--- openldap-2.4.28.orig/doc/guide/COPYRIGHT +++ openldap-2.4.28/doc/guide/COPYRIGHT @@ -0,0 +1,64 @@ +Copyright 1998-2011 The OpenLDAP Foundation +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +. + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Individual files and/or contributed packages may be copyright by +other parties and/or subject to additional restrictions. + +This work is derived from the University of Michigan LDAP v3.3 +distribution. Information concerning this software is available +at . + +This work also contains materials derived from public sources. + +Additional information about OpenLDAP can be obtained at +. + +--- + +Portions Copyright 1998-2008 Kurt D. Zeilenga. +Portions Copyright 1998-2006 Net Boolean Incorporated. +Portions Copyright 2001-2006 IBM Corporation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +--- + +Portions Copyright 1999-2008 Howard Y.H. Chu. +Portions Copyright 1999-2008 Symas Corporation. +Portions Copyright 1998-2003 Hallvard B. Furuseth. +Portions Copyright 2008-2009 Gavin Henry. +Portions Copyright 2008-2009 Suretec Systems Ltd. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that this notice is preserved. +The names of the copyright holders may not be used to endorse or +promote products derived from this software without their specific +prior written permission. This software is provided ``as is'' +without express or implied warranty. + +--- + +Portions Copyright (c) 1992-1996 Regents of the University of Michigan. +All rights reserved. + +Redistribution and use in source and binary forms are permitted +provided that this notice is preserved and that due credit is given +to the University of Michigan at Ann Arbor. The name of the +University may not be used to endorse or promote products derived +from this software without specific prior written permission. This +software is provided ``as is'' without express or implied warranty. + --- openldap-2.4.28.orig/doc/guide/LICENSE +++ openldap-2.4.28/doc/guide/LICENSE @@ -0,0 +1,47 @@ +The OpenLDAP Public License + Version 2.8, 17 August 2003 + +Redistribution and use of this software and associated documentation +("Software"), with or without modification, are permitted provided +that the following conditions are met: + +1. Redistributions in source form must retain copyright statements + and notices, + +2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + +3. Redistributions must contain a verbatim copy of this document. + +The OpenLDAP Foundation may revise this license from time to time. +Each revision is distinguished by a version number. You may use +this Software under terms of this license revision or under the +terms of any subsequent revision of the license. + +THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS +CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) +OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +The names of the authors and copyright holders must not be used in +advertising or otherwise to promote the sale, use or other dealing +in this Software without specific, written prior permission. Title +to copyright in this Software shall at all times remain with copyright +holders. + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, +California, USA. All Rights Reserved. Permission to copy and +distribute verbatim copies of this document is granted. --- openldap-2.4.28.orig/debian/README.DB_CONFIG +++ openldap-2.4.28/debian/README.DB_CONFIG @@ -0,0 +1,187 @@ +For good performance using the BDB backend, a good DB_CONFIG file in the +database directory (usually /var/lib/ldap) is crucial. The following two +articles should help you to determine a good configuration for your +requirements. A standard DB_CONFIG is installed but it may not be adequate +for your system. + +The current version of OpenLDAP supports putting DB_CONFIG parameters into +slapd.conf instead by prefixing those options with dbconfig. See the +slapd-bdb(5) man page for more information. If there is no DB_CONFIG file +when slapd starts and there are dbconfig lines in slapd.conf, slapd will +write out a DB_CONFIG file with those settings before initializing the +database. + +With the current version of OpenLDAP, any changes to DB_CONFIG will take +effect automatically after restarting slapd. Running db_recover is no +longer required. + + -- Torsten Landschoff Sun, 29 May 2005 18:08:10 +0200 + Russ Allbery Fri, 01 Jun 2007 23:57:33 -0700 + +How do I configure the BDB backend? +----------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/893.html, author unknown) + +The BDB backend ("back-bdb") uses a lot of special features of Sleepycat's +Berkeley DB library, and there are a lot of details that must be set correctly +to get the best results from it. Even though the LDBM backend ("back-ldbm") can +use the BerkeleyDB library, the BDB and LDBM backends have some very important +differences, as already noted in (Xref) What are the different backends? What +are their differences?. + +Because back-bdb is transaction-based and uses write-ahead logging to ensure +data consistency, it has much heavier I/O demands than back-ldbm. Also, the +transaction log files accumulate as data is written to the directory, and these +log files must be cleaned out periodically. Otherwise the log files will +consume enormous amounts of disk space. The cleanup procedures are described in +(Xref) How to maintain Berkeley DB (logs etc.) ?. + +The information needed to fully understand things and to properly configure +back-bdb is divided among the slapd-bdb(5) manual page and the SleepyCat +BerkeleyDB documentation (http://www.sleepycat.com/docs/). + +You should read the entire slapd-bdb(5) manpage before proceeding. The only +mandatory keyword is "directory" for setting the location of the database +files. The other keywords control tradeoffs between data reliability, +performance, and memory use. To ensure that committed transactions actually get +flushed to disk, you should use the "checkpoint" keyword, otherwise your data +is vulnerable to loss due to system failures. See the SleepyCat documentation +for more information about checkpoints. (In fact, you should read all of +chapter 9 "Berkeley DB Transactional Data Store Applications" in the SleepyCat +reference manual. At least, read sections 1-3 and 13-24.) + +The "dbnosync" keyword is provided for compatibility with back-ldbm; the +preferred method of setting this is to use the BDB DB_CONFIG file option +set_flags DB_TXN_NOSYNC. The "lockdetect" keyword is also deprecated, you +should instead use the BDB DB_CONFIG file set_lk_detect keyword. (It's safe to +leave this at the default setting.) + +A number of important items must be configured in the BDB DB_CONFIG file and +not in slapd.conf. You should, at least, read about these items: + +set_cachesize + The BDB library maintains its own cache separate from the back-bdb entry + cache. You must set this cache to a size appropriate for your database and + physical memory size. Note that this is a persistent setting - after you + set it the first time, further changes will be ignored until you recreate + the environment using db_recover. +set_lg_dir + Set the directory for storing transaction logs. For best performance, + the transaction logs must be located on a different physical disk from + the database files. +set_lg_bsize + Set the buffer size for the transaction log. Larger is better, but it + doesn't have much effect unless you're also using the DB_TXN_NOSYNC + option. With a default log file size of 10MB I usually set this to 2MB. + The default is only 32K, which is too small for back-bdb. + +On a very busy system you might see error messages talking about running out of +locks, lockers, or lock objects. Usually the default values are plenty, and in +older versions of the BDB library the errors were more likely due to library +bugs than actual system load. However, it is possible that you have actually +run out of lock resources due to heavy system usage. If this happens, you +should read about the set_lk_max_lockers, set_lk_max_locks, and +set_lk_max_objects keywords. + +How do I determine the proper BDB/HDB database cache size? +---------------------------------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/1075.html, written by +hyc@openldap.org, Kurt@OpenLDAP.org) + +Not having a proper database cache size will cause performance issues. (Note: +in older versions of Berkeley DB, an improper database case size could also +cause the server to hang.) + +These issues are not an indication of corruption occurring in the database. It +is merely the fact that the cache is thrashing itself that causes +performance/response time to slowdown. If you take the time to read and +understand the Berkeley DB documentation, measure the library performance using +db_stat, and tune your settings, you will avoid these problems. + +It is not absolutely necessary to configure a BerkeleyDB cache equal in size to +your entire database. All that you need is a cache that's large enough for your +"working set." That means, large enough to hold all of the most frequently +accessed data, plus a few less-frequently accessed items. + +You should really read the BDB documentation referenced above, but let me spell +out what that really means here, in detail. The discussion here is focused on +back-bdb and back-hdb, but most of it also applies to back-ldbm when using +BerkeleyDB as the underlying database engine. + +Start with the most obvious - the back-bdb database lives in two main files, +dn2id.bdb and id2entry.bdb. These are B-tree databases. We have never +documented the back-bdb internal layout before, because it didn't seem like +something anyone should have to worry about, nor was it necessarily cast in +stone. But here's how it works today, in OpenLDAP 2.1 and 2.2. (All of the +database files in back-ldbm are B-trees by default.) + +A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping +data in its interior nodes. (If you don't know what tree data structures look +like in general, Google for some references, because that's getting far too +elementary for the purposes of this discussion.) + +For decent performance, you need enough cache memory to contain all the nodes +along the path from the root of the tree down to the particular data item +you're accessing. That's enough cache for a single search. For the general +case, you want enough cache to contain all the internal nodes in the database. +"db_stat -d" will tell you how many internal pages are present in a database. +You should check this number for both dn2id and id2entry. + +Also note that id2entry always uses 16KB per "page", while dn2id uses whatever +the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the +cache and triggering these infinite hang bugs in BDB 4.1.25, your cache must be +at least as large as the number of internal pages in both the dn2id and +id2entry databases, plus some extra space to accomodate the actual leaf data +pages. + +For example, in my OpenLDAP 2.2 test database, I have an input LDIF file that's +about 360MB. With the back-hdb backend this creates a dn2id.bdb that's 68MB, +and an id2entry that's 800MB. db_stat tells me that dn2id uses 4KB pages, has +433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 +internal pages, and 45912 leaf pages. In order to efficiently retrieve any +single entry in this database, the cache should be at least + +(433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB. + +This doesn't take into account other library overhead, so this is even lower +than the barest minimum. The default cache size, when nothing is configured, is +only 256KB. If you tried to do much of anything with this database and only +default settings, BDB 4.1.25 would lock up in an infinite loop. + +This 2.5MB number also doesn't take indexing into account. Each indexed +attribute uses another database file of its own, using a Hash structure. +(Again, in back-ldbm, the indexes also use B-trees by default, so this part of +the discussion doesn't apply unless back-ldbm was explicitly compiled to use +Hashes instead. Also, in OpenLDAP 2.2 onward, all of the indexes use B-trees, +there are no more Hash database files. So just use the B-tree information above +and ignore this Hash discussion.) + +Unlike the B-trees, where you only need to touch one data page to find an entry +of interest, doing an index lookup generally touches multiple keys, and the +point of a hash structure is that the keys are evenly distributed across the +data space. That means there's no convenient compact subset of the database +that you can keep in the cache to insure quick operation, you can pretty much +expect references to be scattered across the whole thing. My strategy here +would be to provide enough cache for at least 50% of all of the hash data. +(Number of hash buckets + number of overflow pages + number of duplicate pages) +* page size / 2. + +The objectClass index for my example database is 5.9MB and uses 3 hash buckets +and 656 duplicate pages. So ( 3 + 656 ) * 4KB / 2 =~ 1.3MB. + +With only this index enabled, I'd figure at least a 4MB cache for this backend. +(Of course you're using a single cache shared among all of the database files, +so the cache pages will most likely get used for something other than what you +accounted for, but this gives you a fighting chance.) + +With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in 1 +minute, 40 seconds. With the cache doubled to 8MB, it still takes the same +1:40s. Once you've got enough cache to fit the B-tree internal pages, +increasing it further won't have any effect until the cache really is large +enough to hold 100% of the data pages. I don't have enough free RAM to hold all +the 800MB id2entry data, so 4MB is good enough. + +With back-bdb and back-hdb you can use "db_stat -m" to check how well the +database cache is performing. Unfortunately you can't do this with back-ldbm, +as the statistics are not accessible when slapd is running, nor are they saved +anywhere when slapd is stopped. (Yet another reason not to use back-ldbm.) --- openldap-2.4.28.orig/debian/rules +++ openldap-2.4.28/debian/rules @@ -0,0 +1,188 @@ +#!/usr/bin/make -f + +# Set this variable if you're building packages outside of Debian and don't +# want the checks for DFSG-freeness. +#DFSG_NONFREE = 1 + +export DEB_BUILD_HARDENING=1 + +export DEB_CFLAGS_MAINT_APPEND := -Wall -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS +export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow + +# Workaround for bad glibc behavior when resolving localhost +export RESOLV_MULTI = off + +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) + +CONFIG = $(shell grep -v "^\#" debian/configure.options) +ifneq ($(DEB_HOST_ARCH_OS),linux) + CONFIG += --disable-mdb +endif + +installdir := $(CURDIR)/debian/tmp +builddir := $(CURDIR)/debian/build +slapddir := $(CURDIR)/debian/slapd/usr/sbin + +MAKEVARS := STRIP= + +# These variables are used only by get-orig-source, which will normally only +# be run by maintainers. +VERSION = 2.4.28 +URL = http://www.openldap.org/software/download/OpenLDAP/openldap-release/ + +# Download the upstream source and make changes as required for DFSG reasons. +# Assumes wget is available, as this is generally only used by the package +# maintainers. +get-orig-source: + @if [ ! -d "debian/schema" ] ; then \ + echo 'Run this from the top directory of the Debian source' >&2; \ + exit 1; \ + fi + wget $(URL)/openldap-$(VERSION).tgz + tar xzf openldap-$(VERSION).tgz + rm -r openldap-$(VERSION)/doc/drafts + rm -r openldap-$(VERSION)/doc/rfc + set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \ + file=`basename "$$schema"`; \ + rm openldap-$(VERSION)/servers/slapd/schema/$$file; \ + done + mv openldap-$(VERSION) openldap_$(VERSION).orig + tar cf openldap_$(VERSION).orig.tar openldap_$(VERSION).orig + rm -r openldap_$(VERSION).orig + gzip -9 openldap_$(VERSION).orig.tar + +%: + dh $@ --with quilt,autoreconf --builddirectory=$(builddir) + +override_dh_auto_configure: + # Check if we include the RFCs, Internet-Drafts, or upstream schemas + # with RFC text (which are non DFSG-free). You can set DFSG_NONFREE + # to build the packages from the unchanged upstream sources but Debian + # can not ship the RFCs in main so this test is here to make sure it + # does not get in by accident again. -- Torsten + if [ -z "$(DFSG_NONFREE)" ]; then \ + if [ -e doc/drafts ] || [ -e doc/rfc ]; then exit 1; fi; \ + if [ -e servers/slapd/schema/core.schema ] \ + && grep -q 'RFC 4519 definition' servers/slapd/schema/core.schema; \ + then \ + exit 1; \ + fi; \ + fi + + # Copy our stripped schema versions into where upstream expects them. + if [ -z "$(DFSG_NONFREE)" ]; then \ + cp debian/schema/*.schema debian/schema/*.ldif \ + servers/slapd/schema/; \ + fi + + dh_auto_configure -- $(CONFIG) + +override_dh_auto_build: + dh_auto_build -- $(MAKEVARS) + $(MAKE) -C contrib/slapd-modules/smbk5pwd + $(MAKE) -C contrib/slapd-modules/nssov/ $(MAKEVARS) nssov.la + $(MAKE) -C contrib/slapd-modules/autogroup + +override_dh_auto_install: + dh_auto_install -- $(MAKEVARS) + $(MAKE) -C contrib/slapd-modules/smbk5pwd install DESTDIR=$(installdir) + $(MAKE) -C contrib/slapd-modules/nssov install DESTDIR=$(installdir) + $(MAKE) -C contrib/slapd-modules/autogroup install DESTDIR=$(installdir) + + # Empty the dependency_libs file in the .la files. + for F in $(installdir)/usr/lib/ldap/*.la; do \ + sed -i "s/^dependency_libs=.*/dependency_libs=''/" $$F; \ + done + + # Check all built libraries for unresolved symbols except for the + # libslapi library. It is a special case since the SLAPI interface + # depends on symbols defined in slapd itself. Those symbols will + # remain unresolved until the plugin is loaded into slapd. + for F in $(installdir)/usr/lib/$(DEB_HOST_MULTIARCH)/*.so.*.*.*; do \ + if echo "$$F" | grep -q libslapi ; then \ + continue; \ + fi; \ + if LD_LIBRARY_PATH=$(installdir)/usr/lib/$(DEB_HOST_MULTIARCH) ldd -d -r $$F 2>&1 | grep '^undefined symbol:'; then \ + echo; \ + echo "library $$F has undefined references. Please fix this before continuing."; \ + exit 1; \ + fi; \ + done + + # Upstream installs schema files in mode 0444 - policy wants 0644 + find $(installdir)/etc -type f|xargs chmod 0644 + # Upstream manpages are section 8C but installed as section 8 + find $(installdir)/usr/share/man -name \*.8 \ + | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#' + +override_dh_install: + dh_install + rm -rf $(CURDIR)/debian/slapd/usr/lib/ldap/smbk5pwd* + chmod 0755 $(CURDIR)/debian/slapd/usr/share/slapd/ldiftopasswd + + # install AppArmor profile + install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd + + # install ufw profile + install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd + + dh_apparmor -pslapd --profile-name=usr.sbin.slapd + +override_dh_installinit: + dh_installinit -- "defaults 19 80" + +override_dh_strip: + dh_strip -plibldap-2.4-2 --dbg-package=libldap-2.4-2-dbg + dh_strip -pslapd --dbg-package=slapd-dbg + dh_strip -Nlibldap-2.4-2 -Nslapd + # hardlink these so not confined by apparmor; do this here and not + # in dh_link so that dh_strip doesn't get confused and put the wrong + # binary in the debug package. + for f in slapacl slapadd slapauth slapcat slapdn slapindex slappasswd slaptest slapschema ; do \ + ln -f $(slapddir)/slapd $(slapddir)/$$f ; \ + done + +override_dh_link: + for pkg in libldap2-dev libldap-2.4-2; do \ + sed -e"s/\$${DEB_HOST_MULTIARCH}/$(DEB_HOST_MULTIARCH)/g" < debian/$$pkg.links.in > debian/$$pkg.links; \ + done + dh_link + +override_dh_makeshlibs: + # ideally we would do this and not have any libldap-2.4.so.2 links + # at all, but that requires adjusting the build scripts first to + # link against libldap_r, otherwise dh_shlibdeps fails + #dh_makeshlibs -plibldap-2.4-2 -V 'libldap-2.4-2 (>= 2.4.7)' + echo "slapd:Provides=$$(objdump -p debian/slapd/usr/lib/$(DEB_HOST_MULTIARCH)/libslapi-*.so.* \ + | sed -ne '/SONAME/ { s/[[:space:]]*SONAME[[:space:]]*//; \ + s/\.so\./-/; p; q }' \ + )" >> debian/slapd.substvars + dh_makeshlibs -pslapd -X/usr/lib/ldap/ -V "$$(sed -ne's/slapd:Provides=//p' debian/slapd.substvars)" + +override_dh_installdeb: + dh_installdeb + perl -w debian/dh_installscripts-common -p slapd + +override_dh_auto_clean: + dh_auto_clean + # Update translation templates for debconf + debconf-updatepo + # Remove our stripped schema from the upstream source area. + if [ -z "$(DFSG_NONFREE)" ]; then \ + set -e; for s in debian/schema/*.schema debian/schema/*.ldif; do \ + rm -f servers/slapd/schema/`basename $$s`; \ + done; \ + fi + + rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess + + # Clean the contrib directory + rm -rf contrib/slapd-modules/smbk5pwd/.libs \ + contrib/slapd-modules/smbk5pwd/smbk5pwd.lo \ + contrib/slapd-modules/smbk5pwd/smbk5pwd.la \ + contrib/slapd-modules/smbk5pwd/smbk5pwd.o + rm -rf contrib/slapd-modules/autogroup/.libs \ + contrib/slapd-modules/autogroup/autogroup.lo \ + contrib/slapd-modules/autogroup/autogroup.la \ + contrib/slapd-modules/autogroup/autogroup.o --- openldap-2.4.28.orig/debian/dh_installscripts-common +++ openldap-2.4.28/debian/dh_installscripts-common @@ -0,0 +1,22 @@ +#!/usr/bin/perl -w + +use strict; +use Debian::Debhelper::Dh_Lib; + +init(); + +foreach my $package (@{$dh{DOPACKAGES}}) { + my $tmp=tmpdir($package); + my $ext=pkgext($package); + + if (! -d "$tmp/DEBIAN") { + next; + } + + foreach my $file (qw{postinst preinst prerm postrm config}) { + my $f="$tmp/DEBIAN/$file"; + if ($f) { + complex_doit("perl -pe 's~#SCRIPTSCOMMON#~qx{cat debian/${ext}scripts-common}~eg' -i $f"); + } + } +} --- openldap-2.4.28.orig/debian/slapd.links +++ openldap-2.4.28/debian/slapd.links @@ -0,0 +1,2 @@ +usr/share/slapd/DB_CONFIG usr/share/doc/slapd/examples/DB_CONFIG +usr/share/slapd/slapd.conf usr/share/doc/slapd/examples/slapd.conf --- openldap-2.4.28.orig/debian/configure.options +++ openldap-2.4.28/debian/configure.options @@ -0,0 +1,204 @@ +#`configure' configures this package to adapt to many kinds of systems. +# +#Usage: ./configure [OPTION]... [VAR=VALUE]... +# +#To assign environment variables (e.g., CC, CFLAGS...), specify them as +#VAR=VALUE. See below for descriptions of some of the useful variables. +# +#Defaults for the options are specified in brackets. +# +#Configuration: +# -h, --help display this help and exit +# --help=short display options specific to this package +# --help=recursive display the short help of all the included packages +# -V, --version display version information and exit +# -q, --quiet, --silent do not print `checking...' messages +# --cache-file=FILE cache test results in FILE [disabled] +# -C, --config-cache alias for `--cache-file=config.cache' +# -n, --no-create do not create output files +# --srcdir=DIR find the sources in DIR [configure dir or `..'] +# +#Installation directories: +# --prefix=PREFIX install architecture-independent files in PREFIX +# [/usr/local] +--prefix=/usr +# --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX +# [PREFIX] +# +#By default, `make install' will install all the files in +#`/usr/local/bin', `/usr/local/lib' etc. You can specify +#an installation prefix other than `/usr/local' using `--prefix', +#for instance `--prefix=$HOME'. +# +#For better control, use the options below. +# +#Fine tuning of the installation directories: +# --bindir=DIR user executables [EPREFIX/bin] +# --sbindir=DIR system admin executables [EPREFIX/sbin] +# --libexecdir=DIR program executables [EPREFIX/libexec] +--libexecdir='${prefix}/lib' +# --sysconfdir=DIR read-only single-machine data [PREFIX/etc] +--sysconfdir=/etc +# --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] +# --localstatedir=DIR modifiable single-machine data [PREFIX/var] +--localstatedir=/var +# --libdir=DIR object code libraries [EPREFIX/lib] +# --includedir=DIR C header files [PREFIX/include] +# --oldincludedir=DIR C header files for non-gcc [/usr/include] +# --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] +# --datadir=DIR read-only architecture-independent data [DATAROOTDIR] +# --infodir=DIR info documentation [DATAROOTDIR/info] +# --localedir=DIR locale-dependent data [DATAROOTDIR/locale] +# --mandir=DIR man documentation [DATAROOTDIR/man] +--mandir='${prefix}/share/man' +# --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] +# --htmldir=DIR html documentation [DOCDIR] +# --dvidir=DIR dvi documentation [DOCDIR] +# --pdfdir=DIR pdf documentation [DOCDIR] +# --psdir=DIR ps documentation [DOCDIR] +# +#Program names: +# --program-prefix=PREFIX prepend PREFIX to installed program names +# --program-suffix=SUFFIX append SUFFIX to installed program names +# --program-transform-name=PROGRAM run sed PROGRAM on installed program names +# +#System types: +# --build=BUILD configure for building on BUILD [guessed] +# --host=HOST cross-compile to build programs to run on HOST [BUILD] +# --target=TARGET configure for building compilers for TARGET [HOST] +# +#Optional Features: +# --disable-option-checking ignore unrecognized --enable/--with options +# --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) +# --enable-FEATURE[=ARG] include FEATURE [ARG=yes] +# --enable-debug enable debugging no|yes|traditional [yes] +--enable-debug +# --enable-dynamic enable linking built binaries with dynamic libs [no] +--enable-dynamic +# --enable-syslog enable syslog support [auto] +--enable-syslog +# --enable-proctitle enable proctitle support [yes] +--enable-proctitle +# --enable-ipv6 enable IPv6 support [auto] +--enable-ipv6 +# --enable-local enable AF_LOCAL (AF_UNIX) socket support [auto] +--enable-local +# +#SLAPD (Standalone LDAP Daemon) Options: +# --enable-slapd enable building slapd [yes] +--enable-slapd +# --enable-dynacl enable run-time loadable ACL support (experimental) [no] +--enable-dynacl +# --enable-aci enable per-object ACIs (experimental) no|yes|mod [no] +--enable-aci +# --enable-cleartext enable cleartext passwords [yes] +--enable-cleartext +# --enable-crypt enable crypt(3) passwords [no] +--enable-crypt +# --enable-lmpasswd enable LAN Manager passwords [no] +--disable-lmpasswd +# --enable-spasswd enable (Cyrus) SASL password verification [no] +--enable-spasswd +# --enable-modules enable dynamic module support [no] +--enable-modules +# --enable-rewrite enable DN rewriting in back-ldap and rwm overlay [auto] +--enable-rewrite +# --enable-rlookups enable reverse lookups of client hostnames [no] +--enable-rlookups +# --enable-slapi enable SLAPI support (experimental) [no] +--enable-slapi +# --enable-slp enable SLPv2 support [no] +--enable-slp +# --enable-wrappers enable tcp wrapper support [no] +--enable-wrappers +# +#SLAPD Backend Options: +# --enable-backends enable all available backends no|yes|mod +--enable-backends=mod +# --enable-bdb enable Berkeley DB backend no|yes|mod [yes] +# --enable-dnssrv enable dnssrv backend no|yes|mod [no] +# --enable-hdb enable Hierarchical DB backend no|yes|mod [yes] +# --enable-ldap enable ldap backend no|yes|mod [no] +# --enable-meta enable metadirectory backend no|yes|mod [no] +# --enable-monitor enable monitor backend no|yes|mod [yes] +# --enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] +--disable-ndb +# --enable-null enable null backend no|yes|mod [no] +# --enable-passwd enable passwd backend no|yes|mod [no] +# --enable-perl enable perl backend no|yes|mod [no] +# --enable-relay enable relay backend no|yes|mod [yes] +# --enable-shell enable shell backend no|yes|mod [no] +# --enable-sock enable sock backend no|yes|mod [no] +# --enable-sql enable sql backend no|yes|mod [no] +# +#SLAPD Overlay Options: +# --enable-overlays enable all available overlays no|yes|mod +--enable-overlays=mod +# --enable-accesslog In-Directory Access Logging overlay no|yes|mod [no] +# --enable-auditlog Audit Logging overlay no|yes|mod [no] +# --enable-collect Collect overlay no|yes|mod [no] +# --enable-constraint Attribute Constraint overlay no|yes|mod [no] +# --enable-dds Dynamic Directory Services overlay no|yes|mod [no] +# --enable-deref Dereference overlay no|yes|mod [no] +# --enable-dyngroup Dynamic Group overlay no|yes|mod [no] +# --enable-dynlist Dynamic List overlay no|yes|mod [no] +# --enable-memberof Reverse Group Membership overlay no|yes|mod [no] +# --enable-ppolicy Password Policy overlay no|yes|mod [no] +# --enable-proxycache Proxy Cache overlay no|yes|mod [no] +# --enable-refint Referential Integrity overlay no|yes|mod [no] +# --enable-retcode Return Code testing overlay no|yes|mod [no] +# --enable-rwm Rewrite/Remap overlay no|yes|mod [no] +# --enable-seqmod Sequential Modify overlay no|yes|mod [no] +# --enable-sssvlv ServerSideSort/VLV overlay no|yes|mod [no] +# --enable-syncprov Syncrepl Provider overlay no|yes|mod [yes] +# --enable-translucent Translucent Proxy overlay no|yes|mod [no] +# --enable-unique Attribute Uniqueness overlay no|yes|mod [no] +# --enable-valsort Value Sorting overlay no|yes|mod [no] +# +#Library Generation & Linking Options +# --enable-static[=PKGS] build static libraries [default=yes] +# --enable-shared[=PKGS] build shared libraries [default=yes] +# --enable-fast-install[=PKGS] +# optimize for fast installation [default=yes] +# --disable-dependency-tracking speeds up one-time build +# --enable-dependency-tracking do not reject slow dependency extractors +# --disable-libtool-lock avoid locking (might break parallel builds) +# +#Optional Packages: +# --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +# --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +# --with-subdir=DIR change default subdirectory used for installs +--with-subdir=ldap +# --with-cyrus-sasl with Cyrus SASL support [auto] +--with-cyrus-sasl +# --with-fetch with fetch(3) URL support [auto] +# --with-threads with threads [auto] +--with-threads +--with-gssapi +# --with-tls with TLS/SSL support auto|openssl|gnutls [auto] +--with-tls=gnutls +# --with-yielding-select with implicitly yielding select [auto] +# --with-mp with multiple precision statistics auto|longlong|long|bignum|gmp [auto] +# --with-odbc with specific ODBC support iodbc|unixodbc|odbc32|auto [auto] +--with-odbc=unixodbc +# --with-gnu-ld assume the C compiler uses GNU ld [default=no] +# --with-pic try to use only PIC/non-PIC objects [default=use +# both] +# --with-tags[=TAGS] include additional configurations [automatic] +# +#See INSTALL file for further details. +# +#Some influential environment variables: +# CC C compiler command +# CFLAGS C compiler flags +# LDFLAGS linker flags, e.g. -L if you have libraries in a +# nonstandard directory +# LIBS libraries to pass to the linker, e.g. -l +# CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if +# you have headers in a nonstandard directory +# CPP C preprocessor +# +#Use these variables to override the choices made by `configure' or to help +#it to find libraries and programs with nonstandard names/locations. +# +#Report bugs to the package provider. --- openldap-2.4.28.orig/debian/slapd.ufw.profile +++ openldap-2.4.28/debian/slapd.ufw.profile @@ -0,0 +1,9 @@ +[OpenLDAP LDAP] +title=OpenLDAP with TLS +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=389/tcp + +[OpenLDAP LDAPS] +title=OpenLDAP over SSL +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=636/tcp --- openldap-2.4.28.orig/debian/slapi-dev.install +++ openldap-2.4.28/debian/slapi-dev.install @@ -0,0 +1,2 @@ +usr/include/slapi-plugin.h +usr/lib/*/libslapi.so --- openldap-2.4.28.orig/debian/libldap2-dev.manpages +++ openldap-2.4.28/debian/libldap2-dev.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man3/* --- openldap-2.4.28.orig/debian/libldap-2.4-2.README.Debian +++ openldap-2.4.28/debian/libldap-2.4-2.README.Debian @@ -0,0 +1,22 @@ +Notes about Debian's libldap2 package +------------------------------------- + +It has been reported that using libnss-ldap can cause a failure to +unmount /usr on system shutdown. The reason is that the nss module +uses libldap from /usr and is used by the shell in the system +scripts executed on shutdown/reboot. + +More precisely bash uses the getpwuid function to get the data of +the current user which pulls in the nss modules which includes +the ldap libraries if you are using that module. + +Possible solutions to this problem are: + +a) use another shell that does not utilize getpwuid for getting info + about the current user (take dash for example). +b) make sure that the nsswitch.conf is replaced by a version which does + not mention ldap before the system is shut down (and have a startup + script that installs the "full" version of that file). +c) move the libraries to /lib (not recommended). + + -- Torsten Landschoff Mon, 30 Sep 2002 11:06:22 +0200 --- openldap-2.4.28.orig/debian/slapd.conf +++ openldap-2.4.28/debian/slapd.conf @@ -0,0 +1,136 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Features to permit +#allow bind_v2 + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +# Read slapd.conf(5) for possible values +loglevel none + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_@BACKEND@ + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +tool-threads 1 + +####################################################################### +# Specific Backend Directives for @BACKEND@: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend @BACKEND@ + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend + +####################################################################### +# Specific Directives for database #1, of type @BACKEND@: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database @BACKEND@ + +# The base of your directory in database #1 +suffix "@SUFFIX@" + +# rootdn directive for specifying a superuser on the database. This is needed +# for syncrepl. +# rootdn "cn=admin,@SUFFIX@" + +# Where the database file are physically stored for database #1 +directory "/var/lib/ldap" + +# The dbconfig settings are used to generate a DB_CONFIG file the first +# time slapd starts. They do NOT override existing an existing DB_CONFIG +# file. You should therefore change these settings in DB_CONFIG directly +# or remove DB_CONFIG and restart slapd for changes to take effect. + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. +dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +dbconfig set_lk_max_locks 1500 +# Number of lockers +dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +index objectClass eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. +checkpoint 512 30 + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by dn="@ADMIN@" write + by anonymous auth + by self write + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by dn="@ADMIN@" write + by * read + +# For Netscape Roaming support, each user gets a roaming +# profile for which they have write access to +#access to dn=".*,ou=Roaming,o=morsnet" +# by dn="@ADMIN@" write +# by dnattr=owner write + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" --- openldap-2.4.28.orig/debian/slapd.manpages +++ openldap-2.4.28/debian/slapd.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man5/slap*.5 +debian/tmp/usr/share/man/man8/slap*.8 --- openldap-2.4.28.orig/debian/slapd.scripts-common +++ openldap-2.4.28/debian/slapd.scripts-common @@ -0,0 +1,815 @@ +# -*- sh -*- +# This file can be included with #SCRIPTSCOMMON# + + +# ===== Dumping and reloading using LDIF files ========================= {{{ +# +# If incompatible changes are done to the database underlying a LDAP +# directory we need to dump the contents and reload the data into a newly +# created database after the new server was installed. The following +# functions deal with this functionality. + + +# ----- Configuration of this component -------------------------------- {{{ +# +# Dumping the database can have negative effects on the system we are +# running on. If there is a lot of data dumping it might fill a partition +# for example. Therefore we must give the user exact control over what we +# are doing. + +database_dumping_enabled() { # {{{ +# Check if the user has enabled database dumping for the current situation. +# Return success if yes. +# Usage: if database_dumping_enabled; then ... fi + + db_get slapd/dump_database + case "$RET" in + always) + ;; + "when needed") + database_format_changed || return 1 + ;; + never) + return 1 + ;; + *) + echo >&2 "Unknown value for slapd/dump_database: $RET" + echo >&2 "Please report!" + exit 1 + ;; + esac +} + +# }}} +database_format_changed() { # {{{ +# Check if the database format has changed since the old installed version +# Return success if yes. +# Usage: if database_format_changed; then + + if dpkg --compare-versions "$OLD_VERSION" lt-nl 2.4.25-2; then + return 0 + else + return 1 + fi +} + +# }}} +database_dumping_destdir() { # {{{ +# Figure out the directory we are dumping the database to and create it +# if it does not exist. +# Usage: destdir=`database_dumping_destdir` + + local dir + db_get slapd/dump_database_destdir + dir=`echo "$RET"|sed -e "s/VERSION/$OLD_VERSION/"` + mkdir -p -m 700 "$dir" + echo $dir +} + +# }}} +create_new_user() { # {{{ + if [ -z "`getent group openldap`" ]; then + addgroup --quiet --system openldap + fi + if [ -z "`getent passwd openldap`" ]; then + echo -n " Creating new user openldap... " >&2 + adduser --quiet --system --home /var/lib/ldap --shell /bin/false \ + --ingroup openldap --disabled-password --disabled-login \ + --gecos "OpenLDAP Server Account" openldap + echo "done." >&2 + fi +} +# }}} +create_ldap_directories() { # {{{ + if [ ! -d /var/lib/ldap ]; then + mkdir -m 0700 /var/lib/ldap + fi + if [ ! -d /var/run/slapd ]; then + mkdir -m 0755 /var/run/slapd + fi + update_permissions /var/lib/ldap + update_permissions /var/run/slapd +} +# }}} +update_permissions() { # {{{ + dir="$1" + if [ -d "$dir" ]; then + [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$dir" + [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$dir" + fi +} +# }}} +update_databases_permissions() { # {{{ + get_suffix | while read suffix; do + dbdir=`get_directory "$suffix"` + update_permissions "$dbdir" + done +} +# }}} +# }}} +# ----- Dumping and loading the data ------------------------------------ {{{ + +migrate_to_slapd_d_style() { # {{{ + + # Check if we need to migrate to the new style. + if previous_version_older 2.4.23-3 && [ -f "${SLAPD_CONF}" ] \ + && ! [ -d /etc/ldap/slapd.d ] + then + + # Create the new configuration directory + mkdir /etc/ldap/slapd.d + + echo -n " Migrating slapd.conf to slapd.d configuration style... " >&2 + capture_diagnostics slaptest -f ${SLAPD_CONF} -F /etc/ldap/slapd.d || failed=1 + if [ "$failed" ]; then + + echo "failed." >&2 + echo >&2 + cat <<-EOF +Migrating slapd.conf file (${SLAPD_CONF}) to slapd.d failed with the following +error while running slaptest: +EOF + release_diagnostics " " + rm -rf /etc/ldap/slapd.d + exit 1 + fi + + # Backup the old slapd.conf + mv ${SLAPD_CONF} ${SLAPD_CONF}.old + SLAPD_CONF=/etc/ldap/slapd.d + + # Add olcAccess control to grant local root connections access + sed -i '/^olcDatabase: {-1}frontend/a\ +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\ +olcAccess: {1}to dn.exact="" by * read\ +olcAccess: {2}to dn.base="cn=Subschema" by * read' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif" + sed -i '/^olcDatabase: {0}config/a\ +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif" + + # TODO: Now we are doing something that is not allowed by policy but it + # has to be done. + sed -i -e "/^[[:space:]]*SLAPD_CONF=.*/ s/^/#/" /etc/default/slapd + echo "done." >&2 + fi +} + +dump_databases() { # {{{ +# If the user wants us to dump the databases they are dumped to the +# configured directory. + local db suffix file dir failed slapcat_opts + + database_dumping_enabled || return 0 + + dir=`database_dumping_destdir` + echo >&2 " Dumping to $dir: " + (get_suffix | while read suffix; do + dbdir=`get_directory "$suffix"` + if [ -n "$dbdir" ] && [ -d "$dbdir" ]; then + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + # Need to support slapd.d migration from preinst + if [ -f "${SLAPD_CONF}" ]; then + slapcat_opts="-g -f ${SLAPD_CONF}" + else + slapcat_opts="-g -F ${SLAPD_CONF}" + fi + slapcat ${slapcat_opts} -b "$suffix" > "$file" || failed=1 + if [ "$failed" ]; then + rm -f "$file" + echo "failed." >&2 + db_subst slapd/upgrade_slapcat_failure location "$dir" <&5 + db_input critical slapd/upgrade_slapcat_failure <&5 || true + db_go <&5 || true + exit 1 + fi + echo "done." >&2 + fi + done) 5<&0 &2 " Loading from $dir: " + get_suffix | while read suffix; do + dbdir=`get_directory "$suffix"` + if [ -z "$dbdir" ]; then + continue + fi + if ! is_empty_dir "$dbdir"; then + echo >&2 \ + " Directory $dbdir for $suffix not empty, aborting." + exit 1 + fi + + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + + # If there is an old DB_CONFIG file, restore it before + # running slapadd + backupdir=`compute_backup_path -n "$dbdir" "$suffix"` + if [ -e "$backupdir"/DB_CONFIG ]; then + cp -a "$backupdir"/DB_CONFIG "$dbdir"/ + else + copy_example_DB_CONFIG "$dbdir"/ + fi + + if [ -f "${SLAPD_CONF}" ]; then + slapadd_opts="-g -f ${SLAPD_CONF}" + else + slapadd_opts="-g -F ${SLAPD_CONF}" + fi + capture_diagnostics slapadd ${slapadd_opts} \ + -q -b "$suffix" -l "$file" || failed=1 + if [ "$failed" ]; then + rm -f "$dbdir"/* + echo "failed." >&2 + echo >&2 + cat <<-EOF + Loading the database from the LDIF dump failed with the following + error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + echo "done." >&2 + + if [ -n "$SLAPD_USER" ] || [ -n "$SLAPD_GROUP" ]; then + echo -n " - chowning database directory ($SLAPD_USER:$SLAPD_GROUP)... " + [ -z "$SLAPD_USER" ] || \ + chown -R "$SLAPD_USER" "$dbdir" + [ -z "$SLAPD_GROUP" ] || \ + chgrp -R "$SLAPD_GROUP" "$dbdir" + echo "done"; + fi + done +} + +# }}} +move_incompatible_databases_away() { # {{{ + echo >&2 " Moving old database directories to /var/backups:" + (get_suffix | while read suffix; do + dbdir=`get_directory "$suffix"` + move_old_database_away "$dbdir" "$suffix" <&5 + done) 5<&0 + +# XXX: should ask the user via debconf + + local dirname basedn ok_exists + if [ "$1" = "-n" ]; then + ok_exists=yes + shift + fi + dirname="$1" + basedn="$2" + + # Computing the name of the backup directory from the old version, + # the suffix etc. all makes me feel worried. I'd rather have a + # directory name which is not going to exist. So the simple + # scheme we are using now is to compute the filename from the + # directory name and appending date and time. And we check if it + # exists to be really sure... -- Torsten + + local target + local id + id="$OLD_VERSION" + [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S` + target="/var/backups/$basedn-$id.ldapdb" + # Configuration via dpkg-reconfigure. + # The backup directory already exists when reconfigured + # twice or more: append a timestamp. + if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then + target="$target-`date +%Y%m%d-%H%M%S`" + fi + if [ -e "$target" ] && [ -z "$ok_exists" ]; then + echo >&2 + echo >&2 " Backup path $target exists. Giving up..." + exit 1 + fi + + echo "$target" +} + +# }}} +move_old_database_away() { # {{{ +# Move the old database away if it is still there +# +# In fact this function makes sure that the database directory is empty +# with the exception of any DB_CONFIG file +# and can be populated with a new database. If something is in the way +# it is moved to a backup directory if the user accepted the debconf +# option slapd/move_old_database. Otherwise we output a warning and let +# the user fix it himself. +# Usage: move_old_database_away [] + + local databasedir backupdir + databasedir="$1" + suffix="${2:-unknown}" + + if [ ! -e "$databasedir" ] || is_empty_dir "$databasedir"; then + return 0 + fi + + # Note that we can't just move the database dir as it might be + # a mount point. Instead me move the content which might + # include mount points as well anyway, but it's much less likely. + db_get slapd/move_old_database + if [ "$RET" = true ]; then + backupdir=`compute_backup_path "$databasedir" "$suffix"` + echo -n " - directory $suffix... " >&2 + mkdir -p "$backupdir" + find "$databasedir" -mindepth 1 -maxdepth 1 \ + -exec mv {} "$backupdir" \; + echo done. >&2 + else + cat >&2 < + local directory srcdir + + directory="$1" + srcdir="/usr/share/slapd" + + if ! [ -f "${directory}/DB_CONFIG" ] && [ -d "$directory" ]; then + cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG" + fi +} + +# }}} +create_new_configuration() { # {{{ +# Create a new configuration and directory + + local basedn dc backend + + # For the domain really.argh.org we create the basedn + # dc=really,dc=argh,dc=org with the dc entry dc: really + db_get slapd/domain + basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`" + dc="`echo $RET | sed 's/^\.//; s/\..*$//'`" + + db_get slapd/backend + backend="`echo $RET|tr A-Z a-z`" + + # Looks like the following code is not needed as slapd is unconfigured + # first and stopped at that time. So no need to stop slapd at all here. + + if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then + echo >&2 " Moving old database directory to /var/backups:" + move_old_database_away /var/lib/ldap + fi + create_ldap_directories + create_new_slapd_conf "$basedn" "$backend" + create_new_directory "$basedn" "$dc" + + # Put the right permissions on this directory. + update_permissions /var/lib/ldap + + # Now that we created the new directory we don't need the passwords in the + # debconf database anymore. So wipe them. + wipe_admin_pass +} +# }}} +create_new_slapd_conf() { # {{{ +# Create the new slapd.d directory (configuration) +# Usage: create_new_slapd_conf + + local initldif failed basedn backend backendobjectclass adminpass + + # Fetch configuration + basedn="$1" + backend="$2" + if [ "$backend" = "hdb" ]; then + backendobjectclass="olcHdbConfig" + else + backendobjectclass="olcBdbConfig" + fi + db_get slapd/internal/adminpw + adminpass="$RET" + + echo -n " Creating initial configuration... " >&2 + + # Create the slapd.d directory. + rm -rf ${SLAPD_CONF}/cn=config ${SLAPD_CONF}/cn=config.ldif + mkdir -p ${SLAPD_CONF} + initldif=`mktemp -t slapadd.XXXXXX` + cat /usr/share/slapd/slapd.init.ldif > ${initldif} + + # Change some defaults + sed -i -e "s|@BACKEND@|$backend|g" ${initldif} + sed -i -e "s|@BACKENDOBJECTCLASS@|$backendobjectclass|g" ${initldif} + sed -i -e "s|@SUFFIX@|$basedn|g" ${initldif} + sed -i -e "s|@PASSWORD@|$adminpass|g" ${initldif} + + capture_diagnostics slapadd -F "${SLAPD_CONF}" -b "cn=config" \ + -l "${initldif}" || failed=1 + if [ "$failed" ]; then + cat <<-EOF +Loading the initial configuration from the ldif file (${init_ldif}) failed with +the following error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + + update_permissions "${SLAPD_CONF}" + rm -f "${initldif}" + echo "done." >&2 +} +# }}} +encode_utf8() { #{{{ +# Make the value utf8 encoded. Takes one argument and utf8 encode it. +# Usage: val=`encode_utf8 ` + perl -e 'use Encode; print encode_utf8($ARGV[0]);' "$1" +} #}}} +create_new_directory() { # {{{ +# Create a new directory. Takes the basedn and the dc value of that entry. +# Other information is extracted from debconf. +# Usage: create_new_directory + + local basedn dc organization adminpass + basedn="$1" + dc="$2" + + # Encode to utf8 and base64 encode the organization. + db_get shared/organization + organization=`encode_utf8 "$RET"` + db_get slapd/internal/adminpw + adminpass="$RET" + + echo -n " Creating LDAP directory... " >&2 + + initldif=`mktemp -t slapadd.XXXXXX` + cat <<-EOF > "${initldif}" + dn: $basedn + objectClass: top + objectClass: dcObject + objectClass: organization + o: $organization + dc: $dc + + dn: cn=admin,$basedn + objectClass: simpleSecurityObject + objectClass: organizationalRole + cn: admin + description: LDAP administrator + userPassword: $adminpass + EOF + + capture_diagnostics slapadd -F "${SLAPD_CONF}" -b "${basedn}" \ + -l "${initldif}" || failed=1 + if [ "$failed" ]; then + rm -f ${initldif} + echo "failed." >&2 + cat <<-EOF +Loading the initial configuration from the ldif file (${init_ldif}) failed with +the following error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + + rm -f ${initldif} + echo "done." >&2 +} +# }}} +configure_v2_protocol_support() { # {{{ +# Adds the "allow bind_v2" directive to the configuration if the user decided +# he wants to have ldap v2 enabled. + + db_get slapd/allow_ldap_v2 + if [ "$RET" != "true" ]; then return 0; fi + + echo -n " Enabling LDAPv2 support... " >&2 + + # cn=config enabled, try to update the cn=config.ldif + if [ -d "$SLAPD_CONF" ]; then + if ! grep -q -E "^olcAllows:[[:space:]]+bind_v2" "${SLAPD_CONF}/cn=config.ldif"; then + echo "olcAllows: bind_v2" >> "${SLAPD_CONF}/cn=config.ldif" + fi + echo "done" >&2 + return 0 + fi +} +# }}} +backup_config_once() { # {{{ +# Create a backup of the current configuration files. +# Usage: backup_config_once + + local backupdir + + if [ -z "$FLAG_CONFIG_BACKED_UP" ]; then + backupdir=`database_dumping_destdir` + if [ -e "$SLAPD_CONF" ]; then + cp -a "$SLAPD_CONF" "$backupdir" + fi + FLAG_CONFIG_BACKED_UP=yes + fi +} + +# }}} + + +# Set up the defaults for our templates +set_defaults_for_unseen_entries() { + DOMAIN=`hostname -d 2>/dev/null` || true + if [ -z "$DOMAIN" ]; then DOMAIN='nodomain'; fi + + db_fget slapd/domain seen + if [ "$RET" = false ]; then + db_set slapd/domain "$DOMAIN" + fi + + db_fget shared/organization seen + if [ "$RET" = false ]; then + db_set shared/organization "$DOMAIN" + fi +} + +crypt_admin_pass() { # {{{ +# Store the encrypted admin password into the debconf db +# Usage: crypt_admin_pass + + local adminpw; + + db_get slapd/password1 + if [ ! -z "$RET" ]; then + db_set slapd/internal/adminpw `create_password_hash "$RET"` + else + + # Set the password. + adminpw=`generate_admin_pass` + db_set slapd/internal/generated_adminpw $adminpw + db_set slapd/internal/adminpw `create_password_hash "$adminpw"` + fi +} + +generate_admin_pass() { +# Generate a password, if no password given then generate one. +# Usage: generate_admin_pass + + perl << 'EOF' +# -------- +sub generatePassword { + $length = shift; + $possible = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + $password = ''; + while(length($password) < $length) { + $password.= substr($possible, (int(rand(length($possible)))), 1); + } + return $password; +} +print generatePassword(15); +EOF +# -------- +} + +wipe_admin_pass() { +# Remove passwords after creating the initial ldap database. +# Usage: wipe_admin_pass + db_set slapd/password1 "" + db_set slapd/password2 "" + db_set slapd/internal/adminpw "" + db_set slapd/internal/generated_adminpw "" +} + +# }}} +create_password_hash() { # {{{ +# Create the password hash for the given password +# Usage: hash=`create_password_hash "$password"` + + slappasswd -s "$1" +} + +# }}} +previous_version_older() { # {{{ +# Check if the previous version is newer than the reference version passed. +# If we are not upgrading the previous version is assumed to be newer than +# any reference version. +# Usage: previous_version_older + + if dpkg --compare-versions "$OLD_VERSION" lt-nl "$1"; then + return 0 + else + return 1 + fi +} + +# }}} +previous_version_newer() { # {{{ +# Check if the previous version is newer than the reference version passed. +# If we are not upgrading the previous version is assumed to be newer than +# any reference version. +# Usage: previous_version_newer + + if dpkg --compare-versions "$OLD_VERSION" gt-nl "$1"; then + return 0 + else + return 1 + fi +} # }}} + +is_initial_configuration() { # {{{ +# Check if this is the initial configuration and not an upgrade of an +# existing configuration +# Usage: if is_initial_configuration "$@"; then ... fi from top level + + # Plain installation + if [ "$1" = configure ] && [ -z "$2" ]; then + return 0 + fi + # Configuration via dpkg-reconfigure + if [ "$1" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]; then + return 0 + fi + # Upgrade but slapd.conf doesn't exist. If the user is doing this + # intentionally because they want to put it somewhere else, they + # should select manual configuration in debconf. + if [ "$1" = configure ] && [ ! -e "${SLAPD_CONF}" ]; then + return 0 + fi + return 1 +} + +# }}} +is_empty_dir() { # {{{ +# Check if a path refers to a directory that is "empty" from the POV of slapd +# (i.e., contains no files except for an optional DB_CONFIG). +# Usage: if is_empty_dir "$dir"; then ... fi + + output=`find "$1" -mindepth 1 -maxdepth 1 \! -name DB_CONFIG 2>/dev/null` + if [ -n "$output" ]; then + return 1 + else + return 0 + fi +} + +# }}} + +# ===== Global variables ================================================ {{{ +# +# At some points we need to know which version we are upgrading from if +# any. More precisely we only care about the configuration and data we +# might have laying around. Some parts also want to know which mode the +# script is running in. + +MODE="$1" # install, upgrade, etc. - see debian-policy +OLD_VERSION="$2" + +# Source the init script configuration +# See example file debian/slapd.default for variables defined here +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + if [ -f "/etc/ldap/slapd.conf" ] && \ + [ ! -e "/etc/ldap/slapd.d" ] + then + SLAPD_CONF="/etc/ldap/slapd.conf" + else + SLAPD_CONF="/etc/ldap/slapd.d" + fi +fi + +# }}} + +# ----- Handling diagnostic output ------------------------------------ {{{ +# +# Often you want to run a program while you are showing progress +# information to the user. If the program you are running outputs some +# diagnostics it will mess up your screen. +# +# This is what the following functions are designed for. When running the +# program, use capture_diagnostics to store what the program outputs to +# stderr and use release_diagnostics to write out the captured output. + + +capture_diagnostics() { # {{{ +# Run the command passed and capture the diagnostic output in a temporary +# file. You can dump that file using release_diagnostics. + + # Create the temporary file + local tmpfile + tmpfile=`mktemp` + exec 7<>"$tmpfile" + rm "$tmpfile" + + # Run the program and capture stderr. If the program fails the + # function fails with the same status. + "$@" 2>&7 || return $? +} + +# }}} +release_diagnostics() { # {{{ +# Dump the diagnostic output captured via capture_diagnostics, optionally +# prefixing each line. +# Usage: release_diagnostics "prefix" + + local script + script=' + seek STDIN, 0, 0; + print "$ARGV[0]$_" while ();'; + perl -e "$script" "$1" <&7 +} + +# }}} + + +# }}} + +# vim: set sw=8 foldmethod=marker: + --- openldap-2.4.28.orig/debian/README.source +++ openldap-2.4.28/debian/README.source @@ -0,0 +1,8 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. Please see: + + /usr/share/doc/quilt/README.source + +for more information on how to apply the patches, modify patches, or +remove a patch. --- openldap-2.4.28.orig/debian/libldap-2.4-2.manpages +++ openldap-2.4.28/debian/libldap-2.4-2.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man5/ldap.conf.5 --- openldap-2.4.28.orig/debian/ldap-utils.README.Debian +++ openldap-2.4.28/debian/ldap-utils.README.Debian @@ -0,0 +1,5 @@ +If you want to play with shell and ldapsearch output, be sure your dn +entries are one per line. A perl script could be: + + ldapsearch ... | perl -p -0040 -e 's/\n //' + --- openldap-2.4.28.orig/debian/control +++ openldap-2.4.28/debian/control @@ -0,0 +1,120 @@ +Source: openldap +Section: net +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian OpenLDAP Maintainers +Uploaders: Roland Bauerschmidt , + Stephen Frost , + Steve Langasek , + Torsten Landschoff , + Matthijs Möhlmann , + Russ Allbery +Build-Depends: debhelper (>= 8.9.0~), + dpkg-dev (>= 1.16.1), + libdb5.1-dev, libgcrypt-dev, + libgnutls-dev (>= 1.7), unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0), + libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3), + libwrap0-dev, perl, debconf-utils, po-debconf, quilt (>= 0.46-7), + groff-base, time, heimdal-dev, hardening-wrapper, + dh-autoreconf, dh-apparmor +Build-Conflicts: libbind-dev, bind-dev, libicu-dev, autoconf2.13 +Standards-Version: 3.9.1 +Homepage: http://www.openldap.org/ +Vcs-Svn: svn://svn.debian.org/pkg-openldap/openldap/trunk +Vcs-Browser: http://svn.debian.org/wsvn/pkg-openldap/openldap/trunk + +Package: slapd +Section: net +Priority: optional +Architecture: any +Pre-Depends: debconf (>= 0.5) | debconf-2.0, ${misc:Pre-Depends} +Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), + coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, + adduser, lsb-base (>= 3.2-13), ${misc:Depends} +Recommends: libsasl2-modules +Suggests: ldap-utils, ufw +Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1) +Replaces: libldap2, ldap-utils (<< 2.2.23-3) +Provides: ldap-server, ${slapd:Provides} +Description: OpenLDAP server (slapd) + This is the OpenLDAP (Lightweight Directory Access Protocol) server + (slapd). The server can be used to provide a standalone directory + service. + +Package: slapd-smbk5pwd +Section: net +Priority: extra +Architecture: any +Depends: slapd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Description: Keeps Samba and Kerberos passwords in sync within slapd. + Extends the PasswordModify Extended Operation to update Kerberos keys + and Samba password hashes for an LDAP user. The Kerberos support is + written for Heimdal using its hdb-ldap backend. The Samba support is + written using the Samba 3.0 LDAP schema. + +Package: ldap-utils +Section: net +Priority: optional +Architecture: any +Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Recommends: libsasl2-modules +Conflicts: umich-ldap-utils, openldap-utils, ldap-client +Replaces: openldap-utils, slapd (<< 2.2.23-0.pre6), openldapd +Provides: ldap-client, openldap-utils +Description: OpenLDAP utilities + This package provides utilities from the OpenLDAP (Lightweight + Directory Access Protocol) package. These utilities can access a + local or remote LDAP server and contain all the client programs + required to access LDAP servers. + +Package: libldap-2.4-2 +Section: libs +Priority: standard +Architecture: any +Multi-Arch: same +Conflicts: ldap-utils (<= 2.1.23-1) +Pre-Depends: multiarch-support +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libldap2, libldap-2.3-0 +Description: OpenLDAP libraries + These are the run-time libraries for the OpenLDAP (Lightweight Directory + Access Protocol) servers and clients. + +Package: libldap-2.4-2-dbg +Section: debug +Priority: extra +Architecture: any +Multi-Arch: same +Depends: libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Description: Debugging information for OpenLDAP libraries + This package provides detached debugging information for the OpenLDAP + (Lightweight Directory Access Protocol) libraries. It is useful + primarily to permit better backtraces and crash dump analysis after + problems with the libraries. GDB will find this debug information + automatically. + +Package: libldap2-dev +Section: libdevel +Priority: extra +Architecture: any +Multi-Arch: same +Conflicts: libldap-dev, libopenldap-dev +Replaces: libopenldap-dev +Provides: libldap-dev +Depends: libldap-2.4-2 (= ${binary:Version}), ${misc:Depends} +Description: OpenLDAP development libraries + This package allows development of LDAP applications using the OpenLDAP + libraries. It includes headers, libraries and links to allow static and + dynamic linking. + +Package: slapd-dbg +Section: debug +Priority: extra +Architecture: any +Depends: slapd (= ${binary:Version}), ${misc:Depends} +Description: Debugging information for the OpenLDAP server (slapd) + This package provides detached debugging information for the OpenLDAP + (Lightweight Directory Access Protocol) server (slapd). It is useful + primarily to permit better backtraces and crash dump analysis after + problems with the libraries. GDB will find this debug information + automatically. --- openldap-2.4.28.orig/debian/slapd.docs +++ openldap-2.4.28/debian/slapd.docs @@ -0,0 +1 @@ +debian/README.DB_CONFIG --- openldap-2.4.28.orig/debian/libldap-2.4-2.shlibs +++ openldap-2.4.28/debian/libldap-2.4-2.shlibs @@ -0,0 +1,3 @@ +liblber-2.4 2 libldap-2.4-2 (>= 2.4.7) +libldap-2.4 2 libldap-2.4-2 (>= 2.4.7) +libldap_r-2.4 2 libldap-2.4-2 (>= 2.4.7) --- openldap-2.4.28.orig/debian/DB_CONFIG +++ openldap-2.4.28/debian/DB_CONFIG @@ -0,0 +1,78 @@ +# WARNING: Before tuning the following parameters, _PLEASE READ_ +# /usr/share/doc/slapd/README.DB_CONFIG.gz + +# Set the database in memory cache size. +# +# set_cachesize +# Sets the database in memory cache size. +# Database entries and indexes will be stored in this cache to +# avoid disk access during database read and write operations. +# Tuning this value can greatly effect your database performance. +# The parameters are: +# : The number of gigabytes of memory to allocate to the cache. +# : The number of bytes of memory to allocate to the cache. +# : The number of cache segments to use. If this value is set to +# 0 or 1 then Berkeley DB will try to allocate one contiguous section +# of memory for the cache. If this value is greater than 1, the cache +# will be split into that number of segments. +#set_cachesize 0 52428800 0 + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +set_cachesize 0 2097152 0 + +# Sets the database startup flags. +# +# set_flags +# There are various flag options that may be set. The DB_TXN_NOSYNC flag +# tells the database not to immediately flush transaction buffers to disk. +# Setting this flag can help speed up database access during periods of +# database write activity BUT at expense of data safety. Enable it only +# to load data with slapadd, while slapd is not running. +#set_flags DB_TXN_NOSYNC + + +# Set the maximum in memory cache in for database file name caching. +# +# set_lg_regionmax +# This value should be increased as the number of database files increases +# (tables and indexes). +#set_lg_regionmax 1048576 + +# Set the maximum size of log files in . +# +# set_lg_max +# Logs will be rotated when amount of data have been written to +# one log file. This value should be at least four times the size of +# set_lg_bsize. +#set_lg_max 10485760 + +# Set the in memory cache for log information. +# +# set_lg_bsize +# When amount of logging information have been written to this +# cache it will be flushed to disk. +#set_lg_bsize 2097152 +# For the Debian package we use 512kByte which should suffice for typical +# directory usage (read often, write seldom) +set_lg_bsize 524288 + +# Set the log file directory to . +# +# set_lg_dir /usr/local/var/openldap-logs +# Log files should preferably be on a different disk than the +# database files. This both improves reliability (for disastrous +# recovery) and speed of the database. +#set_lg_dir + + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 +# for more information. + +# Number of objects that can be locked at the same time. +set_lk_max_objects 5000 +# Number of locks (both requested and granted) +set_lk_max_locks 5000 +# Number of lockers +set_lk_max_lockers 5000 --- openldap-2.4.28.orig/debian/copyright +++ openldap-2.4.28/debian/copyright @@ -0,0 +1,468 @@ +This package was downloaded from: + + + +The upstream distribution has been repackaged to remove the RFCs and +Internet-Drafts included in the upstream distribution, since the Internet +Society license does not meet the Debian Free Software Guidelines. The +schema files that contain verbatim text from RFCs or Internet-Drafts have +similarly been removed and are replaced during the package build with +versions stripped of the literal RFC or Internet-Draft text. + +Copyright: + +Copyright 1998-2007 The OpenLDAP Foundation +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. A copy of this license is available at +http://www.OpenLDAP.org/license.html or in file LICENSE in the +top-level directory of the distribution (included at the end of +this file). + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Individual files and/or contributed packages may be copyright by +other parties and subject to additional restrictions. + +This work is derived from the University of Michigan LDAP v3.3 +distribution. Information concerning this software is available +at: http://www.umich.edu/~dirsvcs/ldap/ + +This work also contains materials derived from public sources. + +Additional Information about OpenLDAP can be obtained at: + http://www.openldap.org/ + +or by sending e-mail to: + info@OpenLDAP.org + +--- + +The OpenLDAP Public License + Version 2.7, 7 September 2001 + +Redistribution and use of this software and associated documentation +("Software"), with or without modification, are permitted provided +that the following conditions are met: + +1. Redistributions of source code must retain copyright statements + and notices, + +2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + +3. Redistributions must contain a verbatim copy of this document. + +The OpenLDAP Foundation may revise this license from time to time. +Each revision is distinguished by a version number. You may use +this Software under terms of this license revision or under the +terms of any subsequent revision of the license. + +THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS +CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) +OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +The names of the authors and copyright holders must not be used in +advertising or otherwise to promote the sale, use or other dealing +in this Software without specific, written prior permission. Title +to copyright in this Software shall at all times remain with +copyright holders. + +--- +Noted above is that various files can be copyrighted individually. +The licenses found in the OpenLDAP tree are as follows: + +CRL +----------------------------------- +# Copyright 1999 Computing Research Labs, New Mexico State University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT +# OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +----------------------------------- + + +FSF +----------------------------------- +# Copyright (C) 1994, 1995-8, 1999, 2001 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +----------------------------------- + + +HC +----------------------------------- + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the + * documentation. + * + * 4. This notice may not be removed or altered. + +----------------------------------- + + +IBM +----------------------------------- + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + +----------------------------------- + + +IS +----------------------------------- +# Full Copyright Statement +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. +# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph are +# included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +This license was present in the copies of several schema files and one +LDIF file as distributed upstream. The relevant content has been removed +except where it is purely functional (descriptions of an LDAP schema). +The copyright notice has been retained with a clarifying comment. The +provisions in the above license that prohibit modification therefore +should no longer apply to any files distributed with the Debian package. + +Several files in libraries/libldap also reference this license as the +copyright on ABNF sequences embedded as comments in those files. These +too are purely functional interface specifications distributed as part of +the LDAP protocol standard and do not contain creative work such as +free-form text. +----------------------------------- + + +ISC +----------------------------------- + * Copyright (c) 1996, 1998 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + +----------------------------------- + + +JC +----------------------------------- + * This software is not subject to any license of Silicon Graphics + * Inc. or Purdue University. + * + * Redistribution and use in source and binary forms are permitted + * without restriction or fee of any kind as long as this notice + * is preserved. + +The following is additional information from Juan C. Gomez on how +this license is to be interpreted: +----- +Local-Date: Fri, 06 Jun 2003 13:18:52 -0400 +Date: Fri, 6 Jun 2003 10:18:52 -0700 +From: Juan Gomez +To: Stephen Frost +X-Mailer: Lotus Notes Release 5.0.2a (Intl) 23 November 1999 +Subject: Re: Juan C. Gomez license in OpenLDAP Source + +Stephen, + +"There is no restriction on modifications and derived works" on the work I +did for the openldap server as long as this is consistent with the openldap +license. Please forward this email to Kurt so he does the appropriate +changes to the files to reflect this. + + +Regards, Juan +----------------------------------- + + +MA +----------------------------------- + * Copyright (c) 2000, Mark Adamson, Carnegie Mellon. All rights reserved. + * This software is not subject to any license of Carnegie Mellon University. + * + * Redistribution and use in source and binary forms are permitted without + * restriction or fee of any kind as long as this notice is preserved. + * + * The name "Carnegie Mellon" must not be used to endorse or promote + * products derived from this software without prior written permission. + +The following is additional information from Mark Adamson on how this license +is to be interpreted: +------ +Local-Date: Thu, 05 Jun 2003 16:53:32 -0400 +Date: Thu, 5 Jun 2003 16:53:32 -0400 (EDT) +From: Mark Adamson +To: Stephen Frost +Subject: Re: Mark Adamson license in OpenLDAP source + +Hi Stephen, + + I don't see how this conflicts with the Debian FSG. The first statement +in the copyright pertaining to CMU say only that we don't license out the +software. The second mention denies the right to say things like, +"Now! Powered by software from Carnegie Mellon!" There is no restriction +on modifications and derived works. + +-Mark +------ +----------------------------------- + + +MIT +----------------------------------- +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. + +----------------------------------- + + +OL2 +----------------------------------- +Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, +California, USA. All Rights Reserved. Permission to copy and +distribute verbatim copies of this document is granted. +----------------------------------- + + +PM +----------------------------------- + * Copyright (C) 2000 Pierangelo Masarati, + * All rights reserved. + * + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the documentation. + * + * 4. This notice may not be removed or altered. + * +----------------------------------- + + +PM2 +----------------------------------- + * Redistribution and use in source and binary forms are permitted only + * as authorized by the OpenLDAP Public License. A copy of this + * license is available at http://www.OpenLDAP.org/license.html or + * in file LICENSE in the top-level directory of the distribution. +----------------------------------- + + +UoC +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the University of California, Berkeley. The name of the + * University may not be used to endorse or promote products derived + * from this software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. + +----------------------------------- + + +UoC2 +----------------------------------- + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. +See: +ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change + +----------------------------------- + + +UoM +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. +--- +After discussing this license with the OpenLDAP Foundation we received +clarification on it: +--- + + * To: Stephen Frost + * Subject: Re: OpenLDAP Licenseing issues + * From: "Kurt D. Zeilenga" + * Date: Wed, 28 May 2003 10:55:44 -0700 + * Cc: Steve Langasek ,debian-legal@lists.debian.org, openldap-devel@OpenLDAP.org + * In-reply-to: <20030528162613.GB8524@ns.snowman.net> + * Message-id: <5.2.0.9.0.20030528094229.02924780@127.0.0.1> + * Old-return-path: + +Steven, + +The OpenLDAP Foundation believes it the Regents' statement grants a +license to redistribute derived works and is confident that the University, +who is quite aware of our actions (as they actively participate in them), +does not consider our actions to infringe on their rights. You are +welcomed to your opinions. I suggest, however, that before you rely +on your or other people's opinions (including ours), that you consult +with a lawyer familiar with applicable law and the particulars of your +situation. + +The Foundation sees no reason for it to expend its limited resources +seeking clarifications which it believes are unnecessary. You are, +of course, welcomed to expend time and energy seeking clarifications +you think are necessary. I suggest you contact University's general +counsel office (http://www.umich.edu/~vpgc/). + +Regards, Kurt +----------------------------------- + + --- openldap-2.4.28.orig/debian/slapd.postrm +++ openldap-2.4.28/debian/slapd.postrm @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e + +# Load debconf if available (might have been removed before purging +# slapd) + +if [ -e "/usr/share/debconf/confmodule" ]; then + . /usr/share/debconf/confmodule +fi + +# Check if the user wants the database removed on purging slapd +remove_database_on_purge() { + db_get slapd/purge_database || RET=false + if [ "$RET" = "true" ]; then + return 0 + else + return 1 + fi +} + +if [ "$1" = "purge" ]; then + echo -n "Removing slapd configuration... " + rm -f /etc/ldap/slapd.conf 2>/dev/null || true + rm -rf /etc/ldap/slapd.d 2>/dev/null || true + echo "done." + + if remove_database_on_purge; then + echo -n "Purging OpenLDAP database... " + rm -rf /var/lib/ldap || true + echo done + fi +fi + +#DEBHELPER# + +exit 0 + --- openldap-2.4.28.orig/debian/slapd.backup +++ openldap-2.4.28/debian/slapd.backup @@ -0,0 +1,62 @@ +#!/bin/bash +# +# Backup LDAP directories +# +# This script can be put in cron to create backups. +# +# Author: Matthijs Mohlmann +# Date: Sat, 15 Jul 2006 21:13:14 +0200 +# License: GPLv2 + +# Make sure the backups are secured. +umask 077 + +BACKUPDIR="/var/backups/slapd" +DEFAULTS="/etc/default/slapd" + +# Check if there is a directory slapd, otherwise create it. +if [ ! -d "$BACKUPDIR" ]; then + mkdir -p -m 0700 "$BACKUPDIR" +fi + +# Load default settings. +if [ -e "$DEFAULTS" ]; then + . "$DEFAULTS" +fi + +# Specify a slapd.conf if not specified. +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +fi + +# Set IFS to end of line. +ORIGIFS=$IFS +IFS=`echo -en "\n\b"` + +# Backup recursive through all configfiles all suffix's in the form: +# suffix.ldif in /var/backups/slapd +function backupDirectories() { + local conf=$1 + local directory="" + local include="" + + suffix=`grep "^suffix" $conf | sed -e "s/\(^suffix\s\+\|\"\|\'\)//g"` + for directory in "$suffix"; do + if [ ! -z "$suffix" ]; then + slapcat -l "$BACKUPDIR/$suffix.ldif" -b "$suffix" + fi + done + + includes=`grep "^include" $conf | awk '{print $2}'` + for include in $includes; do + backupDirectories "$include" + done +} + +backupDirectories "$SLAPD_CONF" + +# Put IFS back. +IFS=$ORIGIFS + +exit 0 + --- openldap-2.4.28.orig/debian/slapd.examples +++ openldap-2.4.28/debian/slapd.examples @@ -0,0 +1 @@ +debian/slapd.backup --- openldap-2.4.28.orig/debian/slapd.lintian-overrides +++ openldap-2.4.28/debian/slapd.lintian-overrides @@ -0,0 +1,3 @@ +# libslapi is a special case, used only for writing extension modules for +# slapd, and is therefore shipped with slapd. +slapd: package-name-doesnt-match-sonames libslapi-2.4-2 --- openldap-2.4.28.orig/debian/slapd-smbk5pwd.dirs +++ openldap-2.4.28/debian/slapd-smbk5pwd.dirs @@ -0,0 +1 @@ +usr/lib/ldap --- openldap-2.4.28.orig/debian/libldap2-dev.links.in +++ openldap-2.4.28/debian/libldap2-dev.links.in @@ -0,0 +1,12 @@ +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_put_bitstring.3 +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_put_boolean.3 +usr/share/man/man3/lber-encode.3 usr/share/man/man3/ber_start_seq.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memalloc.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memcalloc.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memfree.3 +usr/share/man/man3/lber-memory.3 usr/share/man/man3/ber_memrealloc.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_int_t.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_len_t.3 +usr/share/man/man3/lber-types.3 usr/share/man/man3/ber_tag_t.3 +usr/lib/${DEB_HOST_MULTIARCH}/libldap_r.so usr/lib/${DEB_HOST_MULTIARCH}/libldap.so +usr/lib/${DEB_HOST_MULTIARCH}/libldap_r.a usr/lib/${DEB_HOST_MULTIARCH}/libldap.a --- openldap-2.4.28.orig/debian/clean +++ openldap-2.4.28/debian/clean @@ -0,0 +1,2 @@ +debian/libldap-2.4-2.links +debian/libldap2-dev.links --- openldap-2.4.28.orig/debian/slapd.install +++ openldap-2.4.28/debian/slapd.install @@ -0,0 +1,9 @@ +etc/ldap/schema +usr/lib/slapd usr/sbin +usr/lib/ldap/*.so* +usr/lib/ldap/*.la +usr/lib/*/libslapi-*.so.* +debian/ldiftopasswd usr/share/slapd +debian/DB_CONFIG usr/share/slapd +debian/slapd.conf usr/share/slapd +debian/slapd.init.ldif usr/share/slapd --- openldap-2.4.28.orig/debian/ldap-utils.dirs +++ openldap-2.4.28/debian/ldap-utils.dirs @@ -0,0 +1,2 @@ +usr/bin +usr/share/man --- openldap-2.4.28.orig/debian/libldap-2.4-2.lintian-overrides +++ openldap-2.4.28/debian/libldap-2.4-2.lintian-overrides @@ -0,0 +1 @@ +libldap-2.4-2: package-name-doesnt-match-sonames liblber-2.4-2 libldap-r-2.4-2 --- openldap-2.4.28.orig/debian/ldap-utils.install +++ openldap-2.4.28/debian/ldap-utils.install @@ -0,0 +1,10 @@ +debian/tmp/usr/bin/ldapadd usr/bin +debian/tmp/usr/bin/ldapdelete usr/bin +debian/tmp/usr/bin/ldapmodrdn usr/bin +debian/tmp/usr/bin/ldapsearch usr/bin +debian/tmp/usr/bin/ldapcompare usr/bin +debian/tmp/usr/bin/ldapmodify usr/bin +debian/tmp/usr/bin/ldappasswd usr/bin +debian/tmp/usr/bin/ldapwhoami usr/bin +debian/tmp/usr/bin/ldapexop usr/bin +debian/tmp/usr/bin/ldapurl usr/bin --- openldap-2.4.28.orig/debian/libldap-2.4-2.links.in +++ openldap-2.4.28/debian/libldap-2.4-2.links.in @@ -0,0 +1 @@ +usr/lib/${DEB_HOST_MULTIARCH}/libldap_r-2.4.so.2 usr/lib/${DEB_HOST_MULTIARCH}/libldap-2.4.so.2 --- openldap-2.4.28.orig/debian/slapd.dirs +++ openldap-2.4.28/debian/slapd.dirs @@ -0,0 +1,4 @@ +var/lib/slapd +usr/share/slapd +usr/share/lintian/overrides +etc/ldap/sasl2 --- openldap-2.4.28.orig/debian/autoreconf +++ openldap-2.4.28/debian/autoreconf @@ -0,0 +1,2 @@ +. +contrib/ldapc++ --- openldap-2.4.28.orig/debian/TODO +++ openldap-2.4.28/debian/TODO @@ -0,0 +1,32 @@ +openldap2.2 (2.2.23-4) unstable; urgency=low + + * debian/slapd.NEWS: Summarize the upstream changes and make clear that + the upgrade may be problemated. Sketch the upgrade procedure. + * debian/README.Debian: Explain what to check for if upgrading fails and + how to recover. + * CARLO: debian/slapd.scripts-common: Handle all UTF-8 supported characters + in organization field by converting the locale specific input into + utf-8 and base64 encoding the result (closes: #236097). + * Maintainer scripts: Handle the configuration to enable ldif dumping + correctly: Dump if requested and only slapadd the data if it is + supposed to be there. + * Check ITS#3267 (possible data loss) and apply the patch to the + package. + * CARLO: Escape special chars in the names of backup LDIF files using + the %xx syntax. + * Check lintian warning: Postinst uses db_input. I think the usage is + okay as it is an error message IIRC which is also output using cat + in case debconf is not available. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + * Refactoring of the maintainer scripts. Goals: + + No more direct access to global variables but accessor functions + to check for invalid uses. Example: Don't use $OLD_VERSION but + `get_previous_version`. That way invalid uses can easily be flagged + if that information is not available anymore. + * Remove perl script to hash a password and use slappasswd instead. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 --- openldap-2.4.28.orig/debian/slapd.py +++ openldap-2.4.28/debian/slapd.py @@ -0,0 +1,49 @@ +#!/usr/bin/python + +'''apport hook for slapd + +(c) 2010 Adam Sommer. +Author: Adam Sommer + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +# Scrub olcRootPW attribute and credentials strings if necessary. +def scrub_pass_strings(config): + olcrootpw_regex = re.compile('olcRootPW:.*') + olcrootpw_string = olcrootpw_regex.search(config) + if olcrootpw_string: + config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@') + + credentials_regex = re.compile('credentials=.* ') + credentials_string = credentials_regex.search(config) + if credentials_string: + config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ') + + return config + +def add_info(report, ui): + response = ui.yesno("The contents of your /etc/ldap/slapd.d directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Get the cn=config tree. + cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config']) + report['CNConfig'] = scrub_pass_strings(cn_config) + + # Get slapd messages from /var/log/syslog + slapd_re = re.compile('slapd', re.IGNORECASE) + report['SysLog'] = recent_syslog(slapd_re) --- openldap-2.4.28.orig/debian/watch +++ openldap-2.4.28/debian/watch @@ -0,0 +1,5 @@ +# debian/watch -- Rules for uscan to find new upstream versions. + +version=3 +http://www.openldap.org/software/download/ \ + (?:.*/)?openldap-?_?([\d+\.]+)\.tgz --- openldap-2.4.28.orig/debian/slapd.postinst +++ openldap-2.4.28/debian/slapd.postinst @@ -0,0 +1,90 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +postinst_initial_configuration() { # {{{ +# Configure slapd for the first time (when first installed) +# Usage: postinst_initial_configuration + + if manual_configuration_wanted; then + echo " Omitting slapd configuration as requested." >&2 + else + crypt_admin_pass + create_new_configuration + configure_v2_protocol_support + fi +} + +# }}} +postinst_upgrade_configuration() { # {{{ +# Handle upgrading slapd from some older version +# Usage: postinst_upgrade_configuration + + # Better back up the config file in any case + echo -n " Backing up $SLAPD_CONF in `database_dumping_destdir`... " >&2 + backup_config_once + echo done. >&2 + + # Check if the database format has changed. + if database_format_changed; then + + # During upgrading we have to load the old data + move_incompatible_databases_away + load_databases + fi + + # Move to slapd.d configuration style. + migrate_to_slapd_d_style + + # One-time upgrade fix for olcAccess on cn=Subschema + if previous_version_older 2.4.23-5 && previous_version_newer 2.4.23-3 \ + && [ -e "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif" ] \ + && ! grep -i 'olcAccess:.*subschema' "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif" + then + sed -i '/olcAccess: {0}/a\ +olcAccess: {1}to dn.exact="" by * read\ +olcAccess: {2}to dn.base="cn=Subschema" by * read' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif" + fi + + # Enable LDAP protocol v2 support if needed. + configure_v2_protocol_support + + # Update permissions of all database directories and /var/run/slapd + update_databases_permissions + update_permissions /var/run/slapd + + # Versions prior to 2.4.7-1 could create a slapd.conf that wasn't + # readable by the openldap user. + update_permissions "${SLAPD_CONF}" +} + +# }}} + +# Create a new user. Don't create the user, however, if the local +# administrator has already customized slapd to run as a different user. +if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then + if [ "openldap" = "$SLAPD_USER" ] ; then + create_new_user + fi +fi + +# Configuration. +if is_initial_configuration "$@"; then + postinst_initial_configuration +else + postinst_upgrade_configuration +fi + +db_stop || true + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap-2.4.28.orig/debian/slapd.default +++ openldap-2.4.28/debian/slapd.default @@ -0,0 +1,45 @@ +# Default location of the slapd.conf file or slapd.d cn=config directory. If +# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to +# /etc/ldap/slapd.conf). +SLAPD_CONF= + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="openldap" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="openldap" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by +# default) +SLAPD_PIDFILE= + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" +SLAPD_SERVICES="ldap:/// ldapi:///" + +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normally +# started at boot. +#SLAPD_NO_START=1 + +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). To use a different keytab file, +# uncomment this line and change the path. +#export KRB5_KTNAME=/etc/krb5.keytab + +# Additional options to pass to slapd +SLAPD_OPTIONS="" --- openldap-2.4.28.orig/debian/slapd-smbk5pwd.install +++ openldap-2.4.28/debian/slapd-smbk5pwd.install @@ -0,0 +1,2 @@ +usr/lib/ldap/smbk5pwd.so* +usr/lib/ldap/smbk5pwd.la --- openldap-2.4.28.orig/debian/slapd.prerm +++ openldap-2.4.28/debian/slapd.prerm @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +#DEBHELPER# + +exit 0 + +# vim: set foldmethod=marker: --- openldap-2.4.28.orig/debian/slapd.README.Debian +++ openldap-2.4.28/debian/slapd.README.Debian @@ -0,0 +1,213 @@ +Notes about Debian's slapd package +---------------------------------- + + Please see the bottom of this file for the ways in which the Debian + OpenLDAP packages differ from the upstream OpenLDAP releases. Please + report any bugs that may be related to those changes to Debian via + reportbug and not to upstream; upstream is not responsible for changes + made in the Debian package. + +The OpenLDAP configuration + + Since version 2.4.23-3 the configuration of OpenLDAP has been changed to + /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an + automatic migration to the new configuration style. With the new + configuration style it is possible to change values on the fly without + restarting slapd. Changes are made through the use of ldif files and + ldap{add,modify}. In Debian you can use the following command to search + the configuration: + + ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" + + To modify configuration use the command: + + ldapmodify -Y EXTERNAL -H ldapi:/// -f + + For configuration options see the several manpages that exist or the + documentation provided upstream. + +Using BDB/HDB Backends + + HDB is the recommended database backend. It's the same as BDB but + allows some additional operations. + + slapd BDB and HDB backends rely on libdb to store data on your disks. + libdb uses a configuration file to tune database specific + parameters. This file is called DB_CONFIG, and should be created in each + directory containing one of your ldap databases, usually /var/lib/ldap. + + It is VERY IMPORTANT to correctly setup a DB_CONFIG file. It is not + just a matter of performance: depending on the version of slapd and + libdb being used, your slapd may just hang and stop answering queries. + + To correctly set up your DB_CONFIG file, please refer to + README.DB_CONFIG.gz in this directory. + +BerkeleyDB Version + + slapd has been built against version 4.8.30 of BerkeleyDB. This version is + supported by the upstream developers. + + slapd will automatically handle database recovery, so you generally do + not need the BerkeleyDB utilities. However, if you want to perform + other operations directly on the raw database without using the slapd + tools, install db4.8-util and use those BerkeleyDB utilities. Utilities + from other db*-util packages will not work correctly and may render the + database unusable by slapd. + +Logging + + slapd logs to the facility local4. If you want to direct slapd's logs to + a separate log file, add a line like: + + local4.debug /var/log/slapd.log + + to /etc/syslog.conf. You may also want to add ";local4.none" to the + catch-all entry that logs to /var/log/messages so that it doesn't + continue to receive slapd logs. + +SASL Configuration + + To enable GSSAPI (Kerberos) authentication to slapd, install either the + libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal packages + depending on which Kerberos implementation you want to use. + + SASL configuration files may be placed either in /usr/lib/sasl2 (the + standard path, but not a great place for configuration files) or in + /etc/ldap/sasl2. A SASL configuration file should be named after the + program that will use it. So, for instance, to configure SASL for + slapd, create a file named slapd.conf in /etc/ldap/sasl2 or in + /usr/lib/sasl2. + +TCP Wrappers + + The Debian slapd package is compiled with TCP wrappers. This means that + you are able to restrict access to the LDAP server using /etc/hosts.deny + or /etc/hosts.allow. + +Running slapd under a Different UID/GID + + By default, slapd runs as openldap in the openldap group. Keeping the + default is easiest. If for some reason you need to run slapd as a + different user: + + - Create the user/group for slapd -- usually: + + adduser --system --group --disabled-login + + - Stop slapd: + + /etc/init.d/slapd stop + + - Tell slapd to run under a different UID by editing /etc/default/slapd + and setting SLAPD_USER and SLAPD_GROUP. (For example, + SLAPD_USER="ldap", SLAPD_GROUP="ldap") + + - Tell linux slapd can access all database files -- usually: + + chown -R : /var/lib/ldap + + - Tell linux slapd can access configuration files -- usually: + + chgrp -R /etc/ldap/slapd.d + chmod -R g+rX /etc/ldap/slapd.d + + - Tell linux slapd can access /var/run/slapd and write a PID file: + + chgrp /var/run/slapd + chmod 0770 /var/run/slapd + + - Start slapd -- /etc/init.d/slapd start + + Once you have done so, remember to always run any utilities that access + or update the database (such as slapadd) as the same user that slapd is + running as. If you forget, you will need to redo the chown noted above. + +If slapd Depends on Other Service + + In the event that you are running slapd with a different back-end module + that depends on other programs (such as an SQL database) you may need to + adjust the runlevels of slapd to start after the SQL database. + +Creating NSS Flat Files from LDAP + + If you have need to create passwd/shadow/etc files from an LDAP + directory there is now a script included with these Debian packages + which may help you. The script is in /usr/share/slapd/ and is named + ldiftopasswd. In general you should be able to do: + + ldapsearch | ldiftopasswd + + and it will generate the files for you. You will need appropriate + privileges, of course, and appropriate arguments to ldapsearch. + +Modifications Compared to Upstream + + Compared to stock OpenLDAP as shipped by the OpenLDAP project, the + Debian packages make the following modifications. If you see any + problems caused by or related to these modifications, please report them + via the Debian bug tracking system using reportbug, not to the OpenLDAP + project. + + * The only LDAP library installed is libldap_r, which in the upstream + release is only used for slapd, and libldap is a symlink to it. This + library has thread safety for use with slapd, but that thread safety + is not checked for any application other than slapd by upstream. + Upstream does not support using libldap_r for programs other than + slapd. The current library installation strategy in the Debian + packages is an attempt to deal with problems caused by symbol + conflicts between libldap and libldap_r when both are pulled in by the + same process (most commonly by libnss-ldap) and the number of packages + that use libldap in threaded code expecting thread safety. + + * libldap and libber have symbol versioning added to prevent problems + during partial upgrades from older versions of the libraries. + + * slapindex has been patched to warn when run as root and the man page + has been patched to notify users that slapindex should be run as the + user slapd runs as. There is some upstream discussion of a better + fix. + + * slapd is configured to look in /etc/ldap/sasl2 in addition to + /usr/lib/sasl2 for SASL configuration files. + + * libldap has been patched to work around what may be a bug in GnuTLS in + calculating the length of subjectAltName in TLS certificates. See + . + + * The libldap library is patched to add two functions used by + evolution-exchange for NTLM authentication to Active Directory. See + . + + * Several paths have been adjusted to fit Debian file permissions and + for Filesystem Hierarchy Standard compliance, namely: + - The ldapi socket is in /var/run/slapd + - The slapi error log has been moved to /var/log/slapi-errors + - The slapd database location is /var/lib/ldap + + In addition, upstream patches from CVS may be applied to fix bugs in the + current release and will not be noted here unless they're not expected + to be in the next release. + + Finally, note that the Debian OpenLDAP packages have been compiled + against GnuTLS instead of OpenSSL to avoid licensing problems for + GPL-covered packages that use the LDAP libraries. This is a supported + configuration, but it's not widely used outside of Debian. + + For the exact patches applied to the upstream source and references to + the relevant upstream ITS numbers, Debian bugs, and upstream + synchronization status, see the debian/patches directory in the + openldap source package. + + -- Russ Allbery , Thu, 14 Feb 2008 18:47:07 -0800 + +Apparmor Profile +---------------- + + If your system uses AppArmor, please note that the shipped enforcing profile + works with the default installation, and changes in your configuration may + require changes to the installed apparmor profile. Please see + https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this + software. + + -- Jamie Strandboge , Mon, 4 Feb 2008 21:18:21 -0500 --- openldap-2.4.28.orig/debian/slapd.NEWS +++ openldap-2.4.28/debian/slapd.NEWS @@ -0,0 +1,18 @@ +openldap (2.4.23-3) unstable; urgency=low + + The OpenLDAP packages in Debian now use the slapd.d LDIF-based + configuration model by default. Please see README.Debian for more + information. + + -- Matthijs Mohlmann Mon, 19 Jul 2010 10:48:19 +0200 + +openldap2.3 (2.3.23-1) unstable; urgency=low + + The Debian slapd package no longer includes support for the LDBM backend. + It has been disabled as a result of concerns over data loss and lack of + upstream support. For more information, see: + http://www.openldap.org/faq/index.cgi?_highlightWords=ldbm&file=756 + The BDB backend is now the main backend to use. This backend is supported + upstream and has several fixes included for known problems. + + -- Matthijs Mohlmann Sun, 26 Feb 2006 20:05:44 +0100 --- openldap-2.4.28.orig/debian/slapd.templates +++ openldap-2.4.28/debian/slapd.templates @@ -0,0 +1,143 @@ +Template: slapd/no_configuration +Type: boolean +Default: false +_Description: Omit OpenLDAP server configuration? + If you enable this option, no initial configuration or database will be + created for you. + +Template: slapd/dump_database +Type: select +__Choices: always, when needed, never +Default: when needed +_Description: Dump databases to file on upgrade: + Before upgrading to a new version of the OpenLDAP server, the data from + your LDAP directories can be dumped into plain text files in the + standard LDAP Data Interchange Format. + . + Selecting "always" will cause the databases to be dumped + unconditionally before an upgrade. Selecting "when needed" will only + dump the database if the new version is incompatible with the old + database format and it needs to be reimported. If you select "never", + no dump will be done. + +Template: slapd/dump_database_destdir +Type: string +Default: /var/backups/slapd-VERSION +_Description: Directory to use for dumped databases: + Please specify the directory where the LDAP databases will be exported. + In this directory, several LDIF files will be created which correspond + to the search bases located on the server. Make sure you have enough + free space on the partition where the directory is located. The first + occurrence of the string "VERSION" is replaced with the server version + you are upgrading from. + +Template: slapd/move_old_database +Type: boolean +Default: true +_Description: Move old database? + There are still files in /var/lib/ldap which will probably break + the configuration process. If you enable this option, the maintainer + scripts will move the old database files out of the way before + creating a new database. + +Template: slapd/invalid_config +Type: boolean +Default: true +_Description: Retry configuration? + The configuration you entered is invalid. Make sure that the DNS domain name + is syntactically valid, the field for the organization is not left empty and + the admin passwords match. If you decide not to retry the configuration the + LDAP server will not be set up. Run 'dpkg-reconfigure slapd' if you want to + retry later. + +Template: slapd/domain +Type: string +_Description: DNS domain name: + The DNS domain name is used to construct the base DN of the LDAP directory. + For example, 'foo.example.org' will create the directory with + 'dc=foo, dc=example, dc=org' as base DN. + +Template: shared/organization +Type: string +_Description: Organization name: + Please enter the name of the organization to use in the base DN of your + LDAP directory. + +Template: slapd/password1 +Type: password +_Description: Administrator password: + Please enter the password for the admin entry in your LDAP directory. + +Template: slapd/password2 +Type: password +_Description: Confirm password: + Please enter the admin password for your LDAP directory again to verify + that you have typed it correctly. + +Template: slapd/password_mismatch +Type: note +_Description: Password mismatch + The two passwords you entered were not the same. Please try again. + +Template: slapd/purge_database +Type: boolean +Default: false +_Description: Do you want the database to be removed when slapd is purged? + +Template: slapd/internal/adminpw +Type: password +Description: Encrypted admin password: + Internal template, should never be displayed to users. + +Template: slapd/internal/generated_adminpw +Type: password +Description: Generated admin password: + Internal template, should never be displayed to users. + +Template: slapd/allow_ldap_v2 +Type: boolean +Default: false +_Description: Allow LDAPv2 protocol? + The obsolete LDAPv2 protocol is disabled by default in slapd. Programs + and users should upgrade to LDAPv3. If you have old programs which + can't use LDAPv3, you should select this option and 'allow bind_v2' + will be added to your slapd.conf file. + +Template: slapd/upgrade_slapcat_failure +Type: error +#flag:translate!:5 +#flag:comment:4 +# This paragraph is followed by a (non translatable) paragraph +# containing a command line +#flag:comment:6 +# Translators: keep "${location}" unchanged. This is a variable that +# will be replaced by a directory name at execution +_Description: slapcat failure during upgrade + An error occurred while upgrading the LDAP directory. + . + The 'slapcat' program failed while extracting the LDAP directory. This + may be caused by an incorrect configuration file (for example, missing + 'moduleload' lines to support the backend database). + . + This failure will cause 'slapadd' to fail later as well. The old database + files will be moved to /var/backups. If you want to try this upgrade + again, you should move the old database files back into place, fix + whatever caused slapcat to fail, and run: + . + slapcat > ${location} + . + Then move the database files back to a backup area and then try running + slapadd from ${location}. + +Template: slapd/backend +Type: select +Choices: BDB, HDB +Default: HDB +_Description: Database backend to use: + The HDB backend is recommended. HDB and BDB use similar storage formats, + but HDB adds support for subtree renames. Both support the same + configuration options. + . + In either case, you should review the resulting database configuration + for your needs. See /usr/share/doc/slapd/README.DB_CONFIG.gz for more + details. --- openldap-2.4.28.orig/debian/changelog +++ openldap-2.4.28/debian/changelog @@ -0,0 +1,3944 @@ +openldap (2.4.28-1.1ubuntu6) quantal; urgency=low + + * Fix issue with intermittent connection issues when using LDAPv3 + protocol (LP: #1023025): + - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked + patch from upstream VCS which ensures objects are initialized before + re-use. + + -- Pierre Fersing Thu, 19 Jul 2012 14:05:09 +0100 + +openldap (2.4.28-1.1ubuntu5) quantal; urgency=low + + * debian/rules: Add smbk5pwd build. + * debian/control: Add slapd-smbk5pwd binary package. + * debian/patches/heimdal-fix: adapt parameters of + hdb_generate_key_set_password() to heimdal 1.6~git20120311 + (patch from Debian #664930). + + -- Jorge Salamero Sanz Wed, 18 Jul 2012 09:30:28 -0400 + +openldap (2.4.28-1.1ubuntu4) precise; urgency=low + + * debian/control: Build-Depends on dh-apparmor (LP: #948481) + + -- Jamie Strandboge Thu, 05 Apr 2012 09:34:37 -0500 + +openldap (2.4.28-1.1ubuntu3) precise; urgency=low + + * Add its-7176-only-poll-sockets-for-write-as-needed.diff + (LP: #932823). + + -- Timo Aaltonen Tue, 21 Feb 2012 15:36:29 +0200 + +openldap (2.4.28-1.1ubuntu2) precise; urgency=low + + * Remove debian/patches/CVE-2011-4079; it's already in this upstream + version. Fixes FTBFS. + + -- Daniel T Chen Wed, 25 Jan 2012 17:26:17 -0500 + +openldap (2.4.28-1.1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema + + debian/patches/gssapi.diff: + - Update patch so that likewise-open is usuable again. (LP: #661547) + + debian/patches/service-operational-before-detach: New patch replacing old one + of the same name as previous could cause database corruption based on upstream commits. + (LP: #727973) + + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize() + (CVE-2011-4079) + + + -- Chuck Short Mon, 23 Jan 2012 10:01:13 -0500 + +openldap (2.4.28-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Disable the mdb backend on non-Linux, it looks like it doesn't work with + linuxthreads (closes: #654824). + + -- Julien Cristau Mon, 16 Jan 2012 19:45:42 +0100 + +openldap (2.4.28-1) unstable; urgency=low + + * New upstream release. + - Fixes CVE-2011-4079. Closes: #647610. + - Fixes support for proxy authorization with SASL-GSSAPI. + Closes: #608815. + - Drop patch service-operational-before-detach, which came from upstream. + - Drop patch fix-its6898-locking-issue, included upstream. + - Refresh other patches as needed. + * debian/slapd.scripts-common: quote the argument to slappasswd, to cope + with shell characters in the string. Thanks to Nicolai Ehemann + for the patch. Closes: #635931. + * Install ldif.h in libldap2-dev, now that it's been blessed upstream. + Closes: #644985. + * debian/patches/no-bdb-ABI-second-guessing: don't force an exact match on + the upstream version of libdb; this is redundant with our packaging + system, and causes spurious errors when there's a non-ABI-breaking + BDB upstream release. Closes: #651333. + * Build-conflict with the ancient autoconf2.13, which is incompatible with + dh-autoreconf. (Maybe dh-autoreconf itself should conflict with it?) + Closes: #651598. + + [ Updated debconf translations ] + * Dutch, thanks to Jeroen Schot . Closes: #651400. + + -- Steve Langasek Thu, 05 Jan 2012 06:07:11 +0000 + +openldap (2.4.25-4ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema + + debian/patches/gssapi.diff: + - Update patch so that likewise-open is usuable again. (LP: #661547) + + debian/patches/service-operational-before-detach: New patch replacing old one + of the same name as previous could cause database corruption based on upstream commits. + (LP: #727973) + + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize() + (CVE-2011-4079) + + -- Chuck Short Tue, 22 Nov 2011 06:17:49 +0000 + +openldap (2.4.25-4) unstable; urgency=low + + * Drop explicit depends on libdb4.8, since we're now linking against + libdb5.1. Thanks to Peter Marschall for catching. Closes: #621403 + again. + * Rebuild against cyrus-sasl2 2.1.25. Closes: #628237. + * Use dh_autoreconf instead of a locally-patched autogen.sh. + * debian/patches/no-AM_INIT_AUTOMAKE: don't use AM_INIT_AUTOMAKE macro + when we aren't using automake. + * Convert debian/rules to dh(1). + * use DEB_CFLAGS_MAINT_APPEND with appropriate versioned dependency on + debhelper and dpkg-dev, so we can pick up dpkg-buildflags for our + policy-mandated flags - as well as our security-enhancing ones! + Closes: #644427. + * Also set hardening=+pie,+bindnow buildflags options for maximum + security, since this is a security-sensitive daemon dealing with + untrusted input. Ubuntu has been building with these flags for a + while via hardening-wrappers, so the change is presumed safe. + * Drop debian/check_config. The upstream configure script now enforces + --with-cyrus-sasl, so there's no need for a second check. + * debian/po/es.po: tweak an ambiguous string in the Spanish debconf + translation, noticed in response to a submitted Catalan translation + * debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff: + Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. + Thanks to Jan-Marek Glogowski for the + patch. Closes: #327585. + + [ Updated debconf translations ] + * Catalan, thanks to Innocent De Marchi . + Closes: #644274. + + -- Steve Langasek Tue, 18 Oct 2011 01:08:34 +0000 + +openldap (2.4.25-3ubuntu3) precise; urgency=low + + * Rebuild for Perl 5.14. + + -- Colin Watson Tue, 15 Nov 2011 20:50:09 +0000 + +openldap (2.4.25-3ubuntu2) precise; urgency=low + + * SECURITY UPDATE: potential denial of service (LP: #884163) + - debian/patches/CVE-2011-4079: fix off by one error in + postalAddressNormalize() + - CVE-2011-4079 + + -- Jamie Strandboge Mon, 14 Nov 2011 13:59:56 -0600 + +openldap (2.4.25-3ubuntu1) precise; urgency=low + + * Merge from debian unstable. Remaining changes: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema + + debian/patches/gssapi.diff: + - Update patch so that likewise-open is usuable again. (LP: #661547) + + debian/patches/service-operational-before-detach: New patch replacing old one + of the same name as previous could cause database corruption based on upstream commits. + (LP: #727973) + + -- Chuck Short Wed, 19 Oct 2011 20:53:08 +0000 + +openldap (2.4.25-3) unstable; urgency=low + + * Brown paper bag: really fix the .links.in handling, so we don't generate + broken /usr/lib/${DEB_HOST_MULTIARCH} dirs. + + -- Steve Langasek Mon, 15 Aug 2011 09:50:37 +0000 + +openldap (2.4.25-2) unstable; urgency=low + + [ Matthijs Möhlmann ] + * Change to bdb 5.1 (Closes: #621403) + * Add note to ldap-utils package how to unfold lines. (Closes: #530519) + (Thanks to Peter Marschall and Javier Barroso) + + [ Steve Langasek ] + * Acknowledge NMU for bug #596343; thanks to Thijs Kinkhorst for the fix! + * Bump to compat level 7, so we don't have to spell out debian/tmp in + every single .install file + * Build for multiarch. + + -- Steve Langasek Sun, 14 Aug 2011 23:17:09 -0700 + +openldap (2.4.25-1.1ubuntu4) oneiric; urgency=low + + * Brown paper bag: really fix the .links.in handling, so we don't generate + broken /usr/lib/${DEB_HOST_MULTIARCH} dirs. + + -- Steve Langasek Mon, 15 Aug 2011 09:43:29 +0000 + +openldap (2.4.25-1.1ubuntu3) oneiric; urgency=low + + * Cherry-pick multiarch support from Debian (LP: #826601): + - Bump to compat level 7, so we don't have to spell out debian/tmp in + every single .install file + - Build for multiarch. + + -- Steve Langasek Mon, 15 Aug 2011 02:23:43 -0700 + +openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low + + * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270) + + -- Martin Pitt Thu, 14 Jul 2011 15:18:02 +0200 + +openldap (2.4.25-1.1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema + + debian/patches/gssapi.diff: + - Update patch so that likewise-open is usuable again. (LP: #661547) + + debian/patches/service-operational-before-detach: New patch replacing old one + of the same name as previous could cause database corruption based on upstream commits. + (LP: #727973) + + -- Chuck Short Sun, 05 Jun 2011 17:38:40 +0100 + +openldap (2.4.25-1.1) unstable; urgency=low + + * Non-maintainer upload to fix RC bug. + * Fix "dpkg-reconfigure slapd". Closes: #596343 + + -- Thijs Kinkhorst Tue, 31 May 2011 11:57:29 +0200 + +openldap (2.4.25-1ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema + + debian/patches/gssapi.diff: + - Update patch so that likewise-open is usuable again. (LP: #661547) + + debian/patches/service-operational-before-detach: New patch replacing old one + of the same name as previous could cause database corruption based on upstream commits. + (LP: #727973) + + Dropped: + - debian/patches/gold: Use the debian version instead + - debian/patches/CVE-2011-1024: Fixed upstream + - debian/patches/CVE-2011-1025: Fixed upstream + - debian/patches/CVE-2011-1081: Fixed upstream + + -- Chuck Short Sun, 08 May 2011 16:34:09 +0100 + +openldap (2.4.25-1) unstable; urgency=low + + * New upstream version (Closes: #617606, #618904, #606815, #608813) + - Fixes CVE-2011-1024, CVE-2011-1025, CVE-2011-1081 + - slapd server process frequently hangs during everyday usage is fixed in + newer versions of openldap according to the bug submitter + * Refresh all patches + * Remove manpage-tlscyphersuite-additions, applied upstream + * Remove issue-6534-patch, applied upstream + * Add Slovak translation, thanks Slavko (Closes: #608699) + * Add debian specific patch for ldap.conf. Add TLS_CACERT option and set it + by default to /etc/ssl/certs/ca-certificates.crt (Closes: #555409, #616703) + * Add patch to fix a FTBFS with binutils-gold (Closes: #555867) + * Add slapschema, just hardlink it (Closes: #601569) + * Update patch service-operational-before-detach (Closes: #616164, #598361) + * Add ldif_* symbols to libldap-2.4-2 + * Add upstream patch for a locking issue in libldap_r + * Fix build failure, use @SHELL@ instead of hardcoded /bin/sh (build/top.mk) + (Closes: #621925) + + -- Matthijs Möhlmann Mon, 11 Apr 2011 22:10:14 +0200 + +openldap (2.4.23-7) unstable; urgency=low + + * Updated vietnamese translation, thanks Clytie Siddall + (Closes: #601537, #598575) + * Updated portuguese translation, thanks Traduz (Closes: #599760) + * Updated danish translation, thanks Joe Dalton (Closes: #599835) + + -- Matthijs Mohlmann Sat, 06 Nov 2010 12:13:01 +0100 + +openldap (2.4.23-6ubuntu7) oneiric; urgency=low + + * Rebuild for Perl 5.12. + + -- Colin Watson Sun, 08 May 2011 13:40:28 +0100 + +openldap (2.4.23-6ubuntu6) natty; urgency=low + + * SECURITY UPDATE: fix successful anonymous bind via chain overlay when + using forwarded authentication failures + - debian/patches/CVE-2011-1024 + - CVE-2011-1024 + * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb + backend. Note: Ubuntu is not compiled with --enable-ndb by default + - debian/patches/CVE-2011-1025 + - CVE-2011-1025 + * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests + and requestDN is empty + - debian/patches/CVE-2011-1081 + - CVE-2011-1081 + - LP: #742104 + + -- Jamie Strandboge Thu, 07 Apr 2011 11:36:53 -0500 + +openldap (2.4.23-6ubuntu5) natty; urgency=low + + * debian/patches/service-operational-before-detach: New patch replacing + old one of same name as previous could cause database corruption, + based on upstream commits. (LP: #727973) + + -- Dave Walker (Daviey) Wed, 02 Mar 2011 20:33:08 +0000 + +openldap (2.4.23-6ubuntu4) natty; urgency=low + + * Fix FTBFS with ld.gold. + + -- Matthias Klose Wed, 19 Jan 2011 07:39:49 +0100 + +openldap (2.4.23-6ubuntu3) natty; urgency=low + + * debian/patches/gssapi.diff: + Update patch so that likewise-open is usable again (LP: #661547) + + -- Thierry Carrez (ttx) Fri, 26 Nov 2010 15:50:11 +0100 + +openldap (2.4.23-6ubuntu2) natty; urgency=low + + * Install nss overlay (LP: #675391): + - debian/rules: run install target for nssov module. + - debian/patches/nssov-build: fix patch to install schema in + /etc/ldap/schema. + + -- Mathias Gug Wed, 17 Nov 2010 18:16:42 -0500 + +openldap (2.4.23-6ubuntu1) natty; urgency=low + + * Merge from Debian unstable: + - Install a default DIT (LP: #442498). + - Document cn=config in README file (LP: #370784). + - remaining changes: + + AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - use dh_apparmor: + - debian/rules: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + + Enable GSSAPI support (LP: #495418): + - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining + principal + - debian/patches/series: apply gssapi.diff patch. + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + Don't build smbk5pwd overlay since it uses heimdal instead of krb5: + - debian/control: + - remove build-dependency on heimdal-dev. + - remove slapd-smbk5pwd binary package. + - debian/rules: don't build smbk5pwd slapd module. + + debian/{control,rules}: enable PIE hardening + + ufw support (LP: #423246): + - debian/control: suggest ufw. + - debian/rules: install ufw profile. + - debian/slapd.ufw.profile: add ufw profile. + + Enable nssoverlay: + - debian/patches/nssov-build, debian/series, debian/rules: + Apply, build and package the nss overlay. + - debian/schema/extra/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + + debian/rules, debian/schema/extra/: + Fix configure rule to supports extra schemas shipped as part + of the debian/schema/ directory. + + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in + neither the default DIT nor via an Authn mapping. + + debian/slapd.scripts-common: adjust minimum version that triggers a + database upgrade. Upgrade from maverick shouldn't trigger database + upgrade (which would happen with the version used in Debian). + + debian/slapd.scripts-common: add slapcat_opts to local variables. + Remove unused variable new_conf. + + debian/slapd.script-common: Fix package reconfiguration. + - Fix backup directory naming for multiple reconfiguration. + + debian/slapd.default, debian/slapd.README.Debian: + use the new configuration style. + + -- Mathias Gug Fri, 12 Nov 2010 15:19:07 -0500 + +openldap (2.4.23-6) unstable; urgency=high + + * Check for an empty directory to prevent an rm -f /*. (Closes: #597704) + + -- Matthijs Mohlmann Thu, 23 Sep 2010 10:17:50 +0200 + +openldap (2.4.23-5) unstable; urgency=high + + [ Steve Langasek ] + * High-urgency upload for RC bugfix. + * debian/slapd.scripts-common: fix gratuitous (and wrong) use of grep in + get_suffix(), which causes us to incorrectly parse any slapd.conf that + uses tabs instead of spaces. Closes: #595672. + * debian/slapd.init, debian/slapd.scripts-common: when $SLAPD_CONF is not + set in /etc/default/slapd, we should always set a default value, giving + precedence to slapd.d and falling back to slapd.conf. Users who don't + want to use an existing slapd.d should point at slapd.conf explicitly. + Closes: #594714, #596343. + * debian/slapd.init: 'invoke-rc.d slapd stop' should not fail due to the + absence of a slapd configuration; we should still exit 0 so that the + package can be removed gracefully. Closes: #596100. + * drop build-conflicts with libssl-dev; we explicitly pass + --with-tls=gnutls to configure, so there's no risk of a misbuild here. + * debian/slapd.default: now that we have a sensible default behavior in + both slapd.init and the maintainer scripts, leave SLAPD_CONF empty to + save pain later. + * debian/slapd.scripts-common: ... and do the same in + migrate_to_slapd_d_style, we just need to comment out the user's + previous entry instead of blowing it away. + * debian/slapd.scripts-common: call get_suffix in a way that lets us + separate responses by newlines, to properly handle the case when a + DN has embedded spaces. Introduces a few more stupid fd tricks to work + around possible problems with debconf. Closes: #595466. + * debian/slapd.scripts-common: when parsing the names of includes, handle + double-quotes and escape characters as described in slapd.conf(5). + Closes: #595784. + * debian/slapd.scripts-common, debian/slapd.postinst: on upgrade from + versions <= 2.4.23-4, explicitly grant access to cn=Subschema, which + otherwise is blocked by our added olcAccess settings. Closes: #596326. + * debian/slapd.init.ldif: set the acl in the default LDIF for new installs, + too. + * Likewise, grant access to dn.exact="" so that base dn autodiscovery + works as intended. Closes: #596049. + * debian/slapd.init.ldif: synchronize our behavior on new installs with + that on upgrades, avoiding the non-standard cn=localroot,cn=config. + * debian/slapd.scripts-common: don't run the migration code if slapd.d + already exists. Closes: #593965. + + [ Matthijs Mohlmann ] + * Remove upgrade_supported_from_backend, implemented patch from + Peter Marschall to automatically detect if an upgrade is + supported. (Closes: #594712) + + [ Peter Marschall ] + * debian/slapd.init: correctly set the slapd.conf argument even when + SLAPD_PIDFILE is non-empty in /etc/default/slapd. Closes: #593880. + * debian/slapd.scripts-common: pass -g to slapadd/slapcat, so that + subordinate databases aren't incorrectly included in the dump/restore of + the parent database. Closes: #594821. + + -- Steve Langasek Mon, 13 Sep 2010 06:59:11 +0000 + +openldap (2.4.23-4) unstable; urgency=low + + [ Steve Langasek ] + * Bump the database upgrade version check to 2.4.23-4; should have been + set to 2.4.23-1 when we switched to db4.8, but was missed so we need to + clean up. Closes: #593550. + + [ Matthijs Mohlmann ] + * Fix root access to cn=config on upgrades from configuration style slapd.conf + Thanks to Mathias Gug (Closes: #593566, #593878) + + -- Matthijs Mohlmann Thu, 26 Aug 2010 20:30:51 +0200 + +openldap (2.4.23-3) unstable; urgency=low + + * Configure the newly installed openldap package using slapd.d instead of + slapd.conf, merged from ubuntu. (Closes: #562723, #494155, #333428) + * Update the debconf templates by running debconf-updatepo. + * We do not support upgrades from older releases then lenny, so removed some + upgrade functions from slapd.scripts-common. + * Updated japanese translation, thanks Kenshi Muto (Closes: #589508) + * Updated czech translation, thanks Miroslav Kure (Closes: #589569) + * Update slapd.README.Debian and slapd.NEWS and note the new configuration + style. + * Fixes CVE-2010-0211 and CVE-2010-0212 (Closes: #589852) + * Update italian translation, thanks Luca Monducci (Closes: #590154) + * Update spanish translation, thanks Francisco Javier Cuadrado + (Closes: #590829) + * Update basque translation, thanks Iñaki Larrañaga Murgoitio + * Bump Standards-Version to 3.9.1 + * Added debian specific patch to wait until slapd is operational before + detaching to the terminal (Closes: #589915) + * Add a lintian overrides for libldap. + * Empty dependency_libs line in .la files. (Closes: #591550) + * Update galician translation, thanks Jorge Barreiro (Closes: #592815) + + -- Matthijs Mohlmann Tue, 17 Aug 2010 22:00:16 +0200 + +openldap (2.4.23-2) unstable; urgency=medium + + * Depend on libdb4.8 >= 4.8.30 (Closes: #588969) + * Urgency previous as previous version fixes a RC bug. + + -- Matthijs Mohlmann Wed, 14 Jul 2010 10:17:27 +0200 + +openldap (2.4.23-1) unstable; urgency=low + + * New upstream version + * Change to build dependency libdb4.8-dev instead of libdb4.7-dev + * Updated french translation thanks Christian Perrier (Closes: #579192) + * Updated swedish translation thanks Martin Bagge (Closes: #580145) + * Updated german translation thanks Helge Kreutzmann (Closes: #579582) + * Updated russian translation thanks Yuri Kozlov (Closes: #585688) + * Fix bashisms in debian/rules (Closes: #581454) + * Add documentation patch (Closes: #513270) + * Refreshed all quilt patches. + * Bump Standards-Version to 3.9.0 + + -- Matthijs Mohlmann Mon, 12 Jul 2010 13:25:00 +0200 + +openldap (2.4.23-0ubuntu4) natty; urgency=low + + * debian/slapd.templates: amended typo in slapd/move_old_database + (LP: #666028) + + -- James Page Mon, 08 Nov 2010 10:00:58 +0000 + +openldap (2.4.23-0ubuntu3.2) maverick-proposed; urgency=low + + * debian/slapd.templates: re-add slapd/move_old_database template as it's + used during the package upgrade. Thanks to James Page for pointing it. + * debian/slapd.config: restore debconf question slapd/move_old_database. + + -- Mathias Gug Thu, 14 Oct 2010 16:56:38 -0400 + +openldap (2.4.23-0ubuntu3.1) maverick-proposed; urgency=low + + [ James Page ] + * Fixed install/upgrade process to dump/restore databases due + to uplift to libdb4.8-dev (LP: #658227) + + -- Mathias Gug Thu, 14 Oct 2010 14:50:49 -0400 + +openldap (2.4.23-0ubuntu3) maverick; urgency=low + + * debian/rules: move dh_apparmor before dh_installinit + + -- Jamie Strandboge Fri, 06 Aug 2010 17:34:21 -0500 + +openldap (2.4.23-0ubuntu2) maverick; urgency=low + + * convert to using dh_apparmor: + - debian/rules, debian/slapd.post{inst,rm}: use dh_apparmor + - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 + * debian/apparmor-profile: use local include + + -- Jamie Strandboge Fri, 06 Aug 2010 15:08:55 -0500 + +openldap (2.4.23-0ubuntu1) maverick; urgency=low + + * New release, features include: + + Fixed libldap to return server's error code (ITS#6569) + + Fixed libldap memleaks (ITS#6568) + + Fixed liblutil off-by-one with delta (ITS#6541) + + Fixed slapd acls with glued databases (ITS#6468) + + Fixed slapd syncrepl rid logging (ITS#6533) + + Fixed slapd modrdn handling of invalid values (ITS#6570) + + Fixed slapd-bdb hasSubordinates computation (ITS#6549) + + Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474) + + Fixed slapd-bdb entry cache delete failure (ITS#6577) + + Fixed slapd-ldap to return control responses (ITS#6530) + + Fixed slapo-ppolicy to use Debug (ITS#6566) + + Fixed slapo-refint to zero out freed DN vals (ITS#6572) + + Fixed slapo-rwm to use Debug (ITS#6566) + + Fixed slapo-sssvlv to use Debug (ITS#6566) + + Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555) + + Fixed slapo-valsort to use Debug (ITS#6566) + + Fixed contrib/nssov network.c missing patch (ITS#6562) + + Fixed test043 attribute sorting (ITS#6553) + + slapd-config(5) note default rootdn (ITS#6546) + * Rebased patches debian/patches/dropped nssov-build + * Resynchronize with Debian: + + debian/control: + - Bump standards-version to 3.9.0 + - Use libdb4.8-dev (LP: #572489) + + Added debian/patches/issue-6534-patch + + Added debian/patches/ldap-conf-tls-cacertdir + * Add ufw support, thanks to PatRiehecky (LP: #423246) + + [Adam Sommer] + * debian/rules, debian/slapd.py: Add apport hook. (LP: #610544) + + -- Chuck Short Wed, 28 Jul 2010 11:35:16 -0400 + +openldap (2.4.21-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream version + (Closes: #561144, #465024, #502769, #528695, #564686, #504728) + * Add upstream manpage for ldapexop; thanks to Peter Marschall + . Closes: #549291. + + [ Matthijs Mohlmann ] + * Ack NMU (Closes: #553432) + * Update Standards-Version to 3.8.4 + * Fix NEWS entry to have the correct version number + * Improve the wording for the slapd/invalid_config question (Closes: #452834) + * Make lintian a bit more happy (Closes: #518660) + * Fix bashism (Closes: #518657) + * Refresh all patches + * Add patch from upstream (Closes: #549642) + * Reworked the configure.options a bit to include some more options + * Enable dynamic acls + * Use slappasswd to create a secure password (Closes: #490930) + * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950) + * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113) + * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346) + * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073) + * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900) + * Add lsb logging, used patch from David Härdeman (Closes: #385898) + * Use dh_lintian to install the lintian-overrides + * Added critical error report when slapcat fails (Closes: #226090) + + -- Matthijs Mohlmann Thu, 22 Apr 2010 23:40:30 +0200 + +openldap (2.4.21-0ubuntu5) lucid; urgency=low + + * Fix local root connection access: replace olcAuthzRegexp mapping to + cn=localroot,cn=config with using the SASL dn directly in olcAccess. + Makes upgrades much simpler and robust (LP: #563829). + + -- Mathias Gug Fri, 23 Apr 2010 00:23:31 -0400 + +openldap (2.4.21-0ubuntu4) lucid; urgency=low + + [ Simon Olofsson ] + * debian/slapd.postinst: + - Show a message after successful migration (LP: #538848) + + [ Jorgen Rosink ] + * debian/slapd.init: add simple status checking with LSB compatible exit + codes (LP: #562377) + * debian/slapd.init.ldif: + - remove admin user in default config database (LP: #556176) + - in default config, add olcAccess entries giving access to controls + available and cn=subschema (LP: #427842) + + [ Scott Moser ] + * debian/slapd.scripts-common: Do not create /nonexistent directory + for openldap user's home (LP: #556176) + * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070) + + -- Scott Moser Mon, 12 Apr 2010 16:16:47 -0400 + +openldap (2.4.21-0ubuntu3) lucid; urgency=low + + * debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases + before trying to convert to slapd.d, to avoid upgrade failure from hardy + (LP: #536958) + * debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in + olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230) + + -- Thierry Carrez Mon, 29 Mar 2010 13:31:47 +0200 + +openldap (2.4.21-0ubuntu2) lucid; urgency=low + + * debian/apparmor-profile: Update apparmor profile. (LP: #508190) + + -- Chuck Short Tue, 09 Mar 2010 13:33:35 -0500 + +openldap (2.4.21-0ubuntu1) lucid; urgency=low + + * New upstream release. + * debian/rules, debian/schema/extra/: + Fix get-orig-source rule to supports extra schemas shipped as part of the + debian/schema/ directory. + + -- Mathias Gug Thu, 18 Feb 2010 00:58:13 -0500 + +openldap (2.4.18-0ubuntu2) lucid; urgency=low + + * debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise): + - Add --with-gssapi support + - Make guess_service_principal() more robust when determining principal + * Enable GSSAPI support (LP: #495418): + - debian/configure.options: Configure with --with-gssapi + - debian/control: Added libkrb5-dev as a build depend + + -- Thierry Carrez Fri, 11 Dec 2009 11:31:11 +0100 + +openldap (2.4.18-0ubuntu1) karmic; urgency=low + + * New upstream release: (LP: #419515): + + pcache overlay supports disconnected mode. + * Fix nss overlay load (LP: #417163). + + -- Mathias Gug Mon, 07 Sep 2009 13:41:10 -0400 + +openldap (2.4.17-2.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL + character in subject Common Name (Closes: #553432) + + -- Giuseppe Iuculano Tue, 10 Nov 2009 19:09:45 +0100 + +openldap (2.4.17-2) unstable; urgency=low + + * Fix up the lintian warnings: + - add missing misc-depends on all packages + - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive + overrides + - bump Standards-Version to 3.8.2, no changes required. + * slapd.scripts-common: fix upgrade to correctly handle multiple database + declarations; thanks, Peter Marschall ! Closes: #517556 + * Add 'status' argument to init script; thanks to Peter Eisentraut + . Closes: #545898. + * New patch, do-not-second-guess-sonames, to remove an incorrect check for + the Cyrus SASL version number at runtime. If there's any reason this is + needed, it needs to be addressed in the cyrus-sasl soname and Debian + shlibs, not here. Closes: #546885. + + -- Steve Langasek Tue, 22 Sep 2009 20:06:34 -0700 + +openldap (2.4.17-1ubuntu3) karmic; urgency=low + + * Install a minimal slapd configuration instead of creating a default + database with a default DIT: + + Move openldap user home from /var/lib/ldap to /nonexistent. + + Remove all code and templates dealing with the default database and DIT + creation. + + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and + grant all access to the latter in the cn=config database as well as the + default backend configuration. + * Add cn=localroot,cn=config authz mapping on upgrades. + + -- Mathias Gug Tue, 11 Aug 2009 14:48:56 -0400 + +openldap (2.4.17-1ubuntu2) karmic; urgency=low + + [ Thierry Carrez ] + * debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support + in the openldap library, as required by Likewise-Open (LP: #390579) + + [ Mathias Gug ] + * debian/patches/its6077-uniqueness-overlay: fixes some issues with the + uniqueness overlay. + * debian/patches/its6220-writetimeout-directive: fixes a problem with the + writetimeout directive being in effect even if it wasn't set, + closing connections incorrectly. + * debian/patches/its6222-dncachesize-parameter: fixes the behavior of the + dncachesize parameter that was added in RE24, so that if it is set to + "0" (now the default), it has an unlimited DN cache (RE23 always + had an unlimited DN cache). + + -- Mathias Gug Fri, 31 Jul 2009 13:43:46 -0400 + +openldap (2.4.17-1ubuntu1) karmic; urgency=low + + [ Steve Langasek ] + * Fix up the lintian warnings: + - add missing misc-depends on all packages + - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive + overrides + - bump Standards-Version to 3.8.2, no changes required. + + [ Mathias Gug ] + * Resynchronise with Debian. Remaining changes: + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - updated debian/slapd.README.Debian for note on AppArmor + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/rules: install apparmor profile. + - Don't use local statement in config script as it fails if /bin/sh + points to bash. + - debian/slapd.postinst, debian/slapd.script-common: set correct + ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group + readable) and /var/run/slapd (world readable). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package the nss + overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema which + defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to + the cn=config tree. + - debian/slapd.postinst: create /var/run/slapd before updating its + permissions. + - debian/slapd.init: Correctly set slapd config backend option even if + the pidfile is configured in slapd default file. + * Dropped: + - Merged in Debian: + - Update priority of libldap-2.4-2 to match the archive override. + - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as + the ldapurl(1) manpage. + - Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. + - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + - Fixed in upstream release: + - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 + failure when built with PIE. + - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted. + - Update Apparmor profile support: don't support upgrade from pre-hardy + systems: + - debian/slapd.postinst: Reload AA profile on configuration + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << + 2.1+1075-0ubuntu4 to make sure that if earlier version of + apparmor-profiles gets installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor complain mode on + some upgrades + - debian/slapd.preinst: create symlink for force-complain on + pre-feisty upgrades, upgrades where apparmor-profiles profile is + unchanged (ie non-enforcing) and upgrades where apparmor profile + does not exist. + - debian/patches/autogen.sh: no longer needed with karmic libtool. + - Call libtoolize with the --install option to install + config.{guess,sub} files. + + -- Mathias Gug Thu, 30 Jul 2009 16:42:58 -0400 + +openldap (2.4.17-1) unstable; urgency=low + + * New upstream version. + - Fixes FTBFS on ia64 with -fPIE. Closes: #524770. + - Fixes some TLS issues with GnuTLS. Closes: #505191. + * Update priority of libldap-2.4-2 to match the archive override. + * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the + ldapurl(1) manpage. Thanks to Peter Marschall for the patch. + Closes: #496749. + * Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. Closes: #498116. + * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + * Build-depend on libltdl-dev | libltdl3-dev (>= 1.4.3), for the package + name change. Closes: #522965. + + [ Updated debconf translations ] + * Spanish, thanks to Francisco Javier Cuadrado . + Closes: #521804. + + -- Steve Langasek Tue, 28 Jul 2009 10:17:15 -0700 + +openldap (2.4.15-1.1ubuntu1) karmic; urgency=low + + * Resynchronise with Debian. Remaining changes: + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << + 2.1+1075-0ubuntu4 to make sure that if earlier version of + apparmor-profiles gets installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor complain mode on + some upgrades + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on + pre-feisty upgrades, upgrades where apparmor-profiles profile is + unchanged (ie non-enforcing) and upgrades where apparmor profile + does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install + config.{guess,sub} files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash. + - debian/slapd.postinst, debian/slapd.script-common: set correct + ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group + readable) and /var/run/slapd (world readable). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package the nss + overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema which + defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to + the cn=config tree. + - Update priority of libldap-2.4-2 to match the archive override. + - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as + the ldapurl(1) manpage. + - Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. + - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 + failure when built with PIE. + - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted. + - debian/slapd.postinst: create /var/run/slapd before updating its + permissions. + - debian/slapd.init: Correctly set slapd config backend option even if + the pidfile is configured in slapd default file. + * Drop patch to avoid the test suite on hppa, as hppa is EOL. + + -- Colin Watson Wed, 24 Jun 2009 10:45:20 +0100 + +openldap (2.4.15-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Change libltdl3-dev Build-Depends to libltdl-dev | libltdl3-dev + (Closes: #522965) + + -- Kurt Roeckx Sun, 19 Apr 2009 18:24:32 +0200 + +openldap (2.4.15-1ubuntu3) jaunty; urgency=low + + * No-change rebuild to fix lpia shared library dependencies. + + -- Colin Watson Thu, 19 Mar 2009 09:52:40 +0000 + +openldap (2.4.15-1ubuntu2) jaunty; urgency=low + + * debian/slapd.postinst: create /var/run/slapd before updating its + permissions (LP: #298928). + * debian/slapd.init: Correclty set slapd config backend option even if the + pidfile is configured in slapd default file (LP: #292364). + * debian/apparmor-profile: support multiple databases to be stored under + /var/lib/ldap/. (LP: #286614). + + -- Mathias Gug Fri, 13 Mar 2009 13:56:12 -0400 + +openldap (2.4.15-1ubuntu1) jaunty; urgency=low + + [ Steve Langasek ] + * Update priority of libldap-2.4-2 to match the archive override. + * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the + ldapurl(1) manpage. Thanks to Peter Marschall for the patch. + Closes: #496749. + * Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. Closes: #498116. + * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - AppArmor support: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + - Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + - debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + - Enable nssoverlay: + - debian/patches/nssov-build, debian/rules: Build and package + the nss overlay. + - debian/schema/misc.ldif: add ldif file for the misc schema + which defines rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + * Dropped: + - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at + times. (ITS: #5947) Fixed in new upstream version 2.4.15. + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. Implemented in Debian. + * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure + when built with PIE. + * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be + trusted (LP: #305264). + + -- Mathias Gug Fri, 06 Mar 2009 17:34:21 -0500 + +openldap (2.4.15-1) unstable; urgency=low + + * New upstream version + - Fixes a bug with the pcache overlay not returning cached entries + (closes: #497697) + - Update evolution-ntlm patch to apply to current Makefiles. + - (tentatively) drop gnutls-ciphers, since this bug was reported to be + fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the + patch from the bug report, so this should be watched for regressions. + * Build against db4.7 instead of db4.2 at last! Closes: #421946. + * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is + installed in the build environment. + * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with + current headers in unstable + + -- Steve Langasek Tue, 24 Feb 2009 14:27:35 -0800 + +openldap (2.4.14-0ubuntu1) jaunty; urgency=low + + [ Steve Langasek ] + * New upstream version + - Fixes a bug with the pcache overlay not returning cached entries + (closes: #497697) + - Update evolution-ntlm patch to apply to current Makefiles. + - (tentatively) drop gnutls-ciphers, since this bug was reported to be + fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the + patch from the bug report, so this should be watched for regressions. + * Build against db4.7 instead of db4.2 at last! Closes: #421946. + * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is + installed in the build environment. + * New patch, no-crlcheck-for-gnutls, to fix a build failure when using + --with-tls=gnutls. + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + - debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + - Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + - Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + - debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + - debian/patches/nssov-build, debian/rules: + Build and package the nss overlay. + debian/schema/misc.ldif: add ldif file for the misc schema, which defines + rfc822MailMember (required by the nss overlay). + - debian/{control,rules}: enable PIE hardening + - Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + * debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at + times. (ITS: #5947) + + -- Mathias Gug Wed, 18 Feb 2009 18:44:00 -0500 + +openldap (2.4.11-1) unstable; urgency=low + + * New upstream version (closes: #499560). + - Fixes a crash with syncrepl and delcsn (closes: #491066). + - Fix CRL handling with GnuTLS (closes: #498410). + - Drop patches no_backend_inter-linking, + CVE-2008-2952_BER-decoding-assertion, and gnutls-ssf, applied + upstream. + + [ Russ Allbery ] + * New patch, back-perl-init, which updates the calling conventions + around initialization and shutdown of the Perl interpreter to match + the current perlembed recommendations. Fixes probable hangs on HPPA + in back-perl. Thanks, Niko Tyni. (Closes: #495069) + + [ Steve Langasek ] + * Drop the conflict with libldap2, which is not the standard means of + handling symbol conflicts in Debian and which causes serious upgrade + problems from etch. Closes: #487211. + + -- Steve Langasek Sat, 11 Oct 2008 01:53:55 -0700 + +openldap (2.4.11-0ubuntu7) jaunty; urgency=low + + * Don't use local statement in config script as it fails if /bin/sh + points to bash (LP: #286063). + + -- Mathias Gug Tue, 04 Nov 2008 20:03:46 -0500 + +openldap (2.4.11-0ubuntu6) intrepid; urgency=low + + * Disable the testsuite on hppa. Allows building of packages on this + architecture again, once this package is in the archive. + LP: #288908. + + -- Matthias Klose Fri, 24 Oct 2008 23:22:33 +0200 + +openldap (2.4.11-0ubuntu5) intrepid; urgency=low + + * Don't set admin passwords in ldif files if adminpw is empty. + (LP: #273988 - LP: #276606). + + -- Mathias Gug Mon, 13 Oct 2008 19:31:15 -0400 + +openldap (2.4.11-0ubuntu4) intrepid; urgency=low + + * debian/slapd.postinst, debian/slapd.script-common: set correct ownership + and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and + /var/run/slapd (world readable). (LP: #257667). + * debian/slapd.script-common: + - Fix package reconfiguration: + + Remove slapd.d/ directory if it already exists when creating a new + configuration. + + Fix backup directory naming for multiple reconfiguration. + + -- Mathias Gug Wed, 24 Sep 2008 21:01:42 -0400 + +openldap (2.4.11-0ubuntu3) intrepid; urgency=low + + * debian/patches/nssov-build, debian/rules: + Build and package the nss overlay. + * debian/schema/misc.ldif: add ldif file for the misc schema, which defines + rfc822MailMember (required by the nss overlay). + + -- Mathias Gug Tue, 26 Aug 2008 18:42:54 -0400 + +openldap (2.4.11-0ubuntu2) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:47:01 -0700 + +openldap (2.4.11-0ubuntu1) intrepid; urgency=low + + * New upstream version: + - Mainly bug fixes. + - New nss slapd overlay (not compiled by default). + * Use cn=config as the default configuration backend instead of + slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade + asking the end user to enter a new password to control the access to the + cn=config tree. + + -- Mathias Gug Mon, 11 Aug 2008 20:26:05 -0400 + +openldap (2.4.10-3ubuntu1) intrepid; urgency=low + + [ Mathias Gug ] + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + * Dropped - implemented in Debian: + - debian/patches/fix-gnutls-key-strength.patch: + Fix slapd handling of ssf using gnutls. (LP: #244925). + - debian/control: + Add time as build dependency: needed by make test. + * debian/control: + - Build-depend on libltdl7-dev rather then libltdl3-dev. + * debian/patches/autogen.sh: + - Call libtoolize with the --install option to install config.{guess,sub} + files. + + [ Jamie Strandboge ] + * adjust apparmor profile to allow gssapi (LP: #229252) + * adjust apparmor profile to allow cnconfig (LP: #243525) + + -- Mathias Gug Wed, 30 Jul 2008 19:46:02 -0400 + +openldap (2.4.10-3) unstable; urgency=low + + [ Steve Langasek ] + * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS + vulnerability in the BER decoder. Addresses CVE-2008-2952, + closes: #488710. + * debian/slapd.scripts-common, debian/slapd.postinst: drop + update_path_argsfile_pidfile function, not needed for updates from etch + or newer. + * Drop the code to check for and upgrade ldbm databases. The etch + release of slapd had already dropped support for them and direct + upgrades from sarge are not supported. + + [ Russ Allbery ] + * Apply upstream patch to convert GnuTLS cipher strength from bytes to + bits, as expected by OpenLDAP. (Closes: #473796) + * Add Build-Depends on time, used by the test suite and only a shell + built-in with bash. Thanks, Daniel Schepler. (Closes: #490754) + * Refresh all patches, convert all patches to -p1, and remove extraneous + Index: lines. (Closes: #485263) + * Unless DFSG_NONFREE is set, also check whether the upstream schemas + with RFC comments are included. + * Update standards version to 3.8.0. + - Include debian/README.source pointing to the quilt README.source. + - Wrap Uploaders for readability. + * Wrap slapd's Depends for readability. + + [ Updated debconf translations ] + * Swedish, thanks to Martin Ågren . + Closes: #492748. + + -- Steve Langasek Mon, 28 Jul 2008 15:26:06 -0700 + +openldap (2.4.10-2ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + - debian/patches/fix-gnutls-key-strength.patch: + Fix slapd handling of ssf using gnutls. (LP: #244925). + - debian/control: + Add time as build dependency: needed by make test. + * Dropped - implemented in Debian: + - debian/rules: + Support debuild nocheck option: don't run tests if nocheck is set. + + -- Mathias Gug Thu, 10 Jul 2008 14:45:49 -0400 + +openldap (2.4.10-2) unstable; urgency=low + + * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at + build time + * Hack around glibc behavior when resolving localhost, by exporting + RESOLV_MULTI=off when invoking the test suite + * Reclaim the 'openldap' source package name; openldap2.3 has been a + misnomer for some time, causing undue confusion, so switch to a + permanent source package name that we won't need to change again later. + - Along the way, kill off non-DFSG-compliant schema files that snuck + back into the archive due to my bad merge of 2.4.10. + + -- Steve Langasek Sun, 06 Jul 2008 22:03:32 -0700 + +openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + - debian/patches/fix-unique-overlay-assertion.patch: + Fix another assertion error in unique overlay (LP: #243337). + Backport from head. + * debian/control: + - add time as build dependency: needed by make test. + * debian/rules: + - support debuild nocheck option: don't run tests if nocheck is set. + * debian/patches/fix-gnutls-key-strength.patch: + - fix slapd handling of ssf using gnutls. (LP: #244925). + * Dropped - accepted in Debian: + - debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + * Dropped - fixed in new upstream release: + - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion. + (LP: #215904) + - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion + error. (LP: #234196) + - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes. + (LP: #220724) + - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using + syncrepl. (LP: #227178) + - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied + upstream. + + -- Mathias Gug Thu, 03 Jul 2008 14:15:08 -0400 + +openldap2.3 (2.4.10-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream release. + - Clean up ld_defconn if it was freed, fixing an assertion failure in + various clients. Closes: #469232. + - Fixes slapd syncrepl hang on back-config. Closes: #471253. + - Drop patch hurd-path-max, integrated upstream. + * Drop spurious build-dependency on heimdal-dev, introduced accidentally + as part of an aborted attempt to build the smbk5pwd overlay. + * Use hardlinks instead of symlinks for the various slap* commands; this + is functionally equivalent for us, and reduces divergence from + derivatives such as Ubuntu that use apparmor. Closes: #488409. + * New patch, no_backend_inter-linking, to fix the meta backend to not + try to look up symbols in external objects (back_ldap) that it + doesn't link against. + * Turn on 'make test' during builds, now that back_meta is fixed. + + [ Matthijs Mohlmann ] + * All manpages in category 5 were missing, wrong directory. + (Closes: #474976, #483631, #483633) + + -- Steve Langasek Mon, 30 Jun 2008 04:28:34 -0700 + +openldap2.3 (2.4.9-1ubuntu4) intrepid; urgency=low + + * debian/patches/fix-unique-overlay-assertion.patch: + - Fix another assertion error in unique overlay, backported from head. + (LP: #243337) Note: This patch will still be needed when moved to 2.4.10 + + -- Chuck Short Mon, 30 Jun 2008 18:49:52 +0000 + +openldap2.3 (2.4.9-1ubuntu3) intrepid; urgency=low + + * Drop spurious dependency on hiemdal-dev. Caused by an aborted attempt to + include the smbk5pwd overlay. + + -- Chuck Short Wed, 11 Jun 2008 21:25:40 +0000 + +openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low + + * Rebuild for perl 5.10 transition (LP: #230016) + * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using + syncrepl. (LP: #227178) + + -- Chuck Short Mon, 09 Jun 2008 14:56:40 +0000 + +openldap2.3 (2.4.9-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/apparmor-profile: add AppArmor profile + - debian/slapd.postinst: Reload AA profile on configuration + - updated debian/slapd.README.Debian for note on AppArmor + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmour-profiles gets + installed it won't overwrite our profile. + - Modify Maintainer value to match the DebianMaintainerField + speficication. + - follow ApparmorProfileMigration and force apparmor compalin mode on + some upgrades (LP: #203529) + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist. + - debian/slapd.postrm: remove symlink in force-complain/ on purge + - debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion. + (LP: #215904) + - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion + error. (LP: #234196) + - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes. + (LP: #220724) + - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied + upstream. + * Added debian/patches/fix-ucred-libc due to changes how newer glibc handle + the ucred struct now. + + -- Chuck Short Fri, 30 May 2008 17:09:53 +0100 + +openldap2.3 (2.4.9-1) unstable; urgency=low + + [ Updated debconf translations ] + * French, thanks to Christian Perrier . + Closes: #471792. + * Finnish, thanks to Esko Arajärvi . Closes: #475238. + * Czech, thanks to Miroslav Kure . + Closes: #480138. + * Basque, thanks to Piarres Beobide . + Closes: #480177. + * Vietnamese, thanks to Clytie Siddall . + Closes: #480181. + * Galician, thanks to Jacobo Tarrio . Closes: #480218. + * Japanese, thanks to Kenshi Muto . Closes: #480247. + * Italian, thanks to Luca Monducci . (Closes: #477718) + * Brazilian Portuguese, thanks to Eder L. Marques + (Closes: #480172) + * Portuguese, thanks to Tiago Fernandes + (Closes: #481126) + * Russian, thanks to Yuri Kozlov (Closes: #481214) + * Dutch, thanks to "cobaco (aka Bart Cornelis)" . + Closes: #483014. + + [ Matthijs Mohlmann ] + * New upstream release. + - Bad entryUUID no longer crashes slapd. (Closes: #471867) + - Fix assertion failure in some modify operations. (Closes: #474161) + - Mention index in slapd.conf's man page. (Closes: #414650) + - Fixes to slapd include handling. (Closes: #457261) + - Fix syncrepl cookie truncation. (Closes: #464024) + - Fix memory allocation in ldap_parse_page_control. (Closes: #464877) + - Fix slapd crash when accessed by multiple threads. (Closes: #479237) + * Acknowledge NMU. + (Closes: #474976, #471225, #475856, #474652, #465875) + * Bump Standards-Version to 3.7.3 + * Add versioned build dependency on libgnutls-dev (Closes: #466558) + * Bump debhelper compat level to 6. + + [ Russ Allbery ] + * Use MAXPATHLEN rather than PATH_MAX, since OpenLDAP defines the + former and the latter isn't defined on GNU Hurd. Thanks, Samuel + Thibault. (Closes: #475744) + + -- Matthijs Mohlmann Mon, 26 May 2008 22:34:16 +0200 + +openldap2.3 (2.4.7-6.3) unstable; urgency=low + + * Non-maintainer upload. + * Install all slapd relevant manpages into slapd package. + (closes: #474976) + * Make libldap-2.4-2 conflict against libldap2. (closes: #475856) + + -- Bastian Blank Tue, 29 Apr 2008 18:00:23 +0200 + +openldap2.3 (2.4.7-6.2) unstable; urgency=low + + * Non-maintainer upload to solve release goal issues. + * Add LSB dependency header to init.d scripts (Closes: #474652) + + -- Petter Reinholdtsen Wed, 16 Apr 2008 08:04:49 +0200 + +openldap2.3 (2.4.7-6.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * Fix possible remote denial of service vulnerability in the BDB backend + via a modrdn operation with a NOOP control + (CVE-2008-0658; Closes: #465875). + + -- Nico Golde Tue, 04 Mar 2008 14:34:44 +0100 + +openldap2.3 (2.4.7-6ubuntu3) hardy; urgency=low + + * remove apparmor-profile workaround for Launchpad #202161 (it's now fixed + in klibc) + + -- Jamie Strandboge Mon, 07 Apr 2008 16:09:38 -0400 + +openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low + + * apparmor-profile workaround for Launchpad #202161 + * follow ApparmorProfileMigration and force apparmor complain mode on some + upgrades (LP: #203529) + - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 + - debian/slapd.dirs: add etc/apparmor.d/force-complain + - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty + upgrades, upgrades where apparmor-profiles profile is unchanged (ie + non-enforcing) and upgrades where apparmor profile does not exist + - debian/slapd.postrm: remove symlink in force-complain/ on purge + * debian/rules, debian/slapd.links: use hard links to slapd instead of + symlinks for slap* so these applications aren't confined by apparmor + (LP: #203898) + + -- Jamie Strandboge Tue, 18 Mar 2008 13:53:23 -0400 + +openldap2.3 (2.4.7-6ubuntu1) hardy; urgency=low + + * Merge from Debian unstable, remaining changes: + + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077) + slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 + allows remote authenticated users to cause a denial of service (daemon + crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) + control, a related issue to CVE-2007-6698. + + debian/apparmor-profile: add AppArmor profile + + debian/slapd.postinst: Reload AA profile on configuration + + updated debian/slapd.README.Debian for note on AppArmor + + debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + + debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets + installed it won't overwrite our profile + + Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Steve Langasek Tue, 04 Mar 2008 01:59:51 +0000 + +openldap2.3 (2.4.7-6) unstable; urgency=low + + [ Updated debconf translations ] + * Dutch, thanks to Bart Cornelis . Closes: #452950. + * Brazilian Portuguese, thanks to Eder L. Marques . + Closes: #463460. + * German, thanks to Helge Kreutzmann . + Closes: #465784. + + [ Steve Langasek ] + * Relax build-dependency on libsasl2-dev now that the versioned dependency + is satisfied by all extant versions (including in oldstable), fixing a + lintian warning about versioned build-deps on Debian revisions. + * Avoid using a mutex around getaddrinfo() and getnameinfo() calls, which + are guaranteed by glibc to be threadsafe; this fixes a deadlock when + using nss_ldap for host lookups. Closes: #340601. + * debian/libldap2-dev.manpages: install all of man3/* instead of + enumerating specific manpages to install. Closes: #320073. + * Add new patch, sasl-cleartext-strncasecmp, to correct a regression that + prevented the use of the {CLEARTEXT} password scheme with SASL. + Closes LP: #191563. + * drop LGPL from debian/copyright; there is no longer any code under this + license in the package. + * Drop patch gnutls-altname-nulterminated; it's been determined that the + "length" discrepancy was a bug in gnutls, and fixed in that package. + * debian/configure.options: explicitly pass --with-odbc=unixodbc, so + that we depend on the right ODBC implementation when both happen to + be installed at build time. + + [ Russ Allbery ] + * Add a stamp file for the configure rule to avoid rerunning configure + needlessly. Closes: #465588. + * Don't create the openldap user if slapd has been configured to run as + a different user. If slapd has been configured to run as openldap, do + create the user on reconfigure. Closes: #452438. + * Reformat, reorganize, and update slapd's README.Debian. + - Include SASL configuration information. + - Remove LDBM information, since upstream no longer even ships LDBM + and the debconf prompting and maintainer scripts already take care + of any lingering databases. + - Document the differences between the Debian OpenLDAP packages and + upstream. + + -- Steve Langasek Thu, 28 Feb 2008 22:15:17 -0800 + +openldap2.3 (2.4.7-5ubuntu2) hardy; urgency=low + + * SECURITY UPDATE: + + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077) + slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 + allows remote authenticated users to cause a denial of service (daemon crash) + via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related + issue to CVE-2007-6698. + + * References + - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658 + - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358 + + -- Emanuele Gentili Sun, 02 Mar 2008 16:34:30 +0100 + +openldap2.3 (2.4.7-5ubuntu1) hardy; urgency=low + + * add AppArmor profile + + debian/apparmor-profile + + debian/slapd.postinst: Reload AA profile on configuration + * updated debian/slapd.README.Debian for note on AppArmor + * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets installed + it won't overwrite our profile + * Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Jamie Strandboge Wed, 13 Feb 2008 17:15:41 +0000 + +openldap2.3 (2.4.7-5) unstable; urgency=low + + [ Updated debconf translations ] + * Finnish, thanks to Esko Arajärvi . Closes: #462688. + * Galician, thanks to Jacobo Tarrio . Closes: #462987. + * French, thanks to Christian Perrier . + Closes: #463149. + * Russian, thanks to Yuri Kozlov . Closes: #463442. + * Czech, thanks to Miroslav Kure . Closes: #463472. + * German, thanks to Helge Kreutzmann . + Closes: #464718. + + [ Steve Langasek ] + * Fix various regressions related to the introduction of GnuTLS: + - Add new patch, gnutls-ciphers, to fix support for specifying multiple + ciphers with TLSCipherSuite option in slapd.conf. Thanks to Kyle + Moffett for the patch. Closes LP: #188200. + - Add new patch, slapd-tlsverifyclient-default, to set the intended + default value of "TLSVerifyClient never" in the right place. + - Add new patch, gnutls-altname-nulterminated, to account for differences + in how the "length" is returned for commonName vs. subjectAltName. + - Comment out TLSCipherSuite settings on upgrade from all versions prior + to 2.4.7-5, and throw a debconf error to the user notifying them of + this, since all OpenSSL cipher suite values are incompatible with + GnuTLS. + Closes: #462588. + * Add new patch from upstream, entryCSN-backwards-compatibility, to support + auto-converting entryCSN attributes in a previously supported old format, + fixing an upgrade failure. Closes: #462099. + * Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the + latter resorts to a SIGKILL and may corrupt backend data; whereas the + former will exit non-zero if slapd is still running but won't directly + cause data-loss. Thanks to Mark McDonald for the patch. LP: #92139. + * Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for + reporting. Closes: #463971. + * Fix a superfluous space in the debconf templates, due to a trailing space + in the templates. Closes: #464719. + + -- Steve Langasek Sat, 09 Feb 2008 14:25:55 -0800 + +openldap2.3 (2.4.7-4) unstable; urgency=high + + [ Steve Langasek ] + * Build-conflict with libicu-dev, for consistent dependencies in all + build environments. + * Fix an oversight in the checkpoint migration, which caused the checkpoint + option to not be moved far enough down. Closes: #462304, LP: #185257. + * Build-depend on unixodbc instead of iODBC. + + [ Updated debconf translations ] + * Japanese, thanks to Kenshi Muto . Closes: #462191. + + -- Steve Langasek Fri, 25 Jan 2008 02:17:23 -0800 + +openldap2.3 (2.4.7-3) unstable; urgency=low + + * Add missing build-dependency on groff-base, to allow use of soelim during + build. + + -- Steve Langasek Mon, 21 Jan 2008 15:18:27 -0800 + +openldap2.3 (2.4.7-2) unstable; urgency=low + + * Temporarily drop slapi-dev from the package to get through NEW; this + functionality should be readded later, either by restoring the slapi-dev + package or by moving it to libldap2-dev, depending on the outcome of + discussion with the ftp-masters. + + -- Steve Langasek Mon, 21 Jan 2008 06:13:21 -0800 + +openldap2.3 (2.4.7-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream version; closes: #449354. + - remove another schema from upstream source, collective.schema, + that contains text from the IETF RFCs and include a stripped copy + in debian/schema. + - drop patches slurpd-in-spool and man-slurpd, since slurpd is no + longer provided upstream. + - libldap2.3-0 is now libldap2.4-2 + - build libldap2-dev from this source package now, superseding + openldap2; closes: #428385, #260118, #262539, #391899, #393215. + - lastmod and denyop have been moved to contrib upstream and are no + longer shipped as supported overlays + - drop dependency on libldap2 and take ownership of the + /etc/ldap/ldap.conf conffile, since libldap2 is now obsolete + - need to dump and reload databases again for the upgrade from 2.3.39. + - ldap_init(3) no longer attempts to document the internals of the + LDAP opaque type. Closes: #320072. + - ldap-utils utilities find LDAP servers via SRV records when given a + URL with -H and no host in the URL. Closes: #221173. + - if the old slapd.conf included any replica commands, automatically + enable syncprov for the corresponding database and print an error + with debconf. + * slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be + shipped under doc/examples because /usr/share/doc can't be depended + on per policy; ship the files under /usr/share/slapd and symlink the + /other/ way, which also spares us from dh_compress trying to gzip + slapd.conf. Closes: #452749. + * Drop libldap.so as was done for libldap2, making it a link to + libldap_r.so to avoid unfortunate symbol collisions. + * Add new patch, libldap-symbol-versions, to build libldap and liblber + with symbol versions; needed to avoid segfaults when applications + manage to pull both libldap2 and the new libldap-2.4-2 into the same + process (as during a partial upgrade or the initial soname + transition), and also when the library soname changes again in the + future (as it's likely to do). + * Reintroduce add-autogen-sh patch, with build deps on libtool, automake, + and autoconf, required due to the previous patch; this time around, take + care to clean up the autogenerated files in the clean target as well + * Build-depend on libgnutls-dev instead of on libssl-dev, so that at long + last we can build the server and lib from the same source package again + without licensing problems. Closes: #457182, #407334, #428468, #381788. + Closes: #412706. + * slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for + openldap < 2.1.22 + * Ask about ldbm to bdb migration in the preinst, since there is no + guarantee that the debconf config script will be run before the unpack + phase. + * Don't stop slapd in the preinst by hand, the prerm already stops the + old slapd using the standard interfaces. + * Don't build with LAN Manager password support; these passwords are more + insecure than traditional Unix crypt, and only relevant when talking to + Windows 98. + * Move libslapi into the slapd package and provide a virtual package for + library dependencies, since this is expected to stay lockstep with the + server. + * Split slapi dev support into a new libslapi-dev package, as this is + unrelated to libldap; and drop libslapi.a since it would be insane to try + to statically link a dynamically-loaded slapi plugin. + * "checkpoint" directives are no longer supported as part of the backend + config, only as part of the database config; move the lines around in + slapd.conf on upgrade. + * "schemacheck" directives are no longer supported; comment them out + on upgrade since this option was set by default in sarge. + * Package description updates; thanks to Christian Perrier + and the Smith review project for these + improvements. + * Incorporate debconf template changes suggested by the debian-l10n-english + team as part of the Smith review project. Closes: #447224. + + [ Russ Allbery ] + * Removed fix_ldif and all remaining code to try running it on LDIF + dumps. Schema checking has been imposed since 2.1 and it's highly + unlikely that anyone still needs this. + * Move the checkpoint directive in the default slapd.conf below the + database and suffix directives for the primary database. This is now + required for OpenLDAP 2.4. + * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640 + by default so that slapindex and friends can read it when run as the + openldap user. Fix permissions on upgrade if slapd.conf is owned by + root and mode 600. Closes: #432662. + * Drop slapd patch to read slapd.conf before dropping privileges, since + slapd.conf should now be readable by SLAPD_GROUP. + * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume + the cn=config backend is used and start slapd with the appropriate + options. Based on a patch from Mike Burr. Closes: #411413. + * Rework slapd's README.Debian: + - Document the BerkeleyDB version. Closes: #438127. + - Document how to direct slapd's logs to another file. Closes: #258931. + - Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades. + - Recommend HDB instead of BDB. + - Generally reformat and reorganize. + * Patch cleanup: + - Combine the NTLM patches for Evolution into a single patch. + - Add explanatory comments to every patch. + - Refresh all patches to remove diff garbage and trailing whitespace. + * debian/rules cleanup: + - Fix patch dependencies for parallel build (hopefully). + - Tell configure the system type. + - Rewrite upstream_strip_nondfsg.sh as a get-orig-source target. + - Remove stamp files as the first step of the clean target. + - Add trivial build-arch and build-indep targets. + - Remove dead code and unnecessary comments. + * Remove postrm code to delete /var/lib/slapd/upgrade* flag files. We + haven't used those since the 2.1 upgrade. + * Update Vcs-* headers for new repository layout. + * Remove versioned dependency on an ancient dpkg-dev. + * Wrap and reorder Build-Depends for readability. + + [ Updated debconf translations ] + * Czech, thanks to Miroslav Kure . Closes: #458215. + * German, thanks to Helge Kreutzmann . + Closes: #452833. + * Spanish + * Finnish, thanks to Esko Arajärvi . Closes: #448061. + * French, thanks to Christian Perrier . + Closes: #452632. + * Galician, thanks to Jacobo Tarrio . + Closes: #451158. + * Italian, thanks to Luca Monducci . Closes: #449442. + * Japanese, thanks to Kenshi Muto . Closes: #451325. + * Dutch, thanks to Bart Cornelis . Closes: #448935. + * Brazilian Portuguese + * Portuguese, thanks to Tiago Fernandes . + Closes: #453341. + * Russian, thanks to Yuri Kozlov . Closes: #453318. + * Vietnamese, thanks to Clytie Siddall . + Closes: #453411. + + -- Steve Langasek Mon, 21 Jan 2008 04:58:24 -0800 + +openldap2.3 (2.3.39-1) unstable; urgency=medium + + * Medium severity due to denial of service fix. + * New upstream release. + - CVE-2007-5708: Fix remote denial of service attack in slapo-pcache + (the overlay for proxy caching). (Closes: #448644) + - Multiple additional more minor bug fixes. + * Document in the default slapd.conf that dbconfig options only generate + the DB_CONFIG file on first slapd start and have no effect afterwards + unless DB_CONFIG is removed. (Closes: #442191) + * Inline the checkpoint and BerkeleyDB backend settings in the default + slapd.conf rather than generating them dynamically in postinst. All + the allowable default database choices are now BerekelyDB variants and + will probably continue to be so for the forseeable future, and this is + easier to maintain. + * Drop debconf questions, warnings, and maintainer script functions + dealing with upgrades from OpenLDAP 2.1, which is now too hold for + supported direct upgrades. (Closes: #444806) + * Add a watch file. Thanks, Fernando Ribeiro. (Closes: #435290) + * Add Homepage, Vcs-Svn, and Vcs-Browser control fields. + + -- Russ Allbery Mon, 12 Nov 2007 16:00:47 -0800 + +openldap2.3 (2.3.38-1) unstable; urgency=low + + [ Steve Langasek ] + * Drop debian/patches/use-lpthread, which is no longer needed on mips* + because gcc has been fixed. + * Drop debian/patches/add-autogen-sh, also no longer needed now that + the above patch is gone. + + [ Matthijs Mohlmann ] + * Fix bashism in initscript. (Closes: #428883) + * Drop upstream patches ITS4924, ITS4925 and ITS4966. + * Add patch for objectClasses which causes slapd to crash. (Closes: #440632) + - CVE-2007-5707. + - Upstream bug ITS5119. + * Change default loglevel to none, to log high priority messages. + (Closes: #442000) + * Tighten up the build dependencies, now that autogen patch is removed. + + -- Matthijs Mohlmann Mon, 17 Sep 2007 22:58:54 +0200 + +openldap2.3 (2.3.35-2) unstable; urgency=low + + * Enable LAN Manager password support in slapd. (Closes: #245341) + * If automatic configuration is selected and slapd.conf doesn't exist + during an upgrade, treat this as a fresh installation rather than + aborting with an error. Also try to provide a better error message if + the user has deleted /etc/ldap/schema but we just generated a new + configuration that references it. These cases can occur if someone + removes (rather than purges) the package, manually deletes /etc/ldap, + and then reinstalls. (Closes: #205010) + * Don't fail in slapd's postrm if /etc/ldap/schema has already been + deleted. + * Remove slapd conflicts with libbind-dev and bind-dev. There no longer + appears to be anything in those packages that would break slapd's + resolver. (Closes: #225896) + * Add libldap-2.3-0-dbg and slapd-dbg packages with detached debugging + information. + * db_recover is no longer required after changing DB_CONFIG; slapd now + detects changes itself and does the right thing. Also note in + README.DB_CONFIG the existence of the dbconfig slapd.conf parameter + and slapd's DB_CONFIG writing support. (Closes: #412575) + * Add options to /etc/default/slapd to let the system administrator tell + the init script to not start slapd on boot. (Closes: #254999) + * Redirect fd 3 to /dev/null in the slapd init script for additional + robustness when debconf is running. (Closes: #227482) + * Add to /etc/default/slapd a commented-out example of how to change the + keytab file used for GSSAPI authentication. (Closes: #412017) + * Use variables in /etc/init.d/slapd for the paths to slapd and slurpd + so that someone who really wants to can override them in + /etc/default/slapd. (Closes: #403948) + * Allow people building packages for outside Debian to skip the checks + for non-DFSG-free material by setting a variable. Thanks, Peter + Marschall. (Closes: #427245) + * Remove duplicate libldap-2.3-0 dependencies. (Closes: #408987) + * Use binary:Version instead of Source-Version for the tight + dependencies between slapd and ldap-utils and libldap-2.3-0. + + -- Russ Allbery Mon, 11 Jun 2007 20:26:26 -0700 + +openldap2.3 (2.3.35-1) unstable; urgency=low + + * New upstream release with many bug fixes. + - Allow syncprov to follow aliases. (Closes: #422087) + * Apply upstream patches: + - ITS#4924: client crash on incorrectly tagged result from server. + - ITS#4925: NOOP modify with BDB backend crashed slapd. + - ITS#4966: Delete of valsort-controlled entries crashed slapd. + * Enable SLAPI support. (Closes: #390954) + * Re-enable use of the epoll system call since Debian no longer supports + 2.4 kernels. This means that the OpenLDAP packages will not work on + pre-2.6 kernels. + * Remove schema files that contain text from IETF RFCs from the upstream + source since that text is not DFSG-free. Instead, install stripped + versions of those schema files containing only the functional + interface specifications, a comment explaining why this is needed, and + a pointer to the relevant RFC. (Closes: #361846) + * Document the repackaging of the upstream source in debian/copyright. + * Update config.guess and config.sub during the build instead of in the + clean target and remove them in the clean target for a clean diff. + Build-depend on autotools-dev so that we can unconditionally copy over + the latest versions. + * Added commentary and upstream ITS numbers for several patches + applicable upstream. + * Use debian/compat rather than the deprecated DH_COMPAT rules setting. + * Update to debhelper compatibility level V5 (no changes required). + + -- Russ Allbery Wed, 30 May 2007 22:42:28 -0700 + +openldap2.3 (2.3.30-5) unstable; urgency=low + + [ Steve Langasek ] + * Add Portuguese debconf translation; thanks to Tiago Fernandes. + Closes: #409632. + * Re-add .la files to the slapd package, for greater compatibility + with upstream documentation. + + [ Russ Allbery ] + * When starting slapd, create a symlink from /var/run/ldapi to + /var/run/slapd/ldapi for compatibility with 2.1 client libraries. + Closes: #385809. + * Apply upstream patch to prevent a race condition in slapd when + shutting down connections. + * Update the Brazilian Portuguese debconf translation; thanks to Felipe + Augusto van de Wiel. + + -- Russ Allbery Thu, 8 Mar 2007 18:21:02 -0800 + +openldap2.3 (2.3.30-4) unstable; urgency=low + + * Ok, argh, it helps to check that the function being re-added to the + preinst hasn't been removed again from the common include. Re-add + break_on_ldbm_to_bdb_migration_disagree, because by all appearances + we /should/ be using this in the preinst. Closes: #411474. + + -- Steve Langasek Mon, 19 Feb 2007 03:55:22 -0800 + +openldap2.3 (2.3.30-3) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * Added spanish translation. (Closes: #404250) + * Documentation updates backported from upstream. + * Fix a security bug in kerberos kbind code. (Only used when enabling with + --enable-kbind option) But better safe then sorry. + * Backported a mem leak fix on failed binds. + * Added patch from upstream that fixes a memory leak in ACLs that use sets. + + [ Steve Langasek ] + * *Really* abort in preinst if the user doesn't accept the upgrade + from ldbm to bdb. Closes: #392747. + * Set the name of debian/slapd.NEWS right so that it gets + installed in the binary package. Closes: #409923. + * Add Russian debconf translation; thanks to Yuri Kozlov. + Closes: #405706. + * Add Galician debconf translation; thanks to Jacobo Tarrio. + Closes: #407267. + + -- Steve Langasek Sun, 18 Feb 2007 16:47:16 -0800 + +openldap2.3 (2.3.30-2) unstable; urgency=low + + * Make sure that the pidfile directory doesn't exist in the init script. + (Closes: #402705) + + -- Matthijs Mohlmann Tue, 12 Dec 2006 21:34:44 +0100 + +openldap2.3 (2.3.30-1) unstable; urgency=low + + * New upstream release. + - Fixed authzTo/authzFrom URL matching. + - Fixed syncrepl consumer memory leaks. + - Fixed slapd-hdb livelock. + - Fixed slapo-ppolicy external quality check. + - Fixed ldapsearch(1) man page acknowledgement. + * Added patch to make sure that the pidfile directory exists. + (Closes: #390337) + * Do not ask the question allow ldap v2 logins when user wants manual + configuration. (Closes: #401003) + * Add patch to look also in /etc/ldap/sasl2 for sasl configuration. + (Closes: #398657) + * Removed db4.2-util recommend, the slapd binary includes checking code to + fix DB errors. + * Updated README in schema directory. It doesn't list collective.schema + anymore. (Closes: #287358) + * Updated manpages to point to right paths. (Closes: #398790) + + -- Matthijs Mohlmann Sat, 9 Dec 2006 20:50:58 +0100 + +openldap2.3 (2.3.29-1) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * New upstream release. + - Fixes Denial of Service through a certain combination of LDAP BIND + requests (CVE-2006-5779) (Closes: #397673) + * LSB section added to the init script. + * Updated README.Debian about running as non-root user (Closes: #389369) + * Updated de translation (Closes: #396096) + * Added some documentation / warning when running slapindex as root. + * Remove drafts and rfc from the tarball. (Closes: #393404) + + -- Matthijs Mohlmann Sat, 11 Nov 2006 11:24:42 +0100 + +openldap2.3 (2.3.27-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. + * pidfile location is changed 3 years ago, when people are upgrading from + back then they have a broken slapd because the openldap user is not able + to write to /var/run. (Closes: #380687) + * Patches by Quanah Gibson-Mount + - Fix one time memleak on startup in the accesslog db. + * Changed priority of libldap-2.3-0 to optional as it is only used by slapd. + + [ Torsten Landschoff ] + * Remove RFC documents as they do not meet the DFSG. + + debian/rules: Check that the RFCs are gone to make sure it does not + get included again by accident. + + -- Matthijs Mohlmann Sat, 2 Sep 2006 00:33:44 +0200 + +openldap2.3 (2.3.25-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release: + - Accepts 'require none' in slapd.conf (closes: #370023). + - Added patch to fix a bold issue in the manpage ldapsearch. Thanks to + Matt Kraai. (Closes: #355670) + * Added commented out rootdn parameter in slapd.conf. (Closes: #303245) + * Make the scripts output a bit more consistent. + * Fix a regression in the slapd packages. Data directory is /var/lib/ldap + and not /var/openldap-data, also adjust the manpages to reflect these + change. Thanks to Peter Marschall. (Closes: #368891) + * Removed script move_files, dh_install is used instead. (Closes: #368896) + * Dutch translation already updated. Closes: #375101) + * Documented that slapd is compiled with TCP wrappers (Closes: #351428) + * dpkg-reconfigure slapd now just reinstalls slapd and moves old databases + to /var/backups. Already done in previous version (Closes: #230366, #208056) + + [ Torsten Landschoff ] + * debian/libldap-2.3-0.install: Ignore version information when installing + libraries. This way it does not need updating for each new upstream + release. + + -- Matthijs Mohlmann Wed, 26 Jul 2006 18:05:40 +0200 + +openldap2.3 (2.3.24-2) unstable; urgency=low + + * Switch slapd from running as root to running as user. + (Closes: #292845, #261696) + * Changing configuration in slapd.conf by the postinst will now also follow + includes. (Closes: #304488) + * Patches by Quanah Gibson-Mount + - fix a lock bug with a virtual root entry in the BDB backend. + - fix boolean logic in the overlays. + - fix that slurpd can use ldaps. + - fix initialization of auditdb. + - fix TLS concurrency issues. + - fix exop password change that didn't reset pwdMustChange. + - fix syncrepl that fails when no rootdn is defined. + * Add dependency on adduser. + * Specify the PATH variable in the init script. (Closes: #367981) + * Added patch to read config before dropping privileges. + * epoll(4) system call is missing on kernels <2.6, this causes slapd to + not work on 2.4 kernels. Added patch that remove the #define in + portable.in (Closes: #369352, #372194, #373233) + * In 2.3.24 slapd won't segfault if the moduleload directive appears + somewhere else. (Closes: #349011) + * Removed fileutils dependency, it's superseeded in Sarge already. + (Closes: #370013) + * Use find in combination with mv to move an old directory away. + (Closes: #306435) + * Updated Dutch debconf translation (Closes: #365172) + * Added an example backup script that can be put into cron (Closes: #319477) + * Make the db directories 0700. On new installations this is the default. + (Closes: #354450) + * Get rid of a '.' in front of a domain. (Closes: #318143) + * Added shadowLastChange to the ACL in the default slapd.conf + (Closes: #370550) + * Updated Japanese translation (Closes: #378565) + + -- Matthijs Mohlmann Mon, 17 Jul 2006 18:22:45 +0200 + +openldap2.3 (2.3.24-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream version. (Closes: #369544) + * Update patch slurpd-in-spool. (Closes: #368586, #368709, #368889) + * Added slapi-errorlog-file to be into /var/log (Closes: #368895) + * Removed patch configure.in-fix, incorporated upstream. + * Move debian/configure.options.new to debian/configure.options. + * Added patch to put ldapi socket in /var/run/slapd. + * Removed bdb recovery from the init.d script. This was introduced to fix + bug #255276. Now that slapd has the ability to check and recover from bdb + failures, this function is not needed anymore. (Closes: #369484, #369093) + * Updated the lintian overrides. + + [ Torsten Landschoff ] + * Include man pages for accesslog and auditlog overlays, patch by + Peter Marschall (closes: #368888). + + -- Matthijs Mohlmann Thu, 1 Jun 2006 08:16:02 +0200 + +openldap2.3 (2.3.23-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158) + (Closes: #310282, #319155) + * OpenLDAP checks database before starting up. + (Closes: #190165, #195079, #294701, #308416) + * move_old_database_away isn't called in a while loop anymore (which would + kill debconf interaction) (Closes: #299100) + * BDB_CONFIG file will be installed on new installations (Closes: #301292) + * Move to dh_install. + * Move to quilt patch system. + * Fix manpage. + * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings) + * Wipe passwords after we created the initial configuration. + * The config scripts is runned twice, this causes the password in + slapd/internal/adminpw to be empty. This fixes the issue with having an + empty password in the ldap database. (Closes: #343113, #347725) + * Added #DEBHELPER# token to fix a lintian warning. + * bdb has changed between major versions, so dump the database and import it + again for versions before 2.3.19. + * Remove comments from debian/control (The out commented control information + is actually in debian/control.dev) + * Enable all backends and overlays with: --enable-backends=mod and + --enable-overlays=mod + * Add | debconf-2.0 to unblock cdebconf transition (Closes: #332053) + * Added Danish debconf translation (Closes: #353897) + * Updated French debconf translation (Closes: #320739) + * Updated Vietnamese debconf translation (Closes: #319706) + * Updated Czech debconf translation (Closes: #356554) + * Encode the organization to utf8 (Closes: #236097) + * Disabled the LDBM backend. Break in preinstallation if user doesn't want + to migrate to BDB backend. + * Removed choice for LDBM backend from slapd templates. And some explanation + in that question about the LDBM backend. + * Add sizelimit and tool-threads and some documentation to slapd.conf + (Closes: #327808) + * slapd.scripts-common had two functions with the same name. + * Don't return a error message if hostname fails. + * Backup the config only once on upgrade. + * For new installations do not install a DB_CONFIG file but use the + slapd.conf as file for BDB/HDB configuration parameters. See: slapd-bdb(5) + * Added various "exit 0" to the installation scripts. + * Add configure.in patch to fix C comparison what should be bash (ITS#4416) + * Raise debconf configuration level from low to medium for + slapd/no_configuration. + * Updated Standards-Version to 3.7.2.0 + * Added build-dependency on perl which is used in the debian/rules file. + Considered by lintian. + * Added lintian override for too-long-extended-description-in-templates, it + is an explanation about the backends. + + [ Steve Langasek ] + * debian/slapd.templates: Fix typo durin -> during; re-run + debconf-updatepo, fixing up the fuzzies (closes: #319596). + + [ Torsten Landschoff ] + * debian/slapd.scripts-common: Rename backend_supported to + upgrade_supported_from_backend for more clarity. + + -- Matthijs Mohlmann Sat, 13 May 2006 00:28:11 +0200 + +openldap2.2 (2.2.26-4) unstable; urgency=low + + * [l10n] Vietnamese translations by Clytie Siddall (closes: #316623). + * debian/slapd.templates: Fix typos occured -> occurred (closes: #316624). + * libraries/libldap/url.c: Apply patch from upstream CVS to fix URI + parsing (closes: #317100). + + -- Torsten Landschoff Tue, 19 Jul 2005 20:52:17 +0200 + +openldap2.2 (2.2.26-3) unstable; urgency=low + + * [SECURITY] Applied the patch available at + http://bugzilla.padl.com/show_bug.cgi?id=210 + to force libldap to really use TLS when requested in /etc/ldap/ldap.conf + (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2 + source package so this is only to prepare unleashing the libraries of + OpenLDAP 2.2 for unstable... + + -- Torsten Landschoff Sun, 3 Jul 2005 10:41:37 +0200 + +openldap2.2 (2.2.26-2) unstable; urgency=low + + * Assembled changes from patches supplied by Peter Marschall (thanks, + Peter): + | debian/move_files: Move slapd and slurpd to /usr/sbin and adjust symlinks + (closes: #316354). + + debian/slapd.links: Remove symlinks from /usr/sbin to /usr/lib. + | debian/rules: Don't install cron jobs needed for GnuTLS as long as we are + using OpenSSL. + | debian/control: Remove build-dependencies needed for GnuTLS + (closes: #316355). + + Require libsasl >= 2.1.18 as recommended by OpenLDAP project. + | Update quicktool patch from Quanah Gibson-Mount (closes: #316361). + | debian/slapd.init: Use /bin/sh as shell when running db_recover + (closes: #316350). + | debian/configure.options: Enabled dynlist and proxycache overlays + (closes: #316351). + + * debian/po/de.po: Apply typo correction patch (closes: #313809). + * debian/po/fr.po: Apply updates by Christian Perrier (closes: #315122). + + -- Torsten Landschoff Fri, 1 Jul 2005 12:53:18 +0200 + +openldap2.2 (2.2.26-1) unstable; urgency=low + + * New upstream release. + * debian/slapd.init: Run db_recover as the user configured for slapd + (closes: #311331). + * debian/po/cs.po: Add Czech translation by Miroslav Kure (closes: #312064). + * Run debconf-updatepo, oh my :( + * Update configure via libtoolize -cf; aclocal-1.4; autoconf2.50. + * configure.in: Try to fix memcmp check (probably does not work anymore, but + we should have a working memcmp on all Debian systems anyway). + * debian/rules: Remove config.{sub,guess} before installing new versions + (just in case there were symlinks for them...). + + -- Torsten Landschoff Tue, 21 Jun 2005 12:06:40 +0200 + +openldap2.2 (2.2.23-8) unstable; urgency=low + + * debian/DB_CONFIG: Fixed the log cache configuration (used the wrong + command so there was about no effect). + + -- Torsten Landschoff Mon, 30 May 2005 08:48:10 +0200 + +openldap2.2 (2.2.23-7) unstable; urgency=low + + * debian/slapd.scripts-common: Install the default DB_CONFIG for each + database loaded from LDIF which didn't have a DB_CONFIG before. + * (automatic) Updated config.sub and config.guess from autotools-dev. + + -- Torsten Landschoff Mon, 30 May 2005 08:08:37 +0200 + +openldap2.2 (2.2.23-6) unstable; urgency=low + + Torsten Landschoff : + * debian/po/ja.po: Merge updates from Kenshi Muto (closes: #303505). + * debian/po/fr.po: Merge updates from Christian Perrier (closes: #306229). + * debian/slapd.scripts-common: If the user enters the empty value for + the database dumping directory use the default value. Seems like the + readline interface does not care about the default value + (closes: #308234). + * debian/slapd.postinst: Make sure the debhelper commands are executed + in all cases (closes: #310422). + * Merged suggested changes by Eugene Konev to automatically run + db_recover before starting slapd (closes: #255276). + + debian/slapd.init: Run db_recover if enabled and available and no + slapd process running. + + debian/slapd.default: Add configuration option to disable it. + * Applied and improved patch by Matthijs Mohlmann to support migration + from ldbm to bdb backend. + + debian/slapd.config: Ask if migration is wanted. + + debian/slapd.postinst: Update configuration from ldbm to bdb if yes. + + debian/slapd.scripts-common: Implemented some parts in their own + functions. + * Add a README.DB_CONFIG.gz and reference it where referring to BDB + configuration. + * Update default DB_CONFIG with some senseful values. + + Steve Langasek : + * libraries/libldap_r/Makefile.in: make sure the ximian-connector ntlm + patch is applied to libldap_r, not just to libldap + * debian/move_files: make libldap a symlink to libldap_r, as carrying + two versions of this library around is more trouble than it's worth, + and can cause glorious segfaults down the line + + -- Torsten Landschoff Mon, 30 May 2005 08:07:49 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + Torsten Landschoff : + * debian/lintian-overrides: Add. Contains lintian warnings/errors to + override for each package (plus comments). + + debian/move_files: Automatically install applying overrides into + each package. + + Steve Langasek : + * configure.in: reinstate the remainder of the fix for 195990 from + 2.1.22-2: give preference to -lpthread over -pthread in configure.in, + because some archs (mipsel, at least) don't like -pthread. + + -- Steve Langasek Sun, 24 Apr 2005 05:01:02 -0700 + +openldap2.2 (2.2.23-4) unstable; urgency=low + + Torsten Landschoff : + * debian/control: Make the requirement for debconf a pre-dependency as + we are using it from the maintainer scripts. + * debian/slapd.preinst: Always use debconf (don't check for availability). + * debian/slapd.scripts-common: Remove the alert_user function which + was there to output an error message in case debconf is not available. + + Steve Langasek : + * debian/fix_ldif: Add code to fix up oddly formatted integer attribs; + limited use because it only fixes those attributes that we have + prior knowledge of (i.e., those in the default schemas we ship), but + it's something at least. Closes: #302629. + * debian/fix_ldif: Also change fix_ldif to not chew up everything that + has a # in the line: treat lines beginning with # as comments, but # + is a valid character in an attribute value. + * debian/rules: Fix the check for missing lib symbols to use + LD_LIBRARY_PATH, so the package builds on systems that don't already + have libldap-2.2-7 installed. Closes: #305785. + * debian/po/ja.po: Use the partial translation provided by Kenshi Muto. + + Stephen Frost : + * debian/slapd.scripts-common: Make sure - ends up at the end of the + bracket expression given to grep so it's not treated as a range + (closes: #302743). + + -- Steve Langasek Sat, 23 Apr 2005 22:01:20 -0700 + +openldap2.2 (2.2.23-3) unstable; urgency=low + + Steve Langasek + * libraries/libldap_r/Makefile.in: Code that uses pthreads *must* be + linked with -pthread, even if it's a library; without this, the + libldap_r library ends up with dangling unversioned reference to + pthread_create() which gets resolved to a wrong version that causes + segfaults on 64-bit platforms. Closes: #304549. + * debian/rules: error out on build if an installed library has + undefined symbols; future-proofing against a repeat of #304549. + * debian/slapd.postinst: don't dump and reload directories unless we + know we're upgrading from an incompatible version! Closes: #304840. + * debian/slapd.scripts-common: don't use merge_logical_lines for + functions that will be writing back to the config; the code is not + as pretty now, but the output is much less ugly. Closes: #303243. + * debian/slapd.examples, debian/slapd.scripts-common, + debian/slapd.links, debian/move_files: install DB_CONFIG in + /usr/share/slapd/ instead of /usr/share/doc/slapd/examples/; this + simplifies the code, and ensures users who don't install + /usr/share/doc aren't penalized. Create links for the DB_CONFIG and + slapd.confg templates to /usr/share/doc/slapd/examples, since these + are worthwhile examples as well. + * Updated maintainer scripts to keep DB_CONFIG for LDAP databases over + upgrades (closes: #265860). + * Move slappasswd to the slapd package, since it's now a symlink and + isn't actually useful without the slapd binary (closes: #304339). + + -- Torsten Landschoff Thu, 21 Apr 2005 01:29:57 +0200 + +openldap2.2 (2.2.23-2) unstable; urgency=low + + * debian/configure.options: Change localstatedir to /var from /var/run + as the current upstream version adds /run to that during runtime for + slapi sockets etc. Problem: The database location is specified relative + to localstatedir/openldap-data. Another thing to fix... + (closes: #298271, #304491). + * debian/slapd.scripts-common (load_databases): Reimplement automatic + fixing of LDIF data via the fix_ldif script. Only tried if an + initial slapadd using the original LDIF data fails. With this change + upgrading from woody for some simple cases does work again. + * Disabled the version check for Berkeley DB in upstream code. Any + libdb4.2 package should work but of course using the latest will give + you the best results (closes: #300851). + * debian/slapd.scripts-common (import_database): Removed, no longer used. + * debian/slapd.scripts-common: Store the diagnostic output from + slapadd and output it before aborting if the command failed. + * debian/po/fr.po: Use the translations provided by Christian Perrier + (closes: #304141). + * debian/slapd.scripts-common: Use the -q option during slapadd to + improve performance. + * debian/slapd.templates (slapd/dump_database_destdir): Apply rewording + changes from Thomas Prokosch. Gives the user more information about + the usage of that directory. + + Run debconf-updatepo to update the translation templates. + * debian/slapd.templates: Clean up the debconf templates of the slapd + packages by merging the changes suggested by Christian Perrier + (closes: #302829). Thanks, Christian! + + Changed the wording of some of the templates. + + Adapt to the DTSG (Debconf Templates Style Guide). + + Removed item slapd/admin which is not used anymore. + + Run debconf-updatepo and send new fr.po to Christian Perrier. + * debian/slapd.postinst: Make a backup copy of slapd.conf before changing + anything (closes: #304485). + * Trivial improvements: + + Don't ask to move contents of /var/lib/ldap if it does not even + exist (but also is not an empty directory...) in initial config. + + Move check for current installation status out of configure_dumping. + + -- Torsten Landschoff Thu, 14 Apr 2005 19:57:11 +0200 + +openldap2.2 (2.2.23-1) unstable; urgency=low + + * debian/slapd.scripts-common: Move all shell functions of the maintainer + scripts here to have it all in one place. + * Another pass over the maintainer scripts to remove cruft and tidy up + the code a bit. Fixed some bugs on the way. + * Test upgrade and installation revealed some bugs, mostly typos: + + return in shell actually is "return $?", not "return 0" as I though + + Referenced $src where $srcdir was meant. + + Only load old directories on upgrade and not during initial + installation. + + -- Torsten Landschoff Fri, 1 Apr 2005 18:50:21 +0200 + +openldap2.2 (2.2.23-0.pre6) experimental; urgency=low + + Torsten Landschoff : + * debian/slapd.postinst: Add a testing interface to test the helper + functions. + * debian/slapd.postinst: Make sure that debconf actually displays the + error message even if the user has already seen it before. + * debian/slapd.postinst (compute_backup_path): Make function more robust + in case we don't know the old version or the suffix of the database. + Converted the backup dir to a more simple scheme which should be save + against accidental overwriting. + * Rewrote part of the maintainer scripts for correct handling of + directory dumps in preinst. New debconf questions etc. + * Move the manpage of slappasswd to ldap-utils where slappasswd itself + is included (closes: #300212). + + debian/control: Add Replaces: slapd << 2.2.23-0.pre6 to ldap-utils. + + debian/move_files: Move slappasswd manpage into ldap-utils. + * debian/slapd.config: Don't fail if hostname is unset (pulled from + Ubuntu, thanks to Jeff Bailey). + * Applied patch by Quanah Gibson-Mount (directory administrator of Stanford) + to add -q option to some tools for quick operation without updating + logs. This is mostly for importing directories from LDIF backups. + * Go back to libdb4.2 as OpenLDAP is known to have problems with BDB 4.3. + + debian/control: Update dependencies for BDB 4.2. + + debian/slapd.scripts-common: Mark all databases before this version + as incompatible. + * Fix some bashisms in maintainer scripts. + * debian/slapd.postinst: Include the version of the backup in the + backup of a database directory. + + Carlo Contavalli : + * debian/slapd.init: Print command line if starting a daemon failed. + * debian/slapd.postinst: Handle hdb backend just as if it was bdb. + * debian/README.Debian: Add some notes about DB_CONFIG and how to run + slapd under a different uid/gid. + * Install an example DB_CONFIG file during initial configuration + + slapd.postinst: Add a function to implement this and hook it into + create_new_configuration. + + debian/DB_CONFIG: Example DB_CONFIG that is installed. + + debian/slapd.examples: Mark DB_CONFIG as an example. + * servers/slapd/daemon.c: Actually change the permissions of the + unix socket if requested using an ldapi url with x-mod. + * debian/slapd.scripts-common: change privileges of upgraded databases + as indicated by SLAPD_USER and SLAPD_GROUP variables. + * debian/slapd.scripts-common,slapd.postinst: corrected some minor + typos. + + -- Torsten Landschoff Fri, 1 Apr 2005 12:26:35 +0200 + +openldap2.2 (2.2.23-0.pre5) experimental; urgency=low + + * Apply NTLM patch from ximian-connector source package. + * debian/slapd.postinst: Fix small typo leading to upgrade failures. + Added some notes while wading through maintainer scripts. + * debian/slapd.postinst: Make slapadd more noisy, writing the new + directory to stderr if something goes wrong (should help for + bug #236097). + * Make slapd.init idempotent by adding --oknodo to start-stop-daemon + invocations (closes: #298741). Kudos to Bill Allombert for this + patch. + * slapd.postinst: Try to fix slapd.conf for syntactic and semantic changes + introduced upstream into 2.2.x. + * slapd.scripts-common: Make sure directories before 2.2.23 are dumped + and reloaded on upgrade. + + -- Torsten Landschoff Fri, 11 Mar 2005 18:54:57 +0100 + +openldap2.2 (2.2.23-0.pre4) experimental; urgency=low + + * Rename libldap2.2 to libldap-2.2-7 to match soname. Updated + debian/{control,rules,...}. + * Checked the usage of the ucdata files shipped with libldap2 before. + Actually they stem from liblunicode which is only linked to slapd. + Therefore those files are shipped with slapd now. This change is + relevant so that multiple libldap-2.2-x packages can coexist later. + * debian/control: Updated for slapd replacing files from libldap2. + * debian/control: Recommend db4.3-util instead of db4.2-util as we are + using the former version now for slapd. + * debian/control: Add Build-Depends for libperl-dev, this time for + real. I wonder what went wrong last time as it built correctly with + pdebuild (closes: #297123). + + -- Torsten Landschoff Mon, 28 Feb 2005 15:17:52 +0100 + +openldap2.2 (2.2.23-0.pre3) experimental; urgency=low + + * debian/slapd.prerm: Reformat and fix double stopping of slapd. Find + out which bug we are working around and document it. + * debian/configure.options: Enable ACI support (closes: #101602). + Looked through the source code and it seems to be properly + insulated to not make a difference when not used. + * .../Makefile.in: Remove -s option from install invocations and let + dh_strip handle stripping binaries (closes: #264448). + * debian/slapd.postinst: Code cleanup and reading, unused and duplicate + code removed. Main body still needs fixing. + * debian/slapd.postinst: Fixed chmod --reference calls to keep the + permissions of slapd.conf. Putting data into the file using shell + redirection recreates the file with default umask and owner, killing + the permissions we applied using chod --reference after creating the + file. Instead we change the permissions directly before renaming the + file now. Wrapped it into a function and update the owner as well. + How do we do this correctly for ACLs etc.!? Thanks to Carlo Contavalli + for pointing this out. + * servers/slapd/main.c: Log a warning if writing the pidfile or writing + the arguments file fails (closes: #261696). + * debian/control: Add missing build dependency for perl development + library (closes: #297123). + + -- Torsten Landschoff Sun, 27 Feb 2005 17:44:03 +0100 + +openldap2.2 (2.2.23-0.pre2) experimental; urgency=low + + * servers/slurpd/slurp.h: Relocate the default spool directory to + /var/spool/slurpd again. + * Merged some changes done by Fabio M. Di Nitto for the ubuntu + distribution (thanks, Fabio!): + + debian/slapd.{postinst,conf}: Checkpoint BDB databases every 512kb + or 30 minutes by default. + + debian/slapd.scripts-common: Make is_empty_dir less noisy on first + install (cosmetic). + * Applied some changes suggested by Ondrej Sury: + + debian/rules: Add MAKEVARS variable and set datadir = + /usr/share/libldap2.2/ucdata instead of changing build/top.mk as + suggested. + + debian/move_files: Install /usr/share/libldap2.2 into libldap2.2 + and remove duplicate ldap.conf manpage. + + debian/control: Let libldap2.2 dependon libldap2 for config files. + * Also in Ondrej's patch: + + doc/man/man8/slapd.8: Refer to slapd.conf instead of ldap.h for + loglevel documentation. Changed by ubuntu? I don't know... + * debian/slapd.README.Debian: Update TLS/SSL information. + + -- Torsten Landschoff Fri, 25 Feb 2005 14:44:59 +0100 + +openldap2.2 (2.2.23-0.pre1) experimental; urgency=low + + * Merge new upstream release 2.2.23. + * Change name of source package to openldap2.2. + * configure.in: Fix AC_LIBOBJ for configure2.50. + * Run libtoolize, aclocal-1.4 and autoconf2.50 to get a working + configure script. + * debian/slapd.init: Output failure reasons using "$failure" so that + no glob substitution is done. Had a hard time grokking why slapd + would mention the contents of the current directory in its error + message... + * debian/rules: Disable building -dev packages as we don't want + other packages to link against the new libraries before sarge. + Remove the binary-indep target from the binary dependends list. + * debian/control: Move packages that are no longer build into control-dev. + * debian/configure.options: Build against OpenSSL with --with-tls + (this can only be done for slapd itself, we need GnuTLS support + before enabling this for libldap2.2-dev). + * debian/control: Update build dependencies for libdb4.3 and OpenSSL. + + -- Torsten Landschoff Wed, 23 Feb 2005 19:29:38 +0100 + +openldap2 (2.2.18-0.pre2) experimental; urgency=low + + * debian/check_config: Make sasl2 check more robust against file + format changes in config.status. + * debian/libldap2.shlibs: Remove. + * Update configure script using libtoolize, aclocal-1.4 and autoconf2.50 + to fix wrong shared library dependency in libldap2.2 (depended on + libldap2 by linking against the system's liblber). + * debian/libldap2.README.Debian: Move to libldap2.2.README.Debian. + * Lintian cleanup: + + Run debconf-updatepo for debian/rules clean and manually as + requested. + + Update config.guess and config.sub in debian/rules clean as well. + First update done. + + debian/rules (install): Fix the manpage section of the admin commands + from 8C to 8. + + debian/rules (binary-arch): Run dh_fixperms to fix the permissions + on shared libraries. + + -- Torsten Landschoff Thu, 13 Jan 2005 11:53:28 +0100 + +openldap2 (2.2.18-0.pre1) experimental; urgency=low + + * New upstream release. + * Disable TLS for now. + * debian/rules: Don't run autoheader and autoconf. + * debian/configure.options: Recreated and updated for new setup. + * debian/rules: Move slapd, slurpd from /usr/lib to /usr/sbin. + * Rename library packages to include the OpenLDAP version. + * Remove /etc/ldap/ldap*.conf from libldap2.2 to avoid clash with + libldap2. Also add Replaces entry for libldap2 to allow overwriting + for now. Needs fixing... + * Instead of moving slapd from /usr/lib to /usr/sbin create a symlink. + Seems like slapadd etc. are now all included in the slapd binary + and all link to its binary. + * debian/rules: Run dh_link for arch dependend packages. + * configure: Fix broken libdb checking which forced static building of + back-bdb. + * debian/slapd.conf: Fix access directive to use "attrs=" instead of + "attribute=" which wasn't officially supported anyway. + + -- Torsten Landschoff Wed, 3 Nov 2004 09:57:14 +0100 + +openldap2 (2.1.30-3) unstable; urgency=high + + * Urgeny high since previous releases were hardly usable (at least + with TLS). + * Roland Bauerschmidt + + libraries/libldap/gnutls.c, libraries/libldap/tls.c, + include/ldap_pvt_gnutls.h: Use callback with + gnutls_certificate_set_params_function to generate dh_params and + rsa_params (this is also the way, it's done with OpenSSL). We need + GNUTLS 1.0.9 for this. With the new version of libgcrypt, we also + need to initialize threading explicitly. The previous + segmentation faults resulted from the *global* param structure + being recreated and freed for every session. Many thanks to + Matthias Urlichs who helped debugging a lot and also packaged + GNUTLS 1.0.16 very quickly... Closes: #244827. + + debian/control: Add build dependency to libgcrypt11-dev (we're + initializing it directly now) and change libgnutls10-dev to + libgnutls11-dev. + + libraries/libldap/gnutls.c: in tls_gnutls_need_{dh,rsa}_params + (formerly ldap_gnutls_need_...), create temp files more securely, + doing unlink before opening and opening them with O_EXCL. This is + necessary because under Linux 2.6 all threads have the same PID. + Thanks to Andrew Suffield for pointing this out. + + debian/slapd.cron.daily: cron job to remove GNUTLS rsa_export and + dh param cache files every day. + + debian/slapd.README.Debian: add note that we use GNUTLS rather + than OpenSSL. + + -- Roland Bauerschmidt Mon, 26 Jul 2004 18:41:23 +0200 + +openldap2 (2.1.30-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/slapd.scripts-common: add missing space before ! + Closes: #251036, #253633, #257513. + * Torsten Landschoff + + Applied patch by Ralf Hack to support non-standard config file + location in /etc/default/slapd (closes: #229195). + + Applied patch to fix handling of abandoned commands + (closes: #254183). Thanks to Peter Marschall for submitting it. + + Applied patch to fix memory leak after search (closes: #254184). + Thanks again, Peter! + + Applied trivial patch to support logging to DAEMON facility + as well as LOCAL* (closes: #254186). Here you are, Peter ;) + + -- Roland Bauerschmidt Fri, 09 Jul 2004 15:56:06 +0200 + +openldap2 (2.1.30-1) unstable; urgency=low + + * Torsten Landschoff : + + debian/control: Have slapd conflict with libltdl3 version 1.5.4-1 + as with that version loading of .so files is broken which breaks + slapd (closes: #249152). + + Applied patch to fix Perl backend (closes: #245347). Kudos + to Peter Marschall. + + debian/configure.options: Enable building of Perl backend. + + * Roland Bauerschmidt + + debian/slapd.templates: replace 'domain' with 'DNS domain name' + which is little more specific + + debian/slapd.config: check if the domain has a valid syntax to + prevent slapadd from failing. Closes: #235749. + + New upstream version with fix for NS-MTA-MD5 hash length + checking. Closes: #226583. + + -- Torsten Landschoff Mon, 24 May 2004 23:33:21 +0200 + +openldap2 (2.1.29-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/rules: Revert change to install ldapadd as symlink. + Somehow, with that change, ldapadd didn't get installed at all. + Closes: #243537. + + -- Roland Bauerschmidt Tue, 13 Apr 2004 19:49:55 +0200 + +openldap2 (2.1.29-1) unstable; urgency=low + + * Stephen Frost + + libraries/gnutls.c: Generate and store RSA/DH parameters, + based off a patch by Petr Vandrovec (though changed alot). + Closes: #234639, #234593 + + * Roland Bauerschmidt + + Merged new upstream release. + + debian/slapd.prerm: add #DEBHELPER# token. + + debian/control: have slapd depend on debconf (>= 0.5) to ensure + it supports the seen flag. + + debian/rules: ldapadd is installed as a hardlink to ldapmodify; + use a symlink instead. + + debian/slapd.{scripts-common,postinst,preinst,config}: Add new + function read_slapd_conf that evaluates include statements. + + -- Torsten Landschoff Mon, 12 Apr 2004 15:27:55 +0200 + +openldap2 (2.1.26-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + debian/slapd.templates (slapd/purge_database): Set default value to + false. + + debian/slapd.config (manual_configuration_wanted): Don't exit + from the script directly if the user wants to configure + slapd manually (exit 0 -> return 0). + + Build-depend on libgnutls10-dev instead of libgnutls7-dev and + rebuild (closes: #233833). + + Move previous content of /var/lib/ldap away during creation of + an initial directory (closes: #228886, #233512). + + debian/slapd.postrm: Remove flag files in /var/lib/slapd on purge. + + Removed functionality (verbose error messages) from gnutls.c until + it compiled with libgnutls10-dev :-(( + + debian/slapd.postinst: Overwrite existing /etc/ldap/slapd.conf (only + reached during initial installation/dpkg-reconfigure). + + -- Torsten Landschoff Mon, 23 Feb 2004 09:36:32 +0100 + +openldap2 (2.1.25-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + - Build against libdb4.2. Hopefully, this resolves the BDB + lock ups when configured improperly. + + debian/control: Have ldap-utils depend on the same version of + libldap2, and libldap2 conflict with ldap-utils (<= 2.1.23-1). + Closes: #216661. + + debian/slapd.{templates,config}: Check if there are slave + databases in slapd.conf lacking an updateref option, and warn + about it. Closes: #216797. + + debian/slapd.{templates,config,postinst,conf}: Ask which + database backend to use (BDB or LDBM). + + debian/slapd.README.Debian: cleanup + + servers/slapd/back-bdb/dbcache.c: Turn off subdatabases. This + is an incompatible database format change, but according to + Howard Chu "using them (subdatabases) is known to cause deadlocks + on multiprocessor machines, among other issues." + + debian/control: add Recommends: db4.2-util to slapd + + debian/control: add Recommends: libsasl2-modules to slapd and + ldap-utils. Closes: #224058. + + debian/slapd.{scripts-common,preinst,postinst}: Extended dump + and restore code to deal with different versions for different + backends. + + debian/control: Geez, centipede seems to have vanished a long + time ago. So don't claim it's included in the slapd package. + + debian/slapd.docs: created with servers/slapd/back-sql/ + rdbms_depends. Closes: #225807. + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd as it's useful without slapd as well (closes: #228705). + + debian/control: Make ldap-utils Replaces: slapd < 2.1.25 because + of that change. + + debian/control: Use libdb4.2-dev instead of libdb4.1-dev as a + number of problems seem to be related to DB 4.1. + + -- Torsten Landschoff Fri, 6 Feb 2004 20:48:22 +0100 + +openldap2 (2.1.23-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + + Applied fix for admin password breakage from Michael Beattie + . Closes: #214270. + + Added Dutch Debconf template translation by cobaco@linux.be. + Closes: #215373. + + Bumped Standards-Version (no changes needed). + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd (closes: #228705). + + -- Roland Bauerschmidt Sat, 18 Oct 2003 19:56:54 +0200 + +openldap2 (2.1.22-3) unstable; urgency=low + + * Call perl -w to run debian/dh_installscripts-common. Closes: #214054. + + -- Roland Bauerschmidt Sat, 4 Oct 2003 14:22:11 +0200 + +openldap2 (2.1.22-2) unstable; urgency=high + + * Stephen Frost + + servers/slapd/daemon.c: Apply patch from head for select handling. + + debian/rules: Fix build options to optimize correctly and to use + DEB_BUILD_OPTIONS (Policy, 10.1). Closes: #202306 + + debian/slapd.conf: Add in ACL for root DSE explicitly. + + debian/slapd.init: Add --oknodo in stop_slurpd. Closes: #202592 + + debian/rules: Need quotes around $(CFLAGS) on configure line. + + debian/slapd.init: Remove \'s before quotes around pidfile. + + debian/slapd.init: Add support for -h slapd flag. Closes: #201991 + + debian/slapd.default: Add variable $SLAPD_SERVICES for slapd -h. + + libraries/libldap/tls.c: Apply patch from asuffield in #202741 to + fix subjectAltName usage. Closes: #202741 + + * Torsten Landschoff : + + Fix invocation of "head" in maintainer scripts and replace usage of + [ foo -a bar ] by [ foo ] && [ bar ] (closes: #203292). + + debian/slapd.postrm: Small cleanup, only remove the directory, not + the backups, on purge. + + debian/rules: Don't run the upstream install target if we did not + rebuild the whole tree. Makes debugging maintainer script much more + tolerable. + + debian/slapd.config: Cleaned up and restructured for readability. + + debian/slapd.templates: Replaced the invalid_suffix template with + invalid_config which is more general and can be used for any + inconsistency in the initial configuration. + + debian/slapd.postinst: Rewritten to eliminate all that spaghetti. + Did not yet implement all old features again... + - Now the #DEBHELPER# part is always reached so that the daemon + will be restarted even if no automatic configuration is wanted + (closes: #204008). + + Fixed the undefined symbols in libldap_r.so.2 (closes: #195990). + | configure.in: Try -lpthread before -pthread to link the thread + library. libtool does not pass -pthread through, -lpthread seems + to work though. + | libraries/libldap_r/Makefile.in: Add $(LTHREAD_LIBS) to + UNIX_LINK_LIBS so that pthread is linked when creating a shared library + as well. + + * Roland Bauerschmidt : + + debian/configure.options: change --localstatedir=/var/lib to + --localstatedir=/var/run. Since localstatedir isn't used anywhere + in the code, except for the ldapi socket (and examples in the + manpages which are correct at the moment anyway), all this change + does should be changing the default location of the ldapi socket + from /var/lib/ldapi to /var/run/ldapi. Closes: #160965. + + libraries/libldap/tls.c: In get_ca_list, walk through CACERTDIR + manually if building against GNUTLS (since there is no equivalent + to SSL_add_dir_cert_subjects_to_stack). Closes: #205609. + + debian/slapd.preinst: create /var/backups/ldap/$oldver with + permissions 0700. Also change permissions for /var/backups/ldap + to 0700 if it already exists. Closes: #209019. + + Added Japanese translation of Debconf templates by Kenshi Muto + . Closes: #210731. + + debian/slapd.{postinst,preinst,config}: Replaced duplicate + implementations of the same functions with one version and moved + those into debian/slapd.scripts-common which will be included by + debian/dh_installscripts-common. + + debian/slapd.preinst: before dumping the database, check if the + backend is supported + + debian/slapd.postinst: + - add -q to grep call for allow bind_v2 + - readded pre-2.1 (woody) upgrade path (that is, dumping, fixing + and reimporting the database) + + -- Roland Bauerschmidt Fri, 3 Oct 2003 15:35:29 +0200 + +openldap2 (2.1.22-1) unstable; urgency=low + + * Stephen Frost : + + New upstream version (minor changes). + + debian/control: Change build-deps to autoconf2.13, Closes: #201482 + + debian/rules: Add dh_compress -i for binary-indep. + + debian/slapd.postinst: Give variable for read (avoids bashism). + + configure/.in: Use upstream's version of back-meta/back-ldap fix. + + -- Stephen Frost Wed, 16 Jul 2003 08:42:23 -0400 + +openldap2 (2.1.21-2) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.preinst: slapcat here if possible, if slapcat not + available then slapcat in postinst. Also remove old unused + function. + + debian/slapd.postinst: Check if slapcat in preinst worked and use + those results in preference. Also moved to using /var/backups/ldap. + + servers/slapd/daemon.c: Provide more information on socket/bind + failures. Patch submitted upstream. Closes: #94967. + + ./configure, ./configure.in: Fix check for back_ldap in back_meta. + back_ldap now included as module. back_ldap and back_meta appear + to load fine, though order may matter. Closes: #196995. + + debian/control: Add versioned Depends on perl, need recent version + for migration script. + + debian/slapd.{pre,post}inst: Allow for whitespace in postinst + before database definitions + + debian/control: Drop the libldap2-dev Depends that aren't actually + necessary. + + debian/slapd.preinst: Add create_sed_script to create the script to + deal with multi-line commands in slapd.conf. Modify things to use + sed script to preprocess slapd.conf before using it. Remove + support for whitespace preceeding commands. + + debian/slapd.postinst: Add create_sed_script here too and modify + everything to use it as necessary. Also change everything to + reference $SLAPD_CONF instead of /etc/ldap/slapd.conf everywhere. + Remove support for whitespace preceeding commands. + + debian/slapd.postinst: Removed all tabs. Changed all sed scripts + to used [:space:] instead of [space tab]. + + debian/slapd.postinst: Removed debugging statements from ldap_v2 + support handling code. + + debian/slapd.preinst: Changed to use mktemp for sed script. + + debian/slapd.postinst: Changed to use mktemp for sed script. + + debian/slapd.config: If no hostname set just use debian.org. + + contrib/ldapc++/config.{sub,guess}: Resync back to upstream, no + reason not to, we don't even build this stuff... + + debian/control: Change build-depends to libgnutls7-dev instead of + libssl-dev. + + debian/rules: Now run autoconf && autoheader to pick up on the + configure.in changes needed for GNU TLS. + + debian/copyright: Added Steve Langasek (SL) copyright statement. + + Patch from Steve Langasek for GNU TLS support, Closes: #198553 + | include/ldap_pvt_gnutls.h: Added for GNU TLS + | configure.in: Now uses GNU TLS where available. + | servers/slapd/schema_init.c: Modified for GNU TLS- some functions + removed because GNU TLS layer does not support them yet. + | build/install-sh: Added for new autoconf. + | libraries/libldap/Makefile.in: Changed to compile GNU TLS portions. + | libraries/libldap/getdn.c: Stub function added, GNU TLS layer does + not support TLS certificates for authentication yet. + | libraries/libldap/tls.c: Now calls GNU TLS functions instead of + OpenSSL. + | libraries/libldap/gnutls.c: Added to support GNU TLS in place of + OpenSSL for TLS connections. + | libraries/libldap_r/Makefile.in: Changed to compile GNU TLS portions. + + debian/slapd.postinst: remove temp file if upgrading or doing a + reconfigure but the OLDSUFFIX and basedn match so that we do not + move an empty file overtop of slapd.conf. Closes: #190797. + + debian/slapd.init: Inform user when not starting slapd due to + no configuration file found. Deals with users who select to not + configure slapd during installation. + + debian/slapd.init: Removed cat <<-EOF and got rid of associated + tabs; best to not depend on tab vs. space distinction. + + debian/slapd.config: Change debconf question names to be fully + qualified in the $var from the for loop- organization is under + shared/ and domain is under slapd/, not both under slapd/. + + debian/slapd.postrm: Can not depend on debconf being around in + postrm so check before attempting to source it. Also protect + against failure from db_get. + + debian/slapd.postinst: Check for old directory and move it out + of the way if it exists on new configure or reconfigure. + + debian/slapd.postinst: Fix db_input's for error messages, + should be high priority and need to || true them. + + debian/slapd.postinst: Do not error exit once we've told the + user about the problem, if there was one, with slapcat/slapadd. + + debian/slapd.postinst: Make sure we get the organization before + we attempt to fix_ldif on old slapcat output. Default to unknown + if the organization is not set. + + debian/slapd.postinst: Be sure that slapd has been stopped before + attempting to fix and slapadd old slapcat. + + debian/slapd.postinst: Do not use --exec with s-s-d in postinst. + + debian/slapd.postinst: grep calls need to be || true'd when no + matching lines found is possible (this case is handled). + + debian/slapd.postinst: Be very sure slapd has stopped before + attempting to upgrade database. + + debian/slapd.preinst: Use either the pidfile or exec if pidfile + is not available when stopping. Do not put \"\" around pidfile. + Use $oldver instead of $2. + + debian/slapd.config: Reask questions on a reconfigure. Use the + same logic as slapd.postinst for when to ask questions regarding + the db. Be sure to db_go after db_input's. + + debian/slapd.templates: Fix allow_bind_v2 short description to + make more sense since the default is off. + + debian/slapd.preinst: Use perl instead of sed for handling conf. + + debian/slapd.postinst: Use perl instead of sed for handling conf, + use old sed method to insert \n's, user invoke-rc.d when slapd + needs to be stopped. Assume preinst shuts slapd down for upgrade. + + debian/slapd.postinst: Only stop slapd on reconfigure. + + * Torsten Landschoff : + + doc/man/man8/slapd.8: Refer to slapd.conf(5) for a description of + the debugging level (closes: #176980). + + debian/move_files: Kill of the static archives of our backend + modules as they are of absolutely no use. + + * Steve Langasek : + + debian/slapd.postinst: Add a new function, get_database_list, that + prints out the list of configured databases from slapd.conf + one row at a time. Move all of the upgrade handling into a + loop, and iterate through the configured databases. Since the + while loop is in fact a subshell, be sure to handle errors + correctly. We also have to look at the configured directory + for each database, instead of assuming /var/lib/ldap. + Closes: #190155, #190156. + + debian/slapd.preinst: Simplify the handling of error status: if + the slapcat fails, just remove the ldif file. Also, add the + suffix to the name of the output file, and add the + get_database_list function here as well. + + * Roland Bauerschmidt : + + debian/rules: call dh_makeshlibs with -plibldap2 rather than just + with libldap2 + + debian/slapd.postinst: Add question about no configuration. + + debian/slapd.templates: Add template for no config question. + + debian/slapd.templates: Add template for invalid suffix. + + debian/slapd.config: Add no configuration option. Closes: #87986 + + debian/slapd.config: Complain to the user on invalid domain/org. + + -- Stephen Frost Tue, 15 Jul 2003 12:37:05 -0400 + +openldap2 (2.1.21-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + * Stephen Frost : + + debian/control: Add libbind-dev and bind-dev to the conflicts for + slapd, the libs in them can end up being used even when not + compiled against causing getaddrinfo() to fail. Closes: #166777 + + debian/copyright: Flush out the copyright file to include all found + copyrights and updates to those. + + debian/copyright: Add clarification of MA license + + debian/copyright: Add clarification of JC license + + debian/slapd.templates: More clearly inform users of important + config change. Closes: #194192. + + debian/control: Remove patch from build-depends (dpkg-dev depends on it) + + debian/fix_ldif: Correctly handle base64-encoded DNs. Closes: #197014. + + debian/slapd.templates: Added templates for asking about LDAPv2 support + and telling the user of slapcat/slapadd failures during upgrade. + + debian/slapd.postinst: Added support for adding LDAPv2 support + + debian/slapd.postinst: Modified to handle slapcat/slapadd failure. + In the event of an upgrade failure the database will be left untouched + and the user notified. Closes: #192431 + + debian/slapd.postinst: Use ldif_dump_location in more places... + + debian/slapd.prerm: Check if upgrade failed and assume bad old init.d + script was used and attempt to shut down slapd with --oknodo in case + slapd isn't running. Closes: #193854. (Again) + + debian/slapd.conf: Add commented out allow line + + debian/rules: Tell dh_installinit to not touch slapd.prerm now. + + debian/slapd.postinst: Do a dry-run with slapadd first and check if + that worked or not. If it did not work then tell the user, otherwise + do a real slapadd which should work. + + debian/slapd.postinst: Make sure slapd is stopped before doing + slapadd/slapcat's and the like. (Note: The woody version does not + stop slapd). Closes: #189777. + + debian/slapd.postinst: Check if directories exist before attempting + to mkdir them. Closes: #189947 + + debian/slapd.README.debian: Add note about runlevel issue. + Closes: #175736 + + debian/move_files: Copy ldiftopasswd into /usr/share/slapd for users + to use, if they find it useful. Closes: #94963. + + debian/slapd.README.Debian: Added note about ldiftopasswd. + + * Roland Bauerschmidt : + + debian/slapd.postinst: fixed typos and check for the existence of + slapd.conf before reading it. + + -- Torsten Landschoff Thu, 19 Jun 2003 17:35:32 +0200 + +openldap2 (2.1.17-3) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.init: Add --oknodo for stopping slapd. Closes: #192423, #193854. + + debian/slapd.init: Change START_SLURPD to SLURPD_START. Closes: #190724. + + debian/libldap2.shlibs: Bump to 2.1.17- 2.1.12 never hit the archive. + These should only be bumped when new symbols are added so we should + figure out a way to handle checking that. + + debian/slapd.dirs: Added /var/run/slapd for pidfile + + debian/slapd.conf: Moved pidfile to /var/run/slapd; Needed if running + non-root. + + debian/slapd.conf: Clean up config file, be more explicit about what + directives are 'general', 'backend', and 'database'. Moved and + commented out 'replogfile' since it is database specific, wasn't doing + anything where it was and use of it depends on slurpd usage. + I consider this solving #151511 since we don't ask if you want to use + replication anymore anyway. Closes: #151511 + + debian/copy_slapd_dev_files: Added to copy the include files for + building slapd back-ends. + + debian/control: Add warning about libslapd2-dev + + debian/control: Add build-depend on po-debconf for dh_installdebconf + + debian/slapd.default: Add option for settings SLAPD_CONF file + + debian/slapd.init: Changed to use SLAPD_CONF, setting it to + /etc/ldap/slapd.conf if it is not specified. Closes: #91318 + + debian/control: Added libslapd2-dev to control file. Closes: #192163. + + debian/rules: Added binary-indep to the binary: build line and flushed + it out to build the libslapd2-dev deb. Added -k to dh_clean since we're + building arch and indep debs now. + + Maintainer upload, acknowledge NMU. Closes: #98039. + + Add debian/po/fr.po from 194740. Closes: #194740 + + Add space before ']' on line 113 of postinst. Closes: #194192, #194943 + + * Torsten Landschoff : + + debian/control: Enforce libldap2 to be the same version as slapd + as slapd (legitimately) uses internal functions of that library + (closes: #190164). + + debian/slapd.postinst: Fix the regexp for finding the database + definitions. + + * Steve Langasek : + + debian/slapd.preinst: don't use debconf or ldapsearch in the + preinst, as this is a policy violation (even if a previous + version was installed, it could've been removed-but-not-purged). + Closes: #189811, #195029. + + debian/slapd.{pre,post}inst: dump & fix up the directory in the + postinst, not in the preinst -- using slapcat/slapadd, not + ldapmodify. This ensures that the dump will succeed whenever the + database is present, rather than depending on access to an admin + dn. Closes: #190085. + + debian/fix_ldif, debian/move_files, debian/copyright: add Dave + Horsfall's dn-fixing script, to handle objectClass upgrading + + debian/slapd.postinst: Skip the duplicate prompting for the + organization name; we're guaranteed to always have one. + + -- Torsten Landschoff Fri, 6 Jun 2003 16:56:16 +0200 + +openldap2 (2.1.17-2) unstable; urgency=low + + * The who-says-slavery-is-dead upload. + * Steve Langasek : + + debian/slapd.postinst: Fix the database regexp. + + debian/slapd.postinst: Only add moduleload lines *once* on upgrade + from 2.0. Wrap the backup code with a check for + /var/lib/slapd/upgrade_2.0, to guarantee idempotency. + Closes: #190401. + + debian/slapd.{config,templates,postinst}: On dpkg-reconfigure, + don't wipe out an existing config; only merge in any requested + changes. Also, prompt before wiping out the existing db. + Closes: #190799. + + debian/slapd.{postinst,examples},debian/rules: Move slapd.conf + from doc/slapd/examples to /usr/share/slapd, per policy. + + debian/slapd.postinst: make sure slapd.conf is always created + atomically. + + debian/slapd.postrm: If removing databases on package purge, + remove any database backups as well. + + * Torsten Landschoff : + + debian/configure.options: Disable ACIs because they are still + experimental. + + debian/control: Change section and priority of libldap2-dev to + libdevel and extra respectively (dinstall message). + + debian/slapd.preinst: Only query the object classes of the root + dn if there was no error parsing the config. + + Update templates for po-debconf using the patch submitted by + Andre Luis Lopes (closes: #189933). + + Use [[:space:]] instead of [\t ] in sed invocations since the + latter does not seem to work (reported by Daniel Lutz). + + debian/control: Add Replaces: entry for openldapd since ldif.5.gz + was included in the potato package of that name (closes: #190660). + + debian/control: Tighten the build dependency on libtldl3-dev as + versions before 1.4.3 required the .la file for dynamic binding + (thanks to Josip Rodin for pointing this out). + + -- Torsten Landschoff Sat, 19 Apr 2003 02:28:32 +0200 + +openldap2 (2.1.17-1) unstable; urgency=low + + * New upstream release. + * Torsten Landschoff : + + debian/slapd.init: Improve the error reporting. If nothing is output + by the failing command don't leave the user alone but print a hint + to look into the logfile etc. + + debian/control: Require at least version 2.1.3 of libsasl2-dev + as this is what the configure script checks for. Pointed out by + Norbert Tretkowski. + + debian/slapd.{pre,post}inst: Small cleanups, added some comments, + adapted for the removal of the .la files in slapd package. + + -- Torsten Landschoff Sat, 19 Apr 2003 01:59:26 +0200 + +openldap2.1 (2.1.16-1) unstable; urgency=low + + * New upstream release. + + build/top.mk: Remove patch to omit "-static" at linking time. Upstream + now respects the --enable-shared flag used at configuration time. + + debian/slapd.postinst: Automagically add the module load directives + after upgrade as needed. + + debian/slapd.config: + - Only ask questions to create a new directory on fresh install. + - Ask wether the right modules should automatically be loaded in + slapd.conf. + + debian/slapd.templates: Add the templates for autoloading modules + and fixing the directory. + + debian/slapd.preinst: New script to support upgrading from 2.0. + The old prerm did not stop the daemon so we have to do it here. + Also a first attempt to fix broken LDAP directories not acceptable + to 2.1. + - Conditionally load debconf when upgrading as it only has to + be available in that case. + + debian/slapd.preinst: Dump database before upgrade. + + debian/slapd.postinst: Recreate database from dump after upgrade. + Move old database out of the way. + + * Roland Bauerschmidt + + debian/slapd.README.Debian: mention that backend database modules are + now compiled as shared objects + + * Stephen Frost + + debian/slapd.conf: Drop the '.la' file extension + + debian/move_files: Drop and rm the .la files, they aren't necessary. + + debian/slapd.README.Debian: Dropped the .la from the module_load line. + + servers/slapd/daemon.c: check slapd_srvurls is not NULL before + deref; included in upstream CVS. + + servers/slapd/back-*/init.c: Change the munged symbol names to + init_module, they do not need to be munged, and cause problems when + they are and not using .la files (which cause other problems) + + servers/slapd/module.c: Change to use lt_dlopenext() so we don't + need the .la files + + -- Torsten Landschoff Wed, 26 Mar 2003 20:34:35 +0100 + +openldap2.1 (2.1.12-1) experimental; urgency=low + + * Initial release of OpenLDAP 2.1 packages. Closes: #167566, #178014. + - this includes support for the >= and <= operators. Closes: #159078. + - fixes various upstream bugs. Closes: #171008. + + * Torsten Landschoff + - debian/check_config: Added script to check if OpenLDAP was configured + the way we want it. + - Don't build special TLS packages anymore - SSL is enabled in the + stock ldap library. Everything else will just give me more headaches. + - Build against libsasl2 instead of libsasl1. Closes: #176462. + - debian/control: + - Build-depend on debhelper 4.0 as debian/rules uses DH_COMPAT=4. + - Depend on coreutils | fileutils. Closes: #175704, #185676. + - Make libldap2 conflict with libldap2-tls which is obsolete now. + - debian/rules: Move the long list of configure options to a new + file debian/configure.options and read $(CONFIG) from that file. + - configure with --enable-aci. Closes: #101602. + - debian/slapd.init: Rewrite and add comments. + - Add support for running as non-root (closes: #111765, #157037). + - servers/slapd/main.c (main): Remove pid file on exit (closes: #162284). + - servers/slurpd/slurp.h: Change the default spool directory to + /var/spool/slurpd (avoids passing it via -t in init.d). + - servers/{slapd,slurpd}/Makefile.in: Install binaries into sbindir + instead of libexecdir. + - debian/control: Add Stephen Frost to the Uploaders field. Thanks + for your help, Stephen! + - contrib/ldapc++/config.{guess,sub}: Replaced with current files from + autotools-dev (lintian). Not actually neccessary since this part of + the package is not currently built but I think this is the best way + to shut up lintian :) + - build/mod.mk: Use -m 644 instead of -m 755 in installing shared + libraries. Shared libraries should not be marked as executable + (lintian). + - debian/libldap2.conffiles: Remove, since we are using version 4 + of debhelper which tags everything in /etc as conffile by default. + - debian/rules: Change the mode of everything upstream installed into + /etc to 0644 as required by policy (lintian). + - debian/rules: Call dh_installdeb later in the binary target so that + the conffiles are already there for listing. Without this nothing in + /etc gets tagged as conffile... (lintian). + - debian/rules: Pass the start and stop priority of slapd to + dh_installinit in preparation for a postinst supported by debhelper. + - debian/rules: Call dh_installdirs again. + - Rewrite slapd.config, slapd.postinst, slapd.templates - a first try + in getting slapd to configure itself. Way to go. + + * Roland Bauerschmidt + - debian/control: + - build-depend on libdb4.1-dev instead of libdb4.0-dev + - conflict, replace, and provide libldap2-tls (libldap2) + - removed ldap-gateways binary package + - drop suggestion to obsolete openldap-guide. Closes: #171894, #146968. + - debian/rules: + - build with BDB backend + - run dh_installdeb + - only run dh_makeshlibs for libldap2 + - debian/slapd.dirs: added to create /var/lib/ldap and /var/spool/slurpd + - debian/slapd.postinst: + - properly remove temporary files on errors. Closes: #160412. + - install init.d link if slapd.conf already exists. Closes: #159542. + - run db_stop even if package isn't configured for the first time. This + prevents hanging during upgrades. + - added debian/slapd.default and use it from debian/slapd.init. + Closes: #160964, #176832. + - added debian/slapd.README.Debian + - added versioned dependency on coreutils to make lintian quiet. + - added debian/slapd.postrm + - remove slapd.conf when package is purged + - remove /var/lib/ldap when slapd/purge_database is true + - remove /etc/ldap/schema if empty. Closes: #185173. + - debian/templates: added slapd/purge_database template + - build/top.mk: link against libcrypt before other SECURITY_LIBS + - debian/libldap2.shlibs: tighten dependencies. Closes: #181168. + + * Stephen Frost + - debian/control: added libltdl2-dev and libslp-dev to the build-depends + - Correct typo for back-sql init routine; already in OpenLDAP upstream + CVS + - Correct free of SASL interact results; already in OpenLDAP upstream CVS + - Duplicate the DN from SASL to ensure '\0' termination; already in + OpenLDAP upstream CVS + - debian/control: added Replaces: slapd (<< 2.1) for ldap-utils due to + ldif.5 move. + - Add modulepath /usr/lib/ldap to default slapd config + - Add moduleload back_bdb to default slapd config + - Changed libexecdir to ${prefix}/lib + - Add usr/lib/ldap to slapd portion of move_files + - Modified backend types to be built as modules for dynamic loading + - Fixed pt_BR translation + + -- Roland Bauerschmidt Sat, 15 Mar 2003 21:35:24 +0100 + +openldap2 (2.0.27-3) unstable; urgency=high + + * [SECURITY]: Apply the patch used by SuSE in SuSE-SA:2002:047 + (or rather the parts of it not yet included upstream). + + -- Torsten Landschoff Fri, 20 Dec 2002 04:47:15 +0100 + +openldap2 (2.0.27-2) unstable; urgency=low + + * debian/control: Make libldap2-dev depend on libssl-dev and + libsasl-dev, since those libs are pulled via the libldap.la file + (closes: #164791). + * debian/control: Add shlibs:Depends to libldap2-tls as well. Most + of those depends are pulled via libldap2 but of course libssl + is not among those. (closes: #169950). + * debian/libldap2-tls: Remove old divertions on "configure" and not + on "upgrade" - the latter is not really called. + + -- Torsten Landschoff Fri, 22 Nov 2002 00:35:29 +0100 + +openldap2 (2.0.27-1) unstable; urgency=low + + * New upstream release. + + -- Torsten Landschoff Wed, 6 Nov 2002 01:12:06 +0100 + +openldap2 (2.0.23-14) unstable; urgency=low + + * debian/rules: Remove search paths from .la files using some perl + trickery (closes: #110479). + * debian/libldap2.README.debian: Document the NSS problem which stops /usr + from being unmounted cleanly when using libnss-ldap (for more info + see bug#159771). + + * Started cleaning up the maintainer scripts: + - Remove creation of the /usr/doc symlinks (lintian). + - Don't run ldconfig in prerm scripts (lintian). + + -- Torsten Landschoff Mon, 30 Sep 2002 12:10:05 +0200 + +openldap2 (2.0.23-13) unstable; urgency=low + + * As Ashley Clark found out the preinst of libldap-tls fails for a new + install. My fault - I did not check that (removing ldap is cumbersome + if you are using it... :) and the scripts were only checked without + "set -e" in effect. + + debian/libldap2-tls.preinst: Apply Ashley's patch (thanks a lot, + Ashley. closes: #162123). + + Coincidently the other installation scripts seem to be okay, the + failing command is in the middle of a pipe and therefore ignored. + + -- Torsten Landschoff Tue, 24 Sep 2002 12:56:18 +0200 + +openldap2 (2.0.23-12) unstable; urgency=low + + * Apply the patch from upstream ITS#2012 to support MD5 hashes. Problem + is that OpenSSL comes with its own version of the crypt() function + which is linked in instead of the system's version from libcrypt. + The patch changes the link order so that slapd takes the system's + implementation. + * debian/rules: Pass --enable-crypt-first to configure to enable the + patch (closes: #160763). + * Fix the diversion handling of libldap2-tls: + - preinst: Only install diversions that are not there. + - postrm: Remove this package's diversions. + - postinst: Remove obsolete diversions after upgrade. + - Removal of diversions is done in reverted order of the installation. + + * Enable DNSSRV support as requested by Turbo. No Kerberos for now, sorry. + * debian/control: Updates Standards-Version to 3.5.7 and fix running + of ldconfig in maintainer scripts. + + -- Torsten Landschoff Mon, 23 Sep 2002 12:18:40 +0200 + +openldap2 (2.0.23-11) unstable; urgency=low + + * debian/rules: Build with --with-tls (closes: #80591, #155937). + * debian/control: + + Add build dependency on libssl-dev. + + Specify Roland Bauerschmidt as co maintainer. + * Added the trickery to have libldap2 without TLS and libldap2-tls + with the TLS stuff. Otherwise we have to change the base system, + and god knows how long that would take. + + Most of the changes done by Roland Bauerschmidt. We now build the + source two times - with and without ssl. We mostly use the ssl enabled + stuff with the exception of a libldap2 package which does not have + support for that. If you need TLS support you have to install + libldap2-tls, which diverts the libraries from libldap2 out of the + way and replaces them with the TLS enabled version. + + -- Torsten Landschoff Thu, 29 Aug 2002 13:35:39 +0200 + +openldap2 (2.0.23-10) unstable; urgency=low + + * debian/control: Build depend on libdb4.0-dev instead of libdb3-dev. + This should fix the index corruption problems (closes: #152959). + + -- Torsten Landschoff Sun, 18 Aug 2002 19:47:02 +0200 + +openldap2 (2.0.23-9) unstable; urgency=low + + * debian/slapd.init: Wait for the daemons to actually terminate for + the stop action (which is used for restart) and trap all errors + (closes: #148033). + * debian/rules: Build with -D_FILE_OFFSET_BITS=64 to support files + bigger than 2GB on all architectures (closes: #155197). As off_t is + about never used in the source that should not create any problems. + * debian/control: Make libldap2-dev depend on libsasl-dev + (closes: #135223, #96957). + * doc/man/man1/ldapmodify.1: Fix typo (closes: #105905). + * debian/rules: Create symlinks for some manpages (closes: #99547). + * Fix spelling error in description of ldap-gateways (closes: #124859). + * debian/copyright: Include the full content of the LICENSE file + (closes: #151222). + + -- Torsten Landschoff Thu, 8 Aug 2002 15:54:46 +0200 + +openldap2 (2.0.23-8) unstable; urgency=low + + * New maintainer. + * debian/control: Build-Conflict with libbind-dev to use the right + resolver library everywhere (closes: #112459). Of course, the + real solution must be to fix the configure script to not detect + libbind-dev and use the right resolver all the time. But a work around + is better than nothing I would say... + + -- Torsten Landschoff Wed, 7 Aug 2002 14:53:39 +0200 + +openldap2 (2.0.23-7) unstable; urgency=low + + * Add Brazilian translation for debconf templates. Closes: Bug#114021 + * Fix hostless LDAP URLs, patch from Lamont Jones. Closes: Bug#140387 + + -- Wichert Akkerman Sat, 4 May 2002 20:05:32 +0200 + +openldap2 (2.0.23-6) unstable; urgency=high + + * Make slapd.config idempotent, so that calling it once (during + preconfiguration) and again (during postinst) doesn't break things. + Patch from Anthony Towns. Closes: Bug#137552). + + -- Wichert Akkerman Sun, 14 Apr 2002 19:10:50 +0200 + +openldap2 (2.0.23-5) unstable; urgency=high + + * Fix slurpd invocation in slapd.init. Closes: Bug#141959 + * Ask for admin DN when using LDIF initialization as well. + Lets hope this finally Closes: Bug#137552 + * Merge German translation for debconf templates. Closes: Bug#141712 + * Add Build-Depends on debconf-utils since we use debconf-mergetemplate + * Remove bogus error from slapd.init. Closes: Bug#137718 + + -- Wichert Akkerman Tue, 9 Apr 2002 14:49:27 +0200 + +openldap2 (2.0.23-4) unstable; urgency=high + + * Only show already-configured note on initial installs. Closes: Bug#137100 + * Supply -t option to slurpd when starting it, not when stopping it. + Closes: Bug#136240 + * Use db_input instead of db_get for notes in the slapd postinst. + * Only fetch password from debconf when not using ldif initialization. + Closes: Bug#138558,#137552 + * Check if slapd.conf exists in slapd postinst. Closes: Bug#138136 + + -- Wichert Akkerman Sat, 6 Apr 2002 23:02:42 +0200 + +openldap2 (2.0.23-3) unstable; urgency=high + + * If can not get a password for the admin entry when installing slapd + generate one randomly. Closes: Bug#134774 + * Bump shlibs dependency to 2.0.23 + + -- Wichert Akkerman Thu, 21 Feb 2002 23:23:57 +0100 + +openldap2 (2.0.23-2) unstable; urgency=high + + * Create /var/spool/slurpd and tell slurpd to use that as temporary + directory. Closes: Bug#134564 + * Improve debconf prompts a bit. Closes: Bug#134945 + * Properly set default value for domain + * Clear crypted password from debconf after creating the LDAP directory + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.23-1) unstable; urgency=high + + * Upstream updated config.{guess,sub} so we are back to zero patches + again. + * Apply fix from Klaus Duscher for the missing password problem: the + config script did not check if it was run twice without slapd.conf + being generated in between and would abort with a missing password + error. Closes: Bug#132566 + * Change slapd priority for boot sequence to start earlier and stop + later so people can use LDAP for NSS purposes. Closes: Bug#130277 + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.22-2) unstable; urgency=low + + * Update config.{guess,sub} again. Closes: Bug#131469 + + -- Wichert Akkerman Thu, 7 Feb 2002 22:33:01 +0100 + +openldap2 (2.0.22-1) unstable; urgency=low + + * New upstream version + * Build properly as non-native package + + -- Wichert Akkerman Wed, 6 Feb 2002 00:17:20 +0100 + +openldap2 (2.0.21-3) unstable; urgency=high + + * Add logic to config and postinst to configure replication as well + * Don't fail in slapd postinst if we can't stop slapd. Closes: Bug#131617 + * Change localstatedir to /var/lib + * Remove /var/lib/ldap when purging slapd + * Don't remove user-supplied ldif file after creating the directory + * Set default replogfile + * Fix typo in severity for no_password note + * Encrypt admin password and remove it from the debconf database + + -- Wichert Akkerman Thu, 31 Jan 2002 17:03:36 +0100 + +openldap2 (2.0.21-2) unstable; urgency=medium + + * Update config.{guess,sub} and forwarded upstream (ITS#1567). + Closes: Bug#131469 + * Remove -x from slapd postinst. Closes: Bug#131502 + + -- Wichert Akkerman Wed, 30 Jan 2002 10:53:45 +0100 + +openldap2 (2.0.21-1) unstable; urgency=high + + * New upstream version, + * Update copyright + * Update config.guess and config.sub + * Redone packaging, no more dbs or debhelper + * Drop all patches, they are either unnecessary or alternatives have + been made upstream + + -- Wichert Akkerman Tue, 29 Jan 2002 17:04:10 +0100 + +openldap2 (2.0.14-1) unstable; urgency=high + + * New upstream version, which includes a billion second bug. + Closes: Bug#111833 + * Drop 005_libldbm_dbopen, upgrading the database in place no longer works + with the new db-env code. + * Redo 008_porting_maxpathlen + + -- Wichert Akkerman Sat, 15 Sep 2001 13:39:46 +0200 + +openldap2 (2.0.11-2) unstable; urgency=low + + * Test if /etc/init.d/slapd is executable when purging slapd. + Closes: Bug#100938 + * Update 008_porting_maxpathlen. Closes: Bug#100584 + * Don't use four11 as referral example anymore. Closes: Bug#99998 + * Fix synopsis of slapindex manpage. Added to 002_man_fixes. + Closes: Bug#98805 + * Removed stray backup file from 002_man_fixes + + -- Wichert Akkerman Tue, 19 Jun 2001 01:01:17 +0200 + +openldap2 (2.0.11-1) unstable; urgency=low + + * New upstream version + * Add autoconf to Build-Depends. Closes: Bug#99440 + * Fix new db upgrade patch. Closes: Bug#98853 + + -- Wichert Akkerman Sun, 3 Jun 2001 00:25:47 +0200 + +openldap2 (2.0.10-2) unstable; urgency=low + + * Tighten shlibs dependency to >= 2.0.1-1. Closes: Bug#98683 + + -- Wichert Akkerman Fri, 25 May 2001 16:32:35 +0200 + +openldap2 (2.0.10-1) unstable; urgency=low + + * New upstream version + * New maintainer + * Remove useless LINE_WIDTH bit from patch 000_clients + * Patch 004_ssl_fix has been merged upstream, removed + * Redo 005_db3_upgrade + * Rediff all other patches + + -- Wichert Akkerman Thu, 24 May 2001 14:56:02 +0200 + +openldap2 (2.0.7-6) unstable; urgency=low + + * Make sure autoconf is run if configure.in is changed (for Hurd patch), + closes: #96145 + * Fix slapd.postinst in the case of using an ldif file, closes: #95600 + * Use a var for slapd.conf in slapd init script. Partially fixes bug + 91318. + * Fixed hurd patch for strrchr in replog.c, closes: #93605 + + -- Ben Collins Mon, 7 May 2001 23:00:27 -0400 + +openldap2 (2.0.7-5) unstable; urgency=low + + * Fixed db3 upgrade code, closes: #92331, #92916 + * m68k should compile fine with db3 now, closes: #90165 + * Included provided patch for Hurd compilation, closes: #88079 + + -- Ben Collins Wed, 4 Apr 2001 17:46:47 -0400 + +openldap2 (2.0.7-4) unstable; urgency=low + + * slapd.conf is no longer a conffile, and not provided by the package. + Instead, it is only generated. closes: #81359 + * Fixed by previous upload, closes: #71852, #78950, #82491 + * Actually install the netscape schema, closes: #90323 + * Add comment to README.Debian about being compiled with libwrap, + closes: #84954 + * Provide example sasl config file, closes: #90855 + * Conflict replace openldap-utils (ldap-utils), and libopenldap-dev + (libldap2-dev), closes: #71471 + * Revert to using some code to upgrade previous db's. Remove slapd's dep + on db3-util, and remove postinst code that upgrades the db's. + + -- Ben Collins Sat, 24 Mar 2001 21:59:20 -0500 + +openldap2 (2.0.7-3) unstable; urgency=low + + * netscape-profile.schema: new schema for old roaming support + * 004_ssl_fix.diff: Fix for SSL support (not compiled in, but some + people use it). + * slapd.config: FINALLY fix the "dc=" base bug. + * Build-Depend on libdb3-dev now that it is available. + * Now that we use db3, make sure we upgrade existing databases to the + db3 format with db3_upgrade. + + -- Ben Collins Sun, 11 Mar 2001 23:36:34 -0500 + +openldap2 (2.0.7-2) unstable; urgency=low + + * slapd.postinst: fix debhelper wraper so it gets the right @argv, + closes: #71854 + * sendmail appears to be compiled against glibc2.2/libdb2 now, + closes: #71602 + * %strace ldapsearch cn=admin | & grep /etc | grep ldap + open("/etc/ldap/ldap.conf", O_RDONLY) = 3 + closes: #71716 + * ldap_first_attribute.3: s/ber_free(3)/ber_free/. closes: #76719 + * init.d/slapd: fix reference to pidfile, and also remove the pidfile + after killing the daemon, closes: #77633, #77635 + * Fix fgets buffer size thinko in slurpd. closes: #78003 + * slapd.8: s/ldap.h/slapd.conf(5)/. closes: #80457 + + -- Ben Collins Sun, 31 Dec 2000 00:02:46 -0500 + +openldap2 (2.0.7-1) unstable; urgency=low + + * New upstream + * Removed hack for shlibs now that dpkg 1.7 is available, added dpkg-dev + 1.7.1 to build-depends. + * start using DH_COMPAT=2 + + -- Ben Collins Fri, 10 Nov 2000 18:53:25 -0500 + +openldap2 (2.0.2-2) unstable; urgency=low + + * Recompile against libdb2/glibc 2.1.94/sasl + + -- Ben Collins Wed, 27 Sep 2000 11:31:59 -0400 + +openldap2 (2.0.2-1) unstable; urgency=low + + * New upstream version, includes some patches from me that fix some + stability issues + * debian/control:Build-Depends: change libwrap-dev to libwrap0-dev for + clarity, closes: #71366 + * debian/rules: make sure mail500 docs do not get installed under bogus + subdirs, closes: #71473 + * debian/README.build,debian/scripts/dbs-build.mk: Fix and document + build system better, closes: #71584 + * debian/local/slapd.conf: Setup default ACL's to work with openldap2 + correctly, closes: #71127, #71131 + * debian/README: document how to access OpenLDAP 1 servers via + ldap-utils, closes: #71469 + * debian/rules:CFLAGS: add -I/usr/include/db2 to make sure we get the + right header, closes: #71470 + * I cannot reproduce this. In debian/rules I have done exactly what is + needed to keep it from happening, and sparc, i386 and powerpc builds + do not show it, closes: #71472 + + -- Ben Collins Wed, 13 Sep 2000 22:32:35 -0400 + +openldap2 (2.0.1-2) unstable; urgency=low + + * Fixed up depend for libldap2 on itself + + -- Ben Collins Wed, 6 Sep 2000 13:24:06 -0400 + +openldap2 (2.0.1-1) unstable; urgency=low + + * New upstream version + * Added libsasl-dev to build-deps, closes: #70923 + + -- Ben Collins Tue, 5 Sep 2000 06:49:05 -0400 + +openldap2 (2.0-1) unstable; urgency=low + + * Initial release of OpenLDAP 2 test code + + -- Ben Collins Tue, 29 Aug 2000 14:28:39 -0400 + --- openldap-2.4.28.orig/debian/slapd.init.ldif +++ openldap-2.4.28/debian/slapd.init.ldif @@ -0,0 +1,84 @@ +# Global config: +dn: cn=config +objectClass: olcGlobal +cn: config +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +olcPidFile: /var/run/slapd/slapd.pid +# List of arguments that were passed to the server +olcArgsFile: /var/run/slapd/slapd.args +# Read slapd.conf(5) for possible values +olcLogLevel: none +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +olcToolThreads: 1 + +# Frontend settings +dn: olcDatabase={-1}frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: {-1}frontend +# The maximum number of entries that is returned for a search operation +olcSizeLimit: 500 +# Allow unlimited access to local connection from the local root user +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break +# Allow unauthenticated read access for schema and base DN autodiscovery +olcAccess: {1}to dn.exact="" by * read +olcAccess: {2}to dn.base="cn=Subschema" by * read + +# Config db settings +dn: olcDatabase=config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +# Allow unlimited access to local connection from the local root user +olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break + +# Load schemas +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file:///etc/ldap/schema/core.ldif +include: file:///etc/ldap/schema/cosine.ldif +include: file:///etc/ldap/schema/nis.ldif +include: file:///etc/ldap/schema/inetorgperson.ldif + +# Load module +dn: cn=module{0},cn=config +objectClass: olcModuleList +cn: module{0} +olcModulePath: /usr/lib/ldap +olcModuleLoad: back_@BACKEND@ + +# Set defaults for the backend +dn: olcBackend=@BACKEND@,cn=config +objectClass: olcBackendConfig +olcBackend: @BACKEND@ + +# The database definition. +dn: olcDatabase=@BACKEND@,cn=config +objectClass: olcDatabaseConfig +objectClass: @BACKENDOBJECTCLASS@ +olcDatabase: @BACKEND@ +olcDbCheckpoint: 512 30 +olcDbConfig: set_cachesize 0 2097152 0 +olcDbConfig: set_lk_max_objects 1500 +olcDbConfig: set_lk_max_locks 1500 +olcDbConfig: set_lk_max_lockers 1500 +olcLastMod: TRUE +olcSuffix: @SUFFIX@ +olcDbDirectory: /var/lib/ldap +olcRootDN: cn=admin,@SUFFIX@ +olcRootPW: @PASSWORD@ +olcDbIndex: objectClass eq +olcAccess: to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,@SUFFIX@" write + by * none +olcAccess: to dn.base="" by * read +olcAccess: to * + by self write + by dn="cn=admin,@SUFFIX@" write + by * read + --- openldap-2.4.28.orig/debian/slapd.preinst +++ openldap-2.4.28/debian/slapd.preinst @@ -0,0 +1,22 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# If we are upgrading from an old version then stop slapd and attempt to +# slapcat out the data so we can use it in postinst to do the upgrade + +if [ "$MODE" = upgrade ]; then + dump_databases +fi + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap-2.4.28.orig/debian/apparmor-profile +++ openldap-2.4.28/debian/apparmor-profile @@ -0,0 +1,54 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jan 4 15:18:13 2008 +# Author: Jamie Strandboge + +#include + +/usr/sbin/slapd { + #include + #include + + #include + /etc/ssl/private/ r, + /etc/ssl/private/* r, + + /etc/sasldb2 r, + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/gai.conf r, + /etc/hosts.allow r, + /etc/hosts.deny r, + + # ldap files + /etc/ldap/** kr, + /etc/ldap/slapd.d/** rw, + + # kerberos/gssapi + /dev/tty rw, + /etc/krb5.keytab kr, + /var/tmp/ rw, + /var/tmp/** rw, + + # the databases and logs + /var/lib/ldap/ r, + /var/lib/ldap/** rwk, + + # lock file + /var/lib/ldap/alock kw, + + # pid files and sockets + /{,var/}run/slapd/* w, + /{,var/}run/nslcd/* w, + + /usr/lib/ldap/ r, + /usr/lib/ldap/* mr, + + /usr/sbin/slapd mr, + + # Site-specific additions and overrides. See local/README for details. + #include +} --- openldap-2.4.28.orig/debian/libldap-2.4-2.install +++ openldap-2.4.28/debian/libldap-2.4-2.install @@ -0,0 +1,5 @@ +usr/lib/*/liblber-2.4.so.2 +usr/lib/*/liblber-2.4.so.2.*.* +usr/lib/*/libldap_r-2.4.so.2 +usr/lib/*/libldap_r-2.4.so.2.*.* +etc/ldap/ldap.conf --- openldap-2.4.28.orig/debian/slapd.init +++ openldap-2.4.28/debian/slapd.init @@ -0,0 +1,195 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: slapd +# Required-Start: $remote_fs $network $syslog +# Required-Stop: $remote_fs $network $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: OpenLDAP standalone server (Lightweight Directory Access Protocol) +### END INIT INFO + +# Specify path variable +PATH=/sbin:/usr/sbin:/bin:/usr/bin + +. /lib/lsb/init-functions + +# Kill me on all errors +set -e + +# Set the paths to slapd as a variable so that someone who really +# wants to can override the path in /etc/default/slapd. +SLAPD=/usr/sbin/slapd + +# Stop processing if slapd is not there +[ -x $SLAPD ] || exit 0 + +# debconf may have this file descriptor open and it makes things work a bit +# more reliably if we redirect it as a matter of course. db_stop will take +# care of this, but this won't hurt. +exec 3>/dev/null + +# Source the init script configuration +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + if [ -e /etc/ldap/slapd.d ]; then + SLAPD_CONF=/etc/ldap/slapd.d + else + SLAPD_CONF=/etc/ldap/slapd.conf + fi +fi + +# Stop processing if the config file is not there +if [ ! -r "$SLAPD_CONF" ]; then + log_warning_msg "No configuration file was found for slapd at $SLAPD_CONF." + # if there is no config at all, we should assume slapd is not running + # and exit 0 on stop so that unconfigured packages can be removed. + [ "x$1" = xstop ] && exit 0 || exit 1 +fi + +# extend options depending on config type +if [ -f "$SLAPD_CONF" ]; then + SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS" +elif [ -d "$SLAPD_CONF" ] ; then + SLAPD_OPTIONS="-F $SLAPD_CONF $SLAPD_OPTIONS" +fi + +# Find out the name of slapd's pid file +if [ -z "$SLAPD_PIDFILE" ]; then + # If using old one-file configuration scheme + if [ -f "$SLAPD_CONF" ] ; then + SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ + "$SLAPD_CONF"` + # Else, if using new directory configuration scheme + elif [ -d "$SLAPD_CONF" ] ; then + SLAPD_PIDFILE=`sed -ne \ + 's/^olcPidFile:[[:space:]]\+\(.\+\)[[:space:]]*/\1/p' \ + "$SLAPD_CONF"/'cn=config.ldif'` + fi +fi + +# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail) +# -- Torsten +if [ -z "$SLAPD_PIDFILE" ]; then + log_failure_msg "The pidfile for slapd has not been specified" + exit 1 +fi + +# Make sure the pidfile directory exists with correct permissions +piddir=`dirname "$SLAPD_PIDFILE"` +if [ ! -d "$piddir" ]; then + mkdir -p "$piddir" + [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir" + [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir" +fi + +# Pass the user and group to run under to slapd +if [ "$SLAPD_USER" ]; then + SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS" +fi + +if [ "$SLAPD_GROUP" ]; then + SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS" +fi + +# Check whether we were configured to not start the services. +check_for_no_start() { + if [ -n "$SLAPD_NO_START" ]; then + echo 'Not starting slapd: SLAPD_NO_START set in /etc/default/slapd' >&2 + exit 0 + fi + if [ -n "$SLAPD_SENTINEL_FILE" ] && [ -e "$SLAPD_SENTINEL_FILE" ]; then + echo "Not starting slapd: $SLAPD_SENTINEL_FILE exists" >&2 + exit 0 + fi +} + +# Tell the user that something went wrong and give some hints for +# resolving the problem. +report_failure() { + log_end_msg 1 + if [ -n "$reason" ]; then + log_failure_msg "$reason" + else + log_failure_msg "The operation failed but no output was produced." + + if [ -n "$SLAPD_OPTIONS" -o \ + -n "$SLAPD_SERVICES" ]; then + if [ -z "$SLAPD_SERVICES" ]; then + if [ -n "$SLAPD_OPTIONS" ]; then + log_failure_msg "Command line used: slapd $SLAPD_OPTIONS" + fi + else + log_failure_msg "Command line used: slapd -h '$SLAPD_SERVICES' $SLAPD_OPTIONS" + fi + fi + fi +} + +# Start the slapd daemon and capture the error message if any to +# $reason. +start_slapd() { + if [ -z "$SLAPD_SERVICES" ]; then + reason="`start-stop-daemon --start --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD -- $SLAPD_OPTIONS 2>&1`" + else + reason="`start-stop-daemon --start --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`" + fi + + # Backward compatibility with OpenLDAP 2.1 client libraries. + if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then + ln -s slapd/ldapi /var/run/ldapi + fi +} + +# Stop the slapd daemon and capture the error message (if any) to +# $reason. +stop_slapd() { + reason="`start-stop-daemon --stop --quiet --oknodo --retry TERM/10 \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD 2>&1`" +} + +# Start the OpenLDAP daemons +start_ldap() { + trap 'report_failure' 0 + log_daemon_msg "Starting OpenLDAP" "slapd" + start_slapd + trap "-" 0 + log_end_msg 0 +} + +# Stop the OpenLDAP daemons +stop_ldap() { + trap 'report_failure' 0 + log_daemon_msg "Stopping OpenLDAP" "slapd" + stop_slapd + trap "-" 0 + log_end_msg 0 +} + +case "$1" in + start) + check_for_no_start + start_ldap ;; + stop) + stop_ldap ;; + restart|force-reload) + check_for_no_start + stop_ldap + start_ldap + ;; + status) + status_of_proc -p $SLAPD_PIDFILE $SLAPD slapd + ;; + *) + echo "Usage: $0 {start|stop|restart|force-reload|status}" + exit 1 + ;; +esac --- openldap-2.4.28.orig/debian/USE-CASES +++ openldap-2.4.28/debian/USE-CASES @@ -0,0 +1,7 @@ +Some ideas what to check and what the desired results would be: + +- running dpkg-reconfigure with an already configured slapd + + Should either backup the database or ask before killing it. + Same for slapd.conf. Neither old configuration or old database + should be lost without the user confirming that this is what he wants. --- openldap-2.4.28.orig/debian/compat +++ openldap-2.4.28/debian/compat @@ -0,0 +1 @@ +9 --- openldap-2.4.28.orig/debian/libldap-2.4-2.postinst +++ openldap-2.4.28/debian/libldap-2.4-2.postinst @@ -0,0 +1,15 @@ +#!/bin/sh +# +# Run ldconfig after installing the shared library. We have to do this +# manually rather than letting dh_makeshlibs deal with it because +# dh_makeshlibs can't cope with the trick we're pulling with libldap_r. + +set -e + +if [ "$1" = "configure" ]; then + ldconfig +fi + +#DEBHELPER# + +exit 0 --- openldap-2.4.28.orig/debian/ldap-utils.manpages +++ openldap-2.4.28/debian/ldap-utils.manpages @@ -0,0 +1,11 @@ +debian/tmp/usr/share/man/man1/ldapcompare.1 +debian/tmp/usr/share/man/man1/ldapdelete.1 +debian/tmp/usr/share/man/man1/ldapexop.1 +debian/tmp/usr/share/man/man1/ldapmodify.1 +debian/tmp/usr/share/man/man1/ldapmodrdn.1 +debian/tmp/usr/share/man/man1/ldappasswd.1 +debian/tmp/usr/share/man/man1/ldapsearch.1 +debian/tmp/usr/share/man/man1/ldapwhoami.1 +debian/tmp/usr/share/man/man1/ldapurl.1 +debian/tmp/usr/share/man/man1/ldapadd.1 +debian/tmp/usr/share/man/man5/ldif.5 --- openldap-2.4.28.orig/debian/slapd-smbk5pwd.docs +++ openldap-2.4.28/debian/slapd-smbk5pwd.docs @@ -0,0 +1 @@ +contrib/slapd-modules/smbk5pwd/README --- openldap-2.4.28.orig/debian/slapd.config +++ openldap-2.4.28/debian/slapd.config @@ -0,0 +1,167 @@ +#! /bin/sh + +set -e + +# Load debconf +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# Check if the user wants to configure slapd manually +want_manual_configuration() { + db_input medium slapd/no_configuration || true + db_go || true + db_get slapd/no_configuration + no_configuration="$RET" + + if [ "$no_configuration" = "true" ]; then + return 0 + fi + return 1 +} + +# Make sure the values entered make sense +validate_initial_config() { + local invalid + invalid="" + + # Make sure the domain name is valid + # The regexp doesn't work for UTF-8 domain names, but for that to + # work, we would also need to Base64 encode it in the LDIF; since + # we're not doing it at the moment, this should be fine for now + db_get slapd/domain + if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then + db_fset slapd/domain seen false + invalid=true + fi + + # Suffix and Organization may not be empty + db_get shared/organization + if [ -z "$RET" ]; then + db_fset shared/organization seen false + invalid=true + fi + + # Make sure the passwords match + local pass1 pass2 + db_get slapd/password1 + pass1="$RET" + db_get slapd/password2 + pass2="$RET" + + if [ "$pass1" != "$pass2" ]; then + db_fset slapd/password1 seen false + db_fset slapd/password2 seen false + invalid=true + fi + + # Tell the user + if [ "$invalid" ]; then + db_fset slapd/invalid_config seen false + db_input critical slapd/invalid_config || true + db_go || true + db_get slapd/invalid_config + if [ "$RET" != "true" ]; then + db_set slapd/no_configuration true + invalid= + fi + fi + + if [ "$invalid" ]; then + return 1 + else + return 0 + fi +} + +# Query the information we need to create an initial directory +query_initial_config() { + while true; do + db_input medium slapd/domain || true + db_input medium shared/organization || true + db_input high slapd/password1 || true + db_input high slapd/password2 || true + db_input low slapd/backend || true + db_input low slapd/purge_database || true + # XXX - should be done more general, but for now this should do + # the trick + if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then + db_input low slapd/move_old_database || true + fi + db_go || true + + if validate_initial_config; then + break + fi + done +} + +configure_allow_v2_binds() { # {{{ +# Ask if the user would like their package to support LDAPv2.. +# This was the default in older versions but we want to ask +# for new installs too in case the user needs it.. + + db_input medium slapd/allow_ldap_v2 || true +} +# }}} + +# ----- Configuration of LDIF dumping and reloading--------------------- {{{ +# +# Dumping the database can have negative effects on the system we are +# running on. If there is a lot of data dumping it might fill a partition +# for example. Therefore we must give the user exact control over what we +# are doing. + +configure_dumping() { # {{{ +# Ask the user for the configuration of the dumping component +# Usage: configure_dumping + + # Look if the user wants to migrate to the BDB backend + if ! database_dumping_enabled; then + return 0 + fi + + # Configure if and where to dump the LDAP databases + db_input medium slapd/dump_database || true + db_go || true + db_get slapd/dump_database + + # Abort if the user does not want dumping + if [ "$RET" = never ]; then + return 0 + fi + + db_input medium slapd/dump_database_destdir || true + db_go || true + + # If the user entered the empty value, go back to the default + db_get slapd/dump_database_destdir + if [ "$RET" = "" ]; then + db_reset slapd/dump_database_destdir + fi +} + +# }}} +# }}} + +# Create an initial directory on fresh install +if is_initial_configuration "$@"; then + if ! want_manual_configuration; then + set_defaults_for_unseen_entries + query_initial_config + configure_allow_v2_binds + fi +fi + +# Configure the dumping and v2 binds components if we are upgrading some older +# version. +if [ "$1" = configure ] && [ -n "$2" ]; then + configure_dumping + configure_allow_v2_binds +fi + +db_go || true + +exit 0 --- openldap-2.4.28.orig/debian/libldap2-dev.install +++ openldap-2.4.28/debian/libldap2-dev.install @@ -0,0 +1,12 @@ +usr/include/lber.h +usr/include/lber_types.h +usr/include/ldap_cdefs.h +usr/include/ldap_features.h +usr/include/ldap.h +usr/include/ldap_schema.h +usr/include/ldap_utf8.h +usr/include/ldif.h +usr/lib/*/liblber.a +usr/lib/*/liblber.so +usr/lib/*/libldap_r.a +usr/lib/*/libldap_r.so --- openldap-2.4.28.orig/debian/ldiftopasswd +++ openldap-2.4.28/debian/ldiftopasswd @@ -0,0 +1,174 @@ +#!/usr/bin/perl -w +# +# +# Comments on usage from the email we received: +# I showed a friend the following script. He said I should submit it for +# inclusion in openldap, because it might useful for others. +# +# The attached perl script, when used like +# +# ldapsearch | ldiftopasswd +# +# will automatically: +# +# 1. create /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow +# +# 2. append /etc/passwd.top, /etc/shadow.top, /etc/group.top, and /etc/gshadow.top to respective files. +# +# 3. use data from ldap to create the files (note: gshadow isn't really +# supported, because I don't use it, nor could I find any +# documentation. Adding support for other files should be easy). +# +# (of course you need access to all fields including the password field +# for this, so use correct parameters to ldapsearch). +# +# This could be useful for instance on laptop computers where you don't +# want to run a slave slapd server for some reason (perhaps memory +# constraints). +# ---------------------------------------- +use strict; +use Getopt::Long; +use MIME::Base64; +use IO::File; + +my $passwdfile="/etc/passwd"; +my $shadowfile="/etc/shadow"; +my $groupfile="/etc/group"; +my $gshadowfile="/etc/gshadow"; +my $help; +GetOptions ( + '--passwd=s',\$passwdfile, + '--shadow=s',\$shadowfile, + '--group=s',\$groupfile, + '--gshadow=s',\$gshadowfile, + '--help',\$help, + ) or die "Bad options\n"; + +if ($help or $#ARGV != -1) { + print STDERR "usage: $0 [etcfile=filename] [--help]\n"; + exit 255; +} + +sub start_file($) { + my ($file) = @_; + my $outhandle = new IO::File; + $outhandle->open(">$file") or die "Cannot open $file for writing"; + + open(TMP,"<$file.top") or die "cannot open $file.top for reading"; + while () { $outhandle->print($_); } + close(TMP) or die "cannot close $file for reading"; + + return($outhandle); +} + +my $PASSWD = start_file($passwdfile); +my $SHADOW = start_file($shadowfile); +my $GROUP = start_file($groupfile); +my $GSHADOW = start_file($gshadowfile); + +sub dopasswd($) { + my ($record) = @_; + my $userPassword="*"; + + $PASSWD->print( + $record->{"uid"},":", + "x",":", + $record->{"uidNumber"},":", + $record->{"gidNumber"},":", + $record->{"gecos"},":", + $record->{"homeDirectory"},":", + $record->{"loginShell"},"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + + $SHADOW->print( + $record->{"uid"},":", + $userPassword,":", + $record->{"shadowLastChange"} || "10706",":", + $record->{"shadowMin"} || "0",":", + $record->{"shadowMax"} || "99999",":", + $record->{"shadowWarning"} || "7",":", + $record->{"shadowInactive"} || "",":", + $record->{"shadowExpire"} || "",":", + "","\n"); +} + +sub dogroup($) { + my ($record) = @_; + my $userPassword="*"; + + my $members=""; + if (defined($record->{"memberUid"})) { + $members = join(",",@{$record->{"memberUid"}}); + } + + $GROUP->print( + $record->{"cn"},":", + "x",":", + $record->{"gidNumber"},":", + $members,"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + +# !FIXME! +# $GSHADOW->print +# $record->{"cn"},":", +# "*",":", +# "",":", +# "","\n"; +} + + +my %record; +my $user=0; +my $group=0; + +while (<>) { + if (/^$/) { + if ($user) { + dopasswd(\%record); + } + if ($group) { + dogroup(\%record); + } + + $user = $group = 0; + %record=(); + } + elsif (/^objectClass: posixAccount$/) { + $user = 1; + } + elsif (/^objectClass: posixGroup$/) { + $group = 1; + } + elsif (/^(uid|uidNumber|gidNumber|gecos|homeDirectory|loginShell): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(userPassword|shadowLastChange|shadowMin|shadowMax|shadowWarning|shadowInactive|shadowExpire): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(cn): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(uniqueMember): (.*)$/) { + push @{$record{$1}},$2; + if ($2 =~ /uid=([a-zA-Z]*),/) { + push @{$record{"memberUid"}},$1; + } + } + elsif (/^(memberUid): (.*)$/) { + push @{$record{$1}},$2; + } + elsif (/^(userPassword):: (.*)$/) { + $record{$1} = decode_base64($2); + } +} + +$PASSWD->close or die "Cannot close $passwdfile for writing"; +$SHADOW->close or die "Cannot close $shadowfile for writing"; +$GROUP->close or die "Cannot close $groupfile for writing"; +$GSHADOW->close or die "Cannot close $gshadowfile for writing"; --- openldap-2.4.28.orig/debian/tests/create_account +++ openldap-2.4.28/debian/tests/create_account @@ -0,0 +1,24 @@ +#! /usr/bin/perl -w + +# Shows how to create an entry on the LDAP server + +$host = "localhost"; # LDAP server +$basedn = "dc=galaxy"; # Base DN +$admindn = "cn=admin, $basedn"; # Admin entry +$adminpass = "foo"; # Password + +use Net::LDAP; + +$ldap = Net::LDAP->new("$host", onerror => "die"); +$ldap->bind($admindn, password => $adminpass); + +# Create "ou=People" entry if not there + +$results = $ldap->search(base => "$basedn", + filter => "ou=People", scope => "one"); +unless ($results->count > 0) { + $ldap->add("ou=People, $basedn", attr => [ + ou => "People", + objectClass => [ "top", "organizationalUnit" ] + ]); +} --- openldap-2.4.28.orig/debian/tests/hammer_slapd +++ openldap-2.4.28/debian/tests/hammer_slapd @@ -0,0 +1,98 @@ +#! /usr/bin/perl -w + +use Net::LDAP; +use Data::Dumper; + +$host = "localhost"; # LDAP server +$basedn = "dc=galaxy"; # Base DN +$admindn = "cn=admin, $basedn"; # Admin entry +$adminpass = "foo"; # Password +$group = $ARGV[0] || "People"; + +$ldap = Net::LDAP->new("$host", onerror => "die"); +$ldap->bind($admindn, password => $adminpass); + +sub create_group { + $results = $ldap->search(base => "$basedn", + filter => "ou=$group", scope => "one"); + unless ($results->count > 0) { + $ldap->add("ou=$group, $basedn", attr => [ + ou => "$group", + objectClass => [ "top", "organizationalUnit" ] + ]); + } +} + +sub invent_name { + our @words; + unless (@words) { + open WORDS, "/usr/share/dict/british-english-large"; + @words = grep /^[A-Z]\w{0,11}$/, ; + map { chomp } @words; + close WORDS; + } + + my $index = int(rand(@words)); + $index = int(rand(@words)) while not defined $words[$index]; + my $word = $words[$index]; + delete $words[$index]; + return $word; +} + +sub invent_names { + our @names; + + foreach (1..1000) { + push @names, { cn => invent_name, sn => invent_name }; + } +} + +sub create_entries { + foreach my $name (@names) { + create_account(%$name); + } +} + +sub create_account { + our $uid; + $uid = 1000 if not defined $uid; + + my %id = @_; + my $login = $id{cn}; + $login =~ tr/A-Z/a-z/; + $ldap->add("uid=$login, ou=$group, $basedn", attr => [ + %id, + objectClass => [ "top", "person", "posixAccount" ], + uid => $login, + uidNumber => $uid++, + gidNumber => 1000, + homeDirectory => "/home/$login" ]); +} + +sub delete_entries { + foreach my $name (@names) { + delete_account(%$name); + } +} + +sub delete_account { + my %id = @_; + my $login = $id{cn}; + $login =~ tr/A-Z/a-z/; + $ldap->delete("uid=$login, ou=$group, $basedn"); +} + +sub search_entries { + foreach (1..10000) { + my $num = int(rand(@names)); + $login = $names[$num]->{cn}; + $login =~ tr/A-Z/a-z/; + $ldap->search(base => "$basedn", filter => "uid=$login"); + } +} + +create_group; +invent_names; +create_entries; +search_entries; +delete_entries; --- openldap-2.4.28.orig/debian/tests/find_unused_functions +++ openldap-2.4.28/debian/tests/find_unused_functions @@ -0,0 +1,30 @@ +#! /usr/bin/perl -w + +use autouse Data::Dumper, qw{Dumper}; + +# Script to find the unused shell functions in slapd.scripts-common + +our @code; + +# Get all shell code from maintainer scripts + +foreach my $file ((, , , + )) { + open SCRIPT, "<$file" or + die "Can't open $file: $!"; + push @code,