor.d/force-complain --- openldap-2.4.23.orig/debian/slapd.examples +++ openldap-2.4.23/debian/slapd.examples @@ -0,0 +1 @@ +debian/slapd.backup --- openldap-2.4.23.orig/debian/libldap2-dev.links +++ openldap-2.4.23/debian/libldap2-dev.links @@ -0,0 +1,12 @@ +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_put_bitstring.3 +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_put_boolean.3 +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_start_seq.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memalloc.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memcalloc.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memfree.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memrealloc.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_int_t.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_len_t.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_tag_t.3 +usr/lib/libldap_r.so usr/lib/libldap.so +usr/lib/libldap_r.a usr/lib/libldap.a --- openldap-2.4.23.orig/debian/slapd.install +++ openldap-2.4.23/debian/slapd.install @@ -0,0 +1,9 @@ +debian/tmp/etc/ldap/schema etc/ldap +debian/tmp/usr/lib/slapd usr/sbin +debian/tmp/usr/lib/ldap/*.so* usr/lib/ldap +debian/tmp/usr/lib/ldap/*.la usr/lib/ldap +debian/tmp/usr/lib/libslapi-*.so.* usr/lib +debian/lintian-overrides/slapd usr/share/lintian/overrides +debian/ldiftopasswd usr/share/slapd +debian/DB_CONFIG usr/share/slapd +debian/slapd.init.ldif usr/share/slapd --- openldap-2.4.23.orig/debian/configure.options +++ openldap-2.4.23/debian/configure.options @@ -0,0 +1,192 @@ +#`configure' configures this package to adapt to many kinds of systems. +# +#Usage: ./configure [OPTION]... [VAR=VALUE]... +# +#To assign environment variables (e.g., CC, CFLAGS...), specify them as +#VAR=VALUE. See below for descriptions of some of the useful variables. +# +#Defaults for the options are specified in brackets. +# +#Configuration: +# -h, --help display this help and exit +# --help=short display options specific to this package +# --help=recursive display the short help of all the included packages +# -V, --version display version information and exit +# -q, --quiet, --silent do not print `checking...' messages +# --cache-file=FILE cache test results in FILE [disabled] +# -C, --config-cache alias for `--cache-file=config.cache' +# -n, --no-create do not create output files +# --srcdir=DIR find the sources in DIR [configure dir or `..'] +# +#Installation directories: +# --prefix=PREFIX install architecture-independent files in PREFIX +# [/usr/local] +--prefix=/usr +# --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX +# [PREFIX] +# +#By default, `make install' will install all the files in +#`/usr/local/bin', `/usr/local/lib' etc. You can specify +#an installation prefix other than `/usr/local' using `--prefix', +#for instance `--prefix=$HOME'. +# +#For better control, use the options below. +# +#Fine tuning of the installation directories: +# --bindir=DIR user executables [EPREFIX/bin] +# --sbindir=DIR system admin executables [EPREFIX/sbin] +# --libexecdir=DIR program executables [EPREFIX/libexec] +--libexecdir='${prefix}/lib' +# --datadir=DIR read-only architecture-independent data [PREFIX/share] +# --sysconfdir=DIR read-only single-machine data [PREFIX/etc] +--sysconfdir=/etc +# --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] +# --localstatedir=DIR modifiable single-machine data [PREFIX/var] +--localstatedir=/var +# --libdir=DIR object code libraries [EPREFIX/lib] +# --includedir=DIR C header files [PREFIX/include] +# --oldincludedir=DIR C header files for non-gcc [/usr/include] +# --infodir=DIR info documentation [PREFIX/info] +# --mandir=DIR man documentation [PREFIX/man] +--mandir='${prefix}/share/man' +# +#Program names: +# --program-prefix=PREFIX prepend PREFIX to installed program names +# --program-suffix=SUFFIX append SUFFIX to installed program names +# --program-transform-name=PROGRAM run sed PROGRAM on installed program names +# +#System types: +# --build=BUILD configure for building on BUILD [guessed] +# --host=HOST cross-compile to build programs to run on HOST [BUILD] +# --target=TARGET configure for building compilers for TARGET [HOST] +# +#Optional Features: +# --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) +# --enable-FEATURE[=ARG] include FEATURE [ARG=yes] +# --enable-debug enable debugging no|yes|traditional [yes] +--enable-debug +# --enable-dynamic enable linking built binaries with dynamic libs [no] +--enable-dynamic +# --enable-syslog enable syslog support [auto] +--enable-syslog +# --enable-proctitle enable proctitle support [yes] +--enable-proctitle +# --enable-ipv6 enable IPv6 support [auto] +--enable-ipv6 +# --enable-local enable AF_LOCAL (AF_UNIX) socket support [auto] +--enable-local +# +#SLAPD (Standalone LDAP Daemon) Options: +# --enable-slapd enable building slapd [yes] +--enable-slapd +# --enable-dynacl enable run-time loadable ACL support (experimental) [no] +# --enable-aci enable per-object ACIs (experimental) no|yes|mod [no] +--enable-aci +# --enable-cleartext enable cleartext passwords [yes] +--enable-cleartext +# --enable-crypt enable crypt(3) passwords [no] +--enable-crypt +# --enable-lmpasswd enable LAN Manager passwords [no] +--disable-lmpasswd +# --enable-spasswd enable (Cyrus) SASL password verification [no] +--enable-spasswd +# --enable-modules enable dynamic module support [no] +--enable-modules +# --enable-rewrite enable DN rewriting in back-ldap and rwm overlay [auto] +--enable-rewrite +# --enable-rlookups enable reverse lookups of client hostnames [no] +--enable-rlookups +# --enable-slapi enable SLAPI support (experimental) [no] +--enable-slapi +# --enable-slp enable SLPv2 support [no] +--enable-slp +# --enable-wrappers enable tcp wrapper support [no] +--enable-wrappers +# +#SLAPD Backend Options: +# --enable-backends enable all available backends no|yes|mod +--enable-backends=mod +# --enable-bdb enable Berkeley DB backend no|yes|mod [yes] +# --enable-dnssrv enable dnssrv backend no|yes|mod [no] +# --enable-hdb enable Hierarchical DB backend no|yes|mod [yes] +# --enable-ldap enable ldap backend no|yes|mod [no] +# --enable-meta enable metadirectory backend no|yes|mod [no] +# --enable-monitor enable monitor backend no|yes|mod [yes] +# --enable-null enable null backend no|yes|mod [no] +# --enable-passwd enable passwd backend no|yes|mod [no] +# --enable-perl enable perl backend no|yes|mod [no] +# --enable-relay enable relay backend no|yes|mod [yes] +# --enable-shell enable shell backend no|yes|mod [no] +# --enable-sock enable sock backend no|yes|mod [no] +# --enable-sql enable sql backend no|yes|mod [no] +--disable-ndb +# +#SLAPD Overlay Options: +# --enable-overlays enable all available overlays no|yes|mod +--enable-overlays=mod +# --enable-accesslog In-Directory Access Logging overlay no|yes|mod [no] +# --enable-auditlog Audit Logging overlay no|yes|mod [no] +# --enable-constraint Attribute Constraint overlay no|yes|mod [no] +# --enable-dds Dynamic Directory Services overlay no|yes|mod [no] +# --enable-dyngroup Dynamic Group overlay no|yes|mod [no] +# --enable-dynlist Dynamic List overlay no|yes|mod [no] +# --enable-memberof Reverse Group Membership overlay no|yes|mod [no] +# --enable-ppolicy Password Policy overlay no|yes|mod [no] +# --enable-proxycache Proxy Cache overlay no|yes|mod [no] +# --enable-refint Referential Integrity overlay no|yes|mod [no] +# --enable-retcode Return Code testing overlay no|yes|mod [no] +# --enable-rwm Rewrite/Remap overlay no|yes|mod [no] +# --enable-seqmod Sequential Modify overlay no|yes|mod [yes] +# --enable-syncprov Syncrepl Provider overlay no|yes|mod [yes] +# --enable-translucent Translucent Proxy overlay no|yes|mod [no] +# --enable-unique Attribute Uniqueness overlay no|yes|mod [no] +# --enable-valsort Value Sorting overlay no|yes|mod [no] +# +#Library Generation & Linking Options +# --enable-static[=PKGS] +# build static libraries [default=yes] +# --enable-shared[=PKGS] +# build shared libraries [default=yes] +# --enable-fast-install[=PKGS] +# optimize for fast installation [default=yes] +# --disable-dependency-tracking speeds up one-time build +# --enable-dependency-tracking do not reject slow dependency extractors +# --disable-libtool-lock avoid locking (might break parallel builds) +# +#Optional Packages: +# --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +# --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +# --with-subdir=DIR change default subdirectory used for installs +--with-subdir=ldap +# --with-cyrus-sasl with Cyrus SASL support [auto] +--with-cyrus-sasl +# --with-fetch with fetch(3) URL support [auto] +# --with-threads with threads [auto] +--with-threads +--with-gssapi +# --with-tls with TLS/SSL support auto|openssl|gnutls [auto] +--with-tls=gnutls +# --with-yielding-select with implicitly yielding select [auto] +# --with-mp with multiple precision statistics auto|longlong|long|bignum|gmp [auto] +# --with-odbc with specific ODBC support iodbc|unixodbc|auto [auto] +--with-odbc=unixodbc +# --with-gnu-ld assume the C compiler uses GNU ld [default=no] +# --with-pic try to use only PIC/non-PIC objects [default=use +# both] +# --with-tags[=TAGS] +# include additional configurations [automatic] +# +#See INSTALL file for further details. +# +#Some influential environment variables: +# CC C compiler command +# CFLAGS C compiler flags +# LDFLAGS linker flags, e.g. -L if you have libraries in a +# nonstandard directory +# CPPFLAGS C/C++ preprocessor flags, e.g. -I if you have +# headers in a nonstandard directory +# CPP C preprocessor +# +#Use these variables to override the choices made by `configure' or to help +#it to find libraries and programs with nonstandard names/locations. +# --- openldap-2.4.23.orig/debian/slapi-dev.install +++ openldap-2.4.23/debian/slapi-dev.install @@ -0,0 +1,2 @@ +debian/tmp/usr/include/slapi-plugin.h usr/include +debian/tmp/usr/lib/libslapi.so usr/lib --- openldap-2.4.23.orig/debian/check_config +++ openldap-2.4.23/debian/check_config @@ -0,0 +1,17 @@ +#! /usr/bin/perl -w + +$| = 1; + +print "Reading configuration... "; +open CONF, "; +close CONF; +print "done\n"; + +print "Checking if sasl2 was found... "; +if (not grep /SASL_LIBS.*-lsasl2/, @CONF) { + print "no\n"; + die "SASL2 support not enabled"; +} +print "okay\n"; --- openldap-2.4.23.orig/debian/slapd.manpages +++ openldap-2.4.23/debian/slapd.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man5/slap*.5 +debian/tmp/usr/share/man/man8/slap*.8 --- openldap-2.4.23.orig/debian/slapd.postrm +++ openldap-2.4.23/debian/slapd.postrm @@ -0,0 +1,39 @@ +#!/bin/sh + +set -e + +# Load debconf if available (might have been removed before purging +# slapd) + +if [ -e "/usr/share/debconf/confmodule" ]; then + . /usr/share/debconf/confmodule +fi + +# Check if the user wants the database removed on purging slapd +remove_database_on_purge() { + db_get slapd/purge_database || RET=false + if [ "$RET" = "true" ]; then + return 0 + else + return 1 + fi +} + +if [ "$1" = "purge" ]; then + echo -n "Removing slapd configuration... " + rm -f /etc/ldap/slapd.conf /etc/ldap/slapd.conf.old 2>/dev/null || true + rm -rf /etc/ldap/slapd.d/ 2>/dev/null || true + rmdir /etc/ldap/schema || true + echo done + + if remove_database_on_purge; then + echo -n "Purging OpenLDAP database... " + rm -rf /var/lib/ldap || true + echo done + fi +fi + +#DEBHELPER# + +exit 0 + --- openldap-2.4.23.orig/debian/slapd.postinst +++ openldap-2.4.23/debian/slapd.postinst @@ -0,0 +1,123 @@ +#! /bin/bash + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +postinst_initial_configuration() { # {{{ +# Configure slapd for the first time (when first installed) +# Usage: postinst_initial_configuration + + if manual_configuration_wanted; then + echo " Omitting slapd configuration as requested." >&2 + else + create_new_configuration + configure_v2_protocol_support + fi +} + +# }}} +postinst_upgrade_configuration() { # {{{ +# Handle upgrading slapd from some older version +# Usage: postinst_upgrade_configuration + + # Better back up the config file in any case + echo -n " Backing up $SLAPD_CONF in `database_dumping_destdir`... " >&2 + backup_config_once + echo done. >&2 + + if database_format_changed; then + # During upgrading we have to load the old data + move_incompatible_databases_away + load_databases + fi + + # Migrate from slapd.conf to slapd.d/. + if previous_version_older 2.4.11-0ubuntu1 && [ -f "${SLAPD_CONF}" ]; then + # Initial migration + mkdir /etc/ldap/slapd.d/ + capture_diagnostics slaptest -f ${SLAPD_CONF} -F /etc/ldap/slapd.d/ || failed=1 + if [ "$failed" ]; then + echo failed. >&2 + echo >&2 + cat <<-EOF +Migrating slapd.conf file (${SLAPD_CONF}) to slapd.d failed with the following error while running slaptest: +EOF + release_diagnostics " " + rm -rf /etc/ldap/slapd.d/ + exit 1 + fi + echo " Successfully migrated ${SLAPD_CONF} configuration file to /etc/ldap/slapd.d/ directory. " >&2 + mv ${SLAPD_CONF} ${SLAPD_CONF}.old + SLAPD_CONF=/etc/ldap/slapd.d + # Fix SLAPD_CONF setting in slapd default file + sed -i "s|^SLAPD_CONF=.\+|SLAPD_CONF=${SLAPD_CONF}|" /etc/default/slapd + fi + + configure_v2_protocol_support + + # fix systems incorrectly upgraded by 2.4.21-0ubuntu3 (LP: #559070) + cfg_ldif="${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; + if [ "$OLD_VERSION" = "2.4.21-0ubuntu3" -a -f "${cfg_ldif}" ]; then + sed -i "/^olcAccess: {0}to \*[ ]* by \* none/d;" "${cfg_ldif}" + fi + + # Grant manage access to connections made by the root user via + # SASL EXTERNAL + if previous_version_older 2.4.21-0ubuntu5 ; then + if [ -d "$SLAPD_CONF" ]; then + # Stick the new olcAccess at the begining of the + # olcAccess list (using an index of 0 *and* + # adding it as early as possible in the ldif file) + # to make sure that local root has access to the + # database no matter what other acls say. + sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif" + sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif" + fi + fi + + # Update permissions of all database directories and /var/run/slapd + update_databases_permissions + if [ ! -d "/var/run/slapd" ]; then + mkdir -p "/var/run/slapd" + fi + update_permissions /var/run/slapd + # update_permissions doesn't allow a world readable dir. + # slapd run dir has the slapi socket and thus needs + # to be world accessible. + chmod 0755 /var/run/slapd + + # Versions prior to 2.4.7-1 could create a slapd.conf that wasn't + # readable by the openldap user. + update_permissions "${SLAPD_CONF}" + +} + +# }}} + +# Create a new user. Don't create the user, however, if the local +# administrator has already customized slapd to run as a different user. +if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then + if [ "openldap" = "$SLAPD_USER" ] ; then + create_new_user + fi +fi + +# Configuration. +if is_initial_configuration "$@"; then + postinst_initial_configuration +else + postinst_upgrade_configuration +fi + +db_stop || true + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap-2.4.23.orig/debian/slapd.templates +++ openldap-2.4.23/debian/slapd.templates @@ -0,0 +1,54 @@ +Template: slapd/no_configuration +Type: boolean +Default: false +_Description: Omit OpenLDAP server configuration? + If you enable this option, no initial configuration or database will be + created for you. + +Template: slapd/dump_database +Type: select +__Choices: always, when needed, never +Default: when needed +_Description: Dump databases to file on upgrade: + Before upgrading to a new version of the OpenLDAP server, the data from + your LDAP directories can be dumped into plain text files in the + standard LDAP Data Interchange Format. + . + Selecting "always" will cause the databases to be dumped + unconditionally before an upgrade. Selecting "when needed" will only + dump the database if the new version is incompatible with the old + database format and it needs to be reimported. If you select "never", + no dump will be done. + +Template: slapd/dump_database_destdir +Type: string +Default: /var/backups/slapd-VERSION +_Description: Directory to use for dumped databases: + Please specify the directory where the LDAP databases will be exported. + In this directory, several LDIF files will be created which correspond + to the search bases located on the server. Make sure you have enough + free space on the partition where the directory is located. The first + occurrence of the string "VERSION" is replaced with the server version + you are upgrading from. + +Template: slapd/purge_database +Type: boolean +Default: false +_Description: Do you want the database to be removed when slapd is purged? + +Template: slapd/move_old_database +Type: boolean +Default: true +_Description: Do you want to backup the old database when slapd is upgraded? + If you disable this option upgrades which change the underlying BDB + format may fail. + +Template: slapd/allow_ldap_v2 +Type: boolean +Default: false +_Description: Allow LDAPv2 protocol? + The obsolete LDAPv2 protocol is disabled by default in slapd. Programs + and users should upgrade to LDAPv3. If you have old programs which + can't use LDAPv3, you should select this option and 'olcAllows: bind_v2' + will be added to your cn=config directory. + --- openldap-2.4.23.orig/debian/slapd.config +++ openldap-2.4.23/debian/slapd.config @@ -0,0 +1,101 @@ +#! /bin/sh + +set -e + +# Load debconf +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# Check if the user wants to configure slapd manually +want_manual_configuration() { + db_input medium slapd/no_configuration || true + db_go || true + db_get slapd/no_configuration + no_configuration="$RET" + + if [ "$no_configuration" = "true" ]; then + return 0 + fi + return 1 +} + +# Query the information we need to create an initial directory +query_initial_config() { + db_input low slapd/purge_database || true + # XXX - should be done more general, but for now this should do + # the trick + if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then + db_input low slapd/move_old_database || true + fi + db_go || true +} + +configure_allow_v2_binds() { # {{{ +# Ask if the user would like their package to support LDAPv2.. +# This was the default in older versions but we want to ask +# for new installs too in case the user needs it.. + + db_input medium slapd/allow_ldap_v2 || true +} +# }}} + +# ----- Configuration of LDIF dumping and reloading--------------------- {{{ +# +# Dumping the database can have negative effects on the system we are +# running on. If there is a lot of data dumping it might fill a partition +# for example. Therefore we must give the user exact control over what we +# are doing. + +configure_dumping() { # {{{ +# Ask the user for the configuration of the dumping component +# Usage: configure_dumping + + # Look if the user wants to migrate to the BDB backend + if ! database_dumping_enabled; then + return 0 + fi + + # Configure if and where to dump the LDAP databases + db_input medium slapd/dump_database || true + db_go || true + db_get slapd/dump_database + + # Abort if the user does not want dumping + if [ "$RET" = never ]; then + return 0 + fi + + db_input medium slapd/dump_database_destdir || true + db_go || true + + # If the user entered the empty value, go back to the default + db_get slapd/dump_database_destdir + if [ "$RET" = "" ]; then + db_reset slapd/dump_database_destdir + fi +} + +# }}} +# }}} + +# Create an initial directory on fresh install +if is_initial_configuration "$@"; then + if ! want_manual_configuration; then + query_initial_config + configure_allow_v2_binds + fi +fi + +# Configure the dumping and v2 binds components if we are upgrading some older +# version. +if [ "$1" = configure ] && [ -n "$2" ]; then + configure_dumping + configure_allow_v2_binds +fi + +db_go || true + +exit 0 --- openldap-2.4.23.orig/debian/slapd.NEWS +++ openldap-2.4.23/debian/slapd.NEWS @@ -0,0 +1,10 @@ +openldap2.3 (2.3.20-1) unstable; urgency=low + + The Debian slapd package no longer includes support for the LDBM backend. + It has been disabled as a result of concerns over data loss and lack of + upstream support. For more information, see: + http://www.openldap.org/faq/index.cgi?_highlightWords=ldbm&file=756 + The BDB backend is now the main backend to use. This backend is supported + upstream and has several fixes included for known problems. + + -- Matthijs Mohlmann Sun, 26 Feb 2006 20:05:44 +0100 --- openldap-2.4.23.orig/debian/apparmor-profile +++ openldap-2.4.23/debian/apparmor-profile @@ -0,0 +1,54 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jan 4 15:18:13 2008 +# Author: Jamie Strandboge + +#include + +/usr/sbin/slapd { + #include + #include + + #include + /etc/ssl/private/ r, + /etc/ssl/private/* r, + + /etc/sasldb2 r, + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/gai.conf r, + /etc/hosts.allow r, + /etc/hosts.deny r, + + # ldap files + /etc/ldap/** kr, + /etc/ldap/slapd.d/** rw, + + # kerberos/gssapi + /dev/tty rw, + /etc/krb5.keytab kr, + /var/tmp/ rw, + /var/tmp/** rw, + + # the databases and logs + /var/lib/ldap/ r, + /var/lib/ldap/** rwk, + + # lock file + /var/lib/ldap/alock kw, + + # pid files and sockets + /var/run/slapd/* w, + /var/run/nslcd/* w, + + /usr/lib/ldap/ r, + /usr/lib/ldap/* mr, + + /usr/sbin/slapd mr, + + # Site-specific additions and overrides. See local/README for details. + #include +} --- openldap-2.4.23.orig/debian/ldap-utils.dirs +++ openldap-2.4.23/debian/ldap-utils.dirs @@ -0,0 +1,2 @@ +usr/bin +usr/share/man --- openldap-2.4.23.orig/debian/README.DB_CONFIG +++ openldap-2.4.23/debian/README.DB_CONFIG @@ -0,0 +1,187 @@ +For good performance using the BDB backend, a good DB_CONFIG file in the +database directory (usually /var/lib/ldap) is crucial. The following two +articles should help you to determine a good configuration for your +requirements. A standard DB_CONFIG is installed but it may not be adequate +for your system. + +The current version of OpenLDAP supports putting DB_CONFIG parameters into +slapd.conf instead by prefixing those options with dbconfig. See the +slapd-bdb(5) man page for more information. If there is no DB_CONFIG file +when slapd starts and there are dbconfig lines in slapd.conf, slapd will +write out a DB_CONFIG file with those settings before initializing the +database. + +With the current version of OpenLDAP, any changes to DB_CONFIG will take +effect automatically after restarting slapd. Running db_recover is no +longer required. + + -- Torsten Landschoff Sun, 29 May 2005 18:08:10 +0200 + Russ Allbery Fri, 01 Jun 2007 23:57:33 -0700 + +How do I configure the BDB backend? +----------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/893.html, author unknown) + +The BDB backend ("back-bdb") uses a lot of special features of Sleepycat's +Berkeley DB library, and there are a lot of details that must be set correctly +to get the best results from it. Even though the LDBM backend ("back-ldbm") can +use the BerkeleyDB library, the BDB and LDBM backends have some very important +differences, as already noted in (Xref) What are the different backends? What +are their differences?. + +Because back-bdb is transaction-based and uses write-ahead logging to ensure +data consistency, it has much heavier I/O demands than back-ldbm. Also, the +transaction log files accumulate as data is written to the directory, and these +log files must be cleaned out periodically. Otherwise the log files will +consume enormous amounts of disk space. The cleanup procedures are described in +(Xref) How to maintain Berkeley DB (logs etc.) ?. + +The information needed to fully understand things and to properly configure +back-bdb is divided among the slapd-bdb(5) manual page and the SleepyCat +BerkeleyDB documentation (http://www.sleepycat.com/docs/). + +You should read the entire slapd-bdb(5) manpage before proceeding. The only +mandatory keyword is "directory" for setting the location of the database +files. The other keywords control tradeoffs between data reliability, +performance, and memory use. To ensure that committed transactions actually get +flushed to disk, you should use the "checkpoint" keyword, otherwise your data +is vulnerable to loss due to system failures. See the SleepyCat documentation +for more information about checkpoints. (In fact, you should read all of +chapter 9 "Berkeley DB Transactional Data Store Applications" in the SleepyCat +reference manual. At least, read sections 1-3 and 13-24.) + +The "dbnosync" keyword is provided for compatibility with back-ldbm; the +preferred method of setting this is to use the BDB DB_CONFIG file option +set_flags DB_TXN_NOSYNC. The "lockdetect" keyword is also deprecated, you +should instead use the BDB DB_CONFIG file set_lk_detect keyword. (It's safe to +leave this at the default setting.) + +A number of important items must be configured in the BDB DB_CONFIG file and +not in slapd.conf. You should, at least, read about these items: + +set_cachesize + The BDB library maintains its own cache separate from the back-bdb entry + cache. You must set this cache to a size appropriate for your database and + physical memory size. Note that this is a persistent setting - after you + set it the first time, further changes will be ignored until you recreate + the environment using db_recover. +set_lg_dir + Set the directory for storing transaction logs. For best performance, + the transaction logs must be located on a different physical disk from + the database files. +set_lg_bsize + Set the buffer size for the transaction log. Larger is better, but it + doesn't have much effect unless you're also using the DB_TXN_NOSYNC + option. With a default log file size of 10MB I usually set this to 2MB. + The default is only 32K, which is too small for back-bdb. + +On a very busy system you might see error messages talking about running out of +locks, lockers, or lock objects. Usually the default values are plenty, and in +older versions of the BDB library the errors were more likely due to library +bugs than actual system load. However, it is possible that you have actually +run out of lock resources due to heavy system usage. If this happens, you +should read about the set_lk_max_lockers, set_lk_max_locks, and +set_lk_max_objects keywords. + +How do I determine the proper BDB/HDB database cache size? +---------------------------------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/1075.html, written by +hyc@openldap.org, Kurt@OpenLDAP.org) + +Not having a proper database cache size will cause performance issues. (Note: +in older versions of Berkeley DB, an improper database case size could also +cause the server to hang.) + +These issues are not an indication of corruption occurring in the database. It +is merely the fact that the cache is thrashing itself that causes +performance/response time to slowdown. If you take the time to read and +understand the Berkeley DB documentation, measure the library performance using +db_stat, and tune your settings, you will avoid these problems. + +It is not absolutely necessary to configure a BerkeleyDB cache equal in size to +your entire database. All that you need is a cache that's large enough for your +"working set." That means, large enough to hold all of the most frequently +accessed data, plus a few less-frequently accessed items. + +You should really read the BDB documentation referenced above, but let me spell +out what that really means here, in detail. The discussion here is focused on +back-bdb and back-hdb, but most of it also applies to back-ldbm when using +BerkeleyDB as the underlying database engine. + +Start with the most obvious - the back-bdb database lives in two main files, +dn2id.bdb and id2entry.bdb. These are B-tree databases. We have never +documented the back-bdb internal layout before, because it didn't seem like +something anyone should have to worry about, nor was it necessarily cast in +stone. But here's how it works today, in OpenLDAP 2.1 and 2.2. (All of the +database files in back-ldbm are B-trees by default.) + +A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping +data in its interior nodes. (If you don't know what tree data structures look +like in general, Google for some references, because that's getting far too +elementary for the purposes of this discussion.) + +For decent performance, you need enough cache memory to contain all the nodes +along the path from the root of the tree down to the particular data item +you're accessing. That's enough cache for a single search. For the general +case, you want enough cache to contain all the internal nodes in the database. +"db_stat -d" will tell you how many internal pages are present in a database. +You should check this number for both dn2id and id2entry. + +Also note that id2entry always uses 16KB per "page", while dn2id uses whatever +the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the +cache and triggering these infinite hang bugs in BDB 4.1.25, your cache must be +at least as large as the number of internal pages in both the dn2id and +id2entry databases, plus some extra space to accomodate the actual leaf data +pages. + +For example, in my OpenLDAP 2.2 test database, I have an input LDIF file that's +about 360MB. With the back-hdb backend this creates a dn2id.bdb that's 68MB, +and an id2entry that's 800MB. db_stat tells me that dn2id uses 4KB pages, has +433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 +internal pages, and 45912 leaf pages. In order to efficiently retrieve any +single entry in this database, the cache should be at least + +(433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB. + +This doesn't take into account other library overhead, so this is even lower +than the barest minimum. The default cache size, when nothing is configured, is +only 256KB. If you tried to do much of anything with this database and only +default settings, BDB 4.1.25 would lock up in an infinite loop. + +This 2.5MB number also doesn't take indexing into account. Each indexed +attribute uses another database file of its own, using a Hash structure. +(Again, in back-ldbm, the indexes also use B-trees by default, so this part of +the discussion doesn't apply unless back-ldbm was explicitly compiled to use +Hashes instead. Also, in OpenLDAP 2.2 onward, all of the indexes use B-trees, +there are no more Hash database files. So just use the B-tree information above +and ignore this Hash discussion.) + +Unlike the B-trees, where you only need to touch one data page to find an entry +of interest, doing an index lookup generally touches multiple keys, and the +point of a hash structure is that the keys are evenly distributed across the +data space. That means there's no convenient compact subset of the database +that you can keep in the cache to insure quick operation, you can pretty much +expect references to be scattered across the whole thing. My strategy here +would be to provide enough cache for at least 50% of all of the hash data. +(Number of hash buckets + number of overflow pages + number of duplicate pages) +* page size / 2. + +The objectClass index for my example database is 5.9MB and uses 3 hash buckets +and 656 duplicate pages. So ( 3 + 656 ) * 4KB / 2 =~ 1.3MB. + +With only this index enabled, I'd figure at least a 4MB cache for this backend. +(Of course you're using a single cache shared among all of the database files, +so the cache pages will most likely get used for something other than what you +accounted for, but this gives you a fighting chance.) + +With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in 1 +minute, 40 seconds. With the cache doubled to 8MB, it still takes the same +1:40s. Once you've got enough cache to fit the B-tree internal pages, +increasing it further won't have any effect until the cache really is large +enough to hold 100% of the data pages. I don't have enough free RAM to hold all +the 800MB id2entry data, so 4MB is good enough. + +With back-bdb and back-hdb you can use "db_stat -m" to check how well the +database cache is performing. Unfortunately you can't do this with back-ldbm, +as the statistics are not accessible when slapd is running, nor are they saved +anywhere when slapd is stopped. (Yet another reason not to use back-ldbm.) --- openldap-2.4.23.orig/debian/ldap-utils.manpages +++ openldap-2.4.23/debian/ldap-utils.manpages @@ -0,0 +1,10 @@ +debian/tmp/usr/share/man/man1/ldapcompare.1 +debian/tmp/usr/share/man/man1/ldapdelete.1 +debian/tmp/usr/share/man/man1/ldapmodify.1 +debian/tmp/usr/share/man/man1/ldapmodrdn.1 +debian/tmp/usr/share/man/man1/ldappasswd.1 +debian/tmp/usr/share/man/man1/ldapsearch.1 +debian/tmp/usr/share/man/man1/ldapwhoami.1 +debian/tmp/usr/share/man/man1/ldapurl.1 +debian/tmp/usr/share/man/man1/ldapadd.1 +debian/tmp/usr/share/man/man5/ldif.5 --- openldap-2.4.23.orig/debian/libldap-2.4-2.postinst +++ openldap-2.4.23/debian/libldap-2.4-2.postinst @@ -0,0 +1,13 @@ +#!/bin/sh +# +# Run ldconfig after installing the shared library. We have to do this +# manually rather than letting dh_makeshlibs deal with it because +# dh_makeshlibs can't cope with the trick we're pulling with libldap_r. + +if [ "$1" = "configure" ]; then + ldconfig +fi + +#DEBHELPER# + +exit 0 --- openldap-2.4.23.orig/debian/TODO +++ openldap-2.4.23/debian/TODO @@ -0,0 +1,32 @@ +openldap2.2 (2.2.23-4) unstable; urgency=low + + * debian/slapd.NEWS: Summarize the upstream changes and make clear that + the upgrade may be problemated. Sketch the upgrade procedure. + * debian/README.Debian: Explain what to check for if upgrading fails and + how to recover. + * CARLO: debian/slapd.scripts-common: Handle all UTF-8 supported characters + in organization field by converting the locale specific input into + utf-8 and base64 encoding the result (closes: #236097). + * Maintainer scripts: Handle the configuration to enable ldif dumping + correctly: Dump if requested and only slapadd the data if it is + supposed to be there. + * Check ITS#3267 (possible data loss) and apply the patch to the + package. + * CARLO: Escape special chars in the names of backup LDIF files using + the %xx syntax. + * Check lintian warning: Postinst uses db_input. I think the usage is + okay as it is an error message IIRC which is also output using cat + in case debconf is not available. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + * Refactoring of the maintainer scripts. Goals: + + No more direct access to global variables but accessor functions + to check for invalid uses. Example: Don't use $OLD_VERSION but + `get_previous_version`. That way invalid uses can easily be flagged + if that information is not available anymore. + * Remove perl script to hash a password and use slappasswd instead. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 --- openldap-2.4.23.orig/debian/slapd.preinst +++ openldap-2.4.23/debian/slapd.preinst @@ -0,0 +1,22 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# If we are upgrading from an old version then stop slapd and attempt to +# slapcat out the data so we can use it in postinst to do the upgrade + +if [ "$MODE" = upgrade ]; then + dump_databases +fi + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap-2.4.23.orig/debian/slapd.docs +++ openldap-2.4.23/debian/slapd.docs @@ -0,0 +1 @@ +debian/README.DB_CONFIG --- openldap-2.4.23.orig/debian/USE-CASES +++ openldap-2.4.23/debian/USE-CASES @@ -0,0 +1,7 @@ +Some ideas what to check and what the desired results would be: + +- running dpkg-reconfigure with an already configured slapd + + Should either backup the database or ask before killing it. + Same for slapd.conf. Neither old configuration or old database + should be lost without the user confirming that this is what he wants. --- openldap-2.4.23.orig/debian/compat +++ openldap-2.4.23/debian/compat @@ -0,0 +1 @@ +6 --- openldap-2.4.23.orig/debian/patches/evolution-ntlm +++ openldap-2.4.23/debian/patches/evolution-ntlm @@ -0,0 +1,230 @@ +Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is +actually called by evolution-data-server, checked at version 1.12.2. +Without this patch, the Exchange addressbook integration uses simple binds +with cleartext passwords. + +Russ checked with openldap-software for upstream's opinion on this patch +on 2007-12-21. Upstream had never received it as a patch submission and +given that it's apparently only for older Exchange servers that can't do +SASL and DIGEST-MD5, it's not very appealing. + +Bug#457374 filed against evolution-data-server asking if this support is +still required on 2007-12-21. + +Index: trunk/include/ldap.h +=================================================================== +--- trunk.orig/include/ldap.h ++++ trunk/include/ldap.h +@@ -2461,5 +2461,25 @@ + LDAPControl **ctrls, + LDAPDerefRes **drp )); + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +Index: trunk/libraries/libldap/ntlm.c +=================================================================== +--- /dev/null ++++ trunk/libraries/libldap/ntlm.c +@@ -0,0 +1,138 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} ++ +Index: trunk/libraries/libldap/Makefile.in +=================================================================== +--- trunk.orig/libraries/libldap/Makefile.in ++++ trunk/libraries/libldap/Makefile.in +@@ -27,7 +27,7 @@ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c + + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ +@@ -40,7 +40,7 @@ + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo + + LDAP_INCDIR= ../../include +Index: trunk/libraries/libldap_r/Makefile.in +=================================================================== +--- trunk.orig/libraries/libldap_r/Makefile.in ++++ trunk/libraries/libldap_r/Makefile.in +@@ -29,7 +29,7 @@ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c + SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \ + thr_posix.c thr_cthreads.c thr_thr.c thr_lwp.c thr_nt.c \ +@@ -47,7 +47,7 @@ + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo + + LDAP_INCDIR= ../../include --- openldap-2.4.23.orig/debian/patches/slapi-errorlog-file +++ openldap-2.4.23/debian/patches/slapi-errorlog-file @@ -0,0 +1,16 @@ +The slapi error log file defaults to /var/errors given our setting +of --localstatedir. Move it to /var/log/slapi-errors instead. + +Debian-specific. + +--- openldap.orig/servers/slapd/slapi/slapi_overlay.c ++++ openldap/servers/slapd/slapi/slapi_overlay.c +@@ -927,7 +927,7 @@ + ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex ); + + if ( slapi_log_file == NULL ) +- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" ); ++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" ); + + rc = slapi_int_init_object_extensions(); + if ( rc != 0 ) --- openldap-2.4.23.orig/debian/patches/sasl-default-path +++ openldap-2.4.23/debian/patches/sasl-default-path @@ -0,0 +1,59 @@ +Add /etc/ldap/sasl2 to the SASL configuration search path. + +Not submitted upstream. Somewhat Debian-specific and probably not of +interest upstream. + +Index: openldap/include/ldap_defaults.h +=================================================================== +--- openldap.orig/include/ldap_defaults.h ++++ openldap/include/ldap_defaults.h +@@ -63,4 +63,6 @@ + /* dn of the default "monitor" subentry */ + #define SLAPD_MONITOR_DN "cn=Monitor" + ++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2" ++ + #endif /* _LDAP_CONFIG_H */ +Index: openldap/servers/slapd/sasl.c +=================================================================== +--- openldap.orig/servers/slapd/sasl.c ++++ openldap/servers/slapd/sasl.c +@@ -1093,12 +1093,38 @@ + }; + #endif + ++static int ++slap_sasl_getconfpath( void * context, char ** path ) ++{ ++ char * sasl_default_configpath; ++ size_t len; ++ ++#if SASL_VERSION_MAJOR >= 2 ++ sasl_default_configpath = "/usr/lib/sasl2"; ++#else ++ sasl_default_configpath = "/usr/lib/sasl"; ++#endif ++ ++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ + ++ strlen(sasl_default_configpath) + 1 /* \0 */; ++ *path = malloc( len ); ++ if ( *path == NULL ) ++ return SASL_FAIL; ++ ++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH, ++ sasl_default_configpath ) != len-1 ) ++ return SASL_FAIL; ++ ++ return SASL_OK; ++} ++ + int slap_sasl_init( void ) + { + #ifdef HAVE_CYRUS_SASL + int rc; + static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, &slap_sasl_log, NULL }, ++ { SASL_CB_GETCONFPATH, &slap_sasl_getconfpath, NULL }, + { SASL_CB_GETOPT, &slap_sasl_getopt, NULL }, + { SASL_CB_LIST_END, NULL, NULL } + }; --- openldap-2.4.23.orig/debian/patches/CVE-2011-1081 +++ openldap-2.4.23/debian/patches/CVE-2011-1081 @@ -0,0 +1,21 @@ +Origin: cvs PatchSet 24550 from OPENLDAP_REL_ENG_2_4 +Description: fix DoS when processing unauthenticated modrdn requests and + requestDN is empty +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 +Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=674985#c1 + +Index: openldap-2.4.23/servers/slapd/modrdn.c +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/modrdn.c 2011-03-16 09:44:03.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/modrdn.c 2011-03-16 09:44:07.000000000 -0500 +@@ -392,7 +392,9 @@ + LDAPRDN new_rdn = NULL; + + assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ); +- assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) ); ++ ++ /* if requestDN is empty, silently reset deleteOldRDN */ ++ if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0; + + if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn, + (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) { --- openldap-2.4.23.orig/debian/patches/series +++ openldap-2.4.23/debian/patches/series @@ -0,0 +1,18 @@ +nssov-build +man-slapd +evolution-ntlm +add-autogen-sh +slapi-errorlog-file +ldapi-socket-place +wrong-database-location +index-files-created-as-root +sasl-default-path +libldap-symbol-versions +getaddrinfo-is-threadsafe +gssapi.diff +smbk5pwd-makefile +issue-6534-patch +ldap-conf-tls-cacertdir +CVE-2011-1024 +CVE-2011-1025 +CVE-2011-1081 --- openldap-2.4.23.orig/debian/patches/CVE-2011-1024 +++ openldap-2.4.23/debian/patches/CVE-2011-1024 @@ -0,0 +1,44 @@ +Origin: cvs PatchSet 24620 from OPENLDAP_REL_ENG_2_4 +Description: fix successful anonymous bind via chain overlay when using + forwarded authentication failures +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 + +Index: openldap-2.4.23/servers/slapd/back-ldap/chain.c +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/back-ldap/chain.c 2011-03-16 09:21:55.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/back-ldap/chain.c 2011-03-16 09:22:02.000000000 -0500 +@@ -854,6 +854,7 @@ + + /* we need this to know if back-ldap returned any result */ + lb.lb_lc = lc; ++ sc2.sc_next = sc->sc_next; + sc2.sc_private = &lb; + sc2.sc_response = ldap_chain_cb_response; + op->o_callback = &sc2; +@@ -947,6 +948,7 @@ + + case LDAP_SUCCESS: + case LDAP_REFERRAL: ++ sr_err = rs->sr_err; + /* slapd-ldap sent response */ + if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) { + /* FIXME: should we send response? */ +@@ -974,7 +976,7 @@ + default: + #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ + if ( LDAP_CHAIN_RETURN_ERR( lc ) ) { +- rs->sr_err = rc; ++ sr_err = rs->sr_err = rc; + rs->sr_type = sr_type; + + } else { +@@ -992,7 +994,8 @@ + } + + if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) { +- op->o_callback = NULL; ++ /* give the remaining callbacks a chance */ ++ op->o_callback = sc->sc_next; + rc = rs->sr_err = slap_map_api2result( rs ); + send_ldap_result( op, rs ); + } --- openldap-2.4.23.orig/debian/patches/wrong-database-location +++ openldap-2.4.23/debian/patches/wrong-database-location @@ -0,0 +1,73 @@ +Move the default slapd database location to /var/lib/ldap instead of +/var/openldap-data. + +Debian-specific. + +Index: openldap/doc/man/man5/slapd-bdb.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd-bdb.5 ++++ openldap/doc/man/man5/slapd-bdb.5 +@@ -133,7 +133,7 @@ + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B dirtyread + Allow reads of modified but not yet committed data. +Index: openldap/doc/man/man5/slapd.conf.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd.conf.5 ++++ openldap/doc/man/man5/slapd.conf.5 +@@ -1850,7 +1850,7 @@ + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap\-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +Index: openldap/include/ldap_defaults.h +=================================================================== +--- openldap.orig/include/ldap_defaults.h ++++ openldap/include/ldap_defaults.h +@@ -47,7 +47,7 @@ + /* location of the default slapd config file */ + #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #define SLAPD_DEFAULT_DB_MODE 0600 + #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" + /* default max deref depth for aliases */ +Index: openldap/servers/slapd/Makefile.in +=================================================================== +--- openldap.orig/servers/slapd/Makefile.in ++++ openldap/servers/slapd/Makefile.in +@@ -430,9 +430,9 @@ + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +Index: openldap/doc/man/man5/slapd-config.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd-config.5 ++++ openldap/doc/man/man5/slapd-config.5 +@@ -1885,7 +1885,7 @@ + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap\-data ++olcDbDirectory: LOCALSTATEDIR/lib/ldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub --- openldap-2.4.23.orig/debian/patches/libldap-symbol-versions +++ openldap-2.4.23/debian/patches/libldap-symbol-versions @@ -0,0 +1,160 @@ +Add symbol versioning to the public LDAP libraries. This is required for +library transitions, such as the current transition from 2.1 to 2.4, +since programs will sometimes have both libraries loaded by different +dependency chains during the transition. + +Not yet contributed upstream. + +Upstream ITS #5365 filed requesting symbol versioning for libldap and +libber. + +--- openldap.orig/libraries/libldap_r/Makefile.in ++++ openldap/libraries/libldap_r/Makefile.in +@@ -57,6 +57,9 @@ + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" ++endif + + .links : Makefile + @for i in $(XXSRCS); do \ +--- openldap.orig/build/top.mk ++++ openldap/build/top.mk +@@ -103,6 +103,9 @@ + # LINK_LIBS referenced in library and module link commands. + LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) + ++# option to pass to $(CC) to support library symbol versioning, if any ++VERSION_OPTION = @VERSION_OPTION@ ++ + LTSTATIC = @LTSTATIC@ + + LTLINK = $(LIBTOOL) --mode=link \ +@@ -112,7 +115,7 @@ + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c + + LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ +- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) ++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) + + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c +--- openldap.orig/build/openldap.m4 ++++ openldap/build/openldap.m4 +@@ -1312,3 +1312,54 @@ + #endif + ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) + ]) ++ ++dnl ==================================================================== ++dnl check for symbol versioning support ++AC_DEFUN([OL_SYMBOL_VERSIONING], ++[AC_CACHE_CHECK([for .symver assembler directive], ++ [ol_cv_asm_symver_directive],[ ++cat > conftest.s <&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ ol_cv_asm_symver_directive=yes ++else ++ ol_cv_asm_symver_directive=no ++fi ++rm -f conftest*]) ++AC_CACHE_CHECK([for ld --version-script], ++ [ol_cv_ld_version_script_option],[ ++if test $ol_cv_asm_symver_directive = yes; then ++ cat > conftest.s < conftest.map <&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared ++ -o conftest.so conftest.o ++ -Wl,--version-script,conftest.map ++ 1>&AS_MESSAGE_LOG_FD]); ++ then ++ ol_cv_ld_version_script_option=yes ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++else ++ ol_cv_ld_version_script_option=no ++fi ++rm -f conftest*])]) +--- openldap.orig/configure.in ++++ openldap/configure.in +@@ -1863,6 +1863,13 @@ + fi + AC_SUBST(LTSTATIC)dnl + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +--- /dev/null ++++ openldap/libraries/libldap/libldap.map +@@ -0,0 +1,6 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ldap_*; ++ local: ++ *; ++}; +--- openldap.orig/libraries/libldap/Makefile.in ++++ openldap/libraries/libldap/Makefile.in +@@ -48,6 +48,9 @@ + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map ++endif + + apitest: $(XLIBS) apitest.o + $(LTLINK) -o $@ apitest.o $(LIBS) +--- openldap.orig/libraries/liblber/Makefile.in ++++ openldap/libraries/liblber/Makefile.in +@@ -38,6 +38,9 @@ + XXLIBS = + NT_LINK_LIBS = $(AC_LIBS) + UNIX_LINK_LIBS = $(AC_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" ++endif + + dtest: $(XLIBS) dtest.o + $(LTLINK) -o $@ dtest.o $(LIBS) +--- /dev/null ++++ openldap/libraries/liblber/liblber.map +@@ -0,0 +1,8 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ber_*; ++ der_alloc; ++ lutil_*; ++ local: ++ *; ++}; --- openldap-2.4.23.orig/debian/patches/index-files-created-as-root +++ openldap-2.4.23/debian/patches/index-files-created-as-root @@ -0,0 +1,37 @@ +Document in the man page that slapindex should be run as the same user +as slapd, and print a warning if it's run as root (since Debian defaults +to running slapd as openldap). + +Not suitable for upstream in this form. This patch needs to be reworked +to check the BerkeleyDB database ownership and only warn if running as +root with a database that's not owned by root. + +Upstream ITS #5356 filed requesting better handling of this. Current +upstream discussion leans towards putting the check into the database +backend and aborting if slapd is run as a different user than the database +owner, which is an even better fix. + +--- openldap.orig/doc/man/man8/slapindex.8 ++++ openldap/doc/man/man8/slapindex.8 +@@ -131,6 +131,10 @@ + should not be running (at least, not in read-write + mode) when you do this to ensure consistency of the database. + .LP ++slapindex ought to be run as the user specified for ++.BR slapd (8) ++to ensure correct database permissions. ++.LP + This command provides ample opportunity for the user to obtain + and drink their favorite beverage. + .SH EXAMPLES +--- openldap.orig/servers/slapd/slapindex.c ++++ openldap/servers/slapd/slapindex.c +@@ -34,6 +34,8 @@ + int + slapindex( int argc, char **argv ) + { ++ if (geteuid() == 0) ++ fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); + ID id; + int rc = EXIT_SUCCESS; + const char *progname = "slapindex"; --- openldap-2.4.23.orig/debian/patches/smbk5pwd-makefile +++ openldap-2.4.23/debian/patches/smbk5pwd-makefile @@ -0,0 +1,56 @@ +Index: b/contrib/slapd-modules/smbk5pwd/Makefile +=================================================================== +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -12,30 +12,30 @@ + # top-level directory of the distribution or, alternatively, at + # . + +-LIBTOOL=../../../libtool ++LIBTOOL=../../../debian/build/libtool + OPT=-g -O2 + CC=gcc + + # Omit DO_KRB5 or DO_SAMBA if you don't want to support it. + DEFS=-DDO_KRB5 -DDO_SAMBA + +-HEIMDAL_INC=-I/usr/heimdal/include ++HEIMDAL_INC=-I/usr/include + SSL_INC= +-LDAP_INC=-I../../../include -I../../../servers/slapd ++LDAP_INC=-I../../../debian/build/include -I../../../debian/build/servers/slapd -I../../../include -I../../../servers/slapd + INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) + +-HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv +-SSL_LIB=-lcrypto +-LDAP_LIB=-lldap_r -llber ++HEIMDAL_LIB=-lkrb5 -lkadm5srv ++SSL_LIB=-lgcrypt ++LDAP_LIB=-lldap_r -llber -L../../../debian/build/libraries/libldap_r -L../../../debian/build/libraries/liblber + LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) + +-prefix=/usr/local ++prefix=/usr + exec_prefix=$(prefix) +-ldap_subdir=/openldap ++ldap_subdir=/ldap + + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec +-moduledir = $(libexecdir)$(ldap_subdir) ++moduledir = $(libdir)$(ldap_subdir) + + all: smbk5pwd.la + +@@ -48,8 +48,9 @@ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +- rm -f smbk5pwd.lo smbk5pwd.la ++ $(LIBTOOL) --mode=clean rm -f + +-install: smbk5pwd.la ++install: all + mkdir -p $(DESTDIR)$(moduledir) + $(LIBTOOL) --mode=install cp smbk5pwd.la $(DESTDIR)$(moduledir) ++ --- openldap-2.4.23.orig/debian/patches/CVE-2011-1025 +++ openldap-2.4.23/debian/patches/CVE-2011-1025 @@ -0,0 +1,29 @@ +Origin: cvs PatchSets 24176 and 24177 from HEAD +Description: verify password when authenticating to rootdn and using ndb + backend +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 + +Index: openldap-2.4.23/servers/slapd/back-ndb/bind.cpp +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/back-ndb/bind.cpp 2011-03-16 09:35:42.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/back-ndb/bind.cpp 2011-03-16 09:37:17.000000000 -0500 +@@ -42,11 +42,17 @@ + op->o_req_dn.bv_val, 0, 0); + + /* allow noauth binds */ +- switch ( be_rootdn_bind( op, NULL ) ) { ++ rs->sr_err = be_rootdn_bind( op, NULL ); ++ switch ( rs->sr_err ) { + case SLAP_CB_CONTINUE: + break; + +- default: ++ case LDAP_INVALID_CREDENTIALS: ++ send_ldap_result( op, rs ); ++ /* fallthru */ ++ ++ case LDAP_SUCCESS: ++ /* frontend will send result */ + return rs->sr_err; + } + --- openldap-2.4.23.orig/debian/patches/gssapi.diff +++ openldap-2.4.23/debian/patches/gssapi.diff @@ -0,0 +1,167 @@ +Index: openldap-2.4.23/configure.in +=================================================================== +--- openldap-2.4.23.orig/configure.in 2010-07-28 11:20:57.054712043 -0400 ++++ openldap-2.4.23/configure.in 2010-07-28 11:21:15.542403952 -0400 +@@ -242,6 +242,8 @@ + auto, [auto yes no] ) + OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support], + auto, [auto yes no] ) ++OL_ARG_WITH(gssapi,[ --with-gssapi with GSSAPI support], ++ auto, [auto yes no] ) + OL_ARG_WITH(threads,[ --with-threads with threads], + auto, [auto nt posix mach pth lwp yes no manual] ) + OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls], +@@ -584,6 +586,7 @@ + KRB4_LIBS= + KRB5_LIBS= + SASL_LIBS= ++GSSAPI_LIBS= + TLS_LIBS= + MODULES_LIBS= + SLAPI_LIBS= +@@ -1148,6 +1151,63 @@ + fi + + dnl ---------------------------------------------------------------- ++dnl GSSAPI ++ol_link_gssapi=no ++ ++case $ol_with_gssapi in yes | auto) ++ ++ ol_header_gssapi=no ++ AC_CHECK_HEADERS(gssapi/gssapi.h) ++ if test $ac_cv_header_gssapi_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ else ++ AC_CHECK_HEADERS(gssapi.h) ++ if test $ac_cv_header_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ fi ++ ++ dnl## not every gssapi has gss_oid_to_str() ++ dnl## as it's not defined in the GSSAPI V2 API ++ dnl## anymore ++ saveLIBS="$LIBS" ++ LIBS="$LIBS $GSSAPI_LIBS" ++ AC_CHECK_FUNCS(gss_oid_to_str) ++ LIBS="$saveLIBS" ++ fi ++ ++ if test $ol_header_gssapi = yes ; then ++ dnl## we check for gss_wrap ++ dnl## as it's new to the GSSAPI V2 API ++ AC_CHECK_LIB(gssapi, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"], ++ [ol_link_gssapi=no]) ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gssapi_krb5, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"], ++ [ol_link_gssapi=no]) ++ fi ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gss, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"], ++ [ol_link_gssapi=no]) ++ fi ++ fi ++ ++ ;; ++esac ++ ++WITH_GSSAPI=no ++if test $ol_link_gssapi = yes; then ++ AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI]) ++ WITH_GSSAPI=yes ++elif test $ol_with_gssapi = auto ; then ++ AC_MSG_WARN([Could not locate GSSAPI package]) ++ AC_MSG_WARN([GSSAPI authentication not supported!]) ++elif test $ol_with_gssapi = yes ; then ++ AC_MSG_ERROR([GSSAPI detection failed]) ++fi ++ ++dnl ---------------------------------------------------------------- + dnl TLS/SSL + + if test $ol_with_tls = yes ; then +@@ -1902,6 +1962,13 @@ + fi + AC_SUBST(VERSION_OPTION) + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +@@ -3112,6 +3179,7 @@ + AC_SUBST(KRB4_LIBS) + AC_SUBST(KRB5_LIBS) + AC_SUBST(SASL_LIBS) ++AC_SUBST(GSSAPI_LIBS) + AC_SUBST(TLS_LIBS) + AC_SUBST(MODULES_LIBS) + AC_SUBST(SLAPI_LIBS) +Index: openldap-2.4.23/include/ldap.h +=================================================================== +--- openldap-2.4.23.orig/include/ldap.h 2010-07-28 11:20:37.000000000 -0400 ++++ openldap-2.4.23/include/ldap.h 2010-07-28 11:21:15.542403952 -0400 +@@ -1216,6 +1216,16 @@ + struct berval **servercredp, + int freeit )); + ++/* ++ * in gssapi.c: ++ */ ++LDAP_F( int ) ++ldap_gssapi_bind_s LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ LDAP_CONST char *creds)); ++ ++ + #if LDAP_DEPRECATED + /* + * in bind.c: +Index: openldap-2.4.23/include/portable.hin +=================================================================== +--- openldap-2.4.23.orig/include/portable.hin 2010-04-19 15:22:30.000000000 -0400 ++++ openldap-2.4.23/include/portable.hin 2010-07-28 11:21:15.542403952 -0400 +@@ -253,6 +253,18 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_GRP_H + ++/* define if you have GSSAPI */ ++#undef HAVE_GSSAPI ++ ++/* Define to 1 if you have the header file. */ ++#undef HAVE_GSSAPI_GSSAPI_H ++ ++/* Define to 1 if you have the header file. */ ++#undef HAVE_GSSAPI_H ++ ++/* Define to 1 if you have the `gss_oid_to_str' function. */ ++#undef HAVE_GSS_OID_TO_STR ++ + /* Define to 1 if you have the `hstrerror' function. */ + #undef HAVE_HSTRERROR + +Index: openldap-2.4.23/build/top.mk +=================================================================== +--- openldap-2.4.23.orig/build/top.mk 2010-07-28 11:20:57.000000000 -0400 ++++ openldap-2.4.23/build/top.mk 2010-07-28 11:21:15.542403952 -0400 +@@ -190,9 +190,10 @@ + KRB5_LIBS = @KRB5_LIBS@ + KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@ + SASL_LIBS = @SASL_LIBS@ ++GSSAPI_LIBS = @GSSAPI_LIBS@ + TLS_LIBS = @TLS_LIBS@ + AUTH_LIBS = @AUTH_LIBS@ +-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS) ++SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS) + ICU_LIBS = @ICU_LIBS@ + + MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@ --- openldap-2.4.23.orig/debian/patches/ldapi-socket-place +++ openldap-2.4.23/debian/patches/ldapi-socket-place @@ -0,0 +1,16 @@ +Move the ldapi socket to /var/run/slapd from /var/run, since /var/run +is only writable by root and slapd runs as openldap. + +Debian-specific. + +--- openldap.orig/include/ldap_defaults.h ++++ openldap/include/ldap_defaults.h +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS --- openldap-2.4.23.orig/debian/patches/nssov-build +++ openldap-2.4.23/debian/patches/nssov-build @@ -0,0 +1,45 @@ +diff -Naurp openldap-2.4.23.orig//contrib/slapd-modules/nssov/Makefile openldap-2.4.23//contrib/slapd-modules/nssov/Makefile +--- openldap-2.4.23.orig//contrib/slapd-modules/nssov/Makefile 2010-04-15 17:32:56.000000000 -0400 ++++ openldap-2.4.23//contrib/slapd-modules/nssov/Makefile 2010-07-29 12:28:18.191705597 -0400 +@@ -17,26 +17,26 @@ LDAPSRC=../../.. + + # Path to the OpenLDAP object tree - same as above unless + # you're doing out-of-tree builds. +-LDAPOBJ=../../.. ++LDAPOBJ=../../../debian/build + + LIBTOOL=$(LDAPOBJ)/libtool + OPT=-g -O2 + CC=gcc + +-LDAP_INC=-I$(LDAPOBJ)/include -I$(LDAPSRC)/include -I$(LDAPSRC)/servers/slapd ++LDAP_INC=-I../../../debian/build/include -I../../../debian/build/servers/slapd -I../../../include -I../../../servers/slapd + NLDAPD_INC=-Inss-pam-ldapd + INCS=$(LDAP_INC) $(NLDAPD_INC) + +-LDAP_LIB=-lldap_r -llber ++LDAP_LIB=-lldap_r -llber -L../../../debian/build/libraries/libldap_r -L../../../debian/build/libraries/liblber + LIBS=$(LDAP_LIB) + +-prefix=/usr/local ++prefix=/usr + exec_prefix=$(prefix) +-ldap_subdir=/openldap ++ldap_subdir=/ldap + + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec +-moduledir = $(libexecdir)$(ldap_subdir) ++moduledir = $(libdir)$(ldap_subdir) + sysconfdir = $(prefix)/etc$(ldap_subdir) + schemadir = $(sysconfdir)/schema + +@@ -59,7 +59,7 @@ $(OBJS): nssov.h + + nssov.la: $(OBJS) $(XOBJS) + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ +- -rpath $(libdir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) ++ -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) + + install: nssov.la + mkdir -p $(DESTDIR)$(moduledir) --- openldap-2.4.23.orig/debian/patches/getaddrinfo-is-threadsafe +++ openldap-2.4.23/debian/patches/getaddrinfo-is-threadsafe @@ -0,0 +1,55 @@ +Author: Steve Langasek + +OpenLDAP upstream conservatively assumes that certain resolver functions +(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we +know that the glibc implementations of these functions are thread-safe, so +we should bypass the use of this mutex. This fixes a locking problem when +an application uses libldap and libnss-ldap is also used for hosts +resolution. + +Closes Debian bug #340601. + +Not suitable for forwarding upstream; might be made suitable by adding a +configure-time check for glibc and disabling the mutex only on known +thread-safe implementations. + +Index: trunk/libraries/libldap/os-ip.c +=================================================================== +--- trunk.orig/libraries/libldap/os-ip.c ++++ trunk/libraries/libldap/os-ip.c +@@ -477,17 +477,8 @@ + hints.ai_socktype = socktype; + snprintf(serv, sizeof serv, "%d", port ); + +-#ifdef LDAP_R_COMPILE +- /* most getaddrinfo(3) use non-threadsafe resolver libraries */ +- ldap_pvt_thread_mutex_lock(&ldap_int_resolv_mutex); +-#endif +- + err = getaddrinfo( host, serv, &hints, &res ); + +-#ifdef LDAP_R_COMPILE +- ldap_pvt_thread_mutex_unlock(&ldap_int_resolv_mutex); +-#endif +- + if ( err != 0 ) { + osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n", + AC_GAI_STRERROR(err), 0, 0); +Index: trunk/libraries/libldap/util-int.c +=================================================================== +--- trunk.orig/libraries/libldap/util-int.c ++++ trunk/libraries/libldap/util-int.c +@@ -224,13 +224,7 @@ + int rc; + #if defined( HAVE_GETNAMEINFO ) + +-#if defined( LDAP_R_COMPILE ) +- ldap_pvt_thread_mutex_lock( &ldap_int_resolv_mutex ); +-#endif + rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 ); +-#if defined( LDAP_R_COMPILE ) +- ldap_pvt_thread_mutex_unlock( &ldap_int_resolv_mutex ); +-#endif + if ( rc ) *err = (char *)AC_GAI_STRERROR( rc ); + return rc; + --- openldap-2.4.23.orig/debian/patches/issue-6534-patch +++ openldap-2.4.23/debian/patches/issue-6534-patch @@ -0,0 +1,13 @@ +Index: b/libraries/liblutil/detach.c +=================================================================== +--- a/libraries/liblutil/detach.c 2010-07-12 12:05:35.000000000 +0200 ++++ b/libraries/liblutil/detach.c 2010-07-12 12:07:36.000000000 +0200 +@@ -128,7 +128,7 @@ + + #ifdef HAVE_SETSID + (void) setsid(); +-#elif TIOCNOTTY ++#elif defined(TIOCNOTTY) + if ( (sd = open( "/dev/tty", O_RDWR )) != -1 ) { + (void) ioctl( sd, TIOCNOTTY, NULL ); + (void) close( sd ); --- openldap-2.4.23.orig/debian/patches/add-autogen-sh +++ openldap-2.4.23/debian/patches/add-autogen-sh @@ -0,0 +1,38 @@ +Add an autogen.sh script to run all of the autotools in the right order +to regenerate the build machinery. Needed since we have patches that +modify the source for Autoconf. + +Debian-specific. + +--- /dev/null ++++ openldap/autogen.sh +@@ -0,0 +1,29 @@ ++#!/bin/sh ++# ++# autogen.sh ++ ++LIBTOOL=`which libtoolize` ++AUTOCONF=`which autoconf` ++ACLOCAL=`which aclocal` ++ ++if [ ! -x $LIBTOOL ]; then ++ echo "libtool doesn't exist! Please install libtool" ++ exit 1 ++fi ++ ++if [ ! -x $ACLOCAL ]; then ++ echo "aclocal doesn't exist! Please install automake" ++ exit 1 ++fi ++ ++if [ ! -x $AUTOCONF ]; then ++ echo "autoconf doesn't exist! Please install autoconf" ++ exit 1 ++fi ++ ++$LIBTOOL --copy --force ++$ACLOCAL ++$AUTOCONF ++ ++exit 0 ++ --- openldap-2.4.23.orig/debian/patches/man-slapd +++ openldap-2.4.23/debian/patches/man-slapd @@ -0,0 +1,62 @@ +Patch the slapd man page to not refer to a header file that isn't +installed with the slapd package and to reference the correct path +for slapd. + +Debian-specific. + +Index: openldap/doc/man/man8/slapd.8 +=================================================================== +--- openldap.orig/doc/man/man8/slapd.8 ++++ openldap/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -103,11 +103,10 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug-level\fP. + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See for details. +-Comma-separated arrays of friendly names can be specified to select +-debugging output of the corresponding debugging information. +-All the names recognized by the \fIloglevel\fP directive +-described in \fBslapd.conf\fP(5) are supported. ++different kind of debugging information. Comma-separated arrays of friendly ++names can be specified to select debugging output of the corresponding ++debugging information. All the names recognized by the \fIloglevel\fP ++directive described in \fBslapd.conf\fP(5) are supported. + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, + and slapd exits. + +@@ -301,7 +300,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -312,7 +311,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255 + .ft + .fi + .LP +@@ -320,7 +319,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ /usr/sbin/slapd \-Tt + .ft + .fi + .LP --- openldap-2.4.23.orig/debian/patches/ldap-conf-tls-cacertdir +++ openldap-2.4.23/debian/patches/ldap-conf-tls-cacertdir @@ -0,0 +1,31 @@ +Index: b/doc/man/man5/ldap.conf.5 +=================================================================== +--- a/doc/man/man5/ldap.conf.5 2010-07-12 12:07:32.000000000 +0200 ++++ b/doc/man/man5/ldap.conf.5 2010-07-12 12:07:37.000000000 +0200 +@@ -317,7 +317,7 @@ + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. +-This parameter is ignored with GNUtls. ++This parameter is ignored with GNUtls. On Debian openldap is linked against GNUtls. + .TP + .B TLS_CERT + Specifies the file that contains the client certificate. +@@ -368,7 +368,7 @@ + Specifies the file to obtain random bits from when /dev/[u]random is + not available. Generally set to the name of the EGD/PRNGD socket. + The environment variable RANDFILE can also be used to specify the filename. +-This parameter is ignored with GNUtls. ++This parameter is ignored with GNUtls. On Debian openldap is linked against GNUtls. + .TP + .B TLS_REQCERT + Specifies what checks to perform on server certificates in a TLS session, +@@ -401,7 +401,7 @@ + used to verify if the server certificates have not been revoked. This + requires + .B TLS_CACERTDIR +-parameter to be set. This parameter is ignored with GNUtls. ++parameter to be set. This parameter is ignored with GNUtls. On Debian openldap is linked against GNUtls. + .B + can be specified as one of the following keywords: + .RS --- openldap-2.4.23.orig/debian/lintian-overrides/slapd +++ openldap-2.4.23/debian/lintian-overrides/slapd @@ -0,0 +1,12 @@ +# db_input is used for telling the user when something goes wrong during +# configuration. That's a perfectly valid reason to use debconf in postinst. +# -- Torsten +slapd: postinst-uses-db-input + +# The extended description is needed in slapd/backend. It explains a lot about +# the different backends. +slapd: too-long-extended-description-in-templates slapd/backend + +# libslapi is a special case, used only for writing extension modules for +# slapd, and is therefore shipped with slapd. +slapd: package-name-doesnt-match-sonames libslapi-2.4-2 --- openldap-2.4.23.orig/debian/schema/README +++ openldap-2.4.23/debian/schema/README @@ -0,0 +1,15 @@ +This directory contains stripped versions of schema files that the +OpenLDAP distribution includes in servers/slapd/schema. The original +versions as distributed upstream contain text from the RFCs embedded as +comments, and that text is covered by the Internet Society license which +does not meet the Debian Free Software Guidelines. (It doesn't permit +creation and distribution of modified versions.) Accordingly, Debian +cannot include the original versions of these files in Debian packages. + +Instead, in this directory are equivalent versions of those files with all +of the text taken from IETF RFCs or Internet-Drafts removed and only the +functional schema definition retained. + +Where possible, the schema files as distributed by the OpenLDAP project +are retained. This is only done where RFC or Internet-Draft text is +embedded in the schema file and covered by the Internet Society license. --- openldap-2.4.23.orig/debian/schema/collective.schema +++ openldap-2.4.23/debian/schema/collective.schema @@ -0,0 +1,65 @@ +# collective.schema -- Collective attribute schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/collective.schema,v 1.12.2.2 2007/08/31 23:14:06 quanah Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text from an IETF RFC explaining the schema. Unfortunately, +# that text is covered by a license that doesn't meet Debian's Free +# Software Guidelines. This is a stripped version of the schema that +# contains only the functional schema definition, not the text of the +# RFC. +# +# For an explanation of this schema, see RFC 3671, at (among other +# places): http://www.ietf.org/rfc/rfc3671.txt + +attributeType ( 2.5.4.7.1 NAME 'c-l' + SUP l COLLECTIVE ) + +attributeType ( 2.5.4.8.1 NAME 'c-st' + SUP st COLLECTIVE ) + +attributeType ( 2.5.4.9.1 NAME 'c-street' + SUP street COLLECTIVE ) + +attributeType ( 2.5.4.10.1 NAME 'c-o' + SUP o COLLECTIVE ) + +attributeType ( 2.5.4.11.1 NAME 'c-ou' + SUP ou COLLECTIVE ) + +attributeType ( 2.5.4.16.1 NAME 'c-PostalAddress' + SUP postalAddress COLLECTIVE ) + +attributeType ( 2.5.4.17.1 NAME 'c-PostalCode' + SUP postalCode COLLECTIVE ) + +attributeType ( 2.5.4.18.1 NAME 'c-PostOfficeBox' + SUP postOfficeBox COLLECTIVE ) + +attributeType ( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName' + SUP physicalDeliveryOfficeName COLLECTIVE ) + +attributeType ( 2.5.4.20.1 NAME 'c-TelephoneNumber' + SUP telephoneNumber COLLECTIVE ) + +attributeType ( 2.5.4.21.1 NAME 'c-TelexNumber' + SUP telexNumber COLLECTIVE ) + +attributeType ( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber' + SUP facsimileTelephoneNumber COLLECTIVE ) + +attributeType ( 2.5.4.25.1 NAME 'c-InternationalISDNNumber' + SUP internationalISDNNumber COLLECTIVE ) + --- openldap-2.4.23.orig/debian/schema/cosine.schema +++ openldap-2.4.23/debian/schema/cosine.schema @@ -0,0 +1,404 @@ +# RFC1274: Cosine and Internet X.500 schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.schema,v 1.19.2.5 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +# RFC1274: Cosine and Internet X.500 schema +# +# This file contains LDAPv3 schema derived from X.500 COSINE "pilot" +# schema. As this schema was defined for X.500(89), some +# oddities were introduced in the mapping to LDAPv3. The +# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt +# (a work in progress) +# +# Note: It seems that the pilot schema evolved beyond what was +# described in RFC1274. However, this document attempts to describes +# RFC1274 as published. +# +# Depends on core.schema + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text from an IETF RFC explaining the schema. Unfortunately, +# that text is covered by a license that doesn't meet Debian's Free +# Software Guidelines. This is a stripped version of the schema that +# contains only the functional schema definition, not the text of the +# RFC. +# +# For an explanation of this schema, see RFC 1274, at (among other +# places): http://www.ietf.org/rfc/rfc1274.txt + +#(in core.schema) +##attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) +## EQUALITY caseIgnoreMatch +## SUBSTR caseIgnoreSubstringsMatch +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +#(in core.schema) +##attributetype ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) +## EQUALITY caseIgnoreIA5Match +## SUBSTR caseIgnoreIA5SubstringsMatch +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info' + DESC 'RFC1274: general information' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} ) + +attributetype ( 0.9.2342.19200300.100.1.5 + NAME ( 'drink' 'favouriteDrink' ) + DESC 'RFC1274: favorite drink' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' + DESC 'RFC1274: room number' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.7 NAME 'photo' + DESC 'RFC1274: photo (G3 fax)' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} ) + +attributetype ( 0.9.2342.19200300.100.1.8 NAME 'userClass' + DESC 'RFC1274: category of user' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.9 NAME 'host' + DESC 'RFC1274: host computer' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager' + DESC 'RFC1274: DN of manager' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' + DESC 'RFC1274: unique identifier of document' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' + DESC 'RFC1274: title of document' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' + DESC 'RFC1274: version of document' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' + DESC 'RFC1274: DN of author of document' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' + DESC 'RFC1274: location of document original' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.20 + NAME ( 'homePhone' 'homeTelephoneNumber' ) + DESC 'RFC1274: home telephone number' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) + +attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary' + DESC 'RFC1274: DN of secretary' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 ) + +## Deprecated in favor of modifyTimeStamp +#attributetype ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime' +# DESC 'RFC1274: time of last modify, replaced by modifyTimestamp' +# OBSOLETE +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.53 +# USAGE directoryOperation ) + +## Deprecated in favor of modifiersName +#attributetype ( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy' +# DESC 'RFC1274: last modifier, replaced by modifiersName' +# OBSOLETE +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 +# USAGE directoryOperation ) + +##(in core.schema) +##attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) +## EQUALITY caseIgnoreIA5Match +## SUBSTR caseIgnoreIA5SubstringsMatch +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +## incorrect syntax? +attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +## missing from RFC1274 +## incorrect syntax? +attributetype ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +## incorrect syntax!! +attributetype ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +## incorrect syntax!! +attributetype ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +## incorrect syntax!! +attributetype ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +## incorrect syntax!! +attributetype ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +#attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' +# EQUALITY caseIgnoreIA5Match +# SUBSTR caseIgnoreIA5SubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' + DESC 'RFC1274: DN of entry associated with domain' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' + DESC 'RFC1274: home postal address' + EQUALITY caseIgnoreListMatch + SUBSTR caseIgnoreListSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) + +attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' + DESC 'RFC1274: personal title' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.41 + NAME ( 'mobile' 'mobileTelephoneNumber' ) + DESC 'RFC1274: mobile telephone number' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) + +attributetype ( 0.9.2342.19200300.100.1.42 + NAME ( 'pager' 'pagerTelephoneNumber' ) + DESC 'RFC1274: pager telephone number' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 ) + +attributetype ( 0.9.2342.19200300.100.1.43 + NAME ( 'co' 'friendlyCountryName' ) + DESC 'RFC1274: friendly country name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +attributetype ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' + DESC 'RFC1274: unique identifer' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus' + DESC 'RFC1274: organizational status' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' + DESC 'RFC1274: Janet mailbox' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +attributetype ( 0.9.2342.19200300.100.1.47 + NAME 'mailPreferenceOption' + DESC 'RFC1274: mail preference option' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +attributetype ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' + DESC 'RFC1274: name of building' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' + DESC 'RFC1274: DSA Quality' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE ) + +attributetype ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality' + DESC 'RFC1274: Single Level Quality' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE ) + +attributetype ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality' + DESC 'RFC1274: Subtree Mininum Quality' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE ) + +attributetype ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality' + DESC 'RFC1274: Subtree Maximun Quality' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE ) + +attributetype ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' + DESC 'RFC1274: Personal Signature (G3 fax)' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.23 ) + +attributetype ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' + DESC 'RFC1274: DIT Redirect' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 0.9.2342.19200300.100.1.55 NAME 'audio' + DESC 'RFC1274: audio (u-law)' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} ) + +attributetype ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' + DESC 'RFC1274: publisher of document' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +#objectclass ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' +# DESC 'RFC1274: pilot object' +# SUP top AUXILIARY +# MAY ( info $ photo $ manager $ uniqueIdentifier $ +# lastModifiedTime $ lastModifiedBy $ dITRedirect $ audio ) +# ) + +objectclass ( 0.9.2342.19200300.100.4.4 + NAME ( 'pilotPerson' 'newPilotPerson' ) + SUP person STRUCTURAL + MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ + favouriteDrink $ roomNumber $ userClass $ + homeTelephoneNumber $ homePostalAddress $ secretary $ + personalTitle $ preferredDeliveryMethod $ businessCategory $ + janetMailbox $ otherMailbox $ mobileTelephoneNumber $ + pagerTelephoneNumber $ organizationalStatus $ + mailPreferenceOption $ personalSignature ) + ) + +objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' + SUP top STRUCTURAL + MUST userid + MAY ( description $ seeAlso $ localityName $ + organizationName $ organizationalUnitName $ host ) + ) + +objectclass ( 0.9.2342.19200300.100.4.6 NAME 'document' + SUP top STRUCTURAL + MUST documentIdentifier + MAY ( commonName $ description $ seeAlso $ localityName $ + organizationName $ organizationalUnitName $ + documentTitle $ documentVersion $ documentAuthor $ + documentLocation $ documentPublisher ) + ) + +objectclass ( 0.9.2342.19200300.100.4.7 NAME 'room' + SUP top STRUCTURAL + MUST commonName + MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) + ) + +objectclass ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' + SUP top STRUCTURAL + MUST commonName + MAY ( description $ seeAlso $ telephonenumber $ + localityName $ organizationName $ organizationalUnitName ) + ) + +objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain' + SUP top STRUCTURAL + MUST domainComponent + MAY ( associatedName $ organizationName $ description $ + businessCategory $ seeAlso $ searchGuide $ userPassword $ + localityName $ stateOrProvinceName $ streetAddress $ + physicalDeliveryOfficeName $ postalAddress $ postalCode $ + postOfficeBox $ streetAddress $ + facsimileTelephoneNumber $ internationalISDNNumber $ + telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ + preferredDeliveryMethod $ destinationIndicator $ + registeredAddress $ x121Address ) + ) + +objectclass ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' + SUP domain STRUCTURAL + MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ + physicalDeliveryOfficeName $ postalAddress $ postalCode $ + postOfficeBox $ streetAddress $ + facsimileTelephoneNumber $ internationalISDNNumber $ + telephoneNumber $ teletexTerminalIdentifier $ + telexNumber $ preferredDeliveryMethod $ destinationIndicator $ + registeredAddress $ x121Address ) + ) + +objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' + SUP domain STRUCTURAL + MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ + SOARecord $ CNAMERecord ) + ) + +objectclass ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' + DESC 'RFC1274: an object related to an domain' + SUP top AUXILIARY + MUST associatedDomain ) + +objectclass ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' + SUP country STRUCTURAL + MUST friendlyCountryName ) + +## (in core.schema) +## objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' +## SUP top AUXILIARY +## MUST userPassword ) + +objectclass ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' + SUP ( organization $ organizationalUnit ) STRUCTURAL + MAY buildingName ) + +objectclass ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' + SUP dsa STRUCTURAL + MAY dSAQuality ) + +objectclass ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' + SUP top AUXILIARY + MUST dsaQuality + MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) + ) --- openldap-2.4.23.orig/debian/schema/core.ldif +++ openldap-2.4.23/debian/schema/core.ldif @@ -0,0 +1,600 @@ +# OpenLDAP Core schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.ldif,v 1.1.2.5 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text claiming copyright by the Internet Society and including +# the IETF RFC license, which does not meet Debian's Free Software +# Guidelines. However, apart from short and obvious comments, the text of +# this file is purely a functional interface specification, which is not +# subject to that license and is not copyrightable under US law. +# +# The license statement is retained below so as not to remove credit, but +# as best as we can determine, it is not applicable to the contents of +# this file. + +## Portions Copyright (C) The Internet Society (1997-2003). +## All Rights Reserved. +## +## This document and translations of it may be copied and furnished to +## others, and derivative works that comment on or otherwise explain it +## or assist in its implementation may be prepared, copied, published +## and distributed, in whole or in part, without restriction of any +## kind, provided that the above copyright notice and this paragraph are +## included on all such copies and derivative works. However, this +## document itself may not be modified in any way, such as by removing +## the copyright notice or references to the Internet Society or other +## Internet organizations, except as needed for the purpose of +## developing Internet standards in which case the procedures for +## copyrights defined in the Internet Standards process must be +## followed, or as required to translate it into languages other than +## English. +## +## The limited permissions granted above are perpetual and will not be +## revoked by the Internet Society or its successors or assigns. +## +## This document and the information contained herein is provided on an +## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +# +# +# +# Includes LDAPv3 schema items from: +# RFC 2252/2256 (LDAPv3) +# +# Select standard track schema items: +# RFC 1274 (uid/dc) +# RFC 2079 (URI) +# RFC 2247 (dc/dcObject) +# RFC 2587 (PKI) +# RFC 2589 (Dynamic Directory Services) +# +# Select informational schema items: +# RFC 2377 (uidObject) +# +# +# Standard attribute types from RFC 2256 +# +dn: cn=core,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: core +# +# system schema +#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass' +# DESC 'RFC2256: object classes of the entity' +# EQUALITY objectIdentifierMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) +# +# system schema +#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) +# DESC 'RFC2256: name of aliased object' +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +# +olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation' + DESC 'RFC2256: knowledge information' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) +# +# system schema +#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) +# DESC 'RFC2256: common name(s) for which the entity is known by' +# SUP name ) +# +olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) + DESC 'RFC2256: last (family) name(s) for which the entity is known by' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber' + DESC 'RFC2256: serial number of the entity' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) +# +olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' ) + DESC 'RFC2256: ISO-3166 country 2-letter code' + SUP name SINGLE-VALUE ) +# +olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' ) + DESC 'RFC2256: locality which this object resides in' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) + DESC 'RFC2256: state or province which this object resides in' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) + DESC 'RFC2256: street address of this object' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +# +olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' ) + DESC 'RFC2256: organization this object belongs to' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) + DESC 'RFC2256: organizational unit this object belongs to' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.12 NAME 'title' + DESC 'RFC2256: title associated with the entity' + SUP name ) +# +# system schema +#olcAttributeTypes: ( 2.5.4.13 NAME 'description' +# DESC 'RFC2256: descriptive information' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) +# +# Deprecated by enhancedSearchGuide +olcAttributeTypes: ( 2.5.4.14 NAME 'searchGuide' + DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) +# +olcAttributeTypes: ( 2.5.4.15 NAME 'businessCategory' + DESC 'RFC2256: business category' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +# +olcAttributeTypes: ( 2.5.4.16 NAME 'postalAddress' + DESC 'RFC2256: postal address' + EQUALITY caseIgnoreListMatch + SUBSTR caseIgnoreListSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) +# +olcAttributeTypes: ( 2.5.4.17 NAME 'postalCode' + DESC 'RFC2256: postal code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) +# +olcAttributeTypes: ( 2.5.4.18 NAME 'postOfficeBox' + DESC 'RFC2256: Post Office Box' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) +# +olcAttributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' + DESC 'RFC2256: Physical Delivery Office Name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +# +olcAttributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' + DESC 'RFC2256: Telephone Number' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) +# +olcAttributeTypes: ( 2.5.4.21 NAME 'telexNumber' + DESC 'RFC2256: Telex Number' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) +# +olcAttributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier' + DESC 'RFC2256: Teletex Terminal Identifier' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) +# +olcAttributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) + DESC 'RFC2256: Facsimile (Fax) Telephone Number' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) +# +olcAttributeTypes: ( 2.5.4.24 NAME 'x121Address' + DESC 'RFC2256: X.121 Address' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) +# +olcAttributeTypes: ( 2.5.4.25 NAME 'internationaliSDNNumber' + DESC 'RFC2256: international ISDN number' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) +# +olcAttributeTypes: ( 2.5.4.26 NAME 'registeredAddress' + DESC 'RFC2256: registered postal address' + SUP postalAddress + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) +# +olcAttributeTypes: ( 2.5.4.27 NAME 'destinationIndicator' + DESC 'RFC2256: destination indicator' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) +# +olcAttributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod' + DESC 'RFC2256: preferred delivery method' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 + SINGLE-VALUE ) +# +olcAttributeTypes: ( 2.5.4.29 NAME 'presentationAddress' + DESC 'RFC2256: presentation address' + EQUALITY presentationAddressMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 + SINGLE-VALUE ) +# +olcAttributeTypes: ( 2.5.4.30 NAME 'supportedApplicationContext' + DESC 'RFC2256: supported application context' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) +# +olcAttributeTypes: ( 2.5.4.31 NAME 'member' + DESC 'RFC2256: member of a group' + SUP distinguishedName ) +# +olcAttributeTypes: ( 2.5.4.32 NAME 'owner' + DESC 'RFC2256: owner (of the object)' + SUP distinguishedName ) +# +olcAttributeTypes: ( 2.5.4.33 NAME 'roleOccupant' + DESC 'RFC2256: occupant of role' + SUP distinguishedName ) +# +# system schema +#olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso' +# DESC 'RFC2256: DN of related object' +# SUP distinguishedName ) +# +# system schema +#olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword' +# DESC 'RFC2256/2307: password of user' +# EQUALITY octetStringMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) +# +# Must be transferred using ;binary +# with certificateExactMatch rule (per X.509) +olcAttributeTypes: ( 2.5.4.36 NAME 'userCertificate' + DESC 'RFC2256: X.509 user certificate, use ;binary' + EQUALITY certificateExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) +# +# Must be transferred using ;binary +# with certificateExactMatch rule (per X.509) +olcAttributeTypes: ( 2.5.4.37 NAME 'cACertificate' + DESC 'RFC2256: X.509 CA certificate, use ;binary' + EQUALITY certificateExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) +# +# Must be transferred using ;binary +olcAttributeTypes: ( 2.5.4.38 NAME 'authorityRevocationList' + DESC 'RFC2256: X.509 authority revocation list, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) +# +# Must be transferred using ;binary +olcAttributeTypes: ( 2.5.4.39 NAME 'certificateRevocationList' + DESC 'RFC2256: X.509 certificate revocation list, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) +# +# Must be stored and requested in the binary form +olcAttributeTypes: ( 2.5.4.40 NAME 'crossCertificatePair' + DESC 'RFC2256: X.509 cross certificate pair, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) +# +# 2.5.4.41 is defined above as it's used for subtyping +#olcAttributeTypes: ( 2.5.4.41 NAME 'name' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) +# +olcAttributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) + DESC 'RFC2256: first name(s) for which the entity is known by' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.43 NAME 'initials' + DESC 'RFC2256: initials of some or all of names, but not the surname(s).' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.44 NAME 'generationQualifier' + DESC 'RFC2256: name qualifier indicating a generation' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier' + DESC 'RFC2256: X.500 unique identifier' + EQUALITY bitStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) +# +olcAttributeTypes: ( 2.5.4.46 NAME 'dnQualifier' + DESC 'RFC2256: DN qualifier' + EQUALITY caseIgnoreMatch + ORDERING caseIgnoreOrderingMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) +# +olcAttributeTypes: ( 2.5.4.47 NAME 'enhancedSearchGuide' + DESC 'RFC2256: enhanced search guide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) +# +olcAttributeTypes: ( 2.5.4.48 NAME 'protocolInformation' + DESC 'RFC2256: protocol information' + EQUALITY protocolInformationMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) +# +# 2.5.4.49 is defined above as it's used for subtyping +#olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName' +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +# +olcAttributeTypes: ( 2.5.4.50 NAME 'uniqueMember' + DESC 'RFC2256: unique member of a group' + EQUALITY uniqueMemberMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) +# +olcAttributeTypes: ( 2.5.4.51 NAME 'houseIdentifier' + DESC 'RFC2256: house identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) +# +# Must be transferred using ;binary +olcAttributeTypes: ( 2.5.4.52 NAME 'supportedAlgorithms' + DESC 'RFC2256: supported algorithms' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) +# +# Must be transferred using ;binary +olcAttributeTypes: ( 2.5.4.53 NAME 'deltaRevocationList' + DESC 'RFC2256: delta revocation list; use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) +# +olcAttributeTypes: ( 2.5.4.54 NAME 'dmdName' + DESC 'RFC2256: name of DMD' + SUP name ) +# +olcAttributeTypes: ( 2.5.4.65 NAME 'pseudonym' + DESC 'X.520(4th): pseudonym for the object' + SUP name ) +# +# Standard object classes from RFC2256 +# +# system schema +#olcObjectClasses: ( 2.5.6.1 NAME 'alias' +# DESC 'RFC2256: an alias' +# SUP top STRUCTURAL +# MUST aliasedObjectName ) +# +olcObjectClasses: ( 2.5.6.2 NAME 'country' + DESC 'RFC2256: a country' + SUP top STRUCTURAL + MUST c + MAY ( searchGuide $ description ) ) +# +olcObjectClasses: ( 2.5.6.3 NAME 'locality' + DESC 'RFC2256: a locality' + SUP top STRUCTURAL + MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.4 NAME 'organization' + DESC 'RFC2256: an organization' + SUP top STRUCTURAL + MUST o + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit' + DESC 'RFC2256: an organizational unit' + SUP top STRUCTURAL + MUST ou + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.6 NAME 'person' + DESC 'RFC2256: a person' + SUP top STRUCTURAL + MUST ( sn $ cn ) + MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) +# +olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson' + DESC 'RFC2256: an organizational person' + SUP person STRUCTURAL + MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) +# +olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole' + DESC 'RFC2256: an organizational role' + SUP top STRUCTURAL + MUST cn + MAY ( x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ + seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames' + DESC 'RFC2256: a group of names (DNs)' + SUP top STRUCTURAL + MUST ( member $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) +# +olcObjectClasses: ( 2.5.6.10 NAME 'residentialPerson' + DESC 'RFC2256: an residential person' + SUP person STRUCTURAL + MUST l + MAY ( businessCategory $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ telexNumber $ + teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l ) ) +# +olcObjectClasses: ( 2.5.6.11 NAME 'applicationProcess' + DESC 'RFC2256: an application process' + SUP top STRUCTURAL + MUST cn + MAY ( seeAlso $ ou $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.12 NAME 'applicationEntity' + DESC 'RFC2256: an application entity' + SUP top STRUCTURAL + MUST ( presentationAddress $ cn ) + MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ + description ) ) +# +olcObjectClasses: ( 2.5.6.13 NAME 'dSA' + DESC 'RFC2256: a directory system agent (a server)' + SUP applicationEntity STRUCTURAL + MAY knowledgeInformation ) +# +olcObjectClasses: ( 2.5.6.14 NAME 'device' + DESC 'RFC2256: a device' + SUP top STRUCTURAL + MUST cn + MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) +# +olcObjectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' + DESC 'RFC2256: a strong authentication user' + SUP top AUXILIARY + MUST userCertificate ) +# +olcObjectClasses: ( 2.5.6.16 NAME 'certificationAuthority' + DESC 'RFC2256: a certificate authority' + SUP top AUXILIARY + MUST ( authorityRevocationList $ certificateRevocationList $ + cACertificate ) MAY crossCertificatePair ) +# +olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' + DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' + SUP top STRUCTURAL + MUST ( uniqueMember $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) +# +olcObjectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' + DESC 'RFC2256: a user security information' + SUP top AUXILIARY + MAY ( supportedAlgorithms ) ) +# +olcObjectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' + SUP certificationAuthority + AUXILIARY MAY ( deltaRevocationList ) ) +# +olcObjectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' + SUP top STRUCTURAL + MUST ( cn ) + MAY ( certificateRevocationList $ authorityRevocationList $ + deltaRevocationList ) ) +# +olcObjectClasses: ( 2.5.6.20 NAME 'dmd' + SUP top STRUCTURAL + MUST ( dmdName ) + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) ) +# +# +# Object Classes from RFC 2587 +# +olcObjectClasses: ( 2.5.6.21 NAME 'pkiUser' + DESC 'RFC2587: a PKI user' + SUP top AUXILIARY + MAY userCertificate ) +# +olcObjectClasses: ( 2.5.6.22 NAME 'pkiCA' + DESC 'RFC2587: PKI certificate authority' + SUP top AUXILIARY + MAY ( authorityRevocationList $ certificateRevocationList $ + cACertificate $ crossCertificatePair ) ) +# +olcObjectClasses: ( 2.5.6.23 NAME 'deltaCRL' + DESC 'RFC2587: PKI user' + SUP top AUXILIARY + MAY deltaRevocationList ) +# +# +# Standard Track URI label schema from RFC 2079 +# system schema +#olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' +# DESC 'RFC2079: Uniform Resource Identifier with optional label' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +# +olcObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' + DESC 'RFC2079: object that contains the URI attribute type' + MAY ( labeledURI ) + SUP top AUXILIARY ) +# +# +# Derived from RFC 1274, but with new "short names" +# +#olcAttributeTypes: ( 0.9.2342.19200300.100.1.1 +# NAME ( 'uid' 'userid' ) +# DESC 'RFC1274: user identifier' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +# +olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 + NAME ( 'mail' 'rfc822Mailbox' ) + DESC 'RFC1274: RFC822 Mailbox' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# +olcObjectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' + DESC 'RFC1274: simple security object' + SUP top AUXILIARY + MUST userPassword ) +# +# RFC 1274 + RFC 2247 +olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 + NAME ( 'dc' 'domainComponent' ) + DESC 'RFC1274/2247: domain component' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +# +# RFC 2247 +olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' + DESC 'RFC2247: domain component object' + SUP top AUXILIARY MUST dc ) +# +# RFC 2377 +olcObjectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' + DESC 'RFC2377: uid object' + SUP top AUXILIARY MUST uid ) +# +# From COSINE Pilot +olcAttributeTypes: ( 0.9.2342.19200300.100.1.37 + NAME 'associatedDomain' + DESC 'RFC1274: domain associated with object' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# +# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema) +olcAttributeTypes: ( 1.2.840.113549.1.9.1 + NAME ( 'email' 'emailAddress' 'pkcs9email' ) + DESC 'RFC3280: legacy attribute for email addresses in DNs' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) +# --- openldap-2.4.23.orig/debian/schema/ppolicy.schema +++ openldap-2.4.23/debian/schema/ppolicy.schema @@ -0,0 +1,149 @@ +# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.2.2.4 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 2004-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# +## Portions Copyright (C) The Internet Society (2004). +## Please see full copyright statement below. + +# Definitions from Draft behera-ldap-password-policy-07 (a work in progress) +# Password Policy for LDAP Directories +# With extensions from Hewlett-Packard: +# pwdCheckModule etc. + +# Contents of this file are subject to change (including deletion) +# without notice. +# +# Not recommended for production use! +# Use with extreme caution! + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text from an IETF Internet-Draft explaining the schema. +# Unfortunately, that text is covered by a license that doesn't meet +# Debian's Free Software Guidelines. This is a stripped version of the +# schema that contains only the functional schema definition, not the text +# of the Internet-Draft. +# +# For an explanation of this schema, see +# draft-behera-ldap-password-policy-08.txt. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 + NAME 'pwdAttribute' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 + NAME 'pwdMinAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 + NAME 'pwdMaxAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 + NAME 'pwdInHistory' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 + NAME 'pwdCheckQuality' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 + NAME 'pwdMinLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 + NAME 'pwdExpireWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 + NAME 'pwdGraceAuthNLimit' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 + NAME 'pwdLockout' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 + NAME 'pwdLockoutDuration' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 + NAME 'pwdMaxFailure' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 + NAME 'pwdFailureCountInterval' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13 + NAME 'pwdMustChange' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14 + NAME 'pwdAllowUserChange' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 + NAME 'pwdSafeModify' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.4754.1.99.1 + NAME 'pwdCheckModule' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + DESC 'Loadable module that instantiates "check_password() function' + SINGLE-VALUE ) + +objectclass ( 1.3.6.1.4.1.4754.2.99.1 + NAME 'pwdPolicyChecker' + SUP top + AUXILIARY + MAY ( pwdCheckModule ) ) + +objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 + NAME 'pwdPolicy' + SUP top + AUXILIARY + MUST ( pwdAttribute ) + MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ + pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout + $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ + pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) --- openldap-2.4.23.orig/debian/schema/java.schema +++ openldap-2.4.23/debian/schema/java.schema @@ -0,0 +1,109 @@ +# java.schema -- Java Object Schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/java.schema,v 1.5.2.3 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# +# Java Object Schema (defined in RFC 2713) +# depends upon core.schema +# + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text from an IETF RFC explaining the schema. Unfortunately, +# that text is covered by a license that doesn't meet Debian's Free +# Software Guidelines. This is a stripped version of the schema that +# contains only the functional schema definition, not the text of the +# RFC. +# +# For an explanation of this schema, see RFC 2713, at (among other +# places): http://www.ietf.org/rfc/rfc2713.txt + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6 + NAME 'javaClassName' + DESC 'Fully qualified name of distinguished Java class or interface' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.7 + NAME 'javaCodebase' + DESC 'URL(s) specifying the location of class definition' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.13 + NAME 'javaClassNames' + DESC 'Fully qualified Java class or interface name' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.8 + NAME 'javaSerializedData' + DESC 'Serialized form of a Java object' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.10 + NAME 'javaFactory' + DESC 'Fully qualified Java class name of a JNDI object factory' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.11 + NAME 'javaReferenceAddress' + DESC 'Addresses associated with a JNDI Reference' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.12 + NAME 'javaDoc' + DESC 'The Java documentation for the class' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1 + NAME 'javaContainer' + DESC 'Container for a Java object' + SUP top + STRUCTURAL + MUST cn ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.4 + NAME 'javaObject' + DESC 'Java object representation' + SUP top + ABSTRACT + MUST javaClassName + MAY ( javaClassNames $ javaCodebase $ + javaDoc $ description ) ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.5 + NAME 'javaSerializedObject' + DESC 'Java serialized object' + SUP javaObject + AUXILIARY + MUST javaSerializedData ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.8 + NAME 'javaMarshalledObject' + DESC 'Java marshalled object' + SUP javaObject + AUXILIARY + MUST javaSerializedData ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.7 + NAME 'javaNamingReference' + DESC 'JNDI reference' + SUP javaObject + AUXILIARY + MAY ( javaReferenceAddress $ javaFactory ) ) --- openldap-2.4.23.orig/debian/schema/corba.schema +++ openldap-2.4.23/debian/schema/corba.schema @@ -0,0 +1,61 @@ +# corba.schema -- Corba Object Schema +# depends upon core.schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/corba.schema,v 1.4.2.3 2007/01/02 21:44:09 kurt Exp $ +# $OpenLDAP: pkg/ldap/servers/slapd/schema/corba.schema,v 1.4.2.3 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text from an IETF RFC explaining the schema. Unfortunately, +# that text is covered by a license that doesn't meet Debian's Free +# Software Guidelines. This is a stripped version of the schema that +# contains only the functional schema definition, not the text of the +# RFC. +# +# For an explanation of this schema, see RFC 2714, at (among other +# places): http://www.ietf.org/rfc/rfc2714.txt + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.14 + NAME 'corbaIor' + DESC 'Stringified interoperable object reference of a CORBA object' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.42.2.27.4.1.15 + NAME 'corbaRepositoryId' + DESC 'Repository ids of interfaces implemented by a CORBA object' + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.10 + NAME 'corbaContainer' + DESC 'Container for a CORBA object' + SUP top + STRUCTURAL + MUST cn ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.9 + NAME 'corbaObject' + DESC 'CORBA object representation' + SUP top + ABSTRACT + MAY ( corbaRepositoryId $ description ) ) + +objectclass ( 1.3.6.1.4.1.42.2.27.4.2.11 + NAME 'corbaObjectReference' + DESC 'CORBA interoperable object reference' + SUP corbaObject + AUXILIARY + MUST corbaIor ) --- openldap-2.4.23.orig/debian/schema/core.schema +++ openldap-2.4.23/debian/schema/core.schema @@ -0,0 +1,603 @@ +# OpenLDAP Core schema +# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.schema,v 1.79.2.8 2007/01/02 21:44:09 kurt Exp $ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2007 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# + +# The version of this file as distributed by the OpenLDAP Foundation +# contains text claiming copyright by the Internet Society and including +# the IETF RFC license, which does not meet Debian's Free Software +# Guidelines. However, apart from short and obvious comments, the text of +# this file is purely a functional interface specification, which is not +# subject to that license and is not copyrightable under US law. +# +# The license statement is retained below so as not to remove credit, but +# as best as we can determine, it is not applicable to the contents of +# this file. + +## Portions Copyright (C) The Internet Society (1997-2003). +## All Rights Reserved. +## +## This document and translations of it may be copied and furnished to +## others, and derivative works that comment on or otherwise explain it +## or assist in its implementation may be prepared, copied, published +## and distributed, in whole or in part, without restriction of any +## kind, provided that the above copyright notice and this paragraph are +## included on all such copies and derivative works. However, this +## document itself may not be modified in any way, such as by removing +## the copyright notice or references to the Internet Society or other +## Internet organizations, except as needed for the purpose of +## developing Internet standards in which case the procedures for +## copyrights defined in the Internet Standards process must be +## followed, or as required to translate it into languages other than +## English. +## +## The limited permissions granted above are perpetual and will not be +## revoked by the Internet Society or its successors or assigns. +## +## This document and the information contained herein is provided on an +## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +# +# +# Includes LDAPv3 schema items from: +# RFC 2252/2256 (LDAPv3) +# +# Select standard track schema items: +# RFC 1274 (uid/dc) +# RFC 2079 (URI) +# RFC 2247 (dc/dcObject) +# RFC 2587 (PKI) +# RFC 2589 (Dynamic Directory Services) +# +# Select informational schema items: +# RFC 2377 (uidObject) + +# +# Standard attribute types from RFC 2256 +# + +# system schema +#attributetype ( 2.5.4.0 NAME 'objectClass' +# DESC 'RFC2256: object classes of the entity' +# EQUALITY objectIdentifierMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +# system schema +#attributetype ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) +# DESC 'RFC2256: name of aliased object' +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) + +attributetype ( 2.5.4.2 NAME 'knowledgeInformation' + DESC 'RFC2256: knowledge information' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +# system schema +#attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) +# DESC 'RFC2256: common name(s) for which the entity is known by' +# SUP name ) + +attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) + DESC 'RFC2256: last (family) name(s) for which the entity is known by' + SUP name ) + +attributetype ( 2.5.4.5 NAME 'serialNumber' + DESC 'RFC2256: serial number of the entity' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} ) + +attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) + DESC 'RFC2256: ISO-3166 country 2-letter code' + SUP name SINGLE-VALUE ) + +attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) + DESC 'RFC2256: locality which this object resides in' + SUP name ) + +attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) + DESC 'RFC2256: state or province which this object resides in' + SUP name ) + +attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) + DESC 'RFC2256: street address of this object' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' ) + DESC 'RFC2256: organization this object belongs to' + SUP name ) + +attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) + DESC 'RFC2256: organizational unit this object belongs to' + SUP name ) + +attributetype ( 2.5.4.12 NAME 'title' + DESC 'RFC2256: title associated with the entity' + SUP name ) + +# system schema +#attributetype ( 2.5.4.13 NAME 'description' +# DESC 'RFC2256: descriptive information' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) + +# Deprecated by enhancedSearchGuide +attributetype ( 2.5.4.14 NAME 'searchGuide' + DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 ) + +attributetype ( 2.5.4.15 NAME 'businessCategory' + DESC 'RFC2256: business category' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 2.5.4.16 NAME 'postalAddress' + DESC 'RFC2256: postal address' + EQUALITY caseIgnoreListMatch + SUBSTR caseIgnoreListSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) + +attributetype ( 2.5.4.17 NAME 'postalCode' + DESC 'RFC2256: postal code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) + +attributetype ( 2.5.4.18 NAME 'postOfficeBox' + DESC 'RFC2256: Post Office Box' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} ) + +attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' + DESC 'RFC2256: Physical Delivery Office Name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + +attributetype ( 2.5.4.20 NAME 'telephoneNumber' + DESC 'RFC2256: Telephone Number' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} ) + +attributetype ( 2.5.4.21 NAME 'telexNumber' + DESC 'RFC2256: Telex Number' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) + +attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier' + DESC 'RFC2256: Teletex Terminal Identifier' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) + +attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) + DESC 'RFC2256: Facsimile (Fax) Telephone Number' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 ) + +attributetype ( 2.5.4.24 NAME 'x121Address' + DESC 'RFC2256: X.121 Address' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} ) + +attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber' + DESC 'RFC2256: international ISDN number' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} ) + +attributetype ( 2.5.4.26 NAME 'registeredAddress' + DESC 'RFC2256: registered postal address' + SUP postalAddress + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 ) + +attributetype ( 2.5.4.27 NAME 'destinationIndicator' + DESC 'RFC2256: destination indicator' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} ) + +attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod' + DESC 'RFC2256: preferred delivery method' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 + SINGLE-VALUE ) + +attributetype ( 2.5.4.29 NAME 'presentationAddress' + DESC 'RFC2256: presentation address' + EQUALITY presentationAddressMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 + SINGLE-VALUE ) + +attributetype ( 2.5.4.30 NAME 'supportedApplicationContext' + DESC 'RFC2256: supported application context' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +attributetype ( 2.5.4.31 NAME 'member' + DESC 'RFC2256: member of a group' + SUP distinguishedName ) + +attributetype ( 2.5.4.32 NAME 'owner' + DESC 'RFC2256: owner (of the object)' + SUP distinguishedName ) + +attributetype ( 2.5.4.33 NAME 'roleOccupant' + DESC 'RFC2256: occupant of role' + SUP distinguishedName ) + +# system schema +#attributetype ( 2.5.4.34 NAME 'seeAlso' +# DESC 'RFC2256: DN of related object' +# SUP distinguishedName ) + +# system schema +#attributetype ( 2.5.4.35 NAME 'userPassword' +# DESC 'RFC2256/2307: password of user' +# EQUALITY octetStringMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) + +# Must be transferred using ;binary +# with certificateExactMatch rule (per X.509) +attributetype ( 2.5.4.36 NAME 'userCertificate' + DESC 'RFC2256: X.509 user certificate, use ;binary' + EQUALITY certificateExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) + +# Must be transferred using ;binary +# with certificateExactMatch rule (per X.509) +attributetype ( 2.5.4.37 NAME 'cACertificate' + DESC 'RFC2256: X.509 CA certificate, use ;binary' + EQUALITY certificateExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) + +# Must be transferred using ;binary +attributetype ( 2.5.4.38 NAME 'authorityRevocationList' + DESC 'RFC2256: X.509 authority revocation list, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +# Must be transferred using ;binary +attributetype ( 2.5.4.39 NAME 'certificateRevocationList' + DESC 'RFC2256: X.509 certificate revocation list, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +# Must be stored and requested in the binary form +attributetype ( 2.5.4.40 NAME 'crossCertificatePair' + DESC 'RFC2256: X.509 cross certificate pair, use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 ) + +# system schema +#attributetype ( 2.5.4.41 NAME 'name' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' ) + DESC 'RFC2256: first name(s) for which the entity is known by' + SUP name ) + +attributetype ( 2.5.4.43 NAME 'initials' + DESC 'RFC2256: initials of some or all of names, but not the surname(s).' + SUP name ) + +attributetype ( 2.5.4.44 NAME 'generationQualifier' + DESC 'RFC2256: name qualifier indicating a generation' + SUP name ) + +attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier' + DESC 'RFC2256: X.500 unique identifier' + EQUALITY bitStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 ) + +attributetype ( 2.5.4.46 NAME 'dnQualifier' + DESC 'RFC2256: DN qualifier' + EQUALITY caseIgnoreMatch + ORDERING caseIgnoreOrderingMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) + +attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide' + DESC 'RFC2256: enhanced search guide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) + +attributetype ( 2.5.4.48 NAME 'protocolInformation' + DESC 'RFC2256: protocol information' + EQUALITY protocolInformationMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 ) + +# system schema +#attributetype ( 2.5.4.49 NAME 'distinguishedName' +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + +attributetype ( 2.5.4.50 NAME 'uniqueMember' + DESC 'RFC2256: unique member of a group' + EQUALITY uniqueMemberMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 ) + +attributetype ( 2.5.4.51 NAME 'houseIdentifier' + DESC 'RFC2256: house identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) + +# Must be transferred using ;binary +attributetype ( 2.5.4.52 NAME 'supportedAlgorithms' + DESC 'RFC2256: supported algorithms' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) + +# Must be transferred using ;binary +attributetype ( 2.5.4.53 NAME 'deltaRevocationList' + DESC 'RFC2256: delta revocation list; use ;binary' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) + +attributetype ( 2.5.4.54 NAME 'dmdName' + DESC 'RFC2256: name of DMD' + SUP name ) + +attributetype ( 2.5.4.65 NAME 'pseudonym' + DESC 'X.520(4th): pseudonym for the object' + SUP name ) + +# Standard object classes from RFC2256 + +# system schema +#objectclass ( 2.5.6.0 NAME 'top' +# DESC 'RFC2256: top of the superclass chain' +# ABSTRACT +# MUST objectClass ) + +# system schema +#objectclass ( 2.5.6.1 NAME 'alias' +# DESC 'RFC2256: an alias' +# SUP top STRUCTURAL +# MUST aliasedObjectName ) + +objectclass ( 2.5.6.2 NAME 'country' + DESC 'RFC2256: a country' + SUP top STRUCTURAL + MUST c + MAY ( searchGuide $ description ) ) + +objectclass ( 2.5.6.3 NAME 'locality' + DESC 'RFC2256: a locality' + SUP top STRUCTURAL + MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) + +objectclass ( 2.5.6.4 NAME 'organization' + DESC 'RFC2256: an organization' + SUP top STRUCTURAL + MUST o + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) + +objectclass ( 2.5.6.5 NAME 'organizationalUnit' + DESC 'RFC2256: an organizational unit' + SUP top STRUCTURAL + MUST ou + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) + +objectclass ( 2.5.6.6 NAME 'person' + DESC 'RFC2256: a person' + SUP top STRUCTURAL + MUST ( sn $ cn ) + MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) + +objectclass ( 2.5.6.7 NAME 'organizationalPerson' + DESC 'RFC2256: an organizational person' + SUP person STRUCTURAL + MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ + postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) + +objectclass ( 2.5.6.8 NAME 'organizationalRole' + DESC 'RFC2256: an organizational role' + SUP top STRUCTURAL + MUST cn + MAY ( x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ + seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) + +objectclass ( 2.5.6.9 NAME 'groupOfNames' + DESC 'RFC2256: a group of names (DNs)' + SUP top STRUCTURAL + MUST ( member $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) + +objectclass ( 2.5.6.10 NAME 'residentialPerson' + DESC 'RFC2256: an residential person' + SUP person STRUCTURAL + MUST l + MAY ( businessCategory $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ telexNumber $ + teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ + postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l ) ) + +objectclass ( 2.5.6.11 NAME 'applicationProcess' + DESC 'RFC2256: an application process' + SUP top STRUCTURAL + MUST cn + MAY ( seeAlso $ ou $ l $ description ) ) + +objectclass ( 2.5.6.12 NAME 'applicationEntity' + DESC 'RFC2256: an application entity' + SUP top STRUCTURAL + MUST ( presentationAddress $ cn ) + MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ + description ) ) + +objectclass ( 2.5.6.13 NAME 'dSA' + DESC 'RFC2256: a directory system agent (a server)' + SUP applicationEntity STRUCTURAL + MAY knowledgeInformation ) + +objectclass ( 2.5.6.14 NAME 'device' + DESC 'RFC2256: a device' + SUP top STRUCTURAL + MUST cn + MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) + +objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser' + DESC 'RFC2256: a strong authentication user' + SUP top AUXILIARY + MUST userCertificate ) + +objectclass ( 2.5.6.16 NAME 'certificationAuthority' + DESC 'RFC2256: a certificate authority' + SUP top AUXILIARY + MUST ( authorityRevocationList $ certificateRevocationList $ + cACertificate ) MAY crossCertificatePair ) + +objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames' + DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' + SUP top STRUCTURAL + MUST ( uniqueMember $ cn ) + MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) + +objectclass ( 2.5.6.18 NAME 'userSecurityInformation' + DESC 'RFC2256: a user security information' + SUP top AUXILIARY + MAY ( supportedAlgorithms ) ) + +objectclass ( 2.5.6.16.2 NAME 'certificationAuthority-V2' + SUP certificationAuthority + AUXILIARY MAY ( deltaRevocationList ) ) + +objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint' + SUP top STRUCTURAL + MUST ( cn ) + MAY ( certificateRevocationList $ authorityRevocationList $ + deltaRevocationList ) ) + +objectclass ( 2.5.6.20 NAME 'dmd' + SUP top STRUCTURAL + MUST ( dmdName ) + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) ) + +# +# Object Classes from RFC 2587 +# +objectclass ( 2.5.6.21 NAME 'pkiUser' + DESC 'RFC2587: a PKI user' + SUP top AUXILIARY + MAY userCertificate ) + +objectclass ( 2.5.6.22 NAME 'pkiCA' + DESC 'RFC2587: PKI certificate authority' + SUP top AUXILIARY + MAY ( authorityRevocationList $ certificateRevocationList $ + cACertificate $ crossCertificatePair ) ) + +objectclass ( 2.5.6.23 NAME 'deltaCRL' + DESC 'RFC2587: PKI user' + SUP top AUXILIARY + MAY deltaRevocationList ) + +# +# Standard Track URI label schema from RFC 2079 +# system schema +#attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' +# DESC 'RFC2079: Uniform Resource Identifier with optional label' +# EQUALITY caseExactMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + +objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' + DESC 'RFC2079: object that contains the URI attribute type' + SUP top AUXILIARY + MAY ( labeledURI ) ) + +# +# Derived from RFC 1274, but with new "short names" +# +#attributetype ( 0.9.2342.19200300.100.1.1 +# NAME ( 'uid' 'userid' ) +# DESC 'RFC1274: user identifier' +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 0.9.2342.19200300.100.1.3 + NAME ( 'mail' 'rfc822Mailbox' ) + DESC 'RFC1274: RFC822 Mailbox' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' + DESC 'RFC1274: simple security object' + SUP top AUXILIARY + MUST userPassword ) + +# RFC 1274 + RFC 2247 +attributetype ( 0.9.2342.19200300.100.1.25 + NAME ( 'dc' 'domainComponent' ) + DESC 'RFC1274/2247: domain component' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +# RFC 2247 +objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' + DESC 'RFC2247: domain component object' + SUP top AUXILIARY MUST dc ) + +# RFC 2377 +objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject' + DESC 'RFC2377: uid object' + SUP top AUXILIARY MUST uid ) + +# From COSINE Pilot +attributetype ( 0.9.2342.19200300.100.1.37 + NAME 'associatedDomain' + DESC 'RFC1274: domain associated with object' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema) +attributetype ( 1.2.840.113549.1.9.1 + NAME ( 'email' 'emailAddress' 'pkcs9email' ) + DESC 'RFC3280: legacy attribute for email addresses in DNs' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + --- openldap-2.4.23.orig/debian/schema/compare-schema +++ openldap-2.4.23/debian/schema/compare-schema @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Compare the stripped versions of the schema with the unmodified versions +# from the source as distributed upstream and find any non-comment changes +# so that our stripped versions can be updated. +# +# Takes the directory containing our stripped schema and the directory +# containing the upstream schema. Uses the first directory as a working +# area. + +set -e + +ours="$1" +theirs="$2" +if [ -z "$ours" ] || [ -z "$theirs" ] ; then + echo 'Usage: compare-schema ' >&2 + exit 1 +fi + +cd $ours +for schema in *.schema *.ldif ; do + grep -v '^#' "$schema" | grep -v '^ *$' > "${schema}.debian" + grep -v '^#' "$theirs/$schema" | grep -v '^ *$' > "${schema}.upstream" + diff -u "${schema}.debian" "${schema}.upstream" + rm "${schema}.debian" "${schema}.upstream" +done --- openldap-2.4.23.orig/debian/schema/extra/misc.ldif +++ openldap-2.4.23/debian/schema/extra/misc.ldif @@ -0,0 +1,25 @@ +# misc.ldif +# +# This is the ldif version of misc.schema to be used with cn=config. +# The nss overlay requires rfc822MailMember which is defined here. +# +dn: cn=misc,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: misc +olcAttributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC + 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of + the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES + C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT + AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES + C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX + 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient' + DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres + s $ mailHost $ mailRoutingAddress ) ) +olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS + mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember ) --- openldap-2.4.23.orig/debian/schema/extra/README +++ openldap-2.4.23/debian/schema/extra/README @@ -0,0 +1 @@ +Extra schemas that are not part of upstream OpenLDAP tarball. --- openldap-2.4.23.orig/debian/tests/find_unused_functions +++ openldap-2.4.23/debian/tests/find_unused_functions @@ -0,0 +1,30 @@ +#! /usr/bin/perl -w + +use autouse Data::Dumper, qw{Dumper}; + +# Script to find the unused shell functions in slapd.scripts-common + +our @code; + +# Get all shell code from maintainer scripts + +foreach my $file ((, , , + )) { + open SCRIPT, "<$file" or + die "Can't open $file: $!"; + push @code,