--- openldap2.3-2.3.38.orig/debian/ldiftopasswd +++ openldap2.3-2.3.38/debian/ldiftopasswd @@ -0,0 +1,174 @@ +#!/usr/bin/perl -w +# +# +# Comments on usage from the email we received: +# I showed a friend the following script. He said I should submit it for +# inclusion in openldap, because it might useful for others. +# +# The attached perl script, when used like +# +# ldapsearch | ldiftopasswd +# +# will automatically: +# +# 1. create /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow +# +# 2. append /etc/passwd.top, /etc/shadow.top, /etc/group.top, and /etc/gshadow.top to respective files. +# +# 3. use data from ldap to create the files (note: gshadow isn't really +# supported, because I don't use it, nor could I find any +# documentation. Adding support for other files should be easy). +# +# (of course you need access to all fields including the password field +# for this, so use correct parameters to ldapsearch). +# +# This could be useful for instance on laptop computers where you don't +# want to run a slave slapd server for some reason (perhaps memory +# constraints). +# ---------------------------------------- +use strict; +use Getopt::Long; +use MIME::Base64; +use IO::File; + +my $passwdfile="/etc/passwd"; +my $shadowfile="/etc/shadow"; +my $groupfile="/etc/group"; +my $gshadowfile="/etc/gshadow"; +my $help; +GetOptions ( + '--passwd=s',\$passwdfile, + '--shadow=s',\$shadowfile, + '--group=s',\$groupfile, + '--gshadow=s',\$gshadowfile, + '--help',\$help, + ) or die "Bad options\n"; + +if ($help or $#ARGV != -1) { + print STDERR "usage: $0 [etcfile=filename] [--help]\n"; + exit 255; +} + +sub start_file($) { + my ($file) = @_; + my $outhandle = new IO::File; + $outhandle->open(">$file") or die "Cannot open $file for writing"; + + open(TMP,"<$file.top") or die "cannot open $file.top for reading"; + while () { $outhandle->print($_); } + close(TMP) or die "cannot close $file for reading"; + + return($outhandle); +} + +my $PASSWD = start_file($passwdfile); +my $SHADOW = start_file($shadowfile); +my $GROUP = start_file($groupfile); +my $GSHADOW = start_file($gshadowfile); + +sub dopasswd($) { + my ($record) = @_; + my $userPassword="*"; + + $PASSWD->print( + $record->{"uid"},":", + "x",":", + $record->{"uidNumber"},":", + $record->{"gidNumber"},":", + $record->{"gecos"},":", + $record->{"homeDirectory"},":", + $record->{"loginShell"},"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + + $SHADOW->print( + $record->{"uid"},":", + $userPassword,":", + $record->{"shadowLastChange"} || "10706",":", + $record->{"shadowMin"} || "0",":", + $record->{"shadowMax"} || "99999",":", + $record->{"shadowWarning"} || "7",":", + $record->{"shadowInactive"} || "",":", + $record->{"shadowExpire"} || "",":", + "","\n"); +} + +sub dogroup($) { + my ($record) = @_; + my $userPassword="*"; + + my $members=""; + if (defined($record->{"memberUid"})) { + $members = join(",",@{$record->{"memberUid"}}); + } + + $GROUP->print( + $record->{"cn"},":", + "x",":", + $record->{"gidNumber"},":", + $members,"\n"); + + if (defined($record->{"userPassword"}) && + $record->{"userPassword"} =~ /^{(crypt)}(.*)$/) + { $userPassword = $2; } + +# !FIXME! +# $GSHADOW->print +# $record->{"cn"},":", +# "*",":", +# "",":", +# "","\n"; +} + + +my %record; +my $user=0; +my $group=0; + +while (<>) { + if (/^$/) { + if ($user) { + dopasswd(\%record); + } + if ($group) { + dogroup(\%record); + } + + $user = $group = 0; + %record=(); + } + elsif (/^objectClass: posixAccount$/) { + $user = 1; + } + elsif (/^objectClass: posixGroup$/) { + $group = 1; + } + elsif (/^(uid|uidNumber|gidNumber|gecos|homeDirectory|loginShell): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(userPassword|shadowLastChange|shadowMin|shadowMax|shadowWarning|shadowInactive|shadowExpire): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(cn): (.*)$/) { + if (!defined($record{$1})) { $record{$1} = $2; } + } + elsif (/^(uniqueMember): (.*)$/) { + push @{$record{$1}},$2; + if ($2 =~ /uid=([a-zA-Z]*),/) { + push @{$record{"memberUid"}},$1; + } + } + elsif (/^(memberUid): (.*)$/) { + push @{$record{$1}},$2; + } + elsif (/^(userPassword):: (.*)$/) { + $record{$1} = decode_base64($2); + } +} + +$PASSWD->close or die "Cannot close $passwdfile for writing"; +$SHADOW->close or die "Cannot close $shadowfile for writing"; +$GROUP->close or die "Cannot close $groupfile for writing"; +$GSHADOW->close or die "Cannot close $gshadowfile for writing"; --- openldap2.3-2.3.38.orig/debian/ldap-utils.manpages +++ openldap2.3-2.3.38/debian/ldap-utils.manpages @@ -0,0 +1,9 @@ +debian/tmp/usr/share/man/man1/ldapcompare.1 +debian/tmp/usr/share/man/man1/ldapdelete.1 +debian/tmp/usr/share/man/man1/ldapmodify.1 +debian/tmp/usr/share/man/man1/ldapmodrdn.1 +debian/tmp/usr/share/man/man1/ldappasswd.1 +debian/tmp/usr/share/man/man1/ldapsearch.1 +debian/tmp/usr/share/man/man1/ldapwhoami.1 +debian/tmp/usr/share/man/man1/ldapadd.1 +debian/tmp/usr/share/man/man5/ldif.5 --- openldap2.3-2.3.38.orig/debian/changelog +++ openldap2.3-2.3.38/debian/changelog @@ -0,0 +1,1867 @@ +openldap2.3 (2.3.38-1) unstable; urgency=low + + [ Steve Langasek ] + * Drop debian/patches/use-lpthread, which is no longer needed on mips* + because gcc has been fixed. + * Drop debian/patches/add-autogen-sh, also no longer needed now that + the above patch is gone. + + [ Matthijs Mohlmann ] + * Fix bashism in initscript. (Closes: #428883) + * Drop upstream patches ITS4924, ITS4925 and ITS4966. + * Add patch for objectClasses which causes slapd to crash. (Closes: #440632) + - Upstream bug ITS5119. + * Change default loglevel to none, to log high priority messages. + (Closes: #442000) + * Tighten up the build dependencies, now that autogen patch is removed. + + -- Matthijs Mohlmann Mon, 17 Sep 2007 22:58:54 +0200 + +openldap2.3 (2.3.35-2) unstable; urgency=low + + * Enable LAN Manager password support in slapd. (Closes: #245341) + * If automatic configuration is selected and slapd.conf doesn't exist + during an upgrade, treat this as a fresh installation rather than + aborting with an error. Also try to provide a better error message if + the user has deleted /etc/ldap/schema but we just generated a new + configuration that references it. These cases can occur if someone + removes (rather than purges) the package, manually deletes /etc/ldap, + and then reinstalls. (Closes: #205010) + * Don't fail in slapd's postrm if /etc/ldap/schema has already been + deleted. + * Remove slapd conflicts with libbind-dev and bind-dev. There no longer + appears to be anything in those packages that would break slapd's + resolver. (Closes: #225896) + * Add libldap-2.3-0-dbg and slapd-dbg packages with detached debugging + information. + * db_recover is no longer required after changing DB_CONFIG; slapd now + detects changes itself and does the right thing. Also note in + README.DB_CONFIG the existence of the dbconfig slapd.conf parameter + and slapd's DB_CONFIG writing support. (Closes: #412575) + * Add options to /etc/default/slapd to let the system administrator tell + the init script to not start slapd on boot. (Closes: #254999) + * Redirect fd 3 to /dev/null in the slapd init script for additional + robustness when debconf is running. (Closes: #227482) + * Add to /etc/default/slapd a commented-out example of how to change the + keytab file used for GSSAPI authentication. (Closes: #412017) + * Use variables in /etc/init.d/slapd for the paths to slapd and slurpd + so that someone who really wants to can override them in + /etc/default/slapd. (Closes: #403948) + * Allow people building packages for outside Debian to skip the checks + for non-DFSG-free material by setting a variable. Thanks, Peter + Marschall. (Closes: #427245) + * Remove duplicate libldap-2.3-0 dependencies. (Closes: #408987) + * Use binary:Version instead of Source-Version for the tight + dependencies between slapd and ldap-utils and libldap-2.3-0. + + -- Russ Allbery Mon, 11 Jun 2007 20:26:26 -0700 + +openldap2.3 (2.3.35-1) unstable; urgency=low + + * New upstream release with many bug fixes. + - Allow syncprov to follow aliases. (Closes: #422087) + * Apply upstream patches: + - ITS#4924: client crash on incorrectly tagged result from server. + - ITS#4925: NOOP modify with BDB backend crashed slapd. + - ITS#4966: Delete of valsort-controlled entries crashed slapd. + * Enable SLAPI support. (Closes: #390954) + * Re-enable use of the epoll system call since Debian no longer supports + 2.4 kernels. This means that the OpenLDAP packages will not work on + pre-2.6 kernels. + * Remove schema files that contain text from IETF RFCs from the upstream + source since that text is not DFSG-free. Instead, install stripped + versions of those schema files containing only the functional + interface specifications, a comment explaining why this is needed, and + a pointer to the relevant RFC. (Closes: #361846) + * Document the repackaging of the upstream source in debian/copyright. + * Update config.guess and config.sub during the build instead of in the + clean target and remove them in the clean target for a clean diff. + Build-depend on autotools-dev so that we can unconditionally copy over + the latest versions. + * Added commentary and upstream ITS numbers for several patches + applicable upstream. + * Use debian/compat rather than the deprecated DH_COMPAT rules setting. + * Update to debhelper compatibility level V5 (no changes required). + + -- Russ Allbery Wed, 30 May 2007 22:42:28 -0700 + +openldap2.3 (2.3.30-5) unstable; urgency=low + + [ Steve Langasek ] + * Add Portuguese debconf translation; thanks to Tiago Fernandes. + Closes: #409632. + * Re-add .la files to the slapd package, for greater compatibility + with upstream documentation. + + [ Russ Allbery ] + * When starting slapd, create a symlink from /var/run/ldapi to + /var/run/slapd/ldapi for compatibility with 2.1 client libraries. + Closes: #385809. + * Apply upstream patch to prevent a race condition in slapd when + shutting down connections. + * Update the Brazilian Portuguese debconf translation; thanks to Felipe + Augusto van de Wiel. + + -- Russ Allbery Thu, 8 Mar 2007 18:21:02 -0800 + +openldap2.3 (2.3.30-4) unstable; urgency=low + + * Ok, argh, it helps to check that the function being re-added to the + preinst hasn't been removed again from the common include. Re-add + break_on_ldbm_to_bdb_migration_disagree, because by all appearances + we /should/ be using this in the preinst. Closes: #411474. + + -- Steve Langasek Mon, 19 Feb 2007 03:55:22 -0800 + +openldap2.3 (2.3.30-3) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * Added spanish translation. (Closes: #404250) + * Documentation updates backported from upstream. + * Fix a security bug in kerberos kbind code. (Only used when enabling with + --enable-kbind option) But better safe then sorry. + * Backported a mem leak fix on failed binds. + * Added patch from upstream that fixes a memory leak in ACLs that use sets. + + [ Steve Langasek ] + * *Really* abort in preinst if the user doesn't accept the upgrade + from ldbm to bdb. Closes: #392747. + * Set the name of debian/slapd.NEWS right so that it gets + installed in the binary package. Closes: #409923. + * Add Russian debconf translation; thanks to Yuri Kozlov. + Closes: #405706. + * Add Galician debconf translation; thanks to Jacobo Tarrio. + Closes: #407267. + + -- Steve Langasek Sun, 18 Feb 2007 16:47:16 -0800 + +openldap2.3 (2.3.30-2) unstable; urgency=low + + * Make sure that the pidfile directory doesn't exist in the init script. + (Closes: #402705) + + -- Matthijs Mohlmann Tue, 12 Dec 2006 21:34:44 +0100 + +openldap2.3 (2.3.30-1) unstable; urgency=low + + * New upstream release. + - Fixed authzTo/authzFrom URL matching. + - Fixed syncrepl consumer memory leaks. + - Fixed slapd-hdb livelock. + - Fixed slapo-ppolicy external quality check. + - Fixed ldapsearch(1) man page acknowledgement. + * Added patch to make sure that the pidfile directory exists. + (Closes: #390337) + * Do not ask the question allow ldap v2 logins when user wants manual + configuration. (Closes: #401003) + * Add patch to look also in /etc/ldap/sasl2 for sasl configuration. + (Closes: #398657) + * Removed db4.2-util recommend, the slapd binary includes checking code to + fix DB errors. + * Updated README in schema directory. It doesn't list collective.schema + anymore. (Closes: #287358) + * Updated manpages to point to right paths. (Closes: #398790) + + -- Matthijs Mohlmann Sat, 9 Dec 2006 20:50:58 +0100 + +openldap2.3 (2.3.29-1) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * New upstream release. + - Fixes Denial of Service through a certain combination of LDAP BIND + requests (CVE-2006-5779) (Closes: #397673) + * LSB section added to the init script. + * Updated README.Debian about running as non-root user (Closes: #389369) + * Updated de translation (Closes: #396096) + * Added some documentation / warning when running slapindex as root. + * Remove drafts and rfc from the tarball. (Closes: #393404) + + -- Matthijs Mohlmann Sat, 11 Nov 2006 11:24:42 +0100 + +openldap2.3 (2.3.27-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. + * pidfile location is changed 3 years ago, when people are upgrading from + back then they have a broken slapd because the openldap user is not able + to write to /var/run. (Closes: #380687) + * Patches by Quanah Gibson-Mount + - Fix one time memleak on startup in the accesslog db. + * Changed priority of libldap-2.3-0 to optional as it is only used by slapd. + + [ Torsten Landschoff ] + * Remove RFC documents as they do not meet the DFSG. + + debian/rules: Check that the RFCs are gone to make sure it does not + get included again by accident. + + -- Matthijs Mohlmann Sat, 2 Sep 2006 00:33:44 +0200 + +openldap2.3 (2.3.25-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release: + - Accepts 'require none' in slapd.conf (closes: #370023). + - Added patch to fix a bold issue in the manpage ldapsearch. Thanks to + Matt Kraai. (Closes: #355670) + * Added commented out rootdn parameter in slapd.conf. (Closes: #303245) + * Make the scripts output a bit more consistent. + * Fix a regression in the slapd packages. Data directory is /var/lib/ldap + and not /var/openldap-data, also adjust the manpages to reflect these + change. Thanks to Peter Marschall. (Closes: #368891) + * Removed script move_files, dh_install is used instead. (Closes: #368896) + * Dutch translation already updated. Closes: #375101) + * Documented that slapd is compiled with TCP wrappers (Closes: #351428) + * dpkg-reconfigure slapd now just reinstalls slapd and moves old databases + to /var/backups. Already done in previous version (Closes: #230366, #208056) + + [ Torsten Landschoff ] + * debian/libldap-2.3-0.install: Ignore version information when installing + libraries. This way it does not need updating for each new upstream + release. + + -- Matthijs Mohlmann Wed, 26 Jul 2006 18:05:40 +0200 + +openldap2.3 (2.3.24-2) unstable; urgency=low + + * Switch slapd from running as root to running as user. + (Closes: #292845, #261696) + * Changing configuration in slapd.conf by the postinst will now also follow + includes. (Closes: #304488) + * Patches by Quanah Gibson-Mount + - fix a lock bug with a virtual root entry in the BDB backend. + - fix boolean logic in the overlays. + - fix that slurpd can use ldaps. + - fix initialization of auditdb. + - fix TLS concurrency issues. + - fix exop password change that didn't reset pwdMustChange. + - fix syncrepl that fails when no rootdn is defined. + * Add dependency on adduser. + * Specify the PATH variable in the init script. (Closes: #367981) + * Added patch to read config before dropping privileges. + * epoll(4) system call is missing on kernels <2.6, this causes slapd to + not work on 2.4 kernels. Added patch that remove the #define in + portable.in (Closes: #369352, #372194, #373233) + * In 2.3.24 slapd won't segfault if the moduleload directive appears + somewhere else. (Closes: #349011) + * Removed fileutils dependency, it's superseeded in Sarge already. + (Closes: #370013) + * Use find in combination with mv to move an old directory away. + (Closes: #306435) + * Updated Dutch debconf translation (Closes: #365172) + * Added an example backup script that can be put into cron (Closes: #319477) + * Make the db directories 0700. On new installations this is the default. + (Closes: #354450) + * Get rid of a '.' in front of a domain. (Closes: #318143) + * Added shadowLastChange to the ACL in the default slapd.conf + (Closes: #370550) + * Updated Japanese translation (Closes: #378565) + + -- Matthijs Mohlmann Mon, 17 Jul 2006 18:22:45 +0200 + +openldap2.3 (2.3.24-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream version. (Closes: #369544) + * Update patch slurpd-in-spool. (Closes: #368586, #368709, #368889) + * Added slapi-errorlog-file to be into /var/log (Closes: #368895) + * Removed patch configure.in-fix, incorporated upstream. + * Move debian/configure.options.new to debian/configure.options. + * Added patch to put ldapi socket in /var/run/slapd. + * Removed bdb recovery from the init.d script. This was introduced to fix + bug #255276. Now that slapd has the ability to check and recover from bdb + failures, this function is not needed anymore. (Closes: #369484, #369093) + * Updated the lintian overrides. + + [ Torsten Landschoff ] + * Include man pages for accesslog and auditlog overlays, patch by + Peter Marschall (closes: #368888). + + -- Matthijs Mohlmann Thu, 1 Jun 2006 08:16:02 +0200 + +openldap2.3 (2.3.23-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158) + (Closes: #310282, #319155) + * OpenLDAP checks database before starting up. + (Closes: #190165, #195079, #294701, #308416) + * move_old_database_away isn't called in a while loop anymore (which would + kill debconf interaction) (Closes: #299100) + * BDB_CONFIG file will be installed on new installations (Closes: #301292) + * Move to dh_install. + * Move to quilt patch system. + * Fix manpage. + * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings) + * Wipe passwords after we created the initial configuration. + * The config scripts is runned twice, this causes the password in + slapd/internal/adminpw to be empty. This fixes the issue with having an + empty password in the ldap database. (Closes: #343113, #347725) + * Added #DEBHELPER# token to fix a lintian warning. + * bdb has changed between major versions, so dump the database and import it + again for versions before 2.3.19. + * Remove comments from debian/control (The out commented control information + is actually in debian/control.dev) + * Enable all backends and overlays with: --enable-backends=mod and + --enable-overlays=mod + * Add | debconf-2.0 to unblock cdebconf transition (Closes: #332053) + * Added Danish debconf translation (Closes: #353897) + * Updated French debconf translation (Closes: #320739) + * Updated Vietnamese debconf translation (Closes: #319706) + * Updated Czech debconf translation (Closes: #356554) + * Encode the organization to utf8 (Closes: #236097) + * Disabled the LDBM backend. Break in preinstallation if user doesn't want + to migrate to BDB backend. + * Removed choice for LDBM backend from slapd templates. And some explanation + in that question about the LDBM backend. + * Add sizelimit and tool-threads and some documentation to slapd.conf + (Closes: #327808) + * slapd.scripts-common had two functions with the same name. + * Don't return a error message if hostname fails. + * Backup the config only once on upgrade. + * For new installations do not install a DB_CONFIG file but use the + slapd.conf as file for BDB/HDB configuration parameters. See: slapd-bdb(5) + * Added various "exit 0" to the installation scripts. + * Add configure.in patch to fix C comparison what should be bash (ITS#4416) + * Raise debconf configuration level from low to medium for + slapd/no_configuration. + * Updated Standards-Version to 3.7.2.0 + * Added build-dependency on perl which is used in the debian/rules file. + Considered by lintian. + * Added lintian override for too-long-extended-description-in-templates, it + is an explanation about the backends. + + [ Steve Langasek ] + * debian/slapd.templates: Fix typo durin -> during; re-run + debconf-updatepo, fixing up the fuzzies (closes: #319596). + + [ Torsten Landschoff ] + * debian/slapd.scripts-common: Rename backend_supported to + upgrade_supported_from_backend for more clarity. + + -- Matthijs Mohlmann Sat, 13 May 2006 00:28:11 +0200 + +openldap2.2 (2.2.26-4) unstable; urgency=low + + * [l10n] Vietnamese translations by Clytie Siddall (closes: #316623). + * debian/slapd.templates: Fix typos occured -> occurred (closes: #316624). + * libraries/libldap/url.c: Apply patch from upstream CVS to fix URI + parsing (closes: #317100). + + -- Torsten Landschoff Tue, 19 Jul 2005 20:52:17 +0200 + +openldap2.2 (2.2.26-3) unstable; urgency=low + + * [SECURITY] Applied the patch available at + http://bugzilla.padl.com/show_bug.cgi?id=210 + to force libldap to really use TLS when requested in /etc/ldap/ldap.conf + (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2 + source package so this is only to prepare unleashing the libraries of + OpenLDAP 2.2 for unstable... + + -- Torsten Landschoff Sun, 3 Jul 2005 10:41:37 +0200 + +openldap2.2 (2.2.26-2) unstable; urgency=low + + * Assembled changes from patches supplied by Peter Marschall (thanks, + Peter): + | debian/move_files: Move slapd and slurpd to /usr/sbin and adjust symlinks + (closes: #316354). + + debian/slapd.links: Remove symlinks from /usr/sbin to /usr/lib. + | debian/rules: Don't install cron jobs needed for GnuTLS as long as we are + using OpenSSL. + | debian/control: Remove build-dependencies needed for GnuTLS + (closes: #316355). + + Require libsasl >= 2.1.18 as recommended by OpenLDAP project. + | Update quicktool patch from Quanah Gibson-Mount (closes: #316361). + | debian/slapd.init: Use /bin/sh as shell when running db_recover + (closes: #316350). + | debian/configure.options: Enabled dynlist and proxycache overlays + (closes: #316351). + + * debian/po/de.po: Apply typo correction patch (closes: #313809). + * debian/po/fr.po: Apply updates by Christian Perrier (closes: #315122). + + -- Torsten Landschoff Fri, 1 Jul 2005 12:53:18 +0200 + +openldap2.2 (2.2.26-1) unstable; urgency=low + + * New upstream release. + * debian/slapd.init: Run db_recover as the user configured for slapd + (closes: #311331). + * debian/po/cs.po: Add Czech translation by Miroslav Kure (closes: #312064). + * Run debconf-updatepo, oh my :( + * Update configure via libtoolize -cf; aclocal-1.4; autoconf2.50. + * configure.in: Try to fix memcmp check (probably does not work anymore, but + we should have a working memcmp on all Debian systems anyway). + * debian/rules: Remove config.{sub,guess} before installing new versions + (just in case there were symlinks for them...). + + -- Torsten Landschoff Tue, 21 Jun 2005 12:06:40 +0200 + +openldap2.2 (2.2.23-8) unstable; urgency=low + + * debian/DB_CONFIG: Fixed the log cache configuration (used the wrong + command so there was about no effect). + + -- Torsten Landschoff Mon, 30 May 2005 08:48:10 +0200 + +openldap2.2 (2.2.23-7) unstable; urgency=low + + * debian/slapd.scripts-common: Install the default DB_CONFIG for each + database loaded from LDIF which didn't have a DB_CONFIG before. + * (automatic) Updated config.sub and config.guess from autotools-dev. + + -- Torsten Landschoff Mon, 30 May 2005 08:08:37 +0200 + +openldap2.2 (2.2.23-6) unstable; urgency=low + + Torsten Landschoff : + * debian/po/ja.po: Merge updates from Kenshi Muto (closes: #303505). + * debian/po/fr.po: Merge updates from Christian Perrier (closes: #306229). + * debian/slapd.scripts-common: If the user enters the empty value for + the database dumping directory use the default value. Seems like the + readline interface does not care about the default value + (closes: #308234). + * debian/slapd.postinst: Make sure the debhelper commands are executed + in all cases (closes: #310422). + * Merged suggested changes by Eugene Konev to automatically run + db_recover before starting slapd (closes: #255276). + + debian/slapd.init: Run db_recover if enabled and available and no + slapd process running. + + debian/slapd.default: Add configuration option to disable it. + * Applied and improved patch by Matthijs Mohlmann to support migration + from ldbm to bdb backend. + + debian/slapd.config: Ask if migration is wanted. + + debian/slapd.postinst: Update configuration from ldbm to bdb if yes. + + debian/slapd.scripts-common: Implemented some parts in their own + functions. + * Add a README.DB_CONFIG.gz and reference it where referring to BDB + configuration. + * Update default DB_CONFIG with some senseful values. + + Steve Langasek : + * libraries/libldap_r/Makefile.in: make sure the ximian-connector ntlm + patch is applied to libldap_r, not just to libldap + * debian/move_files: make libldap a symlink to libldap_r, as carrying + two versions of this library around is more trouble than it's worth, + and can cause glorious segfaults down the line + + -- Torsten Landschoff Mon, 30 May 2005 08:07:49 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + Torsten Landschoff : + * debian/lintian-overrides: Add. Contains lintian warnings/errors to + override for each package (plus comments). + + debian/move_files: Automatically install applying overrides into + each package. + + Steve Langasek : + * configure.in: reinstate the remainder of the fix for 195990 from + 2.1.22-2: give preference to -lpthread over -pthread in configure.in, + because some archs (mipsel, at least) don't like -pthread. + + -- Steve Langasek Sun, 24 Apr 2005 05:01:02 -0700 + +openldap2.2 (2.2.23-4) unstable; urgency=low + + Torsten Landschoff : + * debian/control: Make the requirement for debconf a pre-dependency as + we are using it from the maintainer scripts. + * debian/slapd.preinst: Always use debconf (don't check for availability). + * debian/slapd.scripts-common: Remove the alert_user function which + was there to output an error message in case debconf is not available. + + Steve Langasek : + * debian/fix_ldif: Add code to fix up oddly formatted integer attribs; + limited use because it only fixes those attributes that we have + prior knowledge of (i.e., those in the default schemas we ship), but + it's something at least. Closes: #302629. + * debian/fix_ldif: Also change fix_ldif to not chew up everything that + has a # in the line: treat lines beginning with # as comments, but # + is a valid character in an attribute value. + * debian/rules: Fix the check for missing lib symbols to use + LD_LIBRARY_PATH, so the package builds on systems that don't already + have libldap-2.2-7 installed. Closes: #305785. + * debian/po/ja.po: Use the partial translation provided by Kenshi Muto. + + Stephen Frost : + * debian/slapd.scripts-common: Make sure - ends up at the end of the + bracket expression given to grep so it's not treated as a range + (closes: #302743). + + -- Steve Langasek Sat, 23 Apr 2005 22:01:20 -0700 + +openldap2.2 (2.2.23-3) unstable; urgency=low + + Steve Langasek + * libraries/libldap_r/Makefile.in: Code that uses pthreads *must* be + linked with -pthread, even if it's a library; without this, the + libldap_r library ends up with dangling unversioned reference to + pthread_create() which gets resolved to a wrong version that causes + segfaults on 64-bit platforms. Closes: #304549. + * debian/rules: error out on build if an installed library has + undefined symbols; future-proofing against a repeat of #304549. + * debian/slapd.postinst: don't dump and reload directories unless we + know we're upgrading from an incompatible version! Closes: #304840. + * debian/slapd.scripts-common: don't use merge_logical_lines for + functions that will be writing back to the config; the code is not + as pretty now, but the output is much less ugly. Closes: #303243. + * debian/slapd.examples, debian/slapd.scripts-common, + debian/slapd.links, debian/move_files: install DB_CONFIG in + /usr/share/slapd/ instead of /usr/share/doc/slapd/examples/; this + simplifies the code, and ensures users who don't install + /usr/share/doc aren't penalized. Create links for the DB_CONFIG and + slapd.confg templates to /usr/share/doc/slapd/examples, since these + are worthwhile examples as well. + * Updated maintainer scripts to keep DB_CONFIG for LDAP databases over + upgrades (closes: #265860). + * Move slappasswd to the slapd package, since it's now a symlink and + isn't actually useful without the slapd binary (closes: #304339). + + -- Torsten Landschoff Thu, 21 Apr 2005 01:29:57 +0200 + +openldap2.2 (2.2.23-2) unstable; urgency=low + + * debian/configure.options: Change localstatedir to /var from /var/run + as the current upstream version adds /run to that during runtime for + slapi sockets etc. Problem: The database location is specified relative + to localstatedir/openldap-data. Another thing to fix... + (closes: #298271, #304491). + * debian/slapd.scripts-common (load_databases): Reimplement automatic + fixing of LDIF data via the fix_ldif script. Only tried if an + initial slapadd using the original LDIF data fails. With this change + upgrading from woody for some simple cases does work again. + * Disabled the version check for Berkeley DB in upstream code. Any + libdb4.2 package should work but of course using the latest will give + you the best results (closes: #300851). + * debian/slapd.scripts-common (import_database): Removed, no longer used. + * debian/slapd.scripts-common: Store the diagnostic output from + slapadd and output it before aborting if the command failed. + * debian/po/fr.po: Use the translations provided by Christian Perrier + (closes: #304141). + * debian/slapd.scripts-common: Use the -q option during slapadd to + improve performance. + * debian/slapd.templates (slapd/dump_database_destdir): Apply rewording + changes from Thomas Prokosch. Gives the user more information about + the usage of that directory. + + Run debconf-updatepo to update the translation templates. + * debian/slapd.templates: Clean up the debconf templates of the slapd + packages by merging the changes suggested by Christian Perrier + (closes: #302829). Thanks, Christian! + + Changed the wording of some of the templates. + + Adapt to the DTSG (Debconf Templates Style Guide). + + Removed item slapd/admin which is not used anymore. + + Run debconf-updatepo and send new fr.po to Christian Perrier. + * debian/slapd.postinst: Make a backup copy of slapd.conf before changing + anything (closes: #304485). + * Trivial improvements: + + Don't ask to move contents of /var/lib/ldap if it does not even + exist (but also is not an empty directory...) in initial config. + + Move check for current installation status out of configure_dumping. + + -- Torsten Landschoff Thu, 14 Apr 2005 19:57:11 +0200 + +openldap2.2 (2.2.23-1) unstable; urgency=low + + * debian/slapd.scripts-common: Move all shell functions of the maintainer + scripts here to have it all in one place. + * Another pass over the maintainer scripts to remove cruft and tidy up + the code a bit. Fixed some bugs on the way. + * Test upgrade and installation revealed some bugs, mostly typos: + + return in shell actually is "return $?", not "return 0" as I though + + Referenced $src where $srcdir was meant. + + Only load old directories on upgrade and not during initial + installation. + + -- Torsten Landschoff Fri, 1 Apr 2005 18:50:21 +0200 + +openldap2.2 (2.2.23-0.pre6) experimental; urgency=low + + Torsten Landschoff : + * debian/slapd.postinst: Add a testing interface to test the helper + functions. + * debian/slapd.postinst: Make sure that debconf actually displays the + error message even if the user has already seen it before. + * debian/slapd.postinst (compute_backup_path): Make function more robust + in case we don't know the old version or the suffix of the database. + Converted the backup dir to a more simple scheme which should be save + against accidental overwriting. + * Rewrote part of the maintainer scripts for correct handling of + directory dumps in preinst. New debconf questions etc. + * Move the manpage of slappasswd to ldap-utils where slappasswd itself + is included (closes: #300212). + + debian/control: Add Replaces: slapd << 2.2.23-0.pre6 to ldap-utils. + + debian/move_files: Move slappasswd manpage into ldap-utils. + * debian/slapd.config: Don't fail if hostname is unset (pulled from + Ubuntu, thanks to Jeff Bailey). + * Applied patch by Quanah Gibson-Mount (directory administrator of Stanford) + to add -q option to some tools for quick operation without updating + logs. This is mostly for importing directories from LDIF backups. + * Go back to libdb4.2 as OpenLDAP is known to have problems with BDB 4.3. + + debian/control: Update dependencies for BDB 4.2. + + debian/slapd.scripts-common: Mark all databases before this version + as incompatible. + * Fix some bashisms in maintainer scripts. + * debian/slapd.postinst: Include the version of the backup in the + backup of a database directory. + + Carlo Contavalli : + * debian/slapd.init: Print command line if starting a daemon failed. + * debian/slapd.postinst: Handle hdb backend just as if it was bdb. + * debian/README.Debian: Add some notes about DB_CONFIG and how to run + slapd under a different uid/gid. + * Install an example DB_CONFIG file during initial configuration + + slapd.postinst: Add a function to implement this and hook it into + create_new_configuration. + + debian/DB_CONFIG: Example DB_CONFIG that is installed. + + debian/slapd.examples: Mark DB_CONFIG as an example. + * servers/slapd/daemon.c: Actually change the permissions of the + unix socket if requested using an ldapi url with x-mod. + * debian/slapd.scripts-common: change privileges of upgraded databases + as indicated by SLAPD_USER and SLAPD_GROUP variables. + * debian/slapd.scripts-common,slapd.postinst: corrected some minor + typos. + + -- Torsten Landschoff Fri, 1 Apr 2005 12:26:35 +0200 + +openldap2.2 (2.2.23-0.pre5) experimental; urgency=low + + * Apply NTLM patch from ximian-connector source package. + * debian/slapd.postinst: Fix small typo leading to upgrade failures. + Added some notes while wading through maintainer scripts. + * debian/slapd.postinst: Make slapadd more noisy, writing the new + directory to stderr if something goes wrong (should help for + bug #236097). + * Make slapd.init idempotent by adding --oknodo to start-stop-daemon + invocations (closes: #298741). Kudos to Bill Allombert for this + patch. + * slapd.postinst: Try to fix slapd.conf for syntactic and semantic changes + introduced upstream into 2.2.x. + * slapd.scripts-common: Make sure directories before 2.2.23 are dumped + and reloaded on upgrade. + + -- Torsten Landschoff Fri, 11 Mar 2005 18:54:57 +0100 + +openldap2.2 (2.2.23-0.pre4) experimental; urgency=low + + * Rename libldap2.2 to libldap-2.2-7 to match soname. Updated + debian/{control,rules,...}. + * Checked the usage of the ucdata files shipped with libldap2 before. + Actually they stem from liblunicode which is only linked to slapd. + Therefore those files are shipped with slapd now. This change is + relevant so that multiple libldap-2.2-x packages can coexist later. + * debian/control: Updated for slapd replacing files from libldap2. + * debian/control: Recommend db4.3-util instead of db4.2-util as we are + using the former version now for slapd. + * debian/control: Add Build-Depends for libperl-dev, this time for + real. I wonder what went wrong last time as it built correctly with + pdebuild (closes: #297123). + + -- Torsten Landschoff Mon, 28 Feb 2005 15:17:52 +0100 + +openldap2.2 (2.2.23-0.pre3) experimental; urgency=low + + * debian/slapd.prerm: Reformat and fix double stopping of slapd. Find + out which bug we are working around and document it. + * debian/configure.options: Enable ACI support (closes: #101602). + Looked through the source code and it seems to be properly + insulated to not make a difference when not used. + * .../Makefile.in: Remove -s option from install invocations and let + dh_strip handle stripping binaries (closes: #264448). + * debian/slapd.postinst: Code cleanup and reading, unused and duplicate + code removed. Main body still needs fixing. + * debian/slapd.postinst: Fixed chmod --reference calls to keep the + permissions of slapd.conf. Putting data into the file using shell + redirection recreates the file with default umask and owner, killing + the permissions we applied using chod --reference after creating the + file. Instead we change the permissions directly before renaming the + file now. Wrapped it into a function and update the owner as well. + How do we do this correctly for ACLs etc.!? Thanks to Carlo Contavalli + for pointing this out. + * servers/slapd/main.c: Log a warning if writing the pidfile or writing + the arguments file fails (closes: #261696). + * debian/control: Add missing build dependency for perl development + library (closes: #297123). + + -- Torsten Landschoff Sun, 27 Feb 2005 17:44:03 +0100 + +openldap2.2 (2.2.23-0.pre2) experimental; urgency=low + + * servers/slurpd/slurp.h: Relocate the default spool directory to + /var/spool/slurpd again. + * Merged some changes done by Fabio M. Di Nitto for the ubuntu + distribution (thanks, Fabio!): + + debian/slapd.{postinst,conf}: Checkpoint BDB databases every 512kb + or 30 minutes by default. + + debian/slapd.scripts-common: Make is_empty_dir less noisy on first + install (cosmetic). + * Applied some changes suggested by Ondrej Sury: + + debian/rules: Add MAKEVARS variable and set datadir = + /usr/share/libldap2.2/ucdata instead of changing build/top.mk as + suggested. + + debian/move_files: Install /usr/share/libldap2.2 into libldap2.2 + and remove duplicate ldap.conf manpage. + + debian/control: Let libldap2.2 dependon libldap2 for config files. + * Also in Ondrej's patch: + + doc/man/man8/slapd.8: Refer to slapd.conf instead of ldap.h for + loglevel documentation. Changed by ubuntu? I don't know... + * debian/slapd.README.Debian: Update TLS/SSL information. + + -- Torsten Landschoff Fri, 25 Feb 2005 14:44:59 +0100 + +openldap2.2 (2.2.23-0.pre1) experimental; urgency=low + + * Merge new upstream release 2.2.23. + * Change name of source package to openldap2.2. + * configure.in: Fix AC_LIBOBJ for configure2.50. + * Run libtoolize, aclocal-1.4 and autoconf2.50 to get a working + configure script. + * debian/slapd.init: Output failure reasons using "$failure" so that + no glob substitution is done. Had a hard time grokking why slapd + would mention the contents of the current directory in its error + message... + * debian/rules: Disable building -dev packages as we don't want + other packages to link against the new libraries before sarge. + Remove the binary-indep target from the binary dependends list. + * debian/control: Move packages that are no longer build into control-dev. + * debian/configure.options: Build against OpenSSL with --with-tls + (this can only be done for slapd itself, we need GnuTLS support + before enabling this for libldap2.2-dev). + * debian/control: Update build dependencies for libdb4.3 and OpenSSL. + + -- Torsten Landschoff Wed, 23 Feb 2005 19:29:38 +0100 + +openldap2 (2.2.18-0.pre2) experimental; urgency=low + + * debian/check_config: Make sasl2 check more robust against file + format changes in config.status. + * debian/libldap2.shlibs: Remove. + * Update configure script using libtoolize, aclocal-1.4 and autoconf2.50 + to fix wrong shared library dependency in libldap2.2 (depended on + libldap2 by linking against the system's liblber). + * debian/libldap2.README.Debian: Move to libldap2.2.README.Debian. + * Lintian cleanup: + + Run debconf-updatepo for debian/rules clean and manually as + requested. + + Update config.guess and config.sub in debian/rules clean as well. + First update done. + + debian/rules (install): Fix the manpage section of the admin commands + from 8C to 8. + + debian/rules (binary-arch): Run dh_fixperms to fix the permissions + on shared libraries. + + -- Torsten Landschoff Thu, 13 Jan 2005 11:53:28 +0100 + +openldap2 (2.2.18-0.pre1) experimental; urgency=low + + * New upstream release. + * Disable TLS for now. + * debian/rules: Don't run autoheader and autoconf. + * debian/configure.options: Recreated and updated for new setup. + * debian/rules: Move slapd, slurpd from /usr/lib to /usr/sbin. + * Rename library packages to include the OpenLDAP version. + * Remove /etc/ldap/ldap*.conf from libldap2.2 to avoid clash with + libldap2. Also add Replaces entry for libldap2 to allow overwriting + for now. Needs fixing... + * Instead of moving slapd from /usr/lib to /usr/sbin create a symlink. + Seems like slapadd etc. are now all included in the slapd binary + and all link to its binary. + * debian/rules: Run dh_link for arch dependend packages. + * configure: Fix broken libdb checking which forced static building of + back-bdb. + * debian/slapd.conf: Fix access directive to use "attrs=" instead of + "attribute=" which wasn't officially supported anyway. + + -- Torsten Landschoff Wed, 3 Nov 2004 09:57:14 +0100 + +openldap2 (2.1.30-3) unstable; urgency=high + + * Urgeny high since previous releases were hardly usable (at least + with TLS). + * Roland Bauerschmidt + + libraries/libldap/gnutls.c, libraries/libldap/tls.c, + include/ldap_pvt_gnutls.h: Use callback with + gnutls_certificate_set_params_function to generate dh_params and + rsa_params (this is also the way, it's done with OpenSSL). We need + GNUTLS 1.0.9 for this. With the new version of libgcrypt, we also + need to initialize threading explicitly. The previous + segmentation faults resulted from the *global* param structure + being recreated and freed for every session. Many thanks to + Matthias Urlichs who helped debugging a lot and also packaged + GNUTLS 1.0.16 very quickly... Closes: #244827. + + debian/control: Add build dependency to libgcrypt11-dev (we're + initializing it directly now) and change libgnutls10-dev to + libgnutls11-dev. + + libraries/libldap/gnutls.c: in tls_gnutls_need_{dh,rsa}_params + (formerly ldap_gnutls_need_...), create temp files more securely, + doing unlink before opening and opening them with O_EXCL. This is + necessary because under Linux 2.6 all threads have the same PID. + Thanks to Andrew Suffield for pointing this out. + + debian/slapd.cron.daily: cron job to remove GNUTLS rsa_export and + dh param cache files every day. + + debian/slapd.README.Debian: add note that we use GNUTLS rather + than OpenSSL. + + -- Roland Bauerschmidt Mon, 26 Jul 2004 18:41:23 +0200 + +openldap2 (2.1.30-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/slapd.scripts-common: add missing space before ! + Closes: #251036, #253633, #257513. + * Torsten Landschoff + + Applied patch by Ralf Hack to support non-standard config file + location in /etc/default/slapd (closes: #229195). + + Applied patch to fix handling of abandoned commands + (closes: #254183). Thanks to Peter Marschall for submitting it. + + Applied patch to fix memory leak after search (closes: #254184). + Thanks again, Peter! + + Applied trivial patch to support logging to DAEMON facility + as well as LOCAL* (closes: #254186). Here you are, Peter ;) + + -- Roland Bauerschmidt Fri, 09 Jul 2004 15:56:06 +0200 + +openldap2 (2.1.30-1) unstable; urgency=low + + * Torsten Landschoff : + + debian/control: Have slapd conflict with libltdl3 version 1.5.4-1 + as with that version loading of .so files is broken which breaks + slapd (closes: #249152). + + Applied patch to fix Perl backend (closes: #245347). Kudos + to Peter Marschall. + + debian/configure.options: Enable building of Perl backend. + + * Roland Bauerschmidt + + debian/slapd.templates: replace 'domain' with 'DNS domain name' + which is little more specific + + debian/slapd.config: check if the domain has a valid syntax to + prevent slapadd from failing. Closes: #235749. + + New upstream version with fix for NS-MTA-MD5 hash length + checking. Closes: #226583. + + -- Torsten Landschoff Mon, 24 May 2004 23:33:21 +0200 + +openldap2 (2.1.29-2) unstable; urgency=low + + * Roland Bauerschmidt + + debian/rules: Revert change to install ldapadd as symlink. + Somehow, with that change, ldapadd didn't get installed at all. + Closes: #243537. + + -- Roland Bauerschmidt Tue, 13 Apr 2004 19:49:55 +0200 + +openldap2 (2.1.29-1) unstable; urgency=low + + * Stephen Frost + + libraries/gnutls.c: Generate and store RSA/DH parameters, + based off a patch by Petr Vandrovec (though changed alot). + Closes: #234639, #234593 + + * Roland Bauerschmidt + + Merged new upstream release. + + debian/slapd.prerm: add #DEBHELPER# token. + + debian/control: have slapd depend on debconf (>= 0.5) to ensure + it supports the seen flag. + + debian/rules: ldapadd is installed as a hardlink to ldapmodify; + use a symlink instead. + + debian/slapd.{scripts-common,postinst,preinst,config}: Add new + function read_slapd_conf that evaluates include statements. + + -- Torsten Landschoff Mon, 12 Apr 2004 15:27:55 +0200 + +openldap2 (2.1.26-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + debian/slapd.templates (slapd/purge_database): Set default value to + false. + + debian/slapd.config (manual_configuration_wanted): Don't exit + from the script directly if the user wants to configure + slapd manually (exit 0 -> return 0). + + Build-depend on libgnutls10-dev instead of libgnutls7-dev and + rebuild (closes: #233833). + + Move previous content of /var/lib/ldap away during creation of + an initial directory (closes: #228886, #233512). + + debian/slapd.postrm: Remove flag files in /var/lib/slapd on purge. + + Removed functionality (verbose error messages) from gnutls.c until + it compiled with libgnutls10-dev :-(( + + debian/slapd.postinst: Overwrite existing /etc/ldap/slapd.conf (only + reached during initial installation/dpkg-reconfigure). + + -- Torsten Landschoff Mon, 23 Feb 2004 09:36:32 +0100 + +openldap2 (2.1.25-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + - Build against libdb4.2. Hopefully, this resolves the BDB + lock ups when configured improperly. + + debian/control: Have ldap-utils depend on the same version of + libldap2, and libldap2 conflict with ldap-utils (<= 2.1.23-1). + Closes: #216661. + + debian/slapd.{templates,config}: Check if there are slave + databases in slapd.conf lacking an updateref option, and warn + about it. Closes: #216797. + + debian/slapd.{templates,config,postinst,conf}: Ask which + database backend to use (BDB or LDBM). + + debian/slapd.README.Debian: cleanup + + servers/slapd/back-bdb/dbcache.c: Turn off subdatabases. This + is an incompatible database format change, but according to + Howard Chu "using them (subdatabases) is known to cause deadlocks + on multiprocessor machines, among other issues." + + debian/control: add Recommends: db4.2-util to slapd + + debian/control: add Recommends: libsasl2-modules to slapd and + ldap-utils. Closes: #224058. + + debian/slapd.{scripts-common,preinst,postinst}: Extended dump + and restore code to deal with different versions for different + backends. + + debian/control: Geez, centipede seems to have vanished a long + time ago. So don't claim it's included in the slapd package. + + debian/slapd.docs: created with servers/slapd/back-sql/ + rdbms_depends. Closes: #225807. + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd as it's useful without slapd as well (closes: #228705). + + debian/control: Make ldap-utils Replaces: slapd < 2.1.25 because + of that change. + + debian/control: Use libdb4.2-dev instead of libdb4.1-dev as a + number of problems seem to be related to DB 4.1. + + -- Torsten Landschoff Fri, 6 Feb 2004 20:48:22 +0100 + +openldap2 (2.1.23-1) unstable; urgency=low + + * Roland Bauerschmidt : + + New upstream version. + + Applied fix for admin password breakage from Michael Beattie + . Closes: #214270. + + Added Dutch Debconf template translation by cobaco@linux.be. + Closes: #215373. + + Bumped Standards-Version (no changes needed). + + * Torsten Landschoff : + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd (closes: #228705). + + -- Roland Bauerschmidt Sat, 18 Oct 2003 19:56:54 +0200 + +openldap2 (2.1.22-3) unstable; urgency=low + + * Call perl -w to run debian/dh_installscripts-common. Closes: #214054. + + -- Roland Bauerschmidt Sat, 4 Oct 2003 14:22:11 +0200 + +openldap2 (2.1.22-2) unstable; urgency=high + + * Stephen Frost + + servers/slapd/daemon.c: Apply patch from head for select handling. + + debian/rules: Fix build options to optimize correctly and to use + DEB_BUILD_OPTIONS (Policy, 10.1). Closes: #202306 + + debian/slapd.conf: Add in ACL for root DSE explicitly. + + debian/slapd.init: Add --oknodo in stop_slurpd. Closes: #202592 + + debian/rules: Need quotes around $(CFLAGS) on configure line. + + debian/slapd.init: Remove \'s before quotes around pidfile. + + debian/slapd.init: Add support for -h slapd flag. Closes: #201991 + + debian/slapd.default: Add variable $SLAPD_SERVICES for slapd -h. + + libraries/libldap/tls.c: Apply patch from asuffield in #202741 to + fix subjectAltName usage. Closes: #202741 + + * Torsten Landschoff : + + Fix invocation of "head" in maintainer scripts and replace usage of + [ foo -a bar ] by [ foo ] && [ bar ] (closes: #203292). + + debian/slapd.postrm: Small cleanup, only remove the directory, not + the backups, on purge. + + debian/rules: Don't run the upstream install target if we did not + rebuild the whole tree. Makes debugging maintainer script much more + tolerable. + + debian/slapd.config: Cleaned up and restructured for readability. + + debian/slapd.templates: Replaced the invalid_suffix template with + invalid_config which is more general and can be used for any + inconsistency in the initial configuration. + + debian/slapd.postinst: Rewritten to eliminate all that spaghetti. + Did not yet implement all old features again... + - Now the #DEBHELPER# part is always reached so that the daemon + will be restarted even if no automatic configuration is wanted + (closes: #204008). + + Fixed the undefined symbols in libldap_r.so.2 (closes: #195990). + | configure.in: Try -lpthread before -pthread to link the thread + library. libtool does not pass -pthread through, -lpthread seems + to work though. + | libraries/libldap_r/Makefile.in: Add $(LTHREAD_LIBS) to + UNIX_LINK_LIBS so that pthread is linked when creating a shared library + as well. + + * Roland Bauerschmidt : + + debian/configure.options: change --localstatedir=/var/lib to + --localstatedir=/var/run. Since localstatedir isn't used anywhere + in the code, except for the ldapi socket (and examples in the + manpages which are correct at the moment anyway), all this change + does should be changing the default location of the ldapi socket + from /var/lib/ldapi to /var/run/ldapi. Closes: #160965. + + libraries/libldap/tls.c: In get_ca_list, walk through CACERTDIR + manually if building against GNUTLS (since there is no equivalent + to SSL_add_dir_cert_subjects_to_stack). Closes: #205609. + + debian/slapd.preinst: create /var/backups/ldap/$oldver with + permissions 0700. Also change permissions for /var/backups/ldap + to 0700 if it already exists. Closes: #209019. + + Added Japanese translation of Debconf templates by Kenshi Muto + . Closes: #210731. + + debian/slapd.{postinst,preinst,config}: Replaced duplicate + implementations of the same functions with one version and moved + those into debian/slapd.scripts-common which will be included by + debian/dh_installscripts-common. + + debian/slapd.preinst: before dumping the database, check if the + backend is supported + + debian/slapd.postinst: + - add -q to grep call for allow bind_v2 + - readded pre-2.1 (woody) upgrade path (that is, dumping, fixing + and reimporting the database) + + -- Roland Bauerschmidt Fri, 3 Oct 2003 15:35:29 +0200 + +openldap2 (2.1.22-1) unstable; urgency=low + + * Stephen Frost : + + New upstream version (minor changes). + + debian/control: Change build-deps to autoconf2.13, Closes: #201482 + + debian/rules: Add dh_compress -i for binary-indep. + + debian/slapd.postinst: Give variable for read (avoids bashism). + + configure/.in: Use upstream's version of back-meta/back-ldap fix. + + -- Stephen Frost Wed, 16 Jul 2003 08:42:23 -0400 + +openldap2 (2.1.21-2) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.preinst: slapcat here if possible, if slapcat not + available then slapcat in postinst. Also remove old unused + function. + + debian/slapd.postinst: Check if slapcat in preinst worked and use + those results in preference. Also moved to using /var/backups/ldap. + + servers/slapd/daemon.c: Provide more information on socket/bind + failures. Patch submitted upstream. Closes: #94967. + + ./configure, ./configure.in: Fix check for back_ldap in back_meta. + back_ldap now included as module. back_ldap and back_meta appear + to load fine, though order may matter. Closes: #196995. + + debian/control: Add versioned Depends on perl, need recent version + for migration script. + + debian/slapd.{pre,post}inst: Allow for whitespace in postinst + before database definitions + + debian/control: Drop the libldap2-dev Depends that aren't actually + necessary. + + debian/slapd.preinst: Add create_sed_script to create the script to + deal with multi-line commands in slapd.conf. Modify things to use + sed script to preprocess slapd.conf before using it. Remove + support for whitespace preceeding commands. + + debian/slapd.postinst: Add create_sed_script here too and modify + everything to use it as necessary. Also change everything to + reference $SLAPD_CONF instead of /etc/ldap/slapd.conf everywhere. + Remove support for whitespace preceeding commands. + + debian/slapd.postinst: Removed all tabs. Changed all sed scripts + to used [:space:] instead of [space tab]. + + debian/slapd.postinst: Removed debugging statements from ldap_v2 + support handling code. + + debian/slapd.preinst: Changed to use mktemp for sed script. + + debian/slapd.postinst: Changed to use mktemp for sed script. + + debian/slapd.config: If no hostname set just use debian.org. + + contrib/ldapc++/config.{sub,guess}: Resync back to upstream, no + reason not to, we don't even build this stuff... + + debian/control: Change build-depends to libgnutls7-dev instead of + libssl-dev. + + debian/rules: Now run autoconf && autoheader to pick up on the + configure.in changes needed for GNU TLS. + + debian/copyright: Added Steve Langasek (SL) copyright statement. + + Patch from Steve Langasek for GNU TLS support, Closes: #198553 + | include/ldap_pvt_gnutls.h: Added for GNU TLS + | configure.in: Now uses GNU TLS where available. + | servers/slapd/schema_init.c: Modified for GNU TLS- some functions + removed because GNU TLS layer does not support them yet. + | build/install-sh: Added for new autoconf. + | libraries/libldap/Makefile.in: Changed to compile GNU TLS portions. + | libraries/libldap/getdn.c: Stub function added, GNU TLS layer does + not support TLS certificates for authentication yet. + | libraries/libldap/tls.c: Now calls GNU TLS functions instead of + OpenSSL. + | libraries/libldap/gnutls.c: Added to support GNU TLS in place of + OpenSSL for TLS connections. + | libraries/libldap_r/Makefile.in: Changed to compile GNU TLS portions. + + debian/slapd.postinst: remove temp file if upgrading or doing a + reconfigure but the OLDSUFFIX and basedn match so that we do not + move an empty file overtop of slapd.conf. Closes: #190797. + + debian/slapd.init: Inform user when not starting slapd due to + no configuration file found. Deals with users who select to not + configure slapd during installation. + + debian/slapd.init: Removed cat <<-EOF and got rid of associated + tabs; best to not depend on tab vs. space distinction. + + debian/slapd.config: Change debconf question names to be fully + qualified in the $var from the for loop- organization is under + shared/ and domain is under slapd/, not both under slapd/. + + debian/slapd.postrm: Can not depend on debconf being around in + postrm so check before attempting to source it. Also protect + against failure from db_get. + + debian/slapd.postinst: Check for old directory and move it out + of the way if it exists on new configure or reconfigure. + + debian/slapd.postinst: Fix db_input's for error messages, + should be high priority and need to || true them. + + debian/slapd.postinst: Do not error exit once we've told the + user about the problem, if there was one, with slapcat/slapadd. + + debian/slapd.postinst: Make sure we get the organization before + we attempt to fix_ldif on old slapcat output. Default to unknown + if the organization is not set. + + debian/slapd.postinst: Be sure that slapd has been stopped before + attempting to fix and slapadd old slapcat. + + debian/slapd.postinst: Do not use --exec with s-s-d in postinst. + + debian/slapd.postinst: grep calls need to be || true'd when no + matching lines found is possible (this case is handled). + + debian/slapd.postinst: Be very sure slapd has stopped before + attempting to upgrade database. + + debian/slapd.preinst: Use either the pidfile or exec if pidfile + is not available when stopping. Do not put \"\" around pidfile. + Use $oldver instead of $2. + + debian/slapd.config: Reask questions on a reconfigure. Use the + same logic as slapd.postinst for when to ask questions regarding + the db. Be sure to db_go after db_input's. + + debian/slapd.templates: Fix allow_bind_v2 short description to + make more sense since the default is off. + + debian/slapd.preinst: Use perl instead of sed for handling conf. + + debian/slapd.postinst: Use perl instead of sed for handling conf, + use old sed method to insert \n's, user invoke-rc.d when slapd + needs to be stopped. Assume preinst shuts slapd down for upgrade. + + debian/slapd.postinst: Only stop slapd on reconfigure. + + * Torsten Landschoff : + + doc/man/man8/slapd.8: Refer to slapd.conf(5) for a description of + the debugging level (closes: #176980). + + debian/move_files: Kill of the static archives of our backend + modules as they are of absolutely no use. + + * Steve Langasek : + + debian/slapd.postinst: Add a new function, get_database_list, that + prints out the list of configured databases from slapd.conf + one row at a time. Move all of the upgrade handling into a + loop, and iterate through the configured databases. Since the + while loop is in fact a subshell, be sure to handle errors + correctly. We also have to look at the configured directory + for each database, instead of assuming /var/lib/ldap. + Closes: #190155, #190156. + + debian/slapd.preinst: Simplify the handling of error status: if + the slapcat fails, just remove the ldif file. Also, add the + suffix to the name of the output file, and add the + get_database_list function here as well. + + * Roland Bauerschmidt : + + debian/rules: call dh_makeshlibs with -plibldap2 rather than just + with libldap2 + + debian/slapd.postinst: Add question about no configuration. + + debian/slapd.templates: Add template for no config question. + + debian/slapd.templates: Add template for invalid suffix. + + debian/slapd.config: Add no configuration option. Closes: #87986 + + debian/slapd.config: Complain to the user on invalid domain/org. + + -- Stephen Frost Tue, 15 Jul 2003 12:37:05 -0400 + +openldap2 (2.1.21-1) unstable; urgency=low + + * Torsten Landschoff : + + Merged new upstream release. + + * Stephen Frost : + + debian/control: Add libbind-dev and bind-dev to the conflicts for + slapd, the libs in them can end up being used even when not + compiled against causing getaddrinfo() to fail. Closes: #166777 + + debian/copyright: Flush out the copyright file to include all found + copyrights and updates to those. + + debian/copyright: Add clarification of MA license + + debian/copyright: Add clarification of JC license + + debian/slapd.templates: More clearly inform users of important + config change. Closes: #194192. + + debian/control: Remove patch from build-depends (dpkg-dev depends on it) + + debian/fix_ldif: Correctly handle base64-encoded DNs. Closes: #197014. + + debian/slapd.templates: Added templates for asking about LDAPv2 support + and telling the user of slapcat/slapadd failures during upgrade. + + debian/slapd.postinst: Added support for adding LDAPv2 support + + debian/slapd.postinst: Modified to handle slapcat/slapadd failure. + In the event of an upgrade failure the database will be left untouched + and the user notified. Closes: #192431 + + debian/slapd.postinst: Use ldif_dump_location in more places... + + debian/slapd.prerm: Check if upgrade failed and assume bad old init.d + script was used and attempt to shut down slapd with --oknodo in case + slapd isn't running. Closes: #193854. (Again) + + debian/slapd.conf: Add commented out allow line + + debian/rules: Tell dh_installinit to not touch slapd.prerm now. + + debian/slapd.postinst: Do a dry-run with slapadd first and check if + that worked or not. If it did not work then tell the user, otherwise + do a real slapadd which should work. + + debian/slapd.postinst: Make sure slapd is stopped before doing + slapadd/slapcat's and the like. (Note: The woody version does not + stop slapd). Closes: #189777. + + debian/slapd.postinst: Check if directories exist before attempting + to mkdir them. Closes: #189947 + + debian/slapd.README.debian: Add note about runlevel issue. + Closes: #175736 + + debian/move_files: Copy ldiftopasswd into /usr/share/slapd for users + to use, if they find it useful. Closes: #94963. + + debian/slapd.README.Debian: Added note about ldiftopasswd. + + * Roland Bauerschmidt : + + debian/slapd.postinst: fixed typos and check for the existence of + slapd.conf before reading it. + + -- Torsten Landschoff Thu, 19 Jun 2003 17:35:32 +0200 + +openldap2 (2.1.17-3) unstable; urgency=low + + * Stephen Frost : + + debian/slapd.init: Add --oknodo for stopping slapd. Closes: #192423, #193854. + + debian/slapd.init: Change START_SLURPD to SLURPD_START. Closes: #190724. + + debian/libldap2.shlibs: Bump to 2.1.17- 2.1.12 never hit the archive. + These should only be bumped when new symbols are added so we should + figure out a way to handle checking that. + + debian/slapd.dirs: Added /var/run/slapd for pidfile + + debian/slapd.conf: Moved pidfile to /var/run/slapd; Needed if running + non-root. + + debian/slapd.conf: Clean up config file, be more explicit about what + directives are 'general', 'backend', and 'database'. Moved and + commented out 'replogfile' since it is database specific, wasn't doing + anything where it was and use of it depends on slurpd usage. + I consider this solving #151511 since we don't ask if you want to use + replication anymore anyway. Closes: #151511 + + debian/copy_slapd_dev_files: Added to copy the include files for + building slapd back-ends. + + debian/control: Add warning about libslapd2-dev + + debian/control: Add build-depend on po-debconf for dh_installdebconf + + debian/slapd.default: Add option for settings SLAPD_CONF file + + debian/slapd.init: Changed to use SLAPD_CONF, setting it to + /etc/ldap/slapd.conf if it is not specified. Closes: #91318 + + debian/control: Added libslapd2-dev to control file. Closes: #192163. + + debian/rules: Added binary-indep to the binary: build line and flushed + it out to build the libslapd2-dev deb. Added -k to dh_clean since we're + building arch and indep debs now. + + Maintainer upload, acknowledge NMU. Closes: #98039. + + Add debian/po/fr.po from 194740. Closes: #194740 + + Add space before ']' on line 113 of postinst. Closes: #194192, #194943 + + * Torsten Landschoff : + + debian/control: Enforce libldap2 to be the same version as slapd + as slapd (legitimately) uses internal functions of that library + (closes: #190164). + + debian/slapd.postinst: Fix the regexp for finding the database + definitions. + + * Steve Langasek : + + debian/slapd.preinst: don't use debconf or ldapsearch in the + preinst, as this is a policy violation (even if a previous + version was installed, it could've been removed-but-not-purged). + Closes: #189811, #195029. + + debian/slapd.{pre,post}inst: dump & fix up the directory in the + postinst, not in the preinst -- using slapcat/slapadd, not + ldapmodify. This ensures that the dump will succeed whenever the + database is present, rather than depending on access to an admin + dn. Closes: #190085. + + debian/fix_ldif, debian/move_files, debian/copyright: add Dave + Horsfall's dn-fixing script, to handle objectClass upgrading + + debian/slapd.postinst: Skip the duplicate prompting for the + organization name; we're guaranteed to always have one. + + -- Torsten Landschoff Fri, 6 Jun 2003 16:56:16 +0200 + +openldap2 (2.1.17-2) unstable; urgency=low + + * The who-says-slavery-is-dead upload. + * Steve Langasek : + + debian/slapd.postinst: Fix the database regexp. + + debian/slapd.postinst: Only add moduleload lines *once* on upgrade + from 2.0. Wrap the backup code with a check for + /var/lib/slapd/upgrade_2.0, to guarantee idempotency. + Closes: #190401. + + debian/slapd.{config,templates,postinst}: On dpkg-reconfigure, + don't wipe out an existing config; only merge in any requested + changes. Also, prompt before wiping out the existing db. + Closes: #190799. + + debian/slapd.{postinst,examples},debian/rules: Move slapd.conf + from doc/slapd/examples to /usr/share/slapd, per policy. + + debian/slapd.postinst: make sure slapd.conf is always created + atomically. + + debian/slapd.postrm: If removing databases on package purge, + remove any database backups as well. + + * Torsten Landschoff : + + debian/configure.options: Disable ACIs because they are still + experimental. + + debian/control: Change section and priority of libldap2-dev to + libdevel and extra respectively (dinstall message). + + debian/slapd.preinst: Only query the object classes of the root + dn if there was no error parsing the config. + + Update templates for po-debconf using the patch submitted by + Andre Luis Lopes (closes: #189933). + + Use [[:space:]] instead of [\t ] in sed invocations since the + latter does not seem to work (reported by Daniel Lutz). + + debian/control: Add Replaces: entry for openldapd since ldif.5.gz + was included in the potato package of that name (closes: #190660). + + debian/control: Tighten the build dependency on libtldl3-dev as + versions before 1.4.3 required the .la file for dynamic binding + (thanks to Josip Rodin for pointing this out). + + -- Torsten Landschoff Sat, 19 Apr 2003 02:28:32 +0200 + +openldap2 (2.1.17-1) unstable; urgency=low + + * New upstream release. + * Torsten Landschoff : + + debian/slapd.init: Improve the error reporting. If nothing is output + by the failing command don't leave the user alone but print a hint + to look into the logfile etc. + + debian/control: Require at least version 2.1.3 of libsasl2-dev + as this is what the configure script checks for. Pointed out by + Norbert Tretkowski. + + debian/slapd.{pre,post}inst: Small cleanups, added some comments, + adapted for the removal of the .la files in slapd package. + + -- Torsten Landschoff Sat, 19 Apr 2003 01:59:26 +0200 + +openldap2.1 (2.1.16-1) unstable; urgency=low + + * New upstream release. + + build/top.mk: Remove patch to omit "-static" at linking time. Upstream + now respects the --enable-shared flag used at configuration time. + + debian/slapd.postinst: Automagically add the module load directives + after upgrade as needed. + + debian/slapd.config: + - Only ask questions to create a new directory on fresh install. + - Ask wether the right modules should automatically be loaded in + slapd.conf. + + debian/slapd.templates: Add the templates for autoloading modules + and fixing the directory. + + debian/slapd.preinst: New script to support upgrading from 2.0. + The old prerm did not stop the daemon so we have to do it here. + Also a first attempt to fix broken LDAP directories not acceptable + to 2.1. + - Conditionally load debconf when upgrading as it only has to + be available in that case. + + debian/slapd.preinst: Dump database before upgrade. + + debian/slapd.postinst: Recreate database from dump after upgrade. + Move old database out of the way. + + * Roland Bauerschmidt + + debian/slapd.README.Debian: mention that backend database modules are + now compiled as shared objects + + * Stephen Frost + + debian/slapd.conf: Drop the '.la' file extension + + debian/move_files: Drop and rm the .la files, they aren't necessary. + + debian/slapd.README.Debian: Dropped the .la from the module_load line. + + servers/slapd/daemon.c: check slapd_srvurls is not NULL before + deref; included in upstream CVS. + + servers/slapd/back-*/init.c: Change the munged symbol names to + init_module, they do not need to be munged, and cause problems when + they are and not using .la files (which cause other problems) + + servers/slapd/module.c: Change to use lt_dlopenext() so we don't + need the .la files + + -- Torsten Landschoff Wed, 26 Mar 2003 20:34:35 +0100 + +openldap2.1 (2.1.12-1) experimental; urgency=low + + * Initial release of OpenLDAP 2.1 packages. Closes: #167566, #178014. + - this includes support for the >= and <= operators. Closes: #159078. + - fixes various upstream bugs. Closes: #171008. + + * Torsten Landschoff + - debian/check_config: Added script to check if OpenLDAP was configured + the way we want it. + - Don't build special TLS packages anymore - SSL is enabled in the + stock ldap library. Everything else will just give me more headaches. + - Build against libsasl2 instead of libsasl1. Closes: #176462. + - debian/control: + - Build-depend on debhelper 4.0 as debian/rules uses DH_COMPAT=4. + - Depend on coreutils | fileutils. Closes: #175704, #185676. + - Make libldap2 conflict with libldap2-tls which is obsolete now. + - debian/rules: Move the long list of configure options to a new + file debian/configure.options and read $(CONFIG) from that file. + - configure with --enable-aci. Closes: #101602. + - debian/slapd.init: Rewrite and add comments. + - Add support for running as non-root (closes: #111765, #157037). + - servers/slapd/main.c (main): Remove pid file on exit (closes: #162284). + - servers/slurpd/slurp.h: Change the default spool directory to + /var/spool/slurpd (avoids passing it via -t in init.d). + - servers/{slapd,slurpd}/Makefile.in: Install binaries into sbindir + instead of libexecdir. + - debian/control: Add Stephen Frost to the Uploaders field. Thanks + for your help, Stephen! + - contrib/ldapc++/config.{guess,sub}: Replaced with current files from + autotools-dev (lintian). Not actually neccessary since this part of + the package is not currently built but I think this is the best way + to shut up lintian :) + - build/mod.mk: Use -m 644 instead of -m 755 in installing shared + libraries. Shared libraries should not be marked as executable + (lintian). + - debian/libldap2.conffiles: Remove, since we are using version 4 + of debhelper which tags everything in /etc as conffile by default. + - debian/rules: Change the mode of everything upstream installed into + /etc to 0644 as required by policy (lintian). + - debian/rules: Call dh_installdeb later in the binary target so that + the conffiles are already there for listing. Without this nothing in + /etc gets tagged as conffile... (lintian). + - debian/rules: Pass the start and stop priority of slapd to + dh_installinit in preparation for a postinst supported by debhelper. + - debian/rules: Call dh_installdirs again. + - Rewrite slapd.config, slapd.postinst, slapd.templates - a first try + in getting slapd to configure itself. Way to go. + + * Roland Bauerschmidt + - debian/control: + - build-depend on libdb4.1-dev instead of libdb4.0-dev + - conflict, replace, and provide libldap2-tls (libldap2) + - removed ldap-gateways binary package + - drop suggestion to obsolete openldap-guide. Closes: #171894, #146968. + - debian/rules: + - build with BDB backend + - run dh_installdeb + - only run dh_makeshlibs for libldap2 + - debian/slapd.dirs: added to create /var/lib/ldap and /var/spool/slurpd + - debian/slapd.postinst: + - properly remove temporary files on errors. Closes: #160412. + - install init.d link if slapd.conf already exists. Closes: #159542. + - run db_stop even if package isn't configured for the first time. This + prevents hanging during upgrades. + - added debian/slapd.default and use it from debian/slapd.init. + Closes: #160964, #176832. + - added debian/slapd.README.Debian + - added versioned dependency on coreutils to make lintian quiet. + - added debian/slapd.postrm + - remove slapd.conf when package is purged + - remove /var/lib/ldap when slapd/purge_database is true + - remove /etc/ldap/schema if empty. Closes: #185173. + - debian/templates: added slapd/purge_database template + - build/top.mk: link against libcrypt before other SECURITY_LIBS + - debian/libldap2.shlibs: tighten dependencies. Closes: #181168. + + * Stephen Frost + - debian/control: added libltdl2-dev and libslp-dev to the build-depends + - Correct typo for back-sql init routine; already in OpenLDAP upstream + CVS + - Correct free of SASL interact results; already in OpenLDAP upstream CVS + - Duplicate the DN from SASL to ensure '\0' termination; already in + OpenLDAP upstream CVS + - debian/control: added Replaces: slapd (<< 2.1) for ldap-utils due to + ldif.5 move. + - Add modulepath /usr/lib/ldap to default slapd config + - Add moduleload back_bdb to default slapd config + - Changed libexecdir to ${prefix}/lib + - Add usr/lib/ldap to slapd portion of move_files + - Modified backend types to be built as modules for dynamic loading + - Fixed pt_BR translation + + -- Roland Bauerschmidt Sat, 15 Mar 2003 21:35:24 +0100 + +openldap2 (2.0.27-3) unstable; urgency=high + + * [SECURITY]: Apply the patch used by SuSE in SuSE-SA:2002:047 + (or rather the parts of it not yet included upstream). + + -- Torsten Landschoff Fri, 20 Dec 2002 04:47:15 +0100 + +openldap2 (2.0.27-2) unstable; urgency=low + + * debian/control: Make libldap2-dev depend on libssl-dev and + libsasl-dev, since those libs are pulled via the libldap.la file + (closes: #164791). + * debian/control: Add shlibs:Depends to libldap2-tls as well. Most + of those depends are pulled via libldap2 but of course libssl + is not among those. (closes: #169950). + * debian/libldap2-tls: Remove old divertions on "configure" and not + on "upgrade" - the latter is not really called. + + -- Torsten Landschoff Fri, 22 Nov 2002 00:35:29 +0100 + +openldap2 (2.0.27-1) unstable; urgency=low + + * New upstream release. + + -- Torsten Landschoff Wed, 6 Nov 2002 01:12:06 +0100 + +openldap2 (2.0.23-14) unstable; urgency=low + + * debian/rules: Remove search paths from .la files using some perl + trickery (closes: #110479). + * debian/libldap2.README.debian: Document the NSS problem which stops /usr + from being unmounted cleanly when using libnss-ldap (for more info + see bug#159771). + + * Started cleaning up the maintainer scripts: + - Remove creation of the /usr/doc symlinks (lintian). + - Don't run ldconfig in prerm scripts (lintian). + + -- Torsten Landschoff Mon, 30 Sep 2002 12:10:05 +0200 + +openldap2 (2.0.23-13) unstable; urgency=low + + * As Ashley Clark found out the preinst of libldap-tls fails for a new + install. My fault - I did not check that (removing ldap is cumbersome + if you are using it... :) and the scripts were only checked without + "set -e" in effect. + + debian/libldap2-tls.preinst: Apply Ashley's patch (thanks a lot, + Ashley. closes: #162123). + + Coincidently the other installation scripts seem to be okay, the + failing command is in the middle of a pipe and therefore ignored. + + -- Torsten Landschoff Tue, 24 Sep 2002 12:56:18 +0200 + +openldap2 (2.0.23-12) unstable; urgency=low + + * Apply the patch from upstream ITS#2012 to support MD5 hashes. Problem + is that OpenSSL comes with its own version of the crypt() function + which is linked in instead of the system's version from libcrypt. + The patch changes the link order so that slapd takes the system's + implementation. + * debian/rules: Pass --enable-crypt-first to configure to enable the + patch (closes: #160763). + * Fix the diversion handling of libldap2-tls: + - preinst: Only install diversions that are not there. + - postrm: Remove this package's diversions. + - postinst: Remove obsolete diversions after upgrade. + - Removal of diversions is done in reverted order of the installation. + + * Enable DNSSRV support as requested by Turbo. No Kerberos for now, sorry. + * debian/control: Updates Standards-Version to 3.5.7 and fix running + of ldconfig in maintainer scripts. + + -- Torsten Landschoff Mon, 23 Sep 2002 12:18:40 +0200 + +openldap2 (2.0.23-11) unstable; urgency=low + + * debian/rules: Build with --with-tls (closes: #80591, #155937). + * debian/control: + + Add build dependency on libssl-dev. + + Specify Roland Bauerschmidt as co maintainer. + * Added the trickery to have libldap2 without TLS and libldap2-tls + with the TLS stuff. Otherwise we have to change the base system, + and god knows how long that would take. + + Most of the changes done by Roland Bauerschmidt. We now build the + source two times - with and without ssl. We mostly use the ssl enabled + stuff with the exception of a libldap2 package which does not have + support for that. If you need TLS support you have to install + libldap2-tls, which diverts the libraries from libldap2 out of the + way and replaces them with the TLS enabled version. + + -- Torsten Landschoff Thu, 29 Aug 2002 13:35:39 +0200 + +openldap2 (2.0.23-10) unstable; urgency=low + + * debian/control: Build depend on libdb4.0-dev instead of libdb3-dev. + This should fix the index corruption problems (closes: #152959). + + -- Torsten Landschoff Sun, 18 Aug 2002 19:47:02 +0200 + +openldap2 (2.0.23-9) unstable; urgency=low + + * debian/slapd.init: Wait for the daemons to actually terminate for + the stop action (which is used for restart) and trap all errors + (closes: #148033). + * debian/rules: Build with -D_FILE_OFFSET_BITS=64 to support files + bigger than 2GB on all architectures (closes: #155197). As off_t is + about never used in the source that should not create any problems. + * debian/control: Make libldap2-dev depend on libsasl-dev + (closes: #135223, #96957). + * doc/man/man1/ldapmodify.1: Fix typo (closes: #105905). + * debian/rules: Create symlinks for some manpages (closes: #99547). + * Fix spelling error in description of ldap-gateways (closes: #124859). + * debian/copyright: Include the full content of the LICENSE file + (closes: #151222). + + -- Torsten Landschoff Thu, 8 Aug 2002 15:54:46 +0200 + +openldap2 (2.0.23-8) unstable; urgency=low + + * New maintainer. + * debian/control: Build-Conflict with libbind-dev to use the right + resolver library everywhere (closes: #112459). Of course, the + real solution must be to fix the configure script to not detect + libbind-dev and use the right resolver all the time. But a work around + is better than nothing I would say... + + -- Torsten Landschoff Wed, 7 Aug 2002 14:53:39 +0200 + +openldap2 (2.0.23-7) unstable; urgency=low + + * Add Brazilian translation for debconf templates. Closes: Bug#114021 + * Fix hostless LDAP URLs, patch from Lamont Jones. Closes: Bug#140387 + + -- Wichert Akkerman Sat, 4 May 2002 20:05:32 +0200 + +openldap2 (2.0.23-6) unstable; urgency=high + + * Make slapd.config idempotent, so that calling it once (during + preconfiguration) and again (during postinst) doesn't break things. + Patch from Anthony Towns. Closes: Bug#137552). + + -- Wichert Akkerman Sun, 14 Apr 2002 19:10:50 +0200 + +openldap2 (2.0.23-5) unstable; urgency=high + + * Fix slurpd invocation in slapd.init. Closes: Bug#141959 + * Ask for admin DN when using LDIF initialization as well. + Lets hope this finally Closes: Bug#137552 + * Merge German translation for debconf templates. Closes: Bug#141712 + * Add Build-Depends on debconf-utils since we use debconf-mergetemplate + * Remove bogus error from slapd.init. Closes: Bug#137718 + + -- Wichert Akkerman Tue, 9 Apr 2002 14:49:27 +0200 + +openldap2 (2.0.23-4) unstable; urgency=high + + * Only show already-configured note on initial installs. Closes: Bug#137100 + * Supply -t option to slurpd when starting it, not when stopping it. + Closes: Bug#136240 + * Use db_input instead of db_get for notes in the slapd postinst. + * Only fetch password from debconf when not using ldif initialization. + Closes: Bug#138558,#137552 + * Check if slapd.conf exists in slapd postinst. Closes: Bug#138136 + + -- Wichert Akkerman Sat, 6 Apr 2002 23:02:42 +0200 + +openldap2 (2.0.23-3) unstable; urgency=high + + * If can not get a password for the admin entry when installing slapd + generate one randomly. Closes: Bug#134774 + * Bump shlibs dependency to 2.0.23 + + -- Wichert Akkerman Thu, 21 Feb 2002 23:23:57 +0100 + +openldap2 (2.0.23-2) unstable; urgency=high + + * Create /var/spool/slurpd and tell slurpd to use that as temporary + directory. Closes: Bug#134564 + * Improve debconf prompts a bit. Closes: Bug#134945 + * Properly set default value for domain + * Clear crypted password from debconf after creating the LDAP directory + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.23-1) unstable; urgency=high + + * Upstream updated config.{guess,sub} so we are back to zero patches + again. + * Apply fix from Klaus Duscher for the missing password problem: the + config script did not check if it was run twice without slapd.conf + being generated in between and would abort with a missing password + error. Closes: Bug#132566 + * Change slapd priority for boot sequence to start earlier and stop + later so people can use LDAP for NSS purposes. Closes: Bug#130277 + + -- Wichert Akkerman Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.22-2) unstable; urgency=low + + * Update config.{guess,sub} again. Closes: Bug#131469 + + -- Wichert Akkerman Thu, 7 Feb 2002 22:33:01 +0100 + +openldap2 (2.0.22-1) unstable; urgency=low + + * New upstream version + * Build properly as non-native package + + -- Wichert Akkerman Wed, 6 Feb 2002 00:17:20 +0100 + +openldap2 (2.0.21-3) unstable; urgency=high + + * Add logic to config and postinst to configure replication as well + * Don't fail in slapd postinst if we can't stop slapd. Closes: Bug#131617 + * Change localstatedir to /var/lib + * Remove /var/lib/ldap when purging slapd + * Don't remove user-supplied ldif file after creating the directory + * Set default replogfile + * Fix typo in severity for no_password note + * Encrypt admin password and remove it from the debconf database + + -- Wichert Akkerman Thu, 31 Jan 2002 17:03:36 +0100 + +openldap2 (2.0.21-2) unstable; urgency=medium + + * Update config.{guess,sub} and forwarded upstream (ITS#1567). + Closes: Bug#131469 + * Remove -x from slapd postinst. Closes: Bug#131502 + + -- Wichert Akkerman Wed, 30 Jan 2002 10:53:45 +0100 + +openldap2 (2.0.21-1) unstable; urgency=high + + * New upstream version, + * Update copyright + * Update config.guess and config.sub + * Redone packaging, no more dbs or debhelper + * Drop all patches, they are either unnecessary or alternatives have + been made upstream + + -- Wichert Akkerman Tue, 29 Jan 2002 17:04:10 +0100 + +openldap2 (2.0.14-1) unstable; urgency=high + + * New upstream version, which includes a billion second bug. + Closes: Bug#111833 + * Drop 005_libldbm_dbopen, upgrading the database in place no longer works + with the new db-env code. + * Redo 008_porting_maxpathlen + + -- Wichert Akkerman Sat, 15 Sep 2001 13:39:46 +0200 + +openldap2 (2.0.11-2) unstable; urgency=low + + * Test if /etc/init.d/slapd is executable when purging slapd. + Closes: Bug#100938 + * Update 008_porting_maxpathlen. Closes: Bug#100584 + * Don't use four11 as referral example anymore. Closes: Bug#99998 + * Fix synopsis of slapindex manpage. Added to 002_man_fixes. + Closes: Bug#98805 + * Removed stray backup file from 002_man_fixes + + -- Wichert Akkerman Tue, 19 Jun 2001 01:01:17 +0200 + +openldap2 (2.0.11-1) unstable; urgency=low + + * New upstream version + * Add autoconf to Build-Depends. Closes: Bug#99440 + * Fix new db upgrade patch. Closes: Bug#98853 + + -- Wichert Akkerman Sun, 3 Jun 2001 00:25:47 +0200 + +openldap2 (2.0.10-2) unstable; urgency=low + + * Tighten shlibs dependency to >= 2.0.1-1. Closes: Bug#98683 + + -- Wichert Akkerman Fri, 25 May 2001 16:32:35 +0200 + +openldap2 (2.0.10-1) unstable; urgency=low + + * New upstream version + * New maintainer + * Remove useless LINE_WIDTH bit from patch 000_clients + * Patch 004_ssl_fix has been merged upstream, removed + * Redo 005_db3_upgrade + * Rediff all other patches + + -- Wichert Akkerman Thu, 24 May 2001 14:56:02 +0200 + +openldap2 (2.0.7-6) unstable; urgency=low + + * Make sure autoconf is run if configure.in is changed (for Hurd patch), + closes: #96145 + * Fix slapd.postinst in the case of using an ldif file, closes: #95600 + * Use a var for slapd.conf in slapd init script. Partially fixes bug + 91318. + * Fixed hurd patch for strrchr in replog.c, closes: #93605 + + -- Ben Collins Mon, 7 May 2001 23:00:27 -0400 + +openldap2 (2.0.7-5) unstable; urgency=low + + * Fixed db3 upgrade code, closes: #92331, #92916 + * m68k should compile fine with db3 now, closes: #90165 + * Included provided patch for Hurd compilation, closes: #88079 + + -- Ben Collins Wed, 4 Apr 2001 17:46:47 -0400 + +openldap2 (2.0.7-4) unstable; urgency=low + + * slapd.conf is no longer a conffile, and not provided by the package. + Instead, it is only generated. closes: #81359 + * Fixed by previous upload, closes: #71852, #78950, #82491 + * Actually install the netscape schema, closes: #90323 + * Add comment to README.Debian about being compiled with libwrap, + closes: #84954 + * Provide example sasl config file, closes: #90855 + * Conflict replace openldap-utils (ldap-utils), and libopenldap-dev + (libldap2-dev), closes: #71471 + * Revert to using some code to upgrade previous db's. Remove slapd's dep + on db3-util, and remove postinst code that upgrades the db's. + + -- Ben Collins Sat, 24 Mar 2001 21:59:20 -0500 + +openldap2 (2.0.7-3) unstable; urgency=low + + * netscape-profile.schema: new schema for old roaming support + * 004_ssl_fix.diff: Fix for SSL support (not compiled in, but some + people use it). + * slapd.config: FINALLY fix the "dc=" base bug. + * Build-Depend on libdb3-dev now that it is available. + * Now that we use db3, make sure we upgrade existing databases to the + db3 format with db3_upgrade. + + -- Ben Collins Sun, 11 Mar 2001 23:36:34 -0500 + +openldap2 (2.0.7-2) unstable; urgency=low + + * slapd.postinst: fix debhelper wraper so it gets the right @argv, + closes: #71854 + * sendmail appears to be compiled against glibc2.2/libdb2 now, + closes: #71602 + * %strace ldapsearch cn=admin | & grep /etc | grep ldap + open("/etc/ldap/ldap.conf", O_RDONLY) = 3 + closes: #71716 + * ldap_first_attribute.3: s/ber_free(3)/ber_free/. closes: #76719 + * init.d/slapd: fix reference to pidfile, and also remove the pidfile + after killing the daemon, closes: #77633, #77635 + * Fix fgets buffer size thinko in slurpd. closes: #78003 + * slapd.8: s/ldap.h/slapd.conf(5)/. closes: #80457 + + -- Ben Collins Sun, 31 Dec 2000 00:02:46 -0500 + +openldap2 (2.0.7-1) unstable; urgency=low + + * New upstream + * Removed hack for shlibs now that dpkg 1.7 is available, added dpkg-dev + 1.7.1 to build-depends. + * start using DH_COMPAT=2 + + -- Ben Collins Fri, 10 Nov 2000 18:53:25 -0500 + +openldap2 (2.0.2-2) unstable; urgency=low + + * Recompile against libdb2/glibc 2.1.94/sasl + + -- Ben Collins Wed, 27 Sep 2000 11:31:59 -0400 + +openldap2 (2.0.2-1) unstable; urgency=low + + * New upstream version, includes some patches from me that fix some + stability issues + * debian/control:Build-Depends: change libwrap-dev to libwrap0-dev for + clarity, closes: #71366 + * debian/rules: make sure mail500 docs do not get installed under bogus + subdirs, closes: #71473 + * debian/README.build,debian/scripts/dbs-build.mk: Fix and document + build system better, closes: #71584 + * debian/local/slapd.conf: Setup default ACL's to work with openldap2 + correctly, closes: #71127, #71131 + * debian/README: document how to access OpenLDAP 1 servers via + ldap-utils, closes: #71469 + * debian/rules:CFLAGS: add -I/usr/include/db2 to make sure we get the + right header, closes: #71470 + * I cannot reproduce this. In debian/rules I have done exactly what is + needed to keep it from happening, and sparc, i386 and powerpc builds + do not show it, closes: #71472 + + -- Ben Collins Wed, 13 Sep 2000 22:32:35 -0400 + +openldap2 (2.0.1-2) unstable; urgency=low + + * Fixed up depend for libldap2 on itself + + -- Ben Collins Wed, 6 Sep 2000 13:24:06 -0400 + +openldap2 (2.0.1-1) unstable; urgency=low + + * New upstream version + * Added libsasl-dev to build-deps, closes: #70923 + + -- Ben Collins Tue, 5 Sep 2000 06:49:05 -0400 + +openldap2 (2.0-1) unstable; urgency=low + + * Initial release of OpenLDAP 2 test code + + -- Ben Collins Tue, 29 Aug 2000 14:28:39 -0400 --- openldap2.3-2.3.38.orig/debian/rules +++ openldap2.3-2.3.38/debian/rules @@ -0,0 +1,174 @@ +#!/usr/bin/make -f + +#export DH_VERBOSE = 1 + +# Set this variable if you're building packages outside of Debian and don't +# want the checks for DFSG-freeness. +#DFSG_NONFREE = 1 + +CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 +INSTALL = install +INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644 +INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755 +INSTALL_SCRIPT = $(INSTALL) -p -o root -g root -m 755 +INSTALL_DIR = $(INSTALL) -p -d -o root -g root -m 755 + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) +CFLAGS += -O0 +else +CFLAGS += -O2 +endif + +CONFIG = $(shell grep -v "^\#" debian/configure.options) + +installdir := $(CURDIR)/debian/install +tmpdir := $(CURDIR)/debian/tmp +builddir := $(CURDIR)/debian/build + +MAKEVARS := DESTDIR=$(installdir) STRIP= + +# Include the quilt patch system. +include /usr/share/quilt/quilt.make + +$(builddir)/Makefile: + # Check if we include the RFCs and Internet-Drafts (which are non + # DFSG-free). You can set DFSG_NONFREE to build the packages from the + # unchanged upstream sources but Debian can not ship the RFCs in main + # so this test is here to make sure it does not get in by accident + # again. -- Torsten + if [ -z "$(DFSG_NONFREE)" ]; then \ + if [ -e doc/drafts]; then exit 1; fi; \ + if [ -e doc/rfc ]; then exit 1; fi; \ + fi + + # Copy our stripped schema versions into where upstream expects them. + if [ -z "$(DFSG_NONFREE)" ]; then \ + set -e; for s in debian/schema/*.schema debian/schema/*.ldif; do \ + cp $$s servers/slapd/schema/`basename $$s`; \ + done; \ + fi + + cp -f /usr/share/misc/config.* build/ + cp -f /usr/share/misc/config.* contrib/ldapc++/ + mkdir -p $(builddir) + cd $(builddir) && CFLAGS="$(CFLAGS)" $(CURDIR)/configure \ + $(CONFIG) + perl debian/check_config + $(MAKE) -C $(builddir) depend + +build: patch build-stamp +build-stamp: $(builddir)/Makefile + $(MAKE) -C $(builddir) $(MAKEVARS) + touch $@ + +# Check all built libraries for unresolved symbols except for the libslapi +# library. It is a special case since the SLAPI interface depends on symbols +# defined in slapd itself. Those symbols will remain unresolved until the +# plugin is loaded into slapd. +install: install-stamp +install-stamp: build-stamp + $(MAKE) -C $(builddir) $(MAKEVARS) install + for F in $(installdir)/usr/lib/*.so.*.*.*; do \ + if echo "$$F" | grep -q libslapi ; then \ + continue; \ + fi; \ + if LD_LIBRARY_PATH=$(installdir)/usr/lib ldd -d -r $$F 2>&1 | grep '^undefined symbol:'; then \ + echo; \ + echo "library $$F has undefined references. Please fix this before continuing."; \ + exit 1; \ + fi; \ + done + # Upstream installs schema files in mode 0444 - policy wants 0644 + find $(installdir)/etc -type f|xargs chmod 0644 + # Upstream manpages are section 8C but installed as section 8 + find $(installdir)/usr/share/man -name \*.8 \ + | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#' + touch $@ + + +binary: binary-arch +# Don't build binary-indep for now (only liblslapd-dev was in there) +# Reenable after sarge... + +binary-indep: + dh_testdir + dh_testroot + dh_clean -k + + dh_installdirs -i + sh debian/copy_slapd_dev_files + dh_installchangelogs -i + dh_installdocs -i + dh_installdebconf -i + dh_installdeb -i + dh_compress -i + dh_gencontrol -i + dh_md5sums -i + # Don't build the libslapd2.3-dev package so nobody builds against + # it. We'll support it after sarge release... + #dh_builddeb -i -Nlibslapd2.3-dev + dh_builddeb -i + +binary-arch: install-stamp + dh_testdir + dh_testroot + dh_clean -k + # XXX: remove after libldap2.3-dev is officially built + #rm -Rf debian/libldap2.3-dev + + dh_installdirs -a + cp -al $(installdir) $(tmpdir) + + dh_install -a + + # Make fix_ldif and ldiftopasswd executable. + chmod 0755 $(CURDIR)/debian/slapd/usr/share/slapd/fix_ldif $(CURDIR)/debian/slapd/usr/share/slapd/ldiftopasswd + dh_installchangelogs -a + dh_installdocs -a + dh_installexamples -a + dh_installman -a + dh_installinit -Xslapd.prerm -a -- "defaults 19 80" + dh_installdebconf -a + # when using OpenSSL, we do not need to add crontab entries + #dh_installcron -a + dh_strip -plibldap-2.3-0 --dbg-package=libldap-2.3-0-dbg + dh_strip -pslapd --dbg-package=slapd-dbg + dh_strip -pldap-utils + dh_link -a + dh_compress -a + dh_fixperms -a + dh_makeshlibs -plibldap-2.3-0 + dh_installdeb -a + perl -w debian/dh_installscripts-common -p slapd + dh_shlibdeps -a -L libldap-2.3-0 -l $(installdir)/usr/lib + # Strip duplicate dependency out of substvars. + sed -i -e 's/ libldap-2.3-0,//' debian/*.substvars + dh_gencontrol -a + dh_md5sums -a + # Don't build the libldap2.3-dev package until after sarge release + # so nobody can build against it. + dh_builddeb -a -Nlibldap2.3-dev + +clean: clean1 unpatch +clean1: + dh_testdir + dh_testroot + # Update translation templates for debconf + debconf-updatepo + # Remove our stripped schema from the upstream source area. + if [ -z "$(DFSG_NONFREE)" ]; then \ + set -e; for s in debian/schema/*.schema debian/schema/*.ldif; do \ + rm -f servers/slapd/schema/`basename $$s`; \ + done; \ + fi + # Remove updated config.guess and config.sub for a clean diff. + rm -f build/config.sub build/config.guess + rm -f contrib/ldapc++/config.sub contrib/ldapc++/config.guess + rm -f install-stamp build-stamp + rm -rf $(builddir) $(builddir_notls) $(installdir) + + dh_clean + # XXX: remove after libldap2.3-dev is officially built + rm -Rf debian/libldap2.3-dev + +.PHONY: binary binary-arch binary-indep build clean --- openldap2.3-2.3.38.orig/debian/slapd.NEWS +++ openldap2.3-2.3.38/debian/slapd.NEWS @@ -0,0 +1,10 @@ +openldap2.3 (2.3.20-1) unstable; urgency=low + + The Debian slapd package no longer includes support for the LDBM backend. + It has been disabled as a result of concerns over data loss and lack of + upstream support. For more information, see: + http://www.openldap.org/faq/index.cgi?_highlightWords=ldbm&file=756 + The BDB backend is now the main backend to use. This backend is supported + upstream and has several fixes included for known problems. + + -- Matthijs Mohlmann Sun, 26 Feb 2006 20:05:44 +0100 --- openldap2.3-2.3.38.orig/debian/slapd.default +++ openldap2.3-2.3.38/debian/slapd.default @@ -0,0 +1,49 @@ +# Default location of the slapd.conf file. If empty, use the compiled-in +# default (/etc/ldap/slapd.conf). +SLAPD_CONF= + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="openldap" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="openldap" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) +SLAPD_PIDFILE= + +# Configure if the slurpd daemon should be started. Possible values: +# - yes: Always start slurpd +# - no: Never start slurpd +# - auto: Start slurpd if a replica option is found in slapd.conf (default) +SLURPD_START=auto + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" + +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd or slurpd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normall +# started at boot. +#SLAPD_NO_START=1 + +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). To use a different keytab file, +# uncomment this line and change the path. +#export KRB5_KTNAME=/etc/krb5.keytab + +# Additional options to pass to slapd and slurpd +SLAPD_OPTIONS="" +SLURPD_OPTIONS="" --- openldap2.3-2.3.38.orig/debian/fix_ldif +++ openldap2.3-2.3.38/debian/fix_ldif @@ -0,0 +1,658 @@ +#!/usr/bin/perl -w +# Copyright (c) Dave Horsfall. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. Neither the name of the University nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# +# @(#)$Id: rdnchk.e,v 1.12 2003-05-09 15:40:51+10 daveh Exp $ +# $Log: rdnchk.e,v $ +# Revision 1.12 2003-05-09 15:40:51+10 daveh +# Enforce single-value attributes for CI stuff. +# +# Revision 1.11 2003-05-08 16:46:47+10 daveh +# Add missing attributes when auto-fixing. +# +# Revision 1.10 2003-05-02 11:46:55+10 daveh +# Sort DNs before writing out, and minor mods. +# +# Revision 1.9 2003-04-24 10:39:19+10 daveh +# Always encode the userPassword attribute on output. +# +# Revision 1.8 2003-04-16 15:21:49+10 daveh +# Don't use non-core LDIF module; treat values as case-insensitive; binary. +# +# Revision 1.7 2003-04-02 11:16:20+10 daveh +# Delete ciComment (it's an attribute, not an objclass) and add ciLdapConfig +# +# Revision 1.6 2003-04-01 17:52:04+10 daveh +# Fix errors on request, and minor mods. +# +# Revision 1.5 2003-03-28 17:15:34+11 daveh +# More minor mods. +# +# Revision 1.4 2003-03-28 09:19:21+11 daveh +# Use reference to ARGV typeglob for input. +# +# Revision 1.3 2003-03-27 16:08:57+11 daveh +# Use Net::LDAP::LDIF, and minor speedups. +# +# Revision 1.2 2003-03-11 11:17:03+11 daveh +# Look for orphan DNs. +# +# Revision 1.1 2003-02-27 14:28:09+11 daveh +# Initial revision +# +# +# RDNCHK +# +# Given a slapcat input file, check for mismatched DN/RDN pairs etc. +# Optionally make fixes (use with care). +# +# The data structure is a hash of references to hashes of anonymous lists: +# +# $entries{$dn} = # $dn has been normalised +# { +# origDN => "original DN", +# attr1 => [ "value1-a", "value1-b" ], +# attr2 => [ "value2" ] +# } +# +# which is accessed as (e.g): +# +# @{entries{$dn}{"attr1"}} +# +# to return an array of the value(s) of $dn's attr1. +# +# Note that this structure is optimised for access to the DNs, *not* +# for searches. +# +# The DN is low-cased and leading/trailing/multiple spaces stripped +# (and the original stored for posterity). +# +# I assume that caseIgnoreMatch applies across the board, as otherwise +# it's too damned difficult. This only fails, in practice, for encoded +# fields such as passwords, but I'm not looking at those (passwords are +# rarely, if ever, a candidate for being an RDN). Remember: the specific +# purpose of this program is to perform a quick but reasonably thorough +# check for DN/RDN consistency, and it sorta grew from there. +# +# We can't use Perl Net::LDAP::LDIF, because it's not a core module +# (too hard to maintain our remote branches when upgrading). +# +# TODO: +# Check custom stuff: +# +# ciDefPrinter is single-value per ciPrinterClass. +# Fundamentally difficult, because these are keys +# into printcap, not LDAP. +# + +use Data::Dumper; +use Getopt::Long; +use MIME::Base64; + +my $origDN = '.origDN'; # Attribute stores original DN + +&parse_options; +$opt_write = 1 if $opt_fix; + +# +# Process each entry. +# A list (returned in @_) holds each line, with the DN first. +# +while (@_ = &GetEntry) # Loop per entry (exit on EOF) +{ + my $dn = shift @_; + # Check if base64 encoded + next if ! $dn =~ /^dn::? /i; + if($dn =~ /^dn:: /i) { + $dn =~ s/dn:: (.*)/$1/; + $dn = decode_base64($dn); + $dn =~ s/\s$//; + $encoded = 1; + } else { + $dn =~ s/dn: (.*)/$1/; + $encoded = 0; + } + my $cdn = &canon($dn); + $entries{$cdn}{$origDN} = $dn; + $entries{$cdn}{"encoded"} = $encoded; + + # + # Infer the suffix. + # Assume it's the shortest DN. + # + if (!$opt_suffix) + { + $suffix = $cdn + if (!defined $suffix) || (length $cdn < length $suffix); + } + + # + # Extract the first component (the RDN) + # for later tests. + # + ($rdn, undef) = split(/,/, $cdn); + ($rdnattr, $rdnval) = split(/=/, $rdn); + + # + # Get the attributes/values. + # Attributes are low-cased. + # + for (@_) + { + ($attr, $val) = split(/\s/, $_, 2); # In case of "::" + $attr =~ s/://; + if ($attr =~ /:/) # Must be binary (base-64) + { + $attr =~ s/://; + $val = &demime($val); + } + push @{$entries{$cdn}{lc $attr}}, $val; + } + + # + # Does the RDN exist? + # + if (!defined @{$entries{$cdn}{$rdnattr}}) + { + print STDERR "dn: $dn\nMissing RDN"; + if ($opt_fix) + { + push @{$entries{$cdn}{$rdnattr}}, $rdnval; + print STDERR "; inserted \"$rdnattr=$rdnval\""; + } + print STDERR "\n\n"; + } + + # + # And how many? Multiples are permitted + # in some contexts, but not in ours. + # + my $attrs = $entries{$cdn}{$rdnattr}; # Actually a reference + my $nrdn = @{$attrs}; + if ($nrdn > 1) + { + print STDERR "dn: $dn\nMultiple RDNs: \"@{$attrs}[0]\""; + for (my $i = 1; $i < $nrdn; $i++) + { + print STDERR ", \"@{$attrs}[$i]\""; + } + if ($opt_fix) + { + print STDERR "; using \"$rdnval\""; + $entries{$cdn}{$rdnattr} = [ $rdnval ]; + } + print STDERR "\n\n"; + } + + # + # Do they match? + # + if (defined @{$attrs} && $rdnval ne &canon(@{$attrs}[0])) + { + print STDERR "dn: $dn\nMismatched RDN: \"$rdnattr=@{$attrs}[0]\""; + if ($opt_fix) + { + print STDERR "; using \"$rdnval\""; + $entries{$cdn}{$rdnattr} = [ $rdnval ]; + } + print STDERR "\n\n"; + } + + # + # Check single-value attributes. + # + foreach my $attr (@single) + { + my $nval = 0; + my $attrs = $entries{$cdn}{lc $attr}; + $nval = @{$attrs} if defined @{$attrs}; + if ($nval > 1) + { + print STDERR "dn: $dn\nMultiple attrs for \"$attr\": \"@{$attrs}[0]\""; + for (my $i = 1; $i < $nval; $i++) + { + print STDERR ", \"@{$attrs}[$i]\""; + } + if ($opt_fix) + { + print STDERR "; using \"@{$attrs}[0]\""; + $entries{$cdn}{lc $attr} = [ @{$attrs}[0] ]; + } + print STDERR "\n\n"; + } + } + + # + # Check the objectclass inheritance. + # + if ($opt_inheritance) # Will soon be mandatory + { + foreach my $i (@{$entries{$cdn}{"objectclass"}}) + { + next if $i eq "top"; # top is topless :-) + if (!defined $sup{$i}) + { + print STDERR "dn: $dn\nUnknown objectclass: \"$i\""; + if ($opt_fix) + { + print STDERR "; ignored"; + &remove($i, \@{$entries{$cdn}{"objectclass"}}); + } + print STDERR "\n\n"; + } + if (defined $sup{$i} && + !&present($sup{$i}, \@{$entries{$cdn}{"objectclass"}})) + { + print STDERR "dn: $dn\nNo sup for \"$i\": \"$sup{$i}\""; + if ($opt_fix) + { + print STDERR "; inserted"; + push @{$entries{$cdn}{"objectclass"}}, $sup{$i}; + } + print STDERR "\n\n"; + } + } # each objectclass + } # inheritance + + # + # Check required attributes. + # Can't do in above loop, because the keys + # may have changed from inserting new classes. + # + foreach my $i (@{$entries{$cdn}{"objectclass"}}) + { + &checkattrs($cdn, $i); + } +} # main loop + +# +# Make sure each entry has a parent. +# For now, we kill orphans on sight... +# +$suffix = $opt_suffix if $opt_suffix; +foreach my $thisdn (keys %entries) +{ + my $i = $thisdn; + $i =~ s/[^,]*,//; + if (!$entries{$i} && $thisdn ne &canon($suffix)) + { + print STDERR "dn: $thisdn\nOrphan"; + if ($opt_fix) + { + print STDERR "; deleted"; + delete $entries{$thisdn}; + } + print STDERR "\n\n"; + } + + # Fix up the suffix dn if it's our mess, adding a structural objectclass. + if ($thisdn eq &canon($suffix)) { + if (@{$entries{$thisdn}{'objectclass'}} == 1 + && lc $entries{$thisdn}{'objectclass'}[0] eq 'dcobject') + { + if (defined($opt_org)) + { + push(@{$entries{$thisdn}{'objectclass'}}, 'organization'); + push(@{$entries{$thisdn}{'o'}}, $opt_org); + } else { + push(@{$entries{$thisdn}{'objectclass'}}, 'domain'); + } + } + # check for $classes == dcObject. + } +} + +print STDERR Dumper(%entries) if $opt_dump; + +# +# Write out (possibly fixed) file if requested. +# +# The DN keys are sorted by length, which ensures that +# parents come before children. +# +if ($opt_write) +{ + foreach my $dn (sort { length($a) <=> length($b) } keys %entries) + { + &write_out($dn) + } +} + +exit 0; + +########################################################################### + +# +# Canonicalise a string. +# Delete leading/trailing blanks around commas, and lowcase. +# +sub canon +{ + ($_) = @_; + s/\s+/ /g; # Catch tabs as well + s/ ,/,/g; + s/, /,/g; + lc; +} + +# +# Check required attributes, and fix up known attributes for which the +# syntax has changed +# Bad hack: the "fix up" should be replaced by something which knows +# about schemas and can fix all instances for all attributes of the +# relevant attribute syntax (1.3.6.1.4.1.1466.115.121.1.27). For now, +# we only check the most commonly affected attributes, which we also +# happen to know are SINGLE-VALUE (with the exception of +# mailPreferenceOption and ipServiceProtocol). +# +sub checkattrs +{ + (my $dn, $class) = @_; + foreach my $attr (@{$reqd{lc $class}}) + { + if (!defined @{$entries{$dn}{lc $attr}}) + { + my $odn = $entries{$dn}{$origDN}; + print STDERR "dn: $odn\nMissing reqd \"$class\" attr \"$attr\""; + if ($opt_fix) + { + # Quick hack for CI + my $fix = "UNKNOWN"; + if ($attr eq "cn" && $fix ne "") + { + $fix = $entries{$dn}{"givenname"}[0]; + } + push @{$entries{$dn}{$attr}}, $fix; + print STDERR "; inserted \"$fix\""; + } + print STDERR "\n\n"; + } + } + foreach my $attr (@integer) { + $entries{$dn}{lc $attr}[0] = 0 + if ($entries{$dn}{lc $attr} && $entries{$dn}{lc $attr}[0] =~ /^0+$/); + } +} + +# +# Write an entry to standard output. +# +# Ought to wrap at 78 cols as well. +# +sub write_out +{ + my ($dn) = @_; + my $odn = $entries{$dn}{$origDN}; + if ($entries{$dn}{"encoded"} == 1) { + $encoded = encode_base64($odn,""); + print "dn:: $encoded\n"; + } else { + print "dn: $odn\n"; + } + foreach my $attr (keys %{$entries{$dn}}) + { + next if $attr eq $origDN; + foreach my $value (@{$entries{$dn}{$attr}}) + { + print "$attr:"; + if ($attr =~ /userpassword/i + || $value =~ /(^[ :]|[\x00-\x1f\x7f-\xff])/) + { + print ": ", &enmime($value, ""); + } + else + { + print " $value"; + } + print "\n"; + } + } + print "\n"; +} + +# +# Test for presence of element in list. +# +sub present +{ + my ($element, $list) = @_; + my $found = 0; + + foreach my $i (@$list) + { + if ($i eq $element) + { + $found = 1; + last; + } + } + return $found; +} + +# +# Remove specified element from list. +# It's a unique element, but multiple +# occurances will be removed. It will +# change the order of the list. +# +sub remove +{ + my ($element, $list) = @_; + + for (my $i = 0; $i < @$list; $i++) + { + if ($element eq @$list[$i]) + { + @$list[$i] = @$list[$#$list]; + pop @$list; + } + } +} + +# +# Initialise some stuff (automatically called). +# +sub INIT +{ + # + # Initialise the superior objectclasses. + # Ought to get this from the schema. + # + $sup{"dcObject"} = "top"; + $sup{"inetOrgPerson"} = "organizationalPerson"; + $sup{"organizationalPerson"} = "person"; + $sup{"organizationalRole"} = "top"; + $sup{"organizationalUnit"} = "top"; + $sup{"person"} = "top"; + $sup{"posixAccount"} = "top"; + $sup{"room"} = "top"; + $sup{"simpleSecurityObject"} = "top"; + + # + # These are incomplete/wrong/WIP. + # + $sup{"ciAdministrator"} = "top"; + $sup{"ciApplication"} = "top"; + $sup{"ciEmployee"} = "inetOrgPerson"; + $sup{"ciLdapConfig"} = "top"; + $sup{"ciPrinter"} = "top"; + $sup{"ciServer"} = "top"; + + # + # Required attributes. + # + $reqd{"person"} = [ "sn", "cn" ]; # Special - can be autofixed + $reqd{"ciadministrator"} = [ "uid", "userPassword" ]; + $reqd{"ciapplication"} = [ "ciApp", "ciAppType", "ciHost", "ciStatus", "ciPortNum" ]; + $reqd{"ciemployee"} = [ "employeeNumber", "sn" ]; + $reqd{"cildapconfig"} = [ "ciHost" ]; + $reqd{"ciprinter"} = [ "ciPrinterName" ]; + $reqd{"ciserver"} = [ "name" ]; + + # + # Single-value attributes. + # + @single = + ( + "ciAppType", + "ciDBPath", + "ciDomainName", + "ciLdapEnabled", + "ciLdapServer", + "ciOSType", + "ciPortNum", + "ciPrinterClass", + "ciRegion", + "ciStatus", + ); + + # + # Integer attributes + # + @integer = + ( + 'uidNumber', + 'gidNumber', + 'mailPreferenceOption', + 'shadowLastChange', + 'shadowMin', + 'shadowMax', + 'shadowWarning', + 'shadowInactive', + 'shadowExpire', + 'shadowFlag', + 'ipServicePort', + 'ipServiceProtocol', + 'ipProtocolNumber', + 'oncRpcNumber', + ); + + # + # Random stuff. + # + $/ = ""; # Read input in paragraph mode +} + +# +# Process options. +# +sub parse_options +{ + $SIG{'__WARN__'} = sub { die $_[0] }; # Exit on bad options + + Getopt::Long::Configure("bundling"); # Old-style (-xyz, --word) + GetOptions + ( + "--dump" => \$opt_dump, # Dump data structure + "-D" => \$opt_dump, + + "--fix" => \$opt_fix, # Fix errors if possible + "-f" => \$opt_fix, # (also implies "write") + + "--inheritance" => \$opt_inheritance, # Check obj inheritance + "-i" => \$opt_inheritance, # (too many false alarms) + + "--suffix=s" => \$opt_suffix, # Specify directory suffix + "-s=s" => \$opt_suffix, + + "--write" => \$opt_write, # Write ordered file + "-w" => \$opt_write, + + "--org=s" => \$opt_org, # Organization to use for + "-o=s" => \$opt_org, # fixing up the suffix + ) +} + +# +# Get a complete entry as a list of lines. +# We use the trick of setting the input delimiter +# to "", to read a paragraph at a time, so we can +# join continued lines. +# +sub GetEntry +{ + my @a; + do + { + $_ = (<>); + return () if !defined; # EOF + s/$/\n/; # In case we strip last newline below + s/^#.*\n//g; # Comments + chomp; # Always strips >= 2 newlines + s/\n //g; # Join lines + @a = split /\n/; + } + while (@a < 2); # Skips phantom entries (caused by comments) + return @a; +} + +# +# Given a string, return a de-mimed version. +# Can't use MIME::Base64 because it's not a core module. +# Instead, I pinched the code from it... +# +sub demime +{ + local($^W) = 0; # unpack("u",...) gives bogus warning in 5.00[123] + + my $str = shift; + $str =~ tr|A-Za-z0-9+=/||cd; # remove non-base64 chars + if (length($str) % 4) { + require Carp; + Carp::carp("Length of base64 data not a multiple of 4") + } + $str =~ s/=+$//; # remove padding + $str =~ tr|A-Za-z0-9+/| -_|; # convert to uuencoded format + + return join'', map( unpack("u", chr(32 + length($_)*3/4) . $_), + $str =~ /(.{1,60})/gs); +} + +# +# En-mime same. +# I didn't write this bletcherous code either. +# +sub enmime +{ + my $res = ""; + my $eol = $_[1]; + $eol = "\n" unless defined $eol; + pos($_[0]) = 0; # ensure start at the beginning + + $res = join '', map( pack('u',$_)=~ /^.(\S*)/, ($_[0]=~/(.{1,45})/gs)); + + $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs + # fix padding at the end + my $padding = (3 - length($_[0]) % 3) % 3; + $res =~ s/.{$padding}$/'=' x $padding/e if $padding; + # break encoded string into lines of no more than 76 characters each + if (length $eol) { + $res =~ s/(.{1,76})/$1$eol/g; + } + return $res; +} --- openldap2.3-2.3.38.orig/debian/libldap2.3-dev.dirs +++ openldap2.3-2.3.38/debian/libldap2.3-dev.dirs @@ -0,0 +1,3 @@ +usr/lib +usr/include +usr/share/man --- openldap2.3-2.3.38.orig/debian/configure.options +++ openldap2.3-2.3.38/debian/configure.options @@ -0,0 +1,181 @@ +#`configure' configures this package to adapt to many kinds of systems. +# +#Usage: ./configure [OPTION]... [VAR=VALUE]... +# +#To assign environment variables (e.g., CC, CFLAGS...), specify them as +#VAR=VALUE. See below for descriptions of some of the useful variables. +# +#Defaults for the options are specified in brackets. +# +#Configuration: +#-h, --help display this help and exit +#--help=short display options specific to this package +#--help=recursive display the short help of all the included packages +#-V, --version display version information and exit +#-q, --quiet, --silent do not print `checking...' messages +#--cache-file=FILE cache test results in FILE [disabled] +#-C, --config-cache alias for `--cache-file=config.cache' +#-n, --no-create do not create output files +#--srcdir=DIR find the sources in DIR [configure dir or `..'] +# +#Installation directories: +#--prefix=PREFIX install architecture-independent files in PREFIX +--prefix=/usr +#--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX +#[PREFIX] +# +#By default, `make install' will install all the files in +#`/usr/local/bin', `/usr/local/lib' etc. You can specify +#an installation prefix other than `/usr/local' using `--prefix', +#for instance `--prefix=$HOME'. +# +#For better control, use the options below. +# +#Fine tuning of the installation directories: +#--bindir=DIR user executables [EPREFIX/bin] +#--sbindir=DIR system admin executables [EPREFIX/sbin] +#--libexecdir=DIR program executables [EPREFIX/libexec] +--libexecdir='${prefix}/lib' +#--datadir=DIR read-only architecture-independent data [PREFIX/share] +#--sysconfdir=DIR read-only single-machine data [PREFIX/etc] +--sysconfdir=/etc +#--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] +#--localstatedir=DIR modifiable single-machine data [PREFIX/var] +--localstatedir=/var +#--libdir=DIR object code libraries [EPREFIX/lib] +#--includedir=DIR C header files [PREFIX/include] +#--oldincludedir=DIR C header files for non-gcc [/usr/include] +#--infodir=DIR info documentation [PREFIX/info] +#--mandir=DIR man documentation [PREFIX/man] +--mandir='${prefix}/share/man' +# +#Program names: +#--program-prefix=PREFIX prepend PREFIX to installed program names +#--program-suffix=SUFFIX append SUFFIX to installed program names +#--program-transform-name=PROGRAM run sed PROGRAM on installed program names +# +#System types: +#--build=BUILD configure for building on BUILD [guessed] +#--host=HOST cross-compile to build programs to run on HOST [BUILD] +#--target=TARGET configure for building compilers for TARGET [HOST] +# +#Optional Features: +#--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) +#--enable-FEATURE[=ARG] include FEATURE [ARG=yes] +#--enable-debug enable debugging [yes] +--enable-debug +#--enable-dynamic enable linking built binaries with dynamic libs [no] +--enable-dynamic +#--enable-syslog enable syslog support [auto] +--enable-syslog +#--enable-proctitle enable proctitle support [yes] +--enable-proctitle +## Debian tries to fully support IPv6 so we need this +#--enable-ipv6 enable IPv6 support [auto] +--enable-ipv6 +#--enable-local enable AF_LOCAL (AF_UNIX) socket support [auto] +--enable-local +# +#SLAPD (Standalone LDAP Daemon) Options: +#--enable-slapd enable building slapd [yes] +--enable-slapd +#--enable-aci enable per-object ACIs (experimental) [no] +--enable-aci +#--enable-cleartext enable cleartext passwords [yes] +--enable-cleartext +#--enable-crypt enable crypt(3) passwords [no] +--enable-crypt +#--enable-lmpasswd enable LAN Manager passwords [no] +--enable-lmpasswd +#--enable-spasswd enable (Cyrus) SASL password verification [no] +--enable-spasswd +#--enable-modules enable dynamic module support [no] +--enable-modules +#--enable-rewrite enable DN rewriting in back-ldap and rwm overlay [auto] +--enable-rewrite +#--enable-rlookups enable reverse lookups of client hostnames [no] +--enable-rlookups +#--enable-slapi enable SLAPI support (experimental) [no] +--enable-slapi +#--enable-slp enable SLPv2 support [no] +--enable-slp +#--enable-wrappers enable tcp wrapper support [no] +--enable-wrappers +# +#SLAPD Backend Options: +#--enable-backends enable all available backends no|yes|mod +--enable-backends=mod +#--enable-bdb enable Berkeley DB backend no|yes|mod [yes] +#--enable-dnssrv enable dnssrv backend no|yes|mod [no] +#--enable-hdb enable Hierarchical DB backend no|yes|mod [yes] +#--enable-ldap enable ldap backend no|yes|mod [no] +#--enable-ldbm enable ldbm backend no|yes|mod [no] +--enable-ldbm=no +#--enable-ldbm-api use LDBM API auto|berkeley|bcompat|mdbm|gdbm [auto] +#--enable-ldbm-type use LDBM type auto|btree|hash [auto] +#--enable-meta enable metadirectory backend no|yes|mod [no] +#--enable-monitor enable monitor backend no|yes|mod [yes] +#--enable-null enable null backend no|yes|mod [no] +#--enable-passwd enable passwd backend no|yes|mod [no] +#--enable-perl enable perl backend no|yes|mod [no] +#--enable-relay enable relay backend no|yes|mod [yes] +#--enable-shell enable shell backend no|yes|mod [no] +#--enable-sql enable sql backend no|yes|mod [no] +# +#SLAPD Overlay Options: +#--enable-overlays enable all available overlays no|yes|mod +--enable-overlays=mod +#--enable-accesslog In-Directory Access Logging overlay no|yes|mod [no] +#--enable-denyop Deny Operation overlay no|yes|mod [no] +#--enable-dyngroup Dynamic Group overlay no|yes|mod [no] +#--enable-dynlist Dynamic List overlay no|yes|mod [no] +#--enable-lastmod Last Modification overlay no|yes|mod [no] +#--enable-ppolicy Password Policy overlay no|yes|mod [no] +#--enable-proxycache Proxy Cache overlay no|yes|mod [no] +#--enable-refint Referential Integrity overlay no|yes|mod [no] +#--enable-retcode Return Code testing overlay no|yes|mod [no] +#--enable-rwm Rewrite/Remap overlay no|yes|mod [no] +#--enable-syncprov Syncrepl Provider overlay no|yes|mod [yes] +#--enable-translucent Translucent Proxy overlay no|yes|mod [no] +#--enable-unique Attribute Uniqueness overlay no|yes|mod [no] +#--enable-valsort Value Sorting overlay no|yes|mod [no] +# +#SLURPD (Replication Daemon) Options: +#--enable-slurpd enable building slurpd [auto] +--enable-slurpd +# +#Library Generation & Linking Options +#--enable-static[=PKGS] +#build static libraries [default=yes] +#--enable-shared[=PKGS] +#build shared libraries [default=yes] +#--enable-fast-install[=PKGS] +#optimize for fast installation [default=yes] +#--disable-dependency-tracking speeds up one-time build +#--enable-dependency-tracking do not reject slow dependency extractors +#--disable-libtool-lock avoid locking (might break parallel builds) +# +#Optional Packages: +#--with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +#--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +#--with-subdir=DIR change default subdirectory used for installs +--with-subdir=ldap +#--with-cyrus-sasl with Cyrus SASL support [auto] +--with-cyrus-sasl +#--with-fetch with fetch(3) URL support [auto] +#--with-threads with threads [auto] +--with-threads +#--with-tls with TLS/SSL support [auto] +--with-tls +#--with-yielding-select with implicitly yielding select [auto] +#--with-multiple-precision +#multiple precision support for statistics +#auto|bignum|gmp [auto] +# +#--with-gnu-ld assume the C compiler uses GNU ld [default=no] +#--with-pic try to use only PIC/non-PIC objects [default=use +#both] +#--with-tags[=TAGS] +#include additional configurations [automatic] +# +#See INSTALL file for further details. --- openldap2.3-2.3.38.orig/debian/slapd.backup +++ openldap2.3-2.3.38/debian/slapd.backup @@ -0,0 +1,62 @@ +#!/bin/bash +# +# Backup LDAP directories +# +# This script can be put in cron to create backups. +# +# Author: Matthijs Mohlmann +# Date: Sat, 15 Jul 2006 21:13:14 +0200 +# License: GPLv2 + +# Make sure the backups are secured. +umask 077 + +BACKUPDIR="/var/backups/slapd" +DEFAULTS="/etc/default/slapd" + +# Check if there is a directory slapd, otherwise create it. +if [ ! -d "$BACKUPDIR" ]; then + mkdir -p -m 0700 "$BACKUPDIR" +fi + +# Load default settings. +if [ -e "$DEFAULTS" ]; then + . "$DEFAULTS" +fi + +# Specify a slapd.conf if not specified. +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +fi + +# Set IFS to end of line. +ORIGIFS=$IFS +IFS=`echo -en "\n\b"` + +# Backup recursive through all configfiles all suffix's in the form: +# suffix.ldif in /var/backups/slapd +function backupDirectories() { + local conf=$1 + local directory="" + local include="" + + suffix=`grep "^suffix" $conf | sed -e "s/\(^suffix\s\+\|\"\|\'\)//g"` + for directory in "$suffix"; do + if [ ! -z "$suffix" ]; then + slapcat -l "$BACKUPDIR/$suffix.ldif" -b "$suffix" + fi + done + + includes=`grep "^include" $conf | awk '{print $2}'` + for include in $includes; do + backupDirectories "$include" + done +} + +backupDirectories "$SLAPD_CONF" + +# Put IFS back. +IFS=$ORIGIFS + +exit 0 + --- openldap2.3-2.3.38.orig/debian/slapd.install +++ openldap2.3-2.3.38/debian/slapd.install @@ -0,0 +1,9 @@ +debian/tmp/etc/ldap/schema etc/ldap +debian/tmp/usr/lib/slapd usr/sbin +debian/tmp/usr/lib/slurpd usr/sbin +debian/tmp/usr/lib/ldap/*.so* usr/lib/ldap +debian/tmp/usr/lib/ldap/*.la usr/lib/ldap +debian/lintian-overrides/slapd usr/share/lintian/overrides +debian/fix_ldif usr/share/slapd +debian/ldiftopasswd usr/share/slapd +debian/DB_CONFIG usr/share/slapd --- openldap2.3-2.3.38.orig/debian/slapd.links +++ openldap2.3-2.3.38/debian/slapd.links @@ -0,0 +1,10 @@ +usr/share/doc/slapd/examples/DB_CONFIG usr/share/slapd/DB_CONFIG +usr/share/doc/slapd/examples/slapd.conf usr/share/slapd/slapd.conf +usr/sbin/slapd usr/sbin/slapacl +usr/sbin/slapd usr/sbin/slapadd +usr/sbin/slapd usr/sbin/slapauth +usr/sbin/slapd usr/sbin/slapcat +usr/sbin/slapd usr/sbin/slapdn +usr/sbin/slapd usr/sbin/slapindex +usr/sbin/slapd usr/sbin/slappasswd +usr/sbin/slapd usr/sbin/slaptest --- openldap2.3-2.3.38.orig/debian/dh_installscripts-common +++ openldap2.3-2.3.38/debian/dh_installscripts-common @@ -0,0 +1,22 @@ +#!/usr/bin/perl -w + +use strict; +use Debian::Debhelper::Dh_Lib; + +init(); + +foreach my $package (@{$dh{DOPACKAGES}}) { + my $tmp=tmpdir($package); + my $ext=pkgext($package); + + if (! -d "$tmp/DEBIAN") { + next; + } + + foreach my $file (qw{postinst preinst prerm postrm config}) { + my $f="$tmp/DEBIAN/$file"; + if ($f) { + complex_doit("perl -pe 's~#SCRIPTSCOMMON#~qx{cat debian/${ext}scripts-common}~eg' -i $f"); + } + } +} --- openldap2.3-2.3.38.orig/debian/slapd.init +++ openldap2.3-2.3.38/debian/slapd.init @@ -0,0 +1,236 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: slapd +# Required-Start: networking syslog +# Required-Stop: networking syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 6 +# Short-Description: OpenLDAP standalone server (Lightweight Directory Access Protocol) +### END INIT INFO + +# Specify path variable +PATH=/sbin:/usr/sbin:/bin:/usr/bin + +# Kill me on all errors +set -e + +# Set the paths to slapd and slurpd as variables so that someone who really +# wants to can override the paths in /etc/default/slapd. +SLAPD=/usr/sbin/slapd +SLURPD=/usr/sbin/slurpd + +# Stop processing if slapd is not there +[ -x $SLAPD ] || exit 0 + +# debconf may have this file descriptor open and it makes things work a bit +# more reliably if we redirect it as a matter of course. db_stop will take +# care of this, but this won't hurt. +exec 3>/dev/null + +# Source the init script configuration +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +else + SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS" + SLURPD_OPTIONS="-f $SLAPD_CONF $SLURPD_OPTIONS" +fi + +# Stop processing if the config file is not there +if [ ! -r "$SLAPD_CONF" ]; then + cat <&2 +No configuration file was found for slapd at $SLAPD_CONF. +If you have moved the slapd configuration file please modify +/etc/default/slapd to reflect this. If you chose to not +configure slapd during installation then you need to do so +prior to attempting to start slapd. +An example slapd.conf is in /usr/share/slapd +EOF + exit 0 # Should this be 1? +fi + +# Figure out some default settings +# Check wether slurpd should get started +if [ "$SLURPD_START" != "yes" ] && [ "$SLURPD_START" != "no" ]; then + if grep -q '^replica' "$SLAPD_CONF" > /dev/null 2>&1 ; then + SLURPD_START=yes + else + SLURPD_START=no + fi +fi + +# Find out the name of slapd's pid file +if [ -z "$SLAPD_PIDFILE" ]; then + SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ + "$SLAPD_CONF"` +fi + +# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail) +# -- Torsten +if [ -z "$SLAPD_PIDFILE" ]; then + cat <&2 +The pidfile for slapd is neither specified in "$SLAPD_CONF" nor +in /etc/default/slapd. Consequently, slapd will not be started. +EOF + exit 1 +fi + +# Make sure the pidfile directory exists with correct permissions +piddir=`dirname "$SLAPD_PIDFILE"` +if [ ! -d "$piddir" ]; then + mkdir -p "$piddir" + [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir" + [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir" +fi + +# Pass the user and group to run under to slapd +if [ "$SLAPD_USER" ]; then + SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS" +fi + +if [ "$SLAPD_GROUP" ]; then + SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS" +fi + +# Check whether we were configured to not start the services. +check_for_no_start() { + if [ -n "$SLAPD_NO_START" ]; then + echo 'Not starting slapd: SLAPD_NO_START set in /etc/default/slapd' >&2 + exit 0 + fi + if [ -n "$SLAPD_SENTINEL_FILE" ] && [ -e "$SLAPD_SENTINEL_FILE" ]; then + echo "Not starting slapd: $SLAPD_SENTINEL_FILE exists" >&2 + exit 0 + fi +} + +# Tell the user that something went wrong and give some hints for +# resolving the problem. +report_failure() { + if [ -n "$reason" ]; then + echo " - failed: " + echo "$reason" + else + echo " - failed." + cat <&1`" + else + reason="`start-stop-daemon --start --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`" + fi + + # Backward compatibility with OpenLDAP 2.1 client libraries. + if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then + ln -s slapd/ldapi /var/run/ldapi + fi +} + +# Start the slurpd daemon and capture the error message if any to +# $reason. +start_slurpd() { + if [ "$SLURPD_START" != yes ]; then + return 0 + fi + echo -n " slurpd" + reason="`start-stop-daemon --start --quiet --oknodo \ + --exec $SLURPD -- $SLURPD_OPTIONS 2>&1`" +} + +# Stop the slapd daemon and capture the error message (if any) to +# $reason. +stop_slapd() { + echo -n " slapd" + reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --pidfile "$SLAPD_PIDFILE" \ + --exec $SLAPD 2>&1`" +} + +# Stop the slurpd daemon and capture the error message (if any) to +# $reason. +stop_slurpd() { + if [ "$SLURPD_START" != yes ]; then + return 0 + fi + echo -n " slurpd" + reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --exec $SLURPD 2>&1`" +} + +# Start the OpenLDAP daemons +start_ldap() { + echo -n "Starting OpenLDAP:" + trap 'report_failure' 0 + start_slapd + start_slurpd + trap "-" 0 + echo . +} + +# Stop the OpenLDAP daemons +stop_ldap() { + echo -n "Stopping OpenLDAP:" + trap 'report_failure' 0 + stop_slurpd + stop_slapd + trap "-" 0 + echo . +} + +case "$1" in + start) + check_for_no_start + start_ldap ;; + stop) + stop_ldap ;; + restart|force-reload) + check_for_no_start + stop_ldap + start_ldap + ;; + *) + echo "Usage: $0 {start|stop|restart|force-reload}" + exit 1 + ;; +esac --- openldap2.3-2.3.38.orig/debian/libldap2.3-dev.manpages +++ openldap2.3-2.3.38/debian/libldap2.3-dev.manpages @@ -0,0 +1,146 @@ +debian/tmp/usr/share/man/man3/ber_alloc_t.3 +debian/tmp/usr/share/man/man3/ldap_explode_rdn.3 +debian/tmp/usr/share/man/man3/ber_bvarray_add.3 +debian/tmp/usr/share/man/man3/ldap_first_attribute.3 +debian/tmp/usr/share/man/man3/ber_bvarray_free.3 +debian/tmp/usr/share/man/man3/ldap_first_entry.3 +debian/tmp/usr/share/man/man3/ber_bvdup.3 +debian/tmp/usr/share/man/man3/ldap_first_message.3 +debian/tmp/usr/share/man/man3/ber_bvecadd.3 +debian/tmp/usr/share/man/man3/ldap_first_reference.3 +debian/tmp/usr/share/man/man3/ber_bvecfree.3 +debian/tmp/usr/share/man/man3/ldap_free_urldesc.3 +debian/tmp/usr/share/man/man3/ber_bvfree.3 +debian/tmp/usr/share/man/man3/ldap_get_dn.3 +debian/tmp/usr/share/man/man3/ber_bvstr.3 +debian/tmp/usr/share/man/man3/ldap_get_values.3 +debian/tmp/usr/share/man/man3/ber_bvstrdup.3 +debian/tmp/usr/share/man/man3/ldap_get_values_len.3 +debian/tmp/usr/share/man/man3/ber_dupbv.3 +debian/tmp/usr/share/man/man3/ldap_init.3 +debian/tmp/usr/share/man/man3/ber_first_element.3 +debian/tmp/usr/share/man/man3/ldap_is_ldap_url.3 +debian/tmp/usr/share/man/man3/ber_flush.3 +debian/tmp/usr/share/man/man3/ldap_matchingrule2name.3 +debian/tmp/usr/share/man/man3/ber_free.3 +debian/tmp/usr/share/man/man3/ldap_matchingrule2str.3 +debian/tmp/usr/share/man/man3/ber_get_bitstring.3 +debian/tmp/usr/share/man/man3/ldap_matchingrule_free.3 +debian/tmp/usr/share/man/man3/ber_get_boolean.3 +debian/tmp/usr/share/man/man3/ldap_modify.3 +debian/tmp/usr/share/man/man3/ber_get_enum.3 +debian/tmp/usr/share/man/man3/ldap_modify_ext.3 +debian/tmp/usr/share/man/man3/ber_get_int.3 +debian/tmp/usr/share/man/man3/ldap_modify_ext_s.3 +debian/tmp/usr/share/man/man3/ber_get_next.3 +debian/tmp/usr/share/man/man3/ldap_modify_s.3 +debian/tmp/usr/share/man/man3/ber_get_null.3 +debian/tmp/usr/share/man/man3/ldap_modrdn2.3 +debian/tmp/usr/share/man/man3/ber_get_stringa.3 +debian/tmp/usr/share/man/man3/ldap_modrdn2_s.3 +debian/tmp/usr/share/man/man3/ber_get_stringb.3 +debian/tmp/usr/share/man/man3/ldap_modrdn.3 +debian/tmp/usr/share/man/man3/ber_next_element.3 +debian/tmp/usr/share/man/man3/ldap_modrdn_s.3 +debian/tmp/usr/share/man/man3/ber_peek_tag.3 +debian/tmp/usr/share/man/man3/ldap_mods_free.3 +debian/tmp/usr/share/man/man3/ber_printf.3 +debian/tmp/usr/share/man/man3/ldap_msgfree.3 +debian/tmp/usr/share/man/man3/ber_put_enum.3 +debian/tmp/usr/share/man/man3/ldap_msgid.3 +debian/tmp/usr/share/man/man3/ber_put_int.3 +debian/tmp/usr/share/man/man3/ldap_msgtype.3 +debian/tmp/usr/share/man/man3/ber_put_null.3 +debian/tmp/usr/share/man/man3/ldap_next_attribute.3 +debian/tmp/usr/share/man/man3/ber_put_ostring.3 +debian/tmp/usr/share/man/man3/ldap_next_entry.3 +debian/tmp/usr/share/man/man3/ber_put_seq.3 +debian/tmp/usr/share/man/man3/ldap_next_message.3 +debian/tmp/usr/share/man/man3/ber_put_set.3 +debian/tmp/usr/share/man/man3/ldap_next_reference.3 +debian/tmp/usr/share/man/man3/ber_put_string.3 +debian/tmp/usr/share/man/man3/ldap_objectclass2name.3 +debian/tmp/usr/share/man/man3/ber_scanf.3 +debian/tmp/usr/share/man/man3/ldap_objectclass2str.3 +debian/tmp/usr/share/man/man3/ber_skip_tag.3 +debian/tmp/usr/share/man/man3/ldap_objectclass_free.3 +debian/tmp/usr/share/man/man3/ber_start_set.3 +debian/tmp/usr/share/man/man3/ldap_open.3 +debian/tmp/usr/share/man/man3/ber_str2bv.3 +debian/tmp/usr/share/man/man3/ldap_parse_extended_result.3 +debian/tmp/usr/share/man/man3/lber-decode.3 +debian/tmp/usr/share/man/man3/ldap_parse_reference.3 +debian/tmp/usr/share/man/man3/lber-encode.3 +debian/tmp/usr/share/man/man3/ldap_parse_result.3 +debian/tmp/usr/share/man/man3/lber-memory.3 +debian/tmp/usr/share/man/man3/ldap_parse_sasl_bind_result.3 +debian/tmp/usr/share/man/man3/lber-types.3 +debian/tmp/usr/share/man/man3/ldap_perror.3 +debian/tmp/usr/share/man/man3/ldap.3 +debian/tmp/usr/share/man/man3/ldap_result2error.3 +debian/tmp/usr/share/man/man3/ldap_abandon.3 +debian/tmp/usr/share/man/man3/ldap_result.3 +debian/tmp/usr/share/man/man3/ldap_abandon_ext.3 +debian/tmp/usr/share/man/man3/ldap_sasl_bind.3 +debian/tmp/usr/share/man/man3/ldap_add.3 +debian/tmp/usr/share/man/man3/ldap_sasl_bind_s.3 +debian/tmp/usr/share/man/man3/ldap_add_ext.3 +debian/tmp/usr/share/man/man3/ldap_schema.3 +debian/tmp/usr/share/man/man3/ldap_add_ext_s.3 +debian/tmp/usr/share/man/man3/ldap_scherr2str.3 +debian/tmp/usr/share/man/man3/ldap_add_s.3 +debian/tmp/usr/share/man/man3/ldap_search.3 +debian/tmp/usr/share/man/man3/ldap_attributetype2name.3 +debian/tmp/usr/share/man/man3/ldap_search_ext.3 +debian/tmp/usr/share/man/man3/ldap_attributetype2str.3 +debian/tmp/usr/share/man/man3/ldap_search_ext_s.3 +debian/tmp/usr/share/man/man3/ldap_attributetype_free.3 +debian/tmp/usr/share/man/man3/ldap_search_s.3 +debian/tmp/usr/share/man/man3/ldap_bind.3 +debian/tmp/usr/share/man/man3/ldap_search_st.3 +debian/tmp/usr/share/man/man3/ldap_bind_s.3 +debian/tmp/usr/share/man/man3/ldap_simple_bind.3 +debian/tmp/usr/share/man/man3/ldap_compare.3 +debian/tmp/usr/share/man/man3/ldap_simple_bind_s.3 +debian/tmp/usr/share/man/man3/ldap_compare_ext.3 +debian/tmp/usr/share/man/man3/ldap_sort.3 +debian/tmp/usr/share/man/man3/ldap_compare_ext_s.3 +debian/tmp/usr/share/man/man3/ldap_sort_entries.3 +debian/tmp/usr/share/man/man3/ldap_compare_s.3 +debian/tmp/usr/share/man/man3/ldap_sort_strcasecmp.3 +debian/tmp/usr/share/man/man3/ldap_count_entries.3 +debian/tmp/usr/share/man/man3/ldap_sort_values.3 +debian/tmp/usr/share/man/man3/ldap_count_messages.3 +debian/tmp/usr/share/man/man3/ldap_str2attributetype.3 +debian/tmp/usr/share/man/man3/ldap_count_references.3 +debian/tmp/usr/share/man/man3/ldap_str2dn.3 +debian/tmp/usr/share/man/man3/ldap_count_values.3 +debian/tmp/usr/share/man/man3/ldap_str2matchingrule.3 +debian/tmp/usr/share/man/man3/ldap_count_values_len.3 +debian/tmp/usr/share/man/man3/ldap_str2objectclass.3 +debian/tmp/usr/share/man/man3/ldap_dcedn2dn.3 +debian/tmp/usr/share/man/man3/ldap_str2syntax.3 +debian/tmp/usr/share/man/man3/ldap_delete.3 +debian/tmp/usr/share/man/man3/ldap_syntax2name.3 +debian/tmp/usr/share/man/man3/ldap_delete_ext.3 +debian/tmp/usr/share/man/man3/ldap_syntax2str.3 +debian/tmp/usr/share/man/man3/ldap_delete_ext_s.3 +debian/tmp/usr/share/man/man3/ldap_syntax_free.3 +debian/tmp/usr/share/man/man3/ldap_delete_s.3 +debian/tmp/usr/share/man/man3/ldap_unbind.3 +debian/tmp/usr/share/man/man3/ldap_dn2ad_canonical.3 +debian/tmp/usr/share/man/man3/ldap_unbind_ext.3 +debian/tmp/usr/share/man/man3/ldap_dn2dcedn.3 +debian/tmp/usr/share/man/man3/ldap_unbind_ext_s.3 +debian/tmp/usr/share/man/man3/ldap_dn2str.3 +debian/tmp/usr/share/man/man3/ldap_unbind_s.3 +debian/tmp/usr/share/man/man3/ldap_dn2ufn.3 +debian/tmp/usr/share/man/man3/ldap_url.3 +debian/tmp/usr/share/man/man3/ldap_err2string.3 +debian/tmp/usr/share/man/man3/ldap_url_parse.3 +debian/tmp/usr/share/man/man3/ldap_errlist.3 +debian/tmp/usr/share/man/man3/ldap_value_free.3 +debian/tmp/usr/share/man/man3/ldap_error.3 +debian/tmp/usr/share/man/man3/ldap_value_free_len.3 +debian/tmp/usr/share/man/man3/ldap_explode_dn.3 +debian/tmp/usr/share/man/man3/ld_errno.3 --- openldap2.3-2.3.38.orig/debian/check_config +++ openldap2.3-2.3.38/debian/check_config @@ -0,0 +1,17 @@ +#! /usr/bin/perl -w + +$| = 1; + +print "Reading configuration... "; +open CONF, "; +close CONF; +print "done\n"; + +print "Checking if sasl2 was found... "; +if (not grep /SASL_LIBS.*-lsasl2/, @CONF) { + print "no\n"; + die "SASL2 support not enabled"; +} +print "okay\n"; --- openldap2.3-2.3.38.orig/debian/TODO +++ openldap2.3-2.3.38/debian/TODO @@ -0,0 +1,32 @@ +openldap2.2 (2.2.23-4) unstable; urgency=low + + * debian/slapd.NEWS: Summarize the upstream changes and make clear that + the upgrade may be problemated. Sketch the upgrade procedure. + * debian/README.Debian: Explain what to check for if upgrading fails and + how to recover. + * CARLO: debian/slapd.scripts-common: Handle all UTF-8 supported characters + in organization field by converting the locale specific input into + utf-8 and base64 encoding the result (closes: #236097). + * Maintainer scripts: Handle the configuration to enable ldif dumping + correctly: Dump if requested and only slapadd the data if it is + supposed to be there. + * Check ITS#3267 (possible data loss) and apply the patch to the + package. + * CARLO: Escape special chars in the names of backup LDIF files using + the %xx syntax. + * Check lintian warning: Postinst uses db_input. I think the usage is + okay as it is an error message IIRC which is also output using cat + in case debconf is not available. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + * Refactoring of the maintainer scripts. Goals: + + No more direct access to global variables but accessor functions + to check for invalid uses. Example: Don't use $OLD_VERSION but + `get_previous_version`. That way invalid uses can easily be flagged + if that information is not available anymore. + * Remove perl script to hash a password and use slappasswd instead. + + -- Torsten Landschoff Sun, 3 Apr 2005 20:24:52 +0200 --- openldap2.3-2.3.38.orig/debian/control +++ openldap2.3-2.3.38/debian/control @@ -0,0 +1,71 @@ +Source: openldap2.3 +Section: net +Priority: optional +Maintainer: Debian OpenLDAP Maintainers +Uploaders: Roland Bauerschmidt , Stephen Frost , Steve Langasek , Torsten Landschoff , Matthijs Mohlmann , Russ Allbery +Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.18-1), dpkg-dev (>= 1.7.1), libncurses5-dev, debconf-utils, debhelper (>= 5), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf, libssl-dev (>= 0.9.7), libperl-dev (>= 5.8.0), perl, quilt (>= 0.40), autotools-dev +Build-Conflicts: libbind-dev, bind-dev +Standards-Version: 3.7.2.0 + +Package: slapd +Section: net +Priority: optional +Architecture: any +Pre-Depends: debconf (>= 0.5) | debconf-2.0 +Depends: ${shlibs:Depends}, libldap-2.3-0 (= ${binary:Version}), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser +Recommends: libsasl2-modules +Suggests: ldap-utils +Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1) +Replaces: libldap2, ldap-utils (<< 2.2.23-3) +Provides: ldap-server +Description: OpenLDAP server (slapd) + This is the OpenLDAP (Lightweight Directory Access Protocol) standalone + server (slapd). The server can be used to provide a standalone directory + service and also includes the slurpd replication server. + +Package: ldap-utils +Section: net +Priority: optional +Architecture: any +Depends: ${shlibs:Depends}, libldap-2.3-0 (= ${binary:Version}) +Recommends: libsasl2-modules +Conflicts: umich-ldap-utils, openldap-utils, ldap-client +Replaces: openldap-utils, slapd (<< 2.2.23-0.pre6), openldapd +Provides: ldap-client, openldap-utils +Description: OpenLDAP utilities + Utilities from the OpenLDAP (Lightweight Directory Access Protocol) + package. These utilities can access a local or remote LDAP server + and contain all the client programs required to access LDAP servers. + +Package: libldap-2.3-0 +Section: libs +Priority: optional +Architecture: any +Conflicts: ldap-utils (<= 2.1.23-1) +Depends: ${shlibs:Depends}, libldap2 +Replaces: libldap2 +Description: OpenLDAP libraries + These are the run-time libraries for the OpenLDAP (Lightweight Directory + Access Protocol) servers and clients. + +Package: libldap-2.3-0-dbg +Section: libdevel +Priority: extra +Architecture: any +Depends: libldap-2.3-0 (= ${binary:Version}) +Description: Debugging information for OpenLDAP libraries + Detached debugging information for the OpenLDAP (Lightweight Directory + Access Protocol) libraries. It is useful primarily to permit better + backtraces and crash dump analysis after problems with the libraries. + GDB will find this debug information automatically. + +Package: slapd-dbg +Section: net +Priority: extra +Architecture: any +Depends: slapd (= ${binary:Version}) +Description: Debugging information for the OpenLDAP server (slapd) + Detached debugging information for the OpenLDAP (Lightweight Directory + Access Protocol) standalone server (slapd). It is useful primarily to + permit better backtraces and crash dump analysis after problems with the + libraries. GDB will find this debug information automatically. --- openldap2.3-2.3.38.orig/debian/USE-CASES +++ openldap2.3-2.3.38/debian/USE-CASES @@ -0,0 +1,7 @@ +Some ideas what to check and what the desired results would be: + +- running dpkg-reconfigure with an already configured slapd + + Should either backup the database or ask before killing it. + Same for slapd.conf. Neither old configuration or old database + should be lost without the user confirming that this is what he wants. --- openldap2.3-2.3.38.orig/debian/slapd.docs +++ openldap2.3-2.3.38/debian/slapd.docs @@ -0,0 +1 @@ +debian/README.DB_CONFIG --- openldap2.3-2.3.38.orig/debian/slapd.cron.daily +++ openldap2.3-2.3.38/debian/slapd.cron.daily @@ -0,0 +1,3 @@ +#!/bin/sh -e + +rm -f /var/run/slapd/params_cache_dh /var/run/slapd/params_cache_rsa --- openldap2.3-2.3.38.orig/debian/libldap2.3-dev.links +++ openldap2.3-2.3.38/debian/libldap2.3-dev.links @@ -0,0 +1,10 @@ +lber-encode.3 usr/share/man/man3/ber_put_bitstring.3 +lber-encode.3 usr/share/man/man3/ber_put_boolean.3 +lber-encode.3 usr/share/man/man3/ber_start_seq.3 +lber-memory.3 usr/share/man/man3/ber_memalloc.3 +lber-memory.3 usr/share/man/man3/ber_memcalloc.3 +lber-memory.3 usr/share/man/man3/ber_memfree.3 +lber-memory.3 usr/share/man/man3/ber_memrealloc.3 +lber-types.3 usr/share/man/man3/ber_int_t.3 +lber-types.3 usr/share/man/man3/ber_len_t.3 +lber-types.3 usr/share/man/man3/ber_tag_t.3 --- openldap2.3-2.3.38.orig/debian/compat +++ openldap2.3-2.3.38/debian/compat @@ -0,0 +1 @@ +5 --- openldap2.3-2.3.38.orig/debian/ldap-utils.install +++ openldap2.3-2.3.38/debian/ldap-utils.install @@ -0,0 +1,8 @@ +debian/tmp/usr/bin/ldapadd usr/bin +debian/tmp/usr/bin/ldapdelete usr/bin +debian/tmp/usr/bin/ldapmodrdn usr/bin +debian/tmp/usr/bin/ldapsearch usr/bin +debian/tmp/usr/bin/ldapcompare usr/bin +debian/tmp/usr/bin/ldapmodify usr/bin +debian/tmp/usr/bin/ldappasswd usr/bin +debian/tmp/usr/bin/ldapwhoami usr/bin --- openldap2.3-2.3.38.orig/debian/control.dev +++ openldap2.3-2.3.38/debian/control.dev @@ -0,0 +1,26 @@ +Package: libldap2.3-dev +Section: libdevel +Priority: extra +Architecture: any +Conflicts: libldap-dev, libopenldap-dev +Replaces: libopenldap-dev +Provides: libldap-dev +Depends: libldap2.2 (= ${Source-Version}) +Description: OpenLDAP development libraries + This package allows development of LDAP applications using the OpenLDAP + libraries. It includes headers, libraries and links to allow static and + dynamic linking. + +Package: libslapd2.3-dev +Section: libdevel +Priority: extra +Architecture: all +Depends: libldap2.2 (= ${Source-Version}) +Description: OpenLDAP slapd back-end development headers + This package allows development of back-ends for the OpenLDAP slapd. + It includes headers used when developing a back-end for slapd. + These headers are, per upstream, *not* intended to be used outside of + their build system so you are on your own with them. Things can and + probably will break, feel free to file bugs about them but don't expect + them to be fixed. + --- openldap2.3-2.3.38.orig/debian/slapd.preinst +++ openldap2.3-2.3.38/debian/slapd.preinst @@ -0,0 +1,24 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# If we are upgrading from an old version then stop slapd and attempt to +# slapcat out the data so we can use it in postinst to do the upgrade + +if [ "$MODE" = upgrade ]; then + break_on_ldbm_to_bdb_migration_disagree + stop_slapd + dump_databases +fi + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap2.3-2.3.38.orig/debian/README.DB_CONFIG +++ openldap2.3-2.3.38/debian/README.DB_CONFIG @@ -0,0 +1,187 @@ +For good performance using the BDB backend, a good DB_CONFIG file in the +database directory (usually /var/lib/ldap) is crucial. The following two +articles should help you to determine a good configuration for your +requirements. A standard DB_CONFIG is installed but it may not be adequate +for your system. + +The current version of OpenLDAP supports putting DB_CONFIG parameters into +slapd.conf instead by prefixing those options with dbconfig. See the +slapd-bdb(5) man page for more information. If there is no DB_CONFIG file +when slapd starts and there are dbconfig lines in slapd.conf, slapd will +write out a DB_CONFIG file with those settings before initializing the +database. + +With the current version of OpenLDAP, any changes to DB_CONFIG will take +effect automatically after restarting slapd. Running db_recover is no +longer required. + + -- Torsten Landschoff Sun, 29 May 2005 18:08:10 +0200 + Russ Allbery Fri, 01 Jun 2007 23:57:33 -0700 + +How do I configure the BDB backend? +----------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/893.html, author unknown) + +The BDB backend ("back-bdb") uses a lot of special features of Sleepycat's +Berkeley DB library, and there are a lot of details that must be set correctly +to get the best results from it. Even though the LDBM backend ("back-ldbm") can +use the BerkeleyDB library, the BDB and LDBM backends have some very important +differences, as already noted in (Xref) What are the different backends? What +are their differences?. + +Because back-bdb is transaction-based and uses write-ahead logging to ensure +data consistency, it has much heavier I/O demands than back-ldbm. Also, the +transaction log files accumulate as data is written to the directory, and these +log files must be cleaned out periodically. Otherwise the log files will +consume enormous amounts of disk space. The cleanup procedures are described in +(Xref) How to maintain Berkeley DB (logs etc.) ?. + +The information needed to fully understand things and to properly configure +back-bdb is divided among the slapd-bdb(5) manual page and the SleepyCat +BerkeleyDB documentation (http://www.sleepycat.com/docs/). + +You should read the entire slapd-bdb(5) manpage before proceeding. The only +mandatory keyword is "directory" for setting the location of the database +files. The other keywords control tradeoffs between data reliability, +performance, and memory use. To ensure that committed transactions actually get +flushed to disk, you should use the "checkpoint" keyword, otherwise your data +is vulnerable to loss due to system failures. See the SleepyCat documentation +for more information about checkpoints. (In fact, you should read all of +chapter 9 "Berkeley DB Transactional Data Store Applications" in the SleepyCat +reference manual. At least, read sections 1-3 and 13-24.) + +The "dbnosync" keyword is provided for compatibility with back-ldbm; the +preferred method of setting this is to use the BDB DB_CONFIG file option +set_flags DB_TXN_NOSYNC. The "lockdetect" keyword is also deprecated, you +should instead use the BDB DB_CONFIG file set_lk_detect keyword. (It's safe to +leave this at the default setting.) + +A number of important items must be configured in the BDB DB_CONFIG file and +not in slapd.conf. You should, at least, read about these items: + +set_cachesize + The BDB library maintains its own cache separate from the back-bdb entry + cache. You must set this cache to a size appropriate for your database and + physical memory size. Note that this is a persistent setting - after you + set it the first time, further changes will be ignored until you recreate + the environment using db_recover. +set_lg_dir + Set the directory for storing transaction logs. For best performance, + the transaction logs must be located on a different physical disk from + the database files. +set_lg_bsize + Set the buffer size for the transaction log. Larger is better, but it + doesn't have much effect unless you're also using the DB_TXN_NOSYNC + option. With a default log file size of 10MB I usually set this to 2MB. + The default is only 32K, which is too small for back-bdb. + +On a very busy system you might see error messages talking about running out of +locks, lockers, or lock objects. Usually the default values are plenty, and in +older versions of the BDB library the errors were more likely due to library +bugs than actual system load. However, it is possible that you have actually +run out of lock resources due to heavy system usage. If this happens, you +should read about the set_lk_max_lockers, set_lk_max_locks, and +set_lk_max_objects keywords. + +How do I determine the proper BDB/HDB database cache size? +---------------------------------------------------------- +(Taken from http://www.openldap.org/faq/data/cache/1075.html, written by +hyc@openldap.org, Kurt@OpenLDAP.org) + +Not having a proper database cache size will cause performance issues. (Note: +in older versions of Berkeley DB, an improper database case size could also +cause the server to hang.) + +These issues are not an indication of corruption occurring in the database. It +is merely the fact that the cache is thrashing itself that causes +performance/response time to slowdown. If you take the time to read and +understand the Berkeley DB documentation, measure the library performance using +db_stat, and tune your settings, you will avoid these problems. + +It is not absolutely necessary to configure a BerkeleyDB cache equal in size to +your entire database. All that you need is a cache that's large enough for your +"working set." That means, large enough to hold all of the most frequently +accessed data, plus a few less-frequently accessed items. + +You should really read the BDB documentation referenced above, but let me spell +out what that really means here, in detail. The discussion here is focused on +back-bdb and back-hdb, but most of it also applies to back-ldbm when using +BerkeleyDB as the underlying database engine. + +Start with the most obvious - the back-bdb database lives in two main files, +dn2id.bdb and id2entry.bdb. These are B-tree databases. We have never +documented the back-bdb internal layout before, because it didn't seem like +something anyone should have to worry about, nor was it necessarily cast in +stone. But here's how it works today, in OpenLDAP 2.1 and 2.2. (All of the +database files in back-ldbm are B-trees by default.) + +A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping +data in its interior nodes. (If you don't know what tree data structures look +like in general, Google for some references, because that's getting far too +elementary for the purposes of this discussion.) + +For decent performance, you need enough cache memory to contain all the nodes +along the path from the root of the tree down to the particular data item +you're accessing. That's enough cache for a single search. For the general +case, you want enough cache to contain all the internal nodes in the database. +"db_stat -d" will tell you how many internal pages are present in a database. +You should check this number for both dn2id and id2entry. + +Also note that id2entry always uses 16KB per "page", while dn2id uses whatever +the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the +cache and triggering these infinite hang bugs in BDB 4.1.25, your cache must be +at least as large as the number of internal pages in both the dn2id and +id2entry databases, plus some extra space to accomodate the actual leaf data +pages. + +For example, in my OpenLDAP 2.2 test database, I have an input LDIF file that's +about 360MB. With the back-hdb backend this creates a dn2id.bdb that's 68MB, +and an id2entry that's 800MB. db_stat tells me that dn2id uses 4KB pages, has +433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 +internal pages, and 45912 leaf pages. In order to efficiently retrieve any +single entry in this database, the cache should be at least + +(433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB. + +This doesn't take into account other library overhead, so this is even lower +than the barest minimum. The default cache size, when nothing is configured, is +only 256KB. If you tried to do much of anything with this database and only +default settings, BDB 4.1.25 would lock up in an infinite loop. + +This 2.5MB number also doesn't take indexing into account. Each indexed +attribute uses another database file of its own, using a Hash structure. +(Again, in back-ldbm, the indexes also use B-trees by default, so this part of +the discussion doesn't apply unless back-ldbm was explicitly compiled to use +Hashes instead. Also, in OpenLDAP 2.2 onward, all of the indexes use B-trees, +there are no more Hash database files. So just use the B-tree information above +and ignore this Hash discussion.) + +Unlike the B-trees, where you only need to touch one data page to find an entry +of interest, doing an index lookup generally touches multiple keys, and the +point of a hash structure is that the keys are evenly distributed across the +data space. That means there's no convenient compact subset of the database +that you can keep in the cache to insure quick operation, you can pretty much +expect references to be scattered across the whole thing. My strategy here +would be to provide enough cache for at least 50% of all of the hash data. +(Number of hash buckets + number of overflow pages + number of duplicate pages) +* page size / 2. + +The objectClass index for my example database is 5.9MB and uses 3 hash buckets +and 656 duplicate pages. So ( 3 + 656 ) * 4KB / 2 =~ 1.3MB. + +With only this index enabled, I'd figure at least a 4MB cache for this backend. +(Of course you're using a single cache shared among all of the database files, +so the cache pages will most likely get used for something other than what you +accounted for, but this gives you a fighting chance.) + +With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in 1 +minute, 40 seconds. With the cache doubled to 8MB, it still takes the same +1:40s. Once you've got enough cache to fit the B-tree internal pages, +increasing it further won't have any effect until the cache really is large +enough to hold 100% of the data pages. I don't have enough free RAM to hold all +the 800MB id2entry data, so 4MB is good enough. + +With back-bdb and back-hdb you can use "db_stat -m" to check how well the +database cache is performing. Unfortunately you can't do this with back-ldbm, +as the statistics are not accessible when slapd is running, nor are they saved +anywhere when slapd is stopped. (Yet another reason not to use back-ldbm.) --- openldap2.3-2.3.38.orig/debian/slapd.prerm +++ openldap2.3-2.3.38/debian/slapd.prerm @@ -0,0 +1,71 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# Work around bug introduced in 2.1.x, fixed in 2.1.22-2 {{{ + +# The slapd 2.1.x packages before 2.1.17-3 had a problem in the init.d +# script. Namely if /etc/init.d/slapd stop was called and slapd was not +# running, the init script failed with an error code. Problem is that +# the prerm called /etc/init.d/slapd stop which failed so the upgrade +# breaks. Same problem with slurpd, fixed in 2.1.22-2. +# +# dpkg calls the new prerm script if the old prerm failed so this is +# our chance to work around that problem by trying to kill slapd +# ourselves and ignoring the case that no slapd is running. +# +# Work around implemented by Stephen Frost, should go away one release +# after sarge +# +# -- Torsten Landschoff Fri, 25 Feb 2005 15:28:23 +0100 + +if [ "$1" = "failed-upgrade" ] \ + && dpkg --compare-versions "$2" -lt 2.1.22-2 \ + && dpkg --compare-versions "$2" -ge 2.1.0-1; then + + # Source the init script configuration + if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd + fi + + # Load the default location of the slapd config file + if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" + fi + + # Find out the name of slapd's pid file + if [ -z "$SLAPD_PIDFILE" ] && [ -f "$SLAPD_CONF" ]; then + SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ + "$SLAPD_CONF"` + fi + + # Use the pidfile if it is there, if not then just do without + if [ -z "$SLAPD_PIDFILE" ]; then + start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --exec /usr/sbin/slapd + else + start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --pidfile \"$SLAPD_PIDFILE\" \ + --exec /usr/sbin/slapd + fi + + # Slurpd does not use a pidfile so just kill it via the exec + start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --exec /usr/sbin/slurpd + + # Don't let debhelper try the same thing + exit +fi +# }}} + +# Set seen flag of this question to false to get it asked if someone disagrees +# with the upgrade from ldbm to bdb backend. +db_fset slapd/migrate_ldbm_to_bdb seen false + +#DEBHELPER# + +exit 0 + +# vim: set foldmethod=marker: --- openldap2.3-2.3.38.orig/debian/slapd.postrm +++ openldap2.3-2.3.38/debian/slapd.postrm @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +# Load debconf if available (might have been removed before purging +# slapd) + +if [ -e "/usr/share/debconf/confmodule" ]; then + . /usr/share/debconf/confmodule +fi + +# Check if the user wants the database removed on purging slapd +remove_database_on_purge() { + db_get slapd/purge_database || RET=false + if [ "$RET" = "true" ]; then + return 0 + else + return 1 + fi +} + +if [ "$1" = "purge" ]; then + echo -n "Removing slapd configuration... " + rm -f /etc/ldap/slapd.conf 2>/dev/null || true + rmdir /etc/ldap/schema || true + echo done + + echo -n "Removing maintainer script flag files... " + rm -f /var/lib/slapd/upgrade* + echo done + + if remove_database_on_purge; then + echo -n "Purging OpenLDAP database... " + rm -rf /var/lib/ldap || true + echo done + fi +fi + +#DEBHELPER# + +exit 0 + --- openldap2.3-2.3.38.orig/debian/check_upgradepath +++ openldap2.3-2.3.38/debian/check_upgradepath @@ -0,0 +1,171 @@ +#! /bin/sh + +set -e + +# WARNING: This script is in sometimes-works-for-me state. Only use if +# you understand what's going on. + +# Setup +: ${chroot_dir:=../chroot} +: ${debmirror:=http://ftp.de.debian.org/debian} +: ${proxy:=http://proxy.galaxy:3128/} +unset LC_ALL +unset LC_CTYPE +unset LC_MESSAGES +# XXX: comment out when testing new versions. Needed so libc6 does not +# ask for restarting services. +export DEBIAN_FRONTEND=noninteractive + +woodytar=$chroot_dir/woody_base.tar.gz + +# List our packages +list_packages() { + local p ver + ver=`dpkg-parsechangelog|sed -ne 's/^Version: //p'` + for p in `dh_listpackages`; do + (cd .. && echo ${p}_$ver*deb) + done +} + +# Run a command inside the chroot + +in_target() { + chroot $chroot_dir/woody "$@" +} + +# Set a debconf variable inside the chroot + +debconf_set() { + local name=$1 + shift + cat >>$chroot_dir/woody/var/cache/debconf/config.dat < $chroot_dir/woody/etc/apt/sources.list + echo "Acquire::HTTP::Proxy \"$proxy\";" \ + > $chroot_dir/woody/etc/apt/apt.conf + in_target apt-get update + in_target mount -t proc none /proc + + # We don't want any debconf interaction + #debconf_set debconf/frontend Noninteractive +} + +# These are our example configurations for testing the upgrade + +conf_domain_or_host() { + debconf_set slapd/fill_method auto + debconf_set slapd/suffix_type "domain or host" + debconf_set slapd/domain "some.example.net" + debconf_set slapd/replicate false + debconf_set shared/organization Some Organization +} + + +check_domain_or_host() { + sleep 2 # wait for slapd to startup + in_target ldapsearch -h localhost -b dc=some,dc=example,dc=net -x \ + objectclass=\* +} + +conf_location() { + debconf_set slapd/fill_method auto + debconf_set slapd/suffix_type "location" + debconf_set shared/locale/countrycode de + debconf_set shared/organization "Sample Organization" + debconf_set slapd/replicate false + debconf_set shared/organization Some Organization +} + +check_location() { + sleep 2 # wait for slapd to startup + in_target ldapsearch -h localhost -b "o=Some Organization, c=de" \ + -x objectclass=\* +} +# Install slapd inside the chroot + +install_slapd() { + in_target apt-get -y install slapd ldap-utils +} + +# Do an upgrade of our packages inside the chroot + +upgrade() { + # Link our packages into the chroot + for p in `list_packages`; do + ln ../$p $chroot_dir/woody/root/ + done + + # Create a packages file + (cd $chroot_dir/woody/root && dpkg-scanpackages . /dev/null >Packages) + + # Switch to unstable + echo "deb $debmirror unstable main" \ + > $chroot_dir/woody/etc/apt/sources.list + echo "deb file:/root ./" >> $chroot_dir/woody/etc/apt/sources.list + + # Update package lists + in_target apt-get update + + # Tell our scripts to fix the config + debconf_set slapd/fix_directory true + debconf_set slapd/password1 foobar + debconf_set slapd/autoconf_modules true + debconf_set slapd/allow_ldap_v2 + + # Do an upgrade of our packages + in_target apt-get install -y `dh_listpackages` +} + +# Checks if upgrading a woody system with slapd configured with the +# command given works. + +check_upgrade() { + setup_chroot + conf_$1 + debconf_set slapd/password1 foobar + debconf_set slapd/password2 foobar + install_slapd + check_$1 + upgrade + check_$1 + in_target /etc/init.d/slapd stop + in_target umount /proc +} + +# Try upgrading our example setups + +for i in location domain_or_host; do + check_upgrade $i +done + +echo "SUCCESS testing upgrading from woody" --- openldap2.3-2.3.38.orig/debian/slapd.config +++ openldap2.3-2.3.38/debian/slapd.config @@ -0,0 +1,51 @@ +#! /bin/sh + +set -e + +# Load debconf +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +# Create an initial directory on fresh install +if is_initial_configuration "$@"; then + if ! want_manual_configuration; then + set_defaults_for_unseen_entries + query_initial_config + crypt_admin_pass + configure_allow_v2_binds + fi +fi + +# Configure the dumping component if we are upgrading some older version +if [ "$1" = configure ] && [ -n "$2" ]; then + configure_ldbm_to_bdb_migration + configure_dumping + configure_allow_v2_binds +fi + +# On upgrade from pre-2.1 we have to ask if we shall fix the config file (if +# it exists anyway). +if previous_version_older 2.1; then + if [ -e "$SLAPD_CONF" ]; then + db_input medium slapd/autoconf_modules || true + db_go || true + fi +fi + +# Since version 2.1.23, slapd requires slave databases to have the updateref +# option set +if [ -e "$SLAPD_CONF" ]; then + if slave_databases_without_updateref; then + db_input critical slapd/slave_databases_require_updateref || true + db_go || true + fi +fi + +db_go || true +db_stop || true + +exit 0 + --- openldap2.3-2.3.38.orig/debian/copy_slapd_dev_files +++ openldap2.3-2.3.38/debian/copy_slapd_dev_files @@ -0,0 +1,16 @@ +#! /bin/sh + +set -e + +echo -n "Installing: " +target=libslapd2.2-dev +echo -n " $target" +find include -name "*.h" -print | sed -e 's:^include/::' | +while read line; do + dir="`dirname $line`" + name="`basename $line`" + + mkdir -p debian/libslapd2.2-dev/usr/include/slapd/$dir + cp include/$dir/$name debian/libslapd2.2-dev/usr/include/slapd/$dir/ +done +echo "." --- openldap2.3-2.3.38.orig/debian/libldap2.3-dev.install +++ openldap2.3-2.3.38/debian/libldap2.3-dev.install @@ -0,0 +1,16 @@ +debian/tmp/usr/include/slapi-plugin.h usr/include +debian/tmp/usr/include/lber.h usr/include +debian/tmp/usr/include/lber_types.h usr/include +debian/tmp/usr/include/ldap_cdefs.h usr/include +debian/tmp/usr/include/ldap_features.h usr/include +debian/tmp/usr/include/ldap.h usr/include +debian/tmp/usr/include/ldap_schema.h usr/include +debian/tmp/usr/include/ldap_utf8.h usr/include +debian/tmp/usr/lib/libldap.a usr/lib +debian/tmp/usr/lib/libldap.so usr/lib +debian/tmp/usr/lib/liblber.a usr/lib +debian/tmp/usr/lib/liblber.so usr/lib +debian/tmp/usr/lib/libldap_r.a usr/lib +debian/tmp/usr/lib/libldap_r.so usr/lib +debian/tmp/usr/lib/libslapi.a usr/lib +debian/tmp/usr/lib/libslapi.so usr/lib --- openldap2.3-2.3.38.orig/debian/slapd.dirs +++ openldap2.3-2.3.38/debian/slapd.dirs @@ -0,0 +1,4 @@ +var/lib/slapd +usr/share/slapd +usr/share/lintian/overrides +etc/ldap/sasl2 --- openldap2.3-2.3.38.orig/debian/slapd.scripts-common +++ openldap2.3-2.3.38/debian/slapd.scripts-common @@ -0,0 +1,1329 @@ +# This file can be included with #SCRIPTSCOMMON# + + +# ===== Dumping and reloading using LDIF files ========================= {{{ +# +# If incompatible changes are done to the database underlying a LDAP +# directory we need to dump the contents and reload the data into a newly +# created database after the new server was installed. The following +# functions deal with this functionality. + + +# ----- Configuration of this component -------------------------------- {{{ +# +# Dumping the database can have negative effects on the system we are +# running on. If there is a lot of data dumping it might fill a partition +# for example. Therefore we must give the user exact control over what we +# are doing. + +configure_dumping() { # {{{ +# Ask the user for the configuration of the dumping component +# Usage: configure_dumping + + # Look if the user wants to migrate to the BDB backend + if ! database_dumping_enabled; then + return 0 + fi + + # Configure if and where to dump the LDAP databases + db_input medium slapd/dump_database || true + db_go || true + db_get slapd/dump_database + + # Abort if the user does not want dumping + if [ "$RET" = never ]; then + return 0 + fi + + db_input medium slapd/dump_database_destdir || true + db_go || true + + # If the user entered the empty value, go back to the default + db_get slapd/dump_database_destdir + if [ "$RET" = "" ]; then + db_reset slapd/dump_database_destdir + fi +} + +# }}} +configure_ldbm_to_bdb_migration() { # {{{ +# If there are any LDBM databases in use we suggest to the user to migrate +# to the more stable and better maintained BDB backend. +# Usage: configure_ldbm_to_bdb_migration + + if [ -e "$SLAPD_CONF" ] && grep -qE \ + -e '^moduleload[[:space:]]+back_ldbm' \ + -e '^(database|backend)[[:space:]]+ldbm' \ + "$SLAPD_CONF"; then + db_input critical slapd/migrate_ldbm_to_bdb || true + db_go || true + else + # Nothing to migrate + db_set slapd/migrate_ldbm_to_bdb false + fi +} +# }}} +configure_allow_v2_binds() { # {{{ +# Ask if the user would like their package to support LDAPv2.. +# This was the default in older versions but we want to ask +# for new installs too in case the user needs it.. + + db_input medium slapd/allow_ldap_v2 || true +} +# }}} +break_on_ldbm_to_bdb_migration_disagree() { # {{{ + if [ -e "$SLAPD_CONF" ] && grep -qE \ + -e '^moduleload[[:space:]]+back_ldbm' \ + -e '^(database|backend)[[:space:]]+ldbm' \ + "$SLAPD_CONF"; then + db_get slapd/migrate_ldbm_to_bdb + if [ "$RET" = "false" ]; then + db_fset slapd/migrate_ldbm_to_bdb seen false + return 1 + fi + return 0 + fi + return 0 +} # }}} +database_dumping_enabled() { # {{{ +# Check if the user has enabled database dumping for the current situation. +# Return success if yes. +# Usage: if database_dumping_enabled; then ... fi + + db_get slapd/dump_database + case "$RET" in + always) + ;; + "when needed") + database_format_changed || return 1 + ;; + never) + return 1 + ;; + *) + echo >&2 "Unknown value for slapd/dump_database: $RET" + echo >&2 "Please report!" + exit 1 + ;; + esac +} + +# }}} +database_format_changed() { # {{{ +# Check if the database format has changed since the old installed version +# Return success if yes. +# Usage: if database_format_changed; then + + db_get slapd/migrate_ldbm_to_bdb + if [ "$RET" = "true" ] || dpkg --compare-versions \ + "$OLD_VERSION" lt-nl "2.3.19"; then + return 0 + else + return 1 + fi +} + +# }}} +database_dumping_destdir() { # {{{ +# Figure out the directory we are dumping the database to and create it +# if it does not exist. +# Usage: destdir=`database_dumping_destdir` + + local dir + db_get slapd/dump_database_destdir + dir=`echo "$RET"|sed -e "s/VERSION/$OLD_VERSION/"` + mkdir -p -m 700 "$dir" + echo $dir +} + +# }}} +configure_ldbm_to_bdb_transition() { # {{{ +# The LDBM backend seems to be quite unusable with OpenLDAP 2.2. Therefore +# we ask the user if he wants to switch to BDB which is the recommended +# backend for 2.2. + + if grep -q '^moduleload[[:space:]]\+back_ldbm' $SLAPD_CONF || + grep -q '^database[[:space:]]\+ldbm' $SLAPD_CONF || + grep -q '^backend[[:space:]]\+ldbm' $SLAPD_CONF; then + db_input critical slapd/convert_ldbm_to_bdb || true + db_go || true + else + db_set slapd/convert_ldbm_to_bdb false + fi +} + +# }}} +create_new_user() { # {{{ + if [ -z "`getent group openldap`" ]; then + addgroup --quiet --system openldap + fi + if [ -z "`getent passwd openldap`" ]; then + echo -n " Creating new user openldap... " >&2 + adduser --quiet --system --home /var/lib/ldap --shell /bin/false \ + --ingroup openldap --disabled-password --disabled-login \ + --gecos "OpenLDAP Server Account" openldap + echo "done." >&2 + fi +} +# }}} +create_ldap_directories() { # {{{ + if [ ! -d /var/lib/ldap ]; then + mkdir -m 0700 /var/lib/ldap + fi + if [ ! -d /var/spool/slurpd ]; then + mkdir -m 0700 /var/spool/slurpd + fi + if [ ! -d /var/run/slapd ]; then + mkdir -m 0755 /var/run/slapd + fi + update_permissions /var/lib/ldap + update_permissions /var/spool/slurpd + update_permissions /var/run/slapd +} +# }}} +update_permissions() { # {{{ + dir="$1" + if [ -d "$dir" ]; then + [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$dir" + [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$dir" + fi +} +# }}} +update_databases_permissions() { # {{{ + parse_configuration_file + for db in `get_database_list`; do + dbdir=`get_directory $db` + update_permissions "$dbdir" + chmod 0700 "$dbdir" + done +} +# }}} +# }}} +# ----- Dumping and loading the data ------------------------------------ {{{ + +automatic_ldif_fixing_wanted_for() { # {{{ +# Check if the user wants us to automatically fix the given LDIF file. +# Usage: if automatic_ldif_fixing_wanted_for "$file"; then ... +# XXX: Use debconf to configure this + + local file size maxsize + file="$1" + size=`wc -c < "$file"` + maxsize=$((1024 * 1024 * 20)) + + if [ "$size" -lt "$maxsize" ]; then + return 0 + else + return 1 + fi +} + +# }}} +corrective_ldif_filter() { # {{{ +# Try to fix any errors found in an LDIF stream. +# Usage: source | corrective_ldif_filter | target +# XXX: Store the stderr output of the script somewhere. + + /usr/share/slapd/fix_ldif -f 2>/dev/null +} + +# }}} + +dump_databases() { # {{{ +# If the user wants us to dump the databases they are dumped to the +# configured directory. + + local db suffix file dir failed + + database_dumping_enabled || return 0 + + dir=`database_dumping_destdir` + echo >&2 " Dumping to $dir: " + parse_configuration_file + for db in `get_database_list`; do + suffix=`get_suffix $db` + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + slapcat -b "$suffix" > "$file" || failed=1 + if [ "$failed" ]; then + rm -f "$file" + echo failed. >&2 + exit 1 + fi + echo "done." >&2 + done +} + +# }}} +load_databases() { # {{{ + local dir file db dbdir backupdir + + dir=`database_dumping_destdir` + echo >&2 " Loading from $dir: " + parse_configuration_file + for db in `get_database_list`; do + suffix=`get_suffix $db` + dbdir=`get_directory $db` + if ! is_empty_dir "$dbdir"; then + echo >&2 \ + " Directory $dbdir for $suffix not empty, aborting." + exit 1 + fi + + file="$dir/$suffix.ldif" + echo -n " - directory $suffix... " >&2 + + # If there is an old DB_CONFIG file, restore it before + # running slapadd + backupdir=`compute_backup_path -n "$dbdir" "$suffix"` + if [ -e "$backupdir"/DB_CONFIG ]; then + cp -a "$backupdir"/DB_CONFIG "$dbdir"/ + else + copy_example_DB_CONFIG "$dbdir"/ + fi + + capture_diagnostics slapadd -q -b "$suffix" -l "$file" \ + || failed=1 + if [ "$failed" ] && \ + automatic_ldif_fixing_wanted_for "$file"; then + rm -f "$dbdir"/* + # If there is an old DB_CONFIG file, restore it + # before running slapadd + if [ -e "$backupdir"/DB_CONFIG ]; then + cp -a "$backupdir"/DB_CONFIG "$dbdir"/ + else + copy_example_DB_CONFIG "$dbdir"/ + fi + failed= + echo -n "fixing" >&2 + # This only works because we used capture_diag + # above already and the FD for the capture is + # already assigned in the master shell. There + # should be a cleaner way for this... + # -- Torsten + corrective_ldif_filter < "$file" \ + | capture_diagnostics slapadd -q -b "$suffix" \ + || failed=1 + echo -n ", " >&2 + fi + if [ "$failed" ]; then + rm -f "$dbdir"/* + echo failed. >&2 + echo >&2 + cat <<-EOF + Loading the database from the LDIF dump failed with the following + error while running slapadd: +EOF + release_diagnostics " " + exit 1 + fi + echo "done." >&2 + + if [ -n "$SLAPD_USER" ] || [ -n "$SLAPD_GROUP" ]; then + echo -n " - chowning database directory ($SLAPD_USER:$SLAPD_GROUP)... " + [ -z "$SLAPD_USER" ] || \ + chown -R "$SLAPD_USER" "$dbdir" + [ -z "$SLAPD_GROUP" ] || \ + chgrp -R "$SLAPD_GROUP" "$dbdir" + echo "done"; + fi + done +} + +# }}} +move_incompatible_databases_away() { # {{{ + echo >&2 " Moving old database directories to /var/backups:" + parse_configuration_file + for db in `get_database_list`; do + suffix=`get_suffix $db` + dbdir=`get_directory $db` + move_old_database_away "$dbdir" "$suffix" + done +} + +# }}} +# }}} +# }}} + +# ===== Parsing the slapd configuration file ============================ {{{ +# +# For some operations we have to know the slapd configuration. These +# functions are for parsing the slapd configuration file. + +merge_logical_lines() { # {{{ +# slapd supports continuation lines in the slapd.conf. Continuation lines +# start with spaces and are merged with the preceding line. This function +# uses perl to merge physical lines into logical lines as seen by the +# slapd config parser. +# Usage: merge_logical_lines < input > output + + perl -pe 'BEGIN { undef $/ }; s/\n(?!\n)\s+/ /g;' +} + +# }}} +read_slapd_conf() { # {{{ +# read slapd.conf file and evaluate include statements +# FIXME: circular loops will cause this to block forever + merge_logical_lines | while read command data; do + if [ "$command" = "include" ]; then + file=`eval echo $data` + read_slapd_conf < $file + else + echo $command $data + fi + done +} + +# }}} +write_slapd_conf() { # {{{ +# Change a configuration setting in a configuration file, follow includes. +# Usage: write_slapd_conf configuration_file regexpression +# FIXME: circular loops will cause this to block forever + + conf=$1 + reg=$2 + + # Perl script to change configuration files. + script=' + use File::Temp; + use File::Compare; + use File::Copy; + + sub changeConfig { + my ($conf, $regexp) = @_; + my ($fh, $name) = mkstemp("/tmp/tmp.XXXXXX"); + + open(HANDLE, "<". $conf) || return; + my @data = ; + close(HANDLE); + + foreach $line (@data) { + + # Parse includes, but forget the schema files. + if ($line =~ /^include/ && $line !~ /\/etc\/ldap\/schema\//) { + my @file = split(/\s+/, $line); + changeConfig($file[1], $regexp); + } + + # Modify the config with the given regexpression. + $doit = "\$line =~ $regexp"; + eval $doit; + print $fh $line; + } + + # Close the tempfile handle opened by mkstemp. + close($fh); + + # If file is changed by the regexp replace the original file. + if (compare($conf, $name) != 0) { + move($name, $conf); + } else { + unlink($name); + } + } + + $config = shift; + $regexp = shift; + changeConfig($config, $regexp);' + + # Use perl to execute the function above. + perl -e "$script" $conf $reg +} +# }}} +write_database_info() { # {{{ +# Print out the information about one database +# Usage: write_database_info + + local backend suffix directory + backend=$1 + suffix=$2 + directory=$3 + + if upgrade_supported_from_backend "$backend"; then + # If no directory was given use the compiled in value + if [ -z "$directory" ]; then + directory=/var/lib/ldap + fi + echo "$backend" + echo "$suffix" + echo "$directory" + fi +} + +# }}} +parse_configuration_file() { # {{{ +# Get the list of configured databases from the slapd configuration file +# Usage: for db in `get_database_list`; do ... done + + # Create a temporary file with our data + local infofile + infofile=`mktemp` + exec 9<>"$infofile" + rm "$infofile" + + # Read config and put information into the temp file + (read_slapd_conf < $SLAPD_CONF && echo database) | \ + while read command data; do + case "$command" in + database) + # Write information about previous database section + # if any + if [ -n "$backend" ] && [ -n "$suffix" ]; then + write_database_info >&9 \ + "$backend" "$suffix" "$directory" + fi + backend=$data + suffix="" + directory="" + ;; + suffix) + suffix=`eval echo $data` + ;; + directory) + directory=`eval echo $data` + ;; + esac + done +} + +# }}} +read_database_info() { # {{{ + local script + script=' + seek STDIN, 0, 0; + @data = ; + print $data[3 * $ARGV[0] + $ARGV[1]];' + + perl <&9 -e "$script" "$@" +} + +# }}} +get_backend() { + read_database_info "$1" 0 +} +get_suffix() { + read_database_info "$1" 1 +} +get_directory() { + read_database_info "$1" 2 +} +get_database_list() { + local script + script=' + seek STDIN, 0, 0; + @data = ; + print join(" ", 0..(@data/3 - 1));' + + perl <&9 -e "$script" +} + +# }}} + + +compute_backup_path() { # {{{ +# Compute the path to backup a database directory +# Usage: compute_backup_path [-n] + +# XXX: should ask the user via debconf + + local dirname basedn ok_exists + if [ "$1" = "-n" ]; then + ok_exists=yes + shift + fi + dirname="$1" + basedn="$2" + + # Computing the name of the backup directory from the old version, + # the suffix etc. all makes me feel worried. I'd rather have a + # directory name which is not going to exist. So the simple + # scheme we are using now is to compute the filename from the + # directory name and appending date and time. And we check if it + # exists to be really sure... -- Torsten + + local target + local id + id="$OLD_VERSION" + [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S` + target="/var/backups/$basedn-$id.ldapdb" + if [ -e "$target" ] && [ -z "$ok_exists" ]; then + echo >&2 + echo >&2 " Backup path $target exists. Giving up..." + exit 1 + fi + + echo "$target" +} + +# }}} +move_old_database_away() { # {{{ +# Move the old database away if it is still there +# +# In fact this function makes sure that the database directory is empty +# and can be populated with a new database. If something is in the way +# it is moved to a backup directory if the user accepted the debconf +# option slapd/move_old_database. Otherwise we output a warning and let +# the user fix it himself. +# Usage: move_old_database_away [] + + local databasedir backupdir + databasedir="$1" + suffix="${2:-unknown}" + + if [ ! -e "$databasedir" ] || is_empty_dir "$databasedir"; then + return 0 + fi + + + # Note that we can't just move the database dir as it might be + # a mount point. Instead me move the content which might + # include mount points as well anyway, but it's much less likely. + db_get slapd/move_old_database + if [ "$RET" = true ]; then + backupdir=`compute_backup_path "$databasedir" "$suffix"` + echo -n " - directory $suffix... " >&2 + mkdir -p "$backupdir" + find "$databasedir" -mindepth 1 -maxdepth 1 \ + -exec mv {} "$backupdir" \; + echo done. >&2 + else + cat >&2 < + local directory srcdir + + directory="$1" + srcdir="/usr/share/slapd" + + if ! [ -f "${directory}/DB_CONFIG" ] && [ -d "$directory" ]; then + cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG" + fi +} + +# }}} +create_new_configuration() { # {{{ +# Create a new configuration and directory + + local basedn dc backend + + # For the domain really.argh.org we create the basedn + # dc=really,dc=argh,dc=org with the dc entry dc: really + db_get slapd/domain + local basedn="dc=`echo $RET | sed 's/^\.//; s/\./,dc=/g'`" + dc="`echo $RET | sed 's/^\.//; s/\..*$//'`" + + db_get slapd/backend + backend="`echo $RET|tr A-Z a-z`" + + # Looks like the following code is not needed as slapd is unconfigured + # first and stopped at that time. So no need to stop slapd at all here. + + if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then + echo >&2 " Moving old database directory to /var/backups:" + move_old_database_away /var/lib/ldap + fi + create_new_slapd_conf "$basedn" "$backend" + create_ldap_directories + create_new_directory "$basedn" "$dc" + + # Put the right permissions on this directory. + update_permissions /var/lib/ldap + + # Now that we created the new directory we don't need the passwords in the + # debconf database anymore. So wipe them. + wipe_admin_pass +} +# }}} +create_new_slapd_conf() { # {{{ +# Creates a new slapd.conf for the suffix given +# Usage: create_new_slapd_conf + + local basedn backend backendoptions checkpoint conf_new conf_template + + basedn="$1" + backend="$2" + checkpoint="" + conf_template="/usr/share/slapd/slapd.conf" + + # Checkpoint if using the BDB backend + if [ "$backend" = "bdb" ] || [ "$backend" = "hdb" ]; then + checkpoint="checkpoint 512 30" + backendoptions="# For the Debian package we use 2MB as default but be sure to update this\n# value if you have plenty of RAM\ndbconfig set_cachesize 0 2097152 0\n\n# Sven Hartge reported that he had to set this value incredibly high\n# to get slapd running at all. See http:\/\/bugs.debian.org\/303057\n# for more information.\n\n# Number of objects that can be locked at the same time.\ndbconfig set_lk_max_objects 1500\n# Number of locks (both requested and granted)\ndbconfig set_lk_max_locks 1500\n# Number of lockers\ndbconfig set_lk_max_lockers 1500" + fi + + conf_new=`mktemp -q ${SLAPD_CONF}.XXXXXX` + echo -n " Creating initial slapd configuration... " >&2 + sed <"$conf_template" >"$conf_new" \ + -e "s/@SUFFIX@/$basedn/g" \ + -e "s/@ADMIN@/cn=admin,$basedn/g" \ + -e "s/@CHECKPOINT@/$checkpoint/g" \ + -e "s/@BACKEND@/$backend/g" \ + -e "s/@BACKENDOPTIONS@/$backendoptions/g" + install_new_slapd_conf "$conf_new" + echo "done." >&2 + + # If /etc/ldap/schema/core.schema doesn't exist, the configuration + # file we're about to write will be horribly broken. Try to give the + # user some warning rather than failing later. + if [ ! -e /etc/ldap/schema/core.schema ]; then + echo >&2 + cat >&2 <<-EOF + /etc/ldap/schema/core.schema does not exist, which means the slapd + configuration will not work. If you have moved the schema files + elsewhere, you will need to modify $SLAPD_CONF accordingly. + If you deleted the schema files inadvertantly, you may need to + purge this package and then reinstall it to restore them (be + careful to back up your database first if necessary). + +EOF + exit 1 + fi +} +# }}} +noisy_slapadd() { # {{{ +# Run slapadd and output the ldif file if something goes wrong. +# Usage: noisy_slapadd [options] < ldif-file + local ldif_tmp + + ldif_tmp=`mktemp -t slapadd.XXXXXX` + cat > "$ldif_tmp" + if ! slapadd "$@" < "$ldif_tmp"; then + echo >&2 "Failed to slapadd this data: " + cat >&2 < "$ldif_tmp" + rm "$ldif_tmp" + exit 1 + fi + rm "$ldif_tmp" +} # }}} +encode_utf8() { #{{{ +# Make the value utf8 encoded. Takes one argument and utf8 encode it. +# Usage: val=`encode_utf8 ` + perl -e 'use Encode; print encode_utf8($ARGV[0]);' "$1" +} #}}} +create_new_directory() { # {{{ +# Create a new directory. Takes the basedn and the dc value of that entry. +# Other information is extracted from debconf. +# Usage: create_new_directory + + local basedn dc organization adminpass + basedn="$1" + dc="$2" + + # Encode to utf8 and base64 encode the organization. + db_get shared/organization + organization=`encode_utf8 "$RET"` + db_get slapd/internal/adminpw + adminpass="$RET" + + echo -n " Creating initial LDAP directory... " >&2 + + cat <<-EOF | noisy_slapadd + dn: $basedn + objectClass: top + objectClass: dcObject + objectClass: organization + o: $organization + dc: $dc + + dn: cn=admin,$basedn + objectClass: simpleSecurityObject + objectClass: organizationalRole + cn: admin + description: LDAP administrator + userPassword: {crypt}$adminpass + EOF + + echo "done." >&2 +} +# }}} +config_migrate_backend() { # {{{ +# Changes all uses of one backend to another (like ldbm to bdb) in the +# configuration file. This includes the moduleload, backend and database +# directives. +# Usage: migrate_databases + + local old new + old="$1" + new="$2" + + write_slapd_conf "$SLAPD_CONF" "s|^(moduleload\s+)back_$old|\$1back_$new|" + write_slapd_conf "$SLAPD_CONF" "s|^(database\s+)$old|\$1$new|" + write_slapd_conf "$SLAPD_CONF" "s|^(backend\s+)$old|\$1$new|" +} + +# }}} +autoconfigure_modules() { # {{{ +# On upgrades from pre-2.1 we might have to update the configuration +# file for loading the backend modules. This function tries to figure out +# the needed changes automatically. +# This function should probably go away some time after sarge release. + + local new_conf + + # Without a configuration we have nothing to update + if [ ! -e "$SLAPD_CONF" ]; then + echo " Did not find slapd.conf to update modules" >&2 + return 0 + fi + + # If the modulepath directive is already used in slapd.conf we assume + # that the configuration was already adjusted + if grep -q ^modulepath $SLAPD_CONF; then return 0; fi + + # If the user does not want us to do the module config we bail out + db_get slapd/autoconf_modules || true + if [ "$RET" != "true" ]; then return 0; fi + + echo -n " Updating config for dynamic backends... " >&2 + new_conf=`mktemp -q ${SLAPD_CONF}.XXXXXX` + cat <<-EOF >$new_conf + # Loading of backend modules - automatically generated + + modulepath /usr/lib/ldap + EOF + read_slapd_conf < $SLAPD_CONF | sed -n >>"$new_conf" \ + 's/^database[[:space:]]\+\([a-z]\+\)/moduleload back_\1/p' + echo >>$new_conf + cat $SLAPD_CONF >>$new_conf + install_new_slapd_conf "$new_conf" + echo done. >&2 +} +# }}} +update_path_argsfile_pidfile() { # {{{ + write_slapd_conf "$SLAPD_CONF" 's|^(argsfile\s+).*|$1/var/run/slapd/slapd.args|' + write_slapd_conf "$SLAPD_CONF" 's|^(pidfile\s+).*|$1/var/run/slapd/slapd.pid|' +} +# }}} +configure_v2_protocol_support() { # {{{ +# Adds the "allow bind_v2" directive to the configuration if the user decided +# he wants to have ldap v2 enabled. + + local new_conf + + db_get slapd/allow_ldap_v2 + if [ "$RET" != "true" ]; then return 0; fi + + echo -n " Enabling LDAPv2 support... " >&2 + + # Check if already enabled + if read_slapd_conf < $SLAPD_CONF | \ + grep -q -E '^allow[[:space:]][^#]*bind_v2'; then + echo "already enabled." >&2 + return 0 + fi + + # Create a temporary file for the new config + new_conf=`mktemp -q ${SLAPD_CONF}.XXXXXX` + + # If there is an existing global allow command, add our option + if extend_existing_allow_directive < $SLAPD_CONF > $new_conf; then + # Succeeded + echo -n "updated existing allow line" >&2 + else + # That failed, so we have to add a new line for it + echo '# Allow LDAPv2 binds' > $new_conf + echo 'allow bind_v2' >> $new_conf + echo >> $new_conf + cat $SLAPD_CONF >> $new_conf + echo -n "done" >&2 + fi + + # Activate the new configuration file + install_new_slapd_conf "$new_conf" + echo . >&2 +} +# }}} +extend_existing_allow_directive() { # {{{ +# Filter the config file for an allow directive and add "bind_v2" to it +# if found. + + local script + script=' + $done = 0; + while (<>) { + $done = 1 if s/^allow/allow bind_v2/; + last if m/^database/; + print; + } + exit ! $done;' + + perl -e "$script" || return 1 +} +# }}} +fix_ldif() { # {{{ +# Fix the directory when upgrading from before 2.1 and the root +# dn has no structural objectclass +# Usage: fix_ldif + + local location fixed_location + location="$1" + fixed_location="$2" + + db_get shared/organization + organization="$RET" + if [ -z "$organization" ]; then organization=Unknown; fi + + /usr/share/slapd/fix_ldif -w -o "$organization" \ + < "$location" > "$fixed_location" +} +# }}} +assign_permissions() { # {{{ +# Apply the same permissions as on a reference file to another file. +# Usage: apply_permissions + + chmod --reference="$1" "$2" + chown --reference="$1" "$2" +} +# }}} +update_access_config_directives() { # {{{ +# Update the config file for some changes done for 2.2.x (vs. 2.1.x): +# access to attribute= becomes access to attrs= +# access to dn=".*,..." becomes access to dn.regex=".*,..." + + # Check if we have to apply these changes + # Users can have it in the config file. 2.2.26 allowed to have attr in the + # config files due to a bug in the config parser. + if previous_version_newer 2.3.24; then + return 0 + fi + + # Without a configuration we have nothing to update + if [ ! -e "$SLAPD_CONF" ]; then + echo >&2 \ + " Did not find slapd.conf to update access directives." + return 0 + fi + + echo -n " Updating config access directives... " >&2 + + write_slapd_conf "$SLAPD_CONF" 's/^(access\s+to\s+)dn=/$1dn.regex=/g' + write_slapd_conf "$SLAPD_CONF" 's/^(access\s+to\s+)(attribute=|attr=)/$1attrs=/g' + + echo "done." >&2 + +} # }}} +stop_slapd() { # {{{ +# Make sure slapd is shut down before mucking with the db files +# and whatnot... +# Usage: stop_slapd +# XXX: Why are we stopping slapd manually? That should be done via +# the init.d script and invoke-rc.d. Leaving this alone for now +# -- Torsten + + # Find out the name of slapd's pid file + if [ -z "$SLAPD_PIDFILE" ] && [ -f "$SLAPD_CONF" ]; then + SLAPD_PIDFILE=`read_slapd_conf < $SLAPD_CONF \ + | sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p'` + fi + + # Use the pidfile if it is there, if not then just do without + if [ -z "$SLAPD_PIDFILE" ]; then + start-stop-daemon --stop --retry 10 --quiet --oknodo \ + --exec /usr/sbin/slapd >&2 + else + start-stop-daemon --stop --retry 10 --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" >&2 + fi +} + +# }}} +install_new_slapd_conf() { # {{{ +# Installs a given file as new slapd.conf configuration file. +# Usage: install_new_slapd_conf + + local conf_new + conf_new="$1" + + # On install and remove we don't have to backup the configuration file. Only + # on upgrade. + if [ "$MODE" = "upgrade" ]; then + backup_config_once + fi + + # Make sure we keep the permissions of an old slapd.conf + if [ -e "$SLAPD_CONF" ]; then + assign_permissions "$SLAPD_CONF" "$conf_new" + fi + mv "$conf_new" "$SLAPD_CONF" +} +# }}} +install_new_configuration() { # {{{ +# Installs a given $2 (new) as new $1 (old) configuration file +# Usage: install_new_configuration oldconf newconf + local conf_old="$1" + local conf_new="$2" + + # Make sure we keep the permissions of an old configuration file, this is not + # really needed anymore because slapd reads it configuration before it drops + # the privileges. + if [ -e "$conf_old" ]; then + assign_permissions "$conf_old" "$conf_new" + fi + + # Move configuration file in place. + mv "$conf_new" "$conf_old" +} +# }}} +backup_config_once() { # {{{ +# Create a backup of the current configuration files. +# Usage: backup_config_once + + local backupdir + + if [ -z "$FLAG_CONFIG_BACKED_UP" ]; then + backupdir=`database_dumping_destdir` + if [ -e "$SLAPD_CONF" ]; then + cp -a "$SLAPD_CONF" "$backupdir" + fi + FLAG_CONFIG_BACKED_UP=yes + fi +} + +# }}} + + +# Set up the defaults for our templates +set_defaults_for_unseen_entries() { + DOMAIN=`hostname -d 2>/dev/null` || true + if [ -z "$DOMAIN" ]; then DOMAIN='nodomain'; fi + + db_fget slapd/domain seen + if [ "$RET" = false ]; then + db_set slapd/domain "$DOMAIN" + fi + + db_fget shared/organization seen + if [ "$RET" = false ]; then + db_set shared/organization "$DOMAIN" + fi +} + +# Check if the user wants to configure slapd manually +want_manual_configuration() { + db_input medium slapd/no_configuration || true + db_go || true + db_get slapd/no_configuration + no_configuration="$RET" + + if [ "$no_configuration" = "true" ]; then + return 0 + fi + return 1 +} + +# Query the information we need to create an initial directory +query_initial_config() { + while true; do + db_input medium slapd/domain || true + db_input medium shared/organization || true + db_input high slapd/password1 || true + db_input high slapd/password2 || true + db_input low slapd/backend || true + db_input low slapd/purge_database || true + # XXX - should be done more general, but for now this should do + # the trick + if [ -e "/var/lib/ldap" ] && ! is_empty_dir /var/lib/ldap; then + db_input low slapd/move_old_database || true + fi + db_go || true + + if validate_initial_config; then + break + fi + done +} + +# Make sure the values entered make sense +validate_initial_config() { + local invalid + invalid="" + + # Make sure the domain name is valid + # The regexp doesn't work for UTF-8 domain names, but for that to + # work, we would also need to Base64 encode it in the LDIF; since + # we're not doing it at the moment, this should be fine for now + db_get slapd/domain + if [ -z "$RET" ] || ! echo "$RET" | grep -q '^[a-zA-Z0-9.-]*$'; then + db_fset slapd/domain seen false + invalid=true + fi + + # Suffix and Organization may not be empty + db_get shared/organization + if [ -z "$RET" ]; then + db_fset shared/organization seen false + invalid=true + fi + + # Make sure the passwords match + local pass1 pass2 + db_get slapd/password1 + pass1="$RET" + db_get slapd/password2 + pass2="$RET" + + if [ "$pass1" != "$pass2" ]; then + db_fset slapd/password1 seen false + db_fset slapd/password2 seen false + invalid=true + fi + + # Tell the user + if [ "$invalid" ]; then + db_fset slapd/invalid_config seen false + db_input critical slapd/invalid_config || true + db_go || true + db_get slapd/invalid_config + if [ "$RET" != "true" ]; then + db_set slapd/no_configuration true + invalid= + fi + fi + + if [ "$invalid" ]; then + return 1 + else + return 0 + fi +} + +crypt_admin_pass() { # {{{ +# Store the encrypted admin password into the debconf db +# Usage: crypt_admin_pass +# XXX: This is the standard unix crypt. Maybe we can get something stronger? + + db_get slapd/password1 + if [ ! -z "$RET" ]; then + db_set slapd/internal/adminpw `create_password_hash "$RET"` + fi +} + +wipe_admin_pass() { +# Remove passwords after creating the initial ldap database. +# Usage: wipe_admin_pass + db_set slapd/password1 "" + db_set slapd/password2 "" + db_set slapd/internal/adminpw "" +} + +# }}} +create_password_hash() { # {{{ +# Create the password hash for the given password +# Usage: hash=`create_password_hash "$password"` + + perl - "$1" <<'EOF' +# --------------- +sub GenRandom { + local ($len) = @_; + local ($char, $data, @chars); + @chars = split(//, "abcdefghijklmnopqrstuvwxyz" + . "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"); + + open(RD, " + + if dpkg --compare-versions "$OLD_VERSION" lt-nl "$1"; then + return 0 + else + return 1 + fi +} + +# }}} +previous_version_newer() { # {{{ +# Check if the previous version is newer than the reference version passed. +# If we are not upgrading the previous version is assumed to be newer than +# any reference version. +# Usage: previous_version_newer + + if dpkg --compare-versions "$OLD_VERSION" gt-nl "$1"; then + return 0 + else + return 1 + fi +} # }}} +upgrade_supported_from_backend() { # {{{ +# Check if upgrading a database in the named backend is supported by +# our scripts. +# Usage: if upgrade_supported_from_backend "backend"; then ... fi + + case "$1" in ldbm|bdb|hdb) return 0; esac + return 1 +} + +# }}} +is_initial_configuration() { # {{{ +# Check if this is the initial configuration and not an upgrade of an +# existing configuration +# Usage: if is_initial_configuration "$@"; then ... fi from top level + + # Plain installation + if [ "$1" = configure ] && [ -z "$2" ]; then + return 0 + fi + # Configuration via dpkg-reconfigure + if [ "$1" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]; then + return 0 + fi + # Upgrade but slapd.conf doesn't exist. If the user is doing this + # intentionally because they want to put it somewhere else, they + # should select manual configuration in debconf. + if [ "$1" = configure ] && [ ! -e "$SLAPD_CONF" ]; then + return 0 + fi + return 1 +} + +# }}} +is_empty_dir() { # {{{ +# Check if a path refers to an empty directory +# Usage: if is_empty_dir "$dir"; then ... fi + + output=`find "$1" -type d -maxdepth 0 -empty 2>/dev/null` + if [ "$output" ]; then + return 0 + else + return 1 + fi +} + +# }}} + +# ===== Global variables ================================================ {{{ +# +# At some points we need to know which version we are upgrading from if +# any. More precisely we only care about the configuration and data we +# might have laying around. Some parts also want to know which mode the +# script is running in. + +MODE="$1" # install, upgrade, etc. - see debian-policy +OLD_VERSION="$2" + +# Source the init script configuration +# See example file debian/slapd.default for variables defined here +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +fi + +# }}} + +# ----- Handling diagnostic output ------------------------------------ {{{ +# +# Often you want to run a program while you are showing progress +# information to the user. If the program you are running outputs some +# diagnostics it will mess up your screen. +# +# This is what the following functions are designed for. When running the +# program, use capture_diagnostics to store what the program outputs to +# stderr and use release_diagnostics to write out the captured output. + + +capture_diagnostics() { # {{{ +# Run the command passed and capture the diagnostic output in a temporary +# file. You can dump that file using release_diagnostics. + + # Create the temporary file + local tmpfile + tmpfile=`mktemp` + exec 7<>"$tmpfile" + rm "$tmpfile" + + # Run the program and capture stderr. If the program fails the + # function fails with the same status. + "$@" 2>&7 || return $? +} + +# }}} +release_diagnostics() { # {{{ +# Dump the diagnostic output captured via capture_diagnostics, optionally +# prefixing each line. +# Usage: release_diagnostics "prefix" + + local script + script=' + seek STDIN, 0, 0; + print "$ARGV[0]$_" while ();'; + perl -e "$script" "$1" <&7 +} + +# }}} + + +# }}} + +# vim: set sw=8 foldmethod=marker: + --- openldap2.3-2.3.38.orig/debian/slapd.conf +++ openldap2.3-2.3.38/debian/slapd.conf @@ -0,0 +1,118 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. + +####################################################################### +# Global Directives: + +# Features to permit +#allow bind_v2 + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/inetorgperson.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +# Read slapd.conf(5) for possible values +loglevel none + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_@BACKEND@ + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +tool-threads 1 + +####################################################################### +# Specific Backend Directives for @BACKEND@: +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +backend @BACKEND@ +@CHECKPOINT@ + +####################################################################### +# Specific Backend Directives for 'other': +# Backend specific directives apply to this backend until another +# 'backend' directive occurs +#backend + +####################################################################### +# Specific Directives for database #1, of type @BACKEND@: +# Database specific directives apply to this databasse until another +# 'database' directive occurs +database @BACKEND@ + +# The base of your directory in database #1 +suffix "@SUFFIX@" + +# rootdn directive for specifying a superuser on the database. This is needed +# for syncrepl. +# rootdn "cn=admin,@SUFFIX@" + +# Where the database file are physically stored for database #1 +directory "/var/lib/ldap" + +@BACKENDOPTIONS@ + +# Indexing options for database #1 +index objectClass eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Where to store the replica logs for database #1 +# replogfile /var/lib/ldap/replog + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by dn="@ADMIN@" write + by anonymous auth + by self write + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by dn="@ADMIN@" write + by * read + +# For Netscape Roaming support, each user gets a roaming +# profile for which they have write access to +#access to dn=".*,ou=Roaming,o=morsnet" +# by dn="@ADMIN@" write +# by dnattr=owner write + +####################################################################### +# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too): +# Database specific directives apply to this databasse until another +# 'database' directive occurs +#database + +# The base of your directory for database #2 +#suffix "dc=debian,dc=org" --- openldap2.3-2.3.38.orig/debian/copyright +++ openldap2.3-2.3.38/debian/copyright @@ -0,0 +1,492 @@ +This package was downloaded from: + + + +The upstream distribution has been repackaged to remove the RFCs and +Internet-Drafts included in the upstream distribution, since the Internet +Society license does not meet the Debian Free Software Guidelines. The +schema files that contain verbatim text from RFCs or Internet-Drafts have +similarly been removed and are replaced during the package build with +versions stripped of the literal RFC or Internet-Draft text. + +Copyright: + +Copyright 1998-2007 The OpenLDAP Foundation +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. A copy of this license is available at +http://www.OpenLDAP.org/license.html or in file LICENSE in the +top-level directory of the distribution (included at the end of +this file). + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Individual files and/or contributed packages may be copyright by +other parties and subject to additional restrictions. + +This work is derived from the University of Michigan LDAP v3.3 +distribution. Information concerning this software is available +at: http://www.umich.edu/~dirsvcs/ldap/ + +This work also contains materials derived from public sources. + +The fix_ldif script is Copyright (c) Dave Horsfall and is available +under the terms of the BSD license. On Debian GNU/Linux systems, the +complete text of the BSD license can be found in +/usr/share/common-licenses/BSD. + +Additional Information about OpenLDAP can be obtained at: + http://www.openldap.org/ + +or by sending e-mail to: + info@OpenLDAP.org + +--- + +The OpenLDAP Public License + Version 2.7, 7 September 2001 + +Redistribution and use of this software and associated documentation +("Software"), with or without modification, are permitted provided +that the following conditions are met: + +1. Redistributions of source code must retain copyright statements + and notices, + +2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + +3. Redistributions must contain a verbatim copy of this document. + +The OpenLDAP Foundation may revise this license from time to time. +Each revision is distinguished by a version number. You may use +this Software under terms of this license revision or under the +terms of any subsequent revision of the license. + +THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS +CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) +OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +The names of the authors and copyright holders must not be used in +advertising or otherwise to promote the sale, use or other dealing +in this Software without specific, written prior permission. Title +to copyright in this Software shall at all times remain with +copyright holders. + +--- +Noted above is that various files can be copyrighted individually. +The licenses found in the OpenLDAP tree are as follows: + +SL +----------------------------------- + * Copyright 2003 Steve Langasek + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. +----------------------------------- + +CRL +----------------------------------- +# Copyright 1999 Computing Research Labs, New Mexico State University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT +# OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +----------------------------------- + + +FSF +----------------------------------- +# Copyright (C) 1994, 1995-8, 1999, 2001 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +----------------------------------- + + +HC +----------------------------------- + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the + * documentation. + * + * 4. This notice may not be removed or altered. + +----------------------------------- + + +IBM +----------------------------------- + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + +----------------------------------- + + +IS +----------------------------------- +# Full Copyright Statement +# +# Copyright (C) The Internet Society (1999). All Rights Reserved. +# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph are +# included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +This license was present in the copies of several schema files and one +LDIF file as distributed upstream. The relevant content has been removed +except where it is purely functional (descriptions of an LDAP schema). +The copyright notice has been retained with a clarifying comment. The +provisions in the above license that prohibit modification therefore +should no longer apply to any files distributed with the Debian package. + +Several files in libraries/libldap also reference this license as the +copyright on ABNF sequences embedded as comments in those files. These +too are purely functional interface specifications distributed as part of +the LDAP protocol standard and do not contain creative work such as +free-form text. +----------------------------------- + + +ISC +----------------------------------- + * Copyright (c) 1996, 1998 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + +----------------------------------- + + +JC +----------------------------------- + * This software is not subject to any license of Silicon Graphics + * Inc. or Purdue University. + * + * Redistribution and use in source and binary forms are permitted + * without restriction or fee of any kind as long as this notice + * is preserved. + +The following is additional information from Juan C. Gomez on how +this license is to be interpreted: +----- +Local-Date: Fri, 06 Jun 2003 13:18:52 -0400 +Date: Fri, 6 Jun 2003 10:18:52 -0700 +From: Juan Gomez +To: Stephen Frost +X-Mailer: Lotus Notes Release 5.0.2a (Intl) 23 November 1999 +Subject: Re: Juan C. Gomez license in OpenLDAP Source + +Stephen, + +"There is no restriction on modifications and derived works" on the work I +did for the openldap server as long as this is consistent with the openldap +license. Please forward this email to Kurt so he does the appropriate +changes to the files to reflect this. + + +Regards, Juan +----------------------------------- + + +MA +----------------------------------- + * Copyright (c) 2000, Mark Adamson, Carnegie Mellon. All rights reserved. + * This software is not subject to any license of Carnegie Mellon University. + * + * Redistribution and use in source and binary forms are permitted without + * restriction or fee of any kind as long as this notice is preserved. + * + * The name "Carnegie Mellon" must not be used to endorse or promote + * products derived from this software without prior written permission. + +The following is additional information from Mark Adamson on how this license +is to be interpreted: +------ +Local-Date: Thu, 05 Jun 2003 16:53:32 -0400 +Date: Thu, 5 Jun 2003 16:53:32 -0400 (EDT) +From: Mark Adamson +To: Stephen Frost +Subject: Re: Mark Adamson license in OpenLDAP source + +Hi Stephen, + + I don't see how this conflicts with the Debian FSG. The first statement +in the copyright pertaining to CMU say only that we don't license out the +software. The second mention denies the right to say things like, +"Now! Powered by software from Carnegie Mellon!" There is no restriction +on modifications and derived works. + +-Mark +------ +----------------------------------- + + +MIT +----------------------------------- +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. + +----------------------------------- + + +OL2 +----------------------------------- +Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, +California, USA. All Rights Reserved. Permission to copy and +distribute verbatim copies of this document is granted. +----------------------------------- + + +PM +----------------------------------- + * Copyright (C) 2000 Pierangelo Masarati, + * All rights reserved. + * + * Permission is granted to anyone to use this software for any purpose + * on any computer system, and to alter it and redistribute it, subject + * to the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, + * credits should appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users + * ever read sources, credits should appear in the documentation. + * + * 4. This notice may not be removed or altered. + * +----------------------------------- + + +PM2 +----------------------------------- + * Redistribution and use in source and binary forms are permitted only + * as authorized by the OpenLDAP Public License. A copy of this + * license is available at http://www.OpenLDAP.org/license.html or + * in file LICENSE in the top-level directory of the distribution. +----------------------------------- + + +UoC +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the University of California, Berkeley. The name of the + * University may not be used to endorse or promote products derived + * from this software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. + +----------------------------------- + + +UoC2 +----------------------------------- + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + +NOTE: The Regents have since retroactively removed the advertising +clause from above. +See: +ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change + +----------------------------------- + + +UoM +----------------------------------- + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. +--- +After discussing this license with the OpenLDAP Foundation we received +clarification on it: +--- + + * To: Stephen Frost + * Subject: Re: OpenLDAP Licenseing issues + * From: "Kurt D. Zeilenga" + * Date: Wed, 28 May 2003 10:55:44 -0700 + * Cc: Steve Langasek ,debian-legal@lists.debian.org, openldap-devel@OpenLDAP.org + * In-reply-to: <20030528162613.GB8524@ns.snowman.net> + * Message-id: <5.2.0.9.0.20030528094229.02924780@127.0.0.1> + * Old-return-path: + +Steven, + +The OpenLDAP Foundation believes it the Regents' statement grants a +license to redistribute derived works and is confident that the University, +who is quite aware of our actions (as they actively participate in them), +does not consider our actions to infringe on their rights. You are +welcomed to your opinions. I suggest, however, that before you rely +on your or other people's opinions (including ours), that you consult +with a lawyer familiar with applicable law and the particulars of your +situation. + +The Foundation sees no reason for it to expend its limited resources +seeking clarifications which it believes are unnecessary. You are, +of course, welcomed to expend time and energy seeking clarifications +you think are necessary. I suggest you contact University's general +counsel office (http://www.umich.edu/~vpgc/). + +Regards, Kurt +----------------------------------- + + --- openldap2.3-2.3.38.orig/debian/ldap-utils.dirs +++ openldap2.3-2.3.38/debian/ldap-utils.dirs @@ -0,0 +1,3 @@ +usr/bin +usr/share/man +usr/share/lintian/overrides --- openldap2.3-2.3.38.orig/debian/slapd.manpages +++ openldap2.3-2.3.38/debian/slapd.manpages @@ -0,0 +1,43 @@ +debian/tmp/usr/share/man/man5/slapd.access.5 +debian/tmp/usr/share/man/man5/slapd-hdb.5 +debian/tmp/usr/share/man/man5/slapd-meta.5 +debian/tmp/usr/share/man/man5/slapd-perl.5 +debian/tmp/usr/share/man/man5/slapd-shell.5 +debian/tmp/usr/share/man/man5/slapd-bdb.5 +debian/tmp/usr/share/man/man5/slapd-hdb.5 +debian/tmp/usr/share/man/man5/slapd-ldap.5 +debian/tmp/usr/share/man/man5/slapd-monitor.5 +debian/tmp/usr/share/man/man5/slapd.plugin.5 +debian/tmp/usr/share/man/man5/slapd-sql.5 +debian/tmp/usr/share/man/man5/slapd.conf.5 +debian/tmp/usr/share/man/man5/slapd-null.5 +debian/tmp/usr/share/man/man5/slapd-relay.5 +debian/tmp/usr/share/man/man5/slapd-tcl.5 +debian/tmp/usr/share/man/man5/slapd-dnssrv.5 +debian/tmp/usr/share/man/man5/slapd-ldif.5 +debian/tmp/usr/share/man/man5/slapd-passwd.5 +debian/tmp/usr/share/man/man5/slapd.replog.5 +debian/tmp/usr/share/man/man5/slapo-accesslog.5 +debian/tmp/usr/share/man/man5/slapo-auditlog.5 +debian/tmp/usr/share/man/man5/slapo-chain.5 +debian/tmp/usr/share/man/man5/slapo-dynlist.5 +debian/tmp/usr/share/man/man5/slapo-lastmod.5 +debian/tmp/usr/share/man/man5/slapo-pcache.5 +debian/tmp/usr/share/man/man5/slapo-ppolicy.5 +debian/tmp/usr/share/man/man5/slapo-refint.5 +debian/tmp/usr/share/man/man5/slapo-retcode.5 +debian/tmp/usr/share/man/man5/slapo-rwm.5 +debian/tmp/usr/share/man/man5/slapo-syncprov.5 +debian/tmp/usr/share/man/man5/slapo-translucent.5 +debian/tmp/usr/share/man/man5/slapo-unique.5 +debian/tmp/usr/share/man/man5/slapo-valsort.5 +debian/tmp/usr/share/man/man8/slurpd.8 +debian/tmp/usr/share/man/man8/slapd.8 +debian/tmp/usr/share/man/man8/slapadd.8 +debian/tmp/usr/share/man/man8/slapcat.8 +debian/tmp/usr/share/man/man8/slapacl.8 +debian/tmp/usr/share/man/man8/slapauth.8 +debian/tmp/usr/share/man/man8/slapdn.8 +debian/tmp/usr/share/man/man8/slapindex.8 +debian/tmp/usr/share/man/man8/slappasswd.8 +debian/tmp/usr/share/man/man8/slaptest.8 --- openldap2.3-2.3.38.orig/debian/libldap-2.3-0.install +++ openldap2.3-2.3.38/debian/libldap-2.3-0.install @@ -0,0 +1,8 @@ +debian/tmp/usr/lib/liblber-2.3.so.0 usr/lib +debian/tmp/usr/lib/liblber-2.3.so.0.*.* usr/lib +debian/tmp/usr/lib/libldap-2.3.so.0 usr/lib +debian/tmp/usr/lib/libldap-2.3.so.0.*.* usr/lib +debian/tmp/usr/lib/libldap_r-2.3.so.0 usr/lib +debian/tmp/usr/lib/libldap_r-2.3.so.0.*.* usr/lib +debian/tmp/usr/lib/libslapi-2.3.so.0 usr/lib +debian/tmp/usr/lib/libslapi-2.3.so.0.*.* usr/lib --- openldap2.3-2.3.38.orig/debian/DB_CONFIG +++ openldap2.3-2.3.38/debian/DB_CONFIG @@ -0,0 +1,78 @@ +# WARNING: Before tuning the following parameters, _PLEASE READ_ +# /usr/share/doc/slapd/README.DB_CONFIG.gz + +# Set the database in memory cache size. +# +# set_cachesize +# Sets the database in memory cache size. +# Database entries and indexes will be stored in this cache to +# avoid disk access during database read and write operations. +# Tuning this value can greatly effect your database performance. +# The parameters are: +# : The number of gigabytes of memory to allocate to the cache. +# : The number of bytes of memory to allocate to the cache. +# : The number of cache segments to use. If this value is set to +# 0 or 1 then Berkeley DB will try to allocate one contiguous section +# of memory for the cache. If this value is greater than 1, the cache +# will be split into that number of segments. +#set_cachesize 0 52428800 0 + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +set_cachesize 0 2097152 0 + +# Sets the database startup flags. +# +# set_flags +# There are various flag options that may be set. The DB_TXN_NOSYNC flag +# tells the database not to immediately flush transaction buffers to disk. +# Setting this flag can help speed up database access during periods of +# database write activity BUT at expense of data safety. Enable it only +# to load data with slapadd, while slapd is not running. +#set_flags DB_TXN_NOSYNC + + +# Set the maximum in memory cache in for database file name caching. +# +# set_lg_regionmax +# This value should be increased as the number of database files increases +# (tables and indexes). +#set_lg_regionmax 1048576 + +# Set the maximum size of log files in . +# +# set_lg_max +# Logs will be rotated when amount of data have been written to +# one log file. This value should be at least four times the size of +# set_lg_bsize. +#set_lg_max 10485760 + +# Set the in memory cache for log information. +# +# set_lg_bsize +# When amount of logging information have been written to this +# cache it will be flushed to disk. +#set_lg_bsize 2097152 +# For the Debian package we use 512kByte which should suffice for typical +# directory usage (read often, write seldom) +set_lg_bsize 524288 + +# Set the log file directory to . +# +# set_lg_dir /usr/local/var/openldap-logs +# Log files should preferably be on a different disk than the +# database files. This both improves reliability (for disastrous +# recovery) and speed of the database. +#set_lg_dir + + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 +# for more information. + +# Number of objects that can be locked at the same time. +set_lk_max_objects 5000 +# Number of locks (both requested and granted) +set_lk_max_locks 5000 +# Number of lockers +set_lk_max_lockers 5000 --- openldap2.3-2.3.38.orig/debian/slapd.examples +++ openldap2.3-2.3.38/debian/slapd.examples @@ -0,0 +1,3 @@ +debian/DB_CONFIG +debian/slapd.conf +debian/slapd.backup --- openldap2.3-2.3.38.orig/debian/slapd.postinst +++ openldap2.3-2.3.38/debian/slapd.postinst @@ -0,0 +1,90 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +# This will be replaced with debian/slapd.scripts-common which includes +# various helper functions and $OLD_VERSION and $SLAPD_CONF +#SCRIPTSCOMMON# + +postinst_initial_configuration() { # {{{ +# Configure slapd for the first time (when first installed) +# Usage: postinst_initial_configuration + + if manual_configuration_wanted; then + echo " Omitting slapd configuration as requested." >&2 + else + create_new_configuration + configure_v2_protocol_support + fi +} + +# }}} +postinst_upgrade_configuration() { # {{{ +# Handle upgrading slapd from some older version +# Usage: postinst_upgrade_configuration + + # Better back up the config file in any case + echo -n " Backing up $SLAPD_CONF in `database_dumping_destdir`... " >&2 + backup_config_once + echo done. >&2 + + configure_v2_protocol_support + if previous_version_older 2.1; then + autoconfigure_modules + fi + update_access_config_directives + + if previous_version_older 2.3.25-1; then + update_path_argsfile_pidfile + + # Directory /var/run/slapd is suddenly gone, dpkg removes it because it's + # now generated from the postinst scripts. See create_ldap_directories. + if [ ! -d "/var/run/slapd" ]; then + mkdir -m 0755 /var/run/slapd + fi + fi + + if database_format_changed; then + # During upgrading we have to load the old data + move_incompatible_databases_away + # Change the configuration if we want to migrate DBs + db_get slapd/migrate_ldbm_to_bdb + if [ "$RET" = "true" ]; then + config_migrate_backend ldbm bdb + # Make sure we don't dump the DB for migration + # again... + db_set slapd/migrate_ldbm_to_bdb false + fi + load_databases + fi + + # Update permissions of all database directories and /var/run/slapd, + # /var/spool/slurpd + update_databases_permissions + update_permissions /var/run/slapd + update_permissions /var/spool/slurpd +} + +# }}} + +# Create a new user +if [ "$MODE" = "configure" ]; then + create_new_user +fi + +# Configuration. +if is_initial_configuration "$@"; then + postinst_initial_configuration +else + postinst_upgrade_configuration +fi + +db_stop || true + +#DEBHELPER# + +exit 0 + +# vim: set sw=8 foldmethod=marker: --- openldap2.3-2.3.38.orig/debian/slapd.README.Debian +++ openldap2.3-2.3.38/debian/slapd.README.Debian @@ -0,0 +1,112 @@ +Notes about Debian's slapd package +---------------------------------- + +++ TCP Wrappers + + The Debian slapd package is compiled with TCP wrappers. This means that you + are able to restrict access to the LDAP server using /etc/hosts.deny or + /etc/hosts.allow. + +++ No LDBM backend support + + The Debian slapd package no longer includes support for the LDBM backend. + It has been disabled as a result of concerns over data loss and lack of + upstream support. For more information, see: + http://www.openldap.org/faq/index.cgi?_highlightWords=ldbm&file=756 + The BDB backend is now the main backend to use. This backend is supported + upstream and has several fixes included for known problems. + +++ Using BDB/HDB backends + + slapd BDB and HDB backends rely on libdb to store data on your + disks. libdb uses a configuration file to tune database + specific parameters. This file is called DB_CONFIG, and should + be created in each directory containing one of your ldap + databases, usually /var/lib/ldap. With libdb4.2 and previous + versions, and thus with slapd 2.2, it is _VERY IMPORTANT_ to + correctly setup a DB_CONFIG file. + It is not just a matter of performance: depending on the + version of slapd and libdb being used, your slapd may just + hang and stop answering queries. To correctly setup your + DB_CONFIG file, please refer to README.DB_CONFIG.gz in this directory. + +++ Running slapd under a different uid/gid + + In order to run slapd under a different uid/gid, you + need to: + - create the user/group for slapd/slurpd -- usually: + adduser --system --group ldap + - stop slapd -- /etc/init.d/slapd stop + - tell slapd to run under a different uid: + - edit /etc/default/slapd + - set SLAPD_USER, SLAPD_GROUP + (ie, SLAPD_USER="ldap", SLAPD_GROUP="ldap") + - tell linux slapd can access all database files -- usually: + chown -R ldap.ldap /var/lib/ldap + - tell linux slapd can access configuration files -- usually: + chgrp ldap /etc/ldap/slapd.conf + chmod 0640 /etc/ldap/slapd.conf + - tell linux slapd can access /var/run/slapd and writes his pid file + chgrp ldap /var/run/slapd + chmod 0770 /var/run/slapd + - edit /etc/init.d/slapd and run the db_recover command as the non root + user + - start slapd -- /etc/init.d/slapd start + + Once you have done so, if you are using a bdb o hdb backend, + always remember to execute the chown after running utilities + such as db4.x_recover or db4.x_checkpoint. + +++ When upgrading from OpenLDAP 2.0 + + Starting with OpenLDAP 2.1, backend modules are compiled as dynamically + loadable shared objects in Debian. As a consequence thereof, you need to + specify the path of the modules and the modules to load in your slapd.conf + file for now. This can be done by lines such as the following: + + modulepath /usr/lib/ldap + moduleload back_bdb + + for the BDB database backend module. + + To switch the database backend, you should export your current database + in LDIF format with the slapcat command (be sure to stop slapd before + doing so if you're using LDBM), move the old database files away, change + /etc/ldap/slapd.conf, and then reimport your database from the LDIF file + via slapadd. + +++ TLS/SSL support + + This version of the OpenLDAP server and its library is compiled with the + OpenSSL library as supported by the upstream sources. Other packages + are not allowed to link against this version of OpenLDAP (or rather + its library) but this way we have a working OpenLDAP server. + + Client packages will have to continue using the old libldap2 package + for ldap access as that version is linked against GNUTLS to allow + for example dynamic linking into Samba. We are working on updating that + GNUTLS patch for OpenLDAP 2.2 and getting it into the upstream package. + + When that is accomplished the old libldap2 packages will disappear + and OpenLDAP 2.2 will be used together with GNUTLS in Debian. + +++ If slapd depends on other service (such as SQL) + + In the event that you are running slapd with a different back-end module + that depends on other programs (such as an SQL database) you may need to + adjust the runlevels of slapd to start after the SQL database. + +++ Creating NSS flat files from LDAP + + If you have need to create passwd/shadow/etc files from an LDAP + directory there is now a script included with these Debian packages + which may help you. The script is in /usr/share/slapd/ and is named + 'ldiftopasswd'. In general you should be able to do: + ldapsearch | ldiftopasswd + and it will generate the files for you. You will need appropriate + privileges, of course. + + -- The Debian OpenLDAP maintainers + Torsten Landschoff + Roland Bauerschmidt + Stephen Frost --- openldap2.3-2.3.38.orig/debian/upstream_strip_nondfsg.sh +++ openldap2.3-2.3.38/debian/upstream_strip_nondfsg.sh @@ -0,0 +1,43 @@ +#! /bin/sh +# +# Strips non-DFSG-free content from the OpenLDAP upstream tarball. This +# script must be run from the top directory of the Debian package source +# since it needs debian/schema to know what schema to remove from upstream. + +set -e + +if [ "$#" -ne 1 ]; then + echo >&2 "Usage: $0 " + exit 1 +fi +if [ ! -d "debian/schema" ] ; then + echo >&2 "$0 must be run from the top directory of the Debian source" + exit 1 +fi + +archive=$1 + + +# Unpack the upstream archive to a temporary directory +tempdir=`mktemp -d` +tar -C $tempdir -xzf $archive + + +# Remove RFCs and drafts as they are not DFSG-free +rm -R $tempdir/openldap-*/doc/drafts +rm -R $tempdir/openldap-*/doc/rfc + +# Remove schema for which we have a local stripped version. +for schema in debian/schema/*.schema debian/schema/*.ldif ; do + file=`basename "$schema"` + rm $tempdir/openldap-*/servers/slapd/schema/$file +done + + +# Recreate the archive from the data +temparchive=`mktemp $archive.XXXXXX` +tar -C $tempdir -cf - .|gzip -9 > "$temparchive" +mv $temparchive $archive + +# Remove temporary files +rm -R $tempdir --- openldap2.3-2.3.38.orig/debian/libldap-2.3-0.manpages +++ openldap2.3-2.3.38/debian/libldap-2.3-0.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man5/ldap.conf.5 --- openldap2.3-2.3.38.orig/debian/libldap-2.3-0.README.Debian +++ openldap2.3-2.3.38/debian/libldap-2.3-0.README.Debian @@ -0,0 +1,22 @@ +Notes about Debian's libldap2 package +------------------------------------- + +It has been reported that using libnss-ldap can cause a failure to +unmount /usr on system shutdown. The reason is that the nss module +uses libldap from /usr and is used by the shell in the system +scripts executed on shutdown/reboot. + +More precisely bash uses the getpwuid function to get the data of +the current user which pulls in the nss modules which includes +the ldap libraries if you are using that module. + +Possible solutions to this problem are: + +a) use another shell that does not utilize getpwuid for getting info + about the current user (take dash for example). +b) make sure that the nsswitch.conf is replaced by a version which does + not mention ldap before the system is shut down (and have a startup + script that installs the "full" version of that file). +c) move the libraries to /lib (not recommended). + + -- Torsten Landschoff Mon, 30 Sep 2002 11:06:22 +0200 --- openldap2.3-2.3.38.orig/debian/slapd.templates +++ openldap2.3-2.3.38/debian/slapd.templates @@ -0,0 +1,222 @@ +Template: slapd/no_configuration +Type: boolean +Default: false +_Description: Omit OpenLDAP server configuration? + If you enable this option, no initial configuration or database will be + created for you. + +Template: slapd/dump_database +Type: select +Choices: always, when needed, never +Default: when needed +_Description: Dump databases to file on upgrade: + Before upgrading to a new version of the OpenLDAP server the data of + your LDAP directories can be dumped to plain text files (LDIF format) + which is a standardized description of that data (LDIF stands for + LDAP Data Interchange Format). + . + Selecting "always" will make the maintainer scripts dump your + databases before upgrading unconditionally. Selecting "when needed" + will only dump the database if the new version is incompatible with + the old database format and it has to be reimported. The "never" + choice will just go ahead without ever dumping your database. + +Template: slapd/dump_database_destdir +Type: string +Default: /var/backups/slapd-VERSION +_Description: Directory to dump databases: + Please specify the directory where the LDAP databases will be exported. + Within this directory several LDIF files are created which correspond + to the search bases located on the server. Make sure you have enough + free space on the partition the directory is located. The first + occurrence of the string "VERSION" is replaced with the server version + you are upgrading from. The default is /var/backups/slapd-VERSION + +Template: slapd/move_old_database +Type: boolean +Default: true +_Description: Move old database? + There are still files in /var/lib/ldap which will probably break + the configuration process. If you enable this option, the maintainer + scripts will move the old database files out of the way before + creating a new database. + +Template: slapd/invalid_config +Type: boolean +Default: true +_Description: Invalid configuration. Retry configuration? + The configuration you entered is invalid. Make sure that the DNS domain name + has a valid syntax, the organization is not left empty and that the admin + passwords match. If you decide not to retry the configuration the LDAP server + will not be set up. Run "dpkg-reconfigure" if you want to retry later. + +Template: slapd/domain +Type: string +_Description: DNS domain name: + The DNS domain name is used to construct the base DN of your LDAP directory. + Entering foo.bar.org will give you the base DN dc=foo, dc=bar, dc=org. + +Template: shared/organization +Type: string +_Description: Name of your organization: + Whatever you enter here will be stored as the name of your organization in + the base DN of your LDAP directory. + +Template: slapd/password1 +Type: password +_Description: Admin password: + Please enter the password for the admin entry in your LDAP directory. + +Template: slapd/password2 +Type: password +_Description: Confirm password: + Please reenter the admin password for your LDAP directory for + verification. + +Template: slapd/password_mismatch +Type: note +_Description: Password mismatch + The admin password and its confirmation must match. Please note that + differences such as uppercase/lowercase and added whitespace matter. + +Template: slapd/purge_database +Type: boolean +Default: false +_Description: Do you want your database to be removed when slapd is purged? + +Template: slapd/internal/adminpw +Type: password +_Description: Encrypted admin password: + +Template: slapd/autoconf_modules +Type: boolean +Default: true +_Description: Change configuration to load backend modules? + Starting with OpenLDAP 2.1 backends are not longer built into the + server but are instead dynamically loaded at startup. This means that + the slapd configuration has to be changed to load the modules for the + backends you are using. + . + If you choose this option, an attempt to fix the configuration will be + made. If you don't select this, you *must* fix your configuration file + yourself or slapd (and slapcat if you are upgrading from an older version) + will fail and the package will not be installed. For more information, + read /usr/share/doc/slapd/README.Debian. + +Template: slapd/allow_ldap_v2 +Type: boolean +Default: false +_Description: Allow LDAPv2 protocol? + The slapd daemon now disables the old LDAPv2 protocol by default. + Programs and users are generally expected to be upgraded to LDAPv3. + If you have old programs which have not been moved to use LDAPv3 + and you still need LDAPv2 support then select this option and + 'allow bind_v2' will be added to your slapd.conf to tell slapd to + accept LDAPv2 connections. + +Template: slapd/fix_directory +Type: boolean +Default: true +_Description: Fix LDAP directory on upgrade? + The installation scripts of the old OpenLDAP 2.0 packages create a + directory that does not conform to the ldap schema. The new version is + more strict about this and you won't be able to access your directory + after the upgrade without fixing it. + . + If you choose this option, an attempt to fix it for you will occur. + +Template: slapd/suffix_change +Type: boolean +Default: false +_Description: Move aside current database and create a new one? + You have specified a directory suffix (domain) that doesn't match the + one currently in /etc/ldap/slapd.conf. Changing the directory suffix + requires moving aside the current LDAP database and creating a new + one. Please confirm whether you want to abandon the current database + (a backup will be made). + +Template: slapd/upgrade_slapcat_failure +Type: note +_Description: slapcat failed during upgrade + An error occurred during the attempt to upgrade your LDAP directory. + This error occurred when performing the 'slapcat' which attempts to + extract your LDAP directory. This failure could be because of an + incorrect config file. For example, if the appropriate moduleload + lines for your backend database type are missing. This failure + will cause 'slapadd' later to fail too. The old database files are + about to be moved to /var/backups. If you want to try this upgrade + again then move the old database files back into place, fix whatever + caused slapcat to fail, and run: + slapcat | /usr/share/slapd/fix_ldif -w -o "$organization" > $location + . + Then move the database files back to a backup area and then try running + slapadd from $location. + +Template: slapd/upgrade_slapadd_failure +Type: note +_Description: slapadd failed during upgrade + An error occurred during the attempt to upgrade your LDAP directory. + This error occurred when performing the 'slapadd' which attempts to + populate an empty new LDAP directory using the information from your + original LDAP directory. Your original LDAP directory files have + been saved in /var/backups. The results of the attempted upgrade + is the ldif file in /var/backups. slapadd may have failed due to + a configuration problem (in which case slapcat would have failed + too) or due to a problem in the LDIF file. If the problem was with the + LDIF file, you may be able to fix it and attempt the slapadd again. + +Template: slapd/slave_databases_require_updateref +Type: note +_Description: Slave databases require updateref option + In your slapd configuration file at least one database is + configured as slave, and the updateref option is not set. + The updateref option specifies the referral(s) to pass back + when slapd is asked to modify a replicated local database. + See slapd.conf(5) for more details. + . + Starting with version 2.1.23, slapd requires the updateref + option to be set on slaves. You should make sure to fix + your slapd.conf configuration file. + +Template: slapd/migrate_ldbm_to_bdb +Type: boolean +Default: true +_Description: Change backend type from LDBM to BDB? + The LDBM backend type has been deprecated in OpenLDAP 2.2 and has shown to not + work well. BDB is the recommended choice of the OpenLDAP developers. + . + When using the BDB backend make sure you configure BDB properly. For + information to do so, see /usr/share/doc/slapd/README.DB_CONFIG.gz + . + If you enable this option an attempt will be made to update your + configuration to use BDB instead of LDBM and convert your databases. + +Template: slapd/backend +Type: select +Choices: BDB, HDB +Default: BDB +_Description: Database backend to use: + The BDB backend is the recommended choice of the OpenLDAP developers. + When using the BDB backend make sure that you configure the underlying + database for your requirements. + Look into /usr/share/doc/slapd/README.DB_CONFIG.gz + . + HDB is the next generation of BDB which might replace it sometime in + the future. There are some problems still in the HDB code of the 2.2 + series of OpenLDAP so you should probably stick to BDB until version 2.3. + . + The BDB backend (back-bdb) and LDBM backend (back-ldbm) are comparable in + purpose and back-bdb evolved from experience gained from back-ldbm, but the + two are quite distinct today. They both store entries based on a 32-bit entry + ID key, and they use a dn2id table to map from DNs to entry IDs. They both + perform attribute indexing using the same code, and store index data as lists + of entry IDs. As such, the LDAP-specific features they offer are nearly + identical. The differences are in the APIs used to implement the databases. + back-ldbm uses a generic database API that can plug into several different + database packages. In Debian, it's built against BerkeleyDB (BDB). While + BerkeleyDB supports this generic interface, it also offers a much richer API + that has a lot more power and a lot more complexity. back-bdb is written + specifically for the full BDB API, and uses some of BDB's more advanced + features to offer transaction processing, fine grained locking, and other + features that offer improved concurrency and reliability. For more + information, see /usr/share/doc/slapd/README.DB_CONFIG.gz --- openldap2.3-2.3.38.orig/debian/patches/man-slapd +++ openldap2.3-2.3.38/debian/patches/man-slapd @@ -0,0 +1,51 @@ +Index: doc/man/man8/slapd.8 +=================================================================== +--- doc/man/man8/slapd.8.orig ++++ doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + .B [\-[4|6]] + .B [\-T {acl|add|auth|cat|dn|index|passwd|test}] + .B [\-d debug\-level] +@@ -85,7 +85,9 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug\-level\fP. + \fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See for details. ++different kind of debugging information. The meaning is the same as for ++the \fBloglevel\fP configuration option documented in ++.BR slapd.conf (5). + Remember that if you turn on packet logging, packets containing bind passwords + will be output, so if you redirect the log to a logfile, that file should + be read-protected. +@@ -234,7 +236,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -245,7 +247,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd -f /var/tmp/slapd.conf -d 255 ++ /usr/sbin/slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -253,7 +255,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd -Tt ++ /usr/sbin/slapd -Tt + .ft + .fi + .LP --- openldap2.3-2.3.38.orig/debian/patches/wrong-database-location +++ openldap2.3-2.3.38/debian/patches/wrong-database-location @@ -0,0 +1,68 @@ +Index: doc/man/man5/slapd-bdb.5 +=================================================================== +--- doc/man/man5/slapd-bdb.5.orig 2007-05-23 13:05:50.000000000 -0700 ++++ doc/man/man5/slapd-bdb.5 2007-05-23 13:05:53.000000000 -0700 +@@ -96,7 +96,7 @@ Specify the directory where the BDB file + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B dirtyread + Allow reads of modified but not yet committed data. +Index: doc/man/man5/slapd-ldbm.5 +=================================================================== +--- doc/man/man5/slapd-ldbm.5.orig 2007-05-23 13:05:50.000000000 -0700 ++++ doc/man/man5/slapd-ldbm.5 2007-05-23 13:05:53.000000000 -0700 +@@ -84,7 +84,7 @@ Specify the directory where the LDBM fil + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B + index {|default} [pres,eq,approx,sub,] +Index: doc/man/man5/slapd.conf.5 +=================================================================== +--- doc/man/man5/slapd.conf.5.orig 2007-05-23 13:05:50.000000000 -0700 ++++ doc/man/man5/slapd.conf.5 2007-05-23 13:05:53.000000000 -0700 +@@ -1873,7 +1873,7 @@ suffix "dc=our-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +Index: include/ldap_defaults.h +=================================================================== +--- include/ldap_defaults.h.orig 2007-05-23 13:05:53.000000000 -0700 ++++ include/ldap_defaults.h 2007-05-23 13:06:15.000000000 -0700 +@@ -47,7 +47,7 @@ + /* location of the default slapd config file */ + #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #define SLAPD_DEFAULT_DB_MODE 0600 + #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" + /* default max deref depth for aliases */ +Index: servers/slapd/Makefile.in +=================================================================== +--- servers/slapd/Makefile.in.orig 2007-05-23 13:05:50.000000000 -0700 ++++ servers/slapd/Makefile.in 2007-05-23 13:05:53.000000000 -0700 +@@ -430,9 +430,9 @@ install-conf: FORCE + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + --- openldap2.3-2.3.38.orig/debian/patches/man-slurpd +++ openldap2.3-2.3.38/debian/patches/man-slurpd @@ -0,0 +1,49 @@ +Index: doc/man/man8/slurpd.8 +=================================================================== +--- doc/man/man8/slurpd.8.orig ++++ doc/man/man8/slurpd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slurpd \- Standalone LDAP Update Replication Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slurpd [\-d debug\-level] ++.B /usr/sbin/slurpd [\-d debug\-level] + .B [\-f slapd\-config\-file] [\-r slapd\-replog\-file] + .B [\-t temp\-dir] [\-o] + .B +@@ -82,7 +82,7 @@ + .TP + .BI \-f " slapd\-config\-file" + Specifies the slapd configuration file. The default is +-.BR ETCDIR/slapd.conf . ++.BR /etc/ldap/slapd.conf . + .TP + .BI \-r " slapd\-replog\-file" + Specifies the name of the +@@ -120,7 +120,7 @@ + temporary files may contain sensitive information. + This option allows you to specify the location of these temporary files. + The default is +-.BR LOCALSTATEDIR/openldap-slurp . ++.BR /var/spool/slurpd/replica . + .SH EXAMPLES + To start + .I slurpd +@@ -131,7 +131,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slurpd ++ /usr/sbin/slurpd + .ft + .fi + .LP +@@ -144,7 +144,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slurpd -f ETCDIR/slapd.conf -d 255 ++ /usr/sbin/slurpd -f /etc/ldap/slapd.conf -d 255 + .ft + .fi + .LP --- openldap2.3-2.3.38.orig/debian/patches/series +++ openldap2.3-2.3.38/debian/patches/series @@ -0,0 +1,13 @@ +man-slapd -p0 +slurpd-in-spool +ntlm-ldap_h-hack -p0 +ntlm_c +libldap-makefile_in +slapi-errorlog-file -p0 +ldapi-socket-place -p0 +read-config-before-dropping-privileges -p0 +wrong-database-location -p0 +index-files-created-as-root -p0 +sasl-default-path -p0 +man-slurpd -p0 +ITS5119 -p0 --- openldap2.3-2.3.38.orig/debian/patches/slurpd-in-spool +++ openldap2.3-2.3.38/debian/patches/slurpd-in-spool @@ -0,0 +1,12 @@ +diff -urNad openldap2.3-2.3.11~/servers/slurpd/slurp.h openldap2.3-2.3.11/servers/slurpd/slurp.h +--- openldap2.3-2.3.11~/servers/slurpd/slurp.h 2005-12-01 13:48:46.000000000 +0100 ++++ openldap2.3-2.3.11/servers/slurpd/slurp.h 2005-12-02 11:22:47.856278500 +0100 +@@ -67,7 +67,7 @@ + #define SERVICE_NAME OPENLDAP_PACKAGE "-slurpd" + + /* Default directory for slurpd's private copy of replication logs */ +-#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp" ++#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "spool/slurpd" + + /* Default name for slurpd's private copy of the replication log */ + #define DEFAULT_SLURPD_REPLOGFILE "slurpd.replog" --- openldap2.3-2.3.38.orig/debian/patches/libldap-makefile_in +++ openldap2.3-2.3.38/debian/patches/libldap-makefile_in @@ -0,0 +1,57 @@ +Part of this patch adds the necessary makefile logic for the NTLM code. +The rest explicitly links libldap_r against the threading libraries to +prevent unversioned references to pthread symbols. + +The threading part only is ITS#4982. + +diff -urNad openldap2.3-2.3.11~/libraries/libldap/Makefile.in openldap2.3-2.3.11/libraries/libldap/Makefile.in +--- openldap2.3-2.3.11~/libraries/libldap/Makefile.in 2005-12-01 13:48:50.000000000 +0100 ++++ openldap2.3-2.3.11/libraries/libldap/Makefile.in 2005-12-02 10:04:11.513209500 +0100 +@@ -20,7 +20,7 @@ + SRCS = bind.c open.c result.c error.c compare.c search.c \ + controls.c messages.c references.c extended.c cyrus.c \ + modify.c add.c modrdn.c delete.c abandon.c \ +- sasl.c sbind.c kbind.c unbind.c cancel.c \ ++ sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ + filter.c free.c sort.c passwd.c whoami.c \ + getdn.c getentry.c getattr.c getvalues.c addentry.c \ + request.c os-ip.c url.c sortctrl.c vlvctrl.c \ +@@ -31,7 +31,7 @@ + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + controls.lo messages.lo references.lo extended.lo cyrus.lo \ + modify.lo add.lo modrdn.lo delete.lo abandon.lo \ +- sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ ++ sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + filter.lo free.lo sort.lo passwd.lo whoami.lo \ + getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ + request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ +diff -urNad openldap2.3-2.3.11~/libraries/libldap_r/Makefile.in openldap2.3-2.3.11/libraries/libldap_r/Makefile.in +--- openldap2.3-2.3.11~/libraries/libldap_r/Makefile.in 2005-12-01 13:48:50.000000000 +0100 ++++ openldap2.3-2.3.11/libraries/libldap_r/Makefile.in 2005-12-02 10:05:17.637342000 +0100 +@@ -22,7 +22,7 @@ + bind.c open.c result.c error.c compare.c search.c \ + controls.c messages.c references.c extended.c cyrus.c \ + modify.c add.c modrdn.c delete.c abandon.c \ +- sasl.c sbind.c kbind.c unbind.c cancel.c \ ++ sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ + filter.c free.c sort.c passwd.c whoami.c \ + getdn.c getentry.c getattr.c getvalues.c addentry.c \ + request.c os-ip.c url.c sortctrl.c vlvctrl.c \ +@@ -38,7 +38,7 @@ + bind.lo open.lo result.lo error.lo compare.lo search.lo \ + controls.lo messages.lo references.lo extended.lo cyrus.lo \ + modify.lo add.lo modrdn.lo delete.lo abandon.lo \ +- sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ ++ sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + filter.lo free.lo sort.lo passwd.lo whoami.lo \ + getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ + request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ +@@ -56,7 +56,7 @@ + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) +-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) + + .links : Makefile + @for i in $(XXSRCS); do \ --- openldap2.3-2.3.38.orig/debian/patches/ldapi-socket-place +++ openldap2.3-2.3.38/debian/patches/ldapi-socket-place @@ -0,0 +1,13 @@ +Index: include/ldap_defaults.h +=================================================================== +--- include/ldap_defaults.h.orig ++++ include/ldap_defaults.h +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS --- openldap2.3-2.3.38.orig/debian/patches/slapi-errorlog-file +++ openldap2.3-2.3.38/debian/patches/slapi-errorlog-file @@ -0,0 +1,13 @@ +Index: servers/slapd/slapi/slapi_overlay.c +=================================================================== +--- servers/slapd/slapi/slapi_overlay.c.orig ++++ servers/slapd/slapi/slapi_overlay.c +@@ -882,7 +882,7 @@ + ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex ); + + if ( slapi_log_file == NULL ) +- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" ); ++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" ); + + rc = slapi_int_init_object_extensions(); + if ( rc != 0 ) --- openldap2.3-2.3.38.orig/debian/patches/sasl-default-path +++ openldap2.3-2.3.38/debian/patches/sasl-default-path @@ -0,0 +1,54 @@ +Index: include/ldap_defaults.h +=================================================================== +--- include/ldap_defaults.h.orig ++++ include/ldap_defaults.h +@@ -65,4 +65,6 @@ + /* dn of the default "monitor" subentry */ + #define SLAPD_MONITOR_DN "cn=Monitor" + ++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2" ++ + #endif /* _LDAP_CONFIG_H */ +Index: servers/slapd/sasl.c +=================================================================== +--- servers/slapd/sasl.c.orig ++++ servers/slapd/sasl.c +@@ -951,12 +951,38 @@ + + #endif /* HAVE_CYRUS_SASL */ + ++static int ++slap_sasl_getconfpath( void * context, char ** path ) ++{ ++ char * sasl_default_configpath; ++ size_t len; ++ ++#if SASL_VERSION_MAJOR >= 2 ++ sasl_default_configpath = "/usr/lib/sasl2"; ++#else ++ sasl_default_configpath = "/usr/lib/sasl"; ++#endif ++ ++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ + ++ strlen(sasl_default_configpath) + 1 /* \0 */; ++ *path = malloc( len ); ++ if ( *path == NULL ) ++ return SASL_FAIL; ++ ++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH, ++ sasl_default_configpath ) != len-1 ) ++ return SASL_FAIL; ++ ++ return SASL_OK; ++} ++ + int slap_sasl_init( void ) + { + #ifdef HAVE_CYRUS_SASL + int rc; + static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, &slap_sasl_log, NULL }, ++ { SASL_CB_GETCONFPATH, &slap_sasl_getconfpath, NULL }, + { SASL_CB_LIST_END, NULL, NULL } + }; + --- openldap2.3-2.3.38.orig/debian/patches/ntlm_c +++ openldap2.3-2.3.38/debian/patches/ntlm_c @@ -0,0 +1,142 @@ +diff -urNad openldap2.3-2.3.11~/libraries/libldap/ntlm.c openldap2.3-2.3.11/libraries/libldap/ntlm.c +--- openldap2.3-2.3.11~/libraries/libldap/ntlm.c 1970-01-01 01:00:00.000000000 +0100 ++++ openldap2.3-2.3.11/libraries/libldap/ntlm.c 2005-12-02 09:47:08.226364500 +0100 +@@ -0,0 +1,138 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} ++ --- openldap2.3-2.3.38.orig/debian/patches/ITS5119 +++ openldap2.3-2.3.38/debian/patches/ITS5119 @@ -0,0 +1,12 @@ +Index: servers/slapd/modify.c +=================================================================== +--- servers/slapd/modify.c.orig ++++ servers/slapd/modify.c +@@ -734,6 +734,7 @@ + "%s: value #%ld normalization failed", + ml->sml_type.bv_val, (long) nvals ); + *text = textbuf; ++ BER_BVZERO( &ml->sml_nvalues[nvals] ); + return rc; + } + } --- openldap2.3-2.3.38.orig/debian/patches/read-config-before-dropping-privileges +++ openldap2.3-2.3.38/debian/patches/read-config-before-dropping-privileges @@ -0,0 +1,30 @@ +Index: servers/slapd/main.c +=================================================================== +--- servers/slapd/main.c.orig ++++ servers/slapd/main.c +@@ -648,12 +648,6 @@ + } + #endif + +-#if defined(HAVE_SETUID) && defined(HAVE_SETGID) +- if ( username != NULL || groupname != NULL ) { +- slap_init_user( username, groupname ); +- } +-#endif +- + extops_init(); + lutil_passwd_init(); + slap_op_init(); +@@ -675,6 +669,12 @@ + goto destroy; + } + ++#if defined(HAVE_SETUID) && defined(HAVE_SETGID) ++ if ( username != NULL || groupname != NULL ) { ++ slap_init_user( username, groupname ); ++ } ++#endif ++ + if ( debug_unknowns ) { + rc = parse_debug_unknowns( debug_unknowns, &slap_debug ); + ldap_charray_free( debug_unknowns ); --- openldap2.3-2.3.38.orig/debian/patches/ntlm-ldap_h-hack +++ openldap2.3-2.3.38/debian/patches/ntlm-ldap_h-hack @@ -0,0 +1,30 @@ +Index: include/ldap.h +=================================================================== +--- include/ldap.h.orig 2007-05-23 13:05:50.000000000 -0700 ++++ include/ldap.h 2007-05-23 13:05:53.000000000 -0700 +@@ -2118,5 +2118,25 @@ LDAP_F( const char * ) + ldap_passwordpolicy_err2txt LDAP_P(( LDAPPasswordPolicyError )); + #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */ + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ + LDAP_END_DECL + #endif /* _LDAP_H */ --- openldap2.3-2.3.38.orig/debian/patches/index-files-created-as-root +++ openldap2.3-2.3.38/debian/patches/index-files-created-as-root @@ -0,0 +1,28 @@ +Index: doc/man/man8/slapindex.8 +=================================================================== +--- doc/man/man8/slapindex.8.orig ++++ doc/man/man8/slapindex.8 +@@ -90,6 +90,10 @@ + should not be running (at least, not in read-write + mode) when you do this to ensure consistency of the database. + .LP ++slapindex ought to be run as the user specified for ++.BR slapd (8) ++to ensure correct database permissions. ++.LP + This command provides ample opportunity for the user to obtain + and drink their favorite beverage. + .SH EXAMPLES +Index: servers/slapd/slapindex.c +=================================================================== +--- servers/slapd/slapindex.c.orig ++++ servers/slapd/slapindex.c +@@ -34,6 +34,8 @@ + int + slapindex( int argc, char **argv ) + { ++ if (geteuid() == 0) ++ fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); + ID id; + int rc = EXIT_SUCCESS; + const char *progname = "slapindex"; --- openldap2.3-2.3.38.orig/debian/tests/create_account +++ openldap2.3-2.3.38/debian/tests/create_account @@ -0,0 +1,24 @@ +#! /usr/bin/perl -w + +# Shows how to create an entry on the LDAP server + +$host = "localhost"; # LDAP server +$basedn = "dc=galaxy"; # Base DN +$admindn = "cn=admin, $basedn"; # Admin entry +$adminpass = "foo"; # Password + +use Net::LDAP; + +$ldap = Net::LDAP->new("$host", onerror => "die"); +$ldap->bind($admindn, password => $adminpass); + +# Create "ou=People" entry if not there + +$results = $ldap->search(base => "$basedn", + filter => "ou=People", scope => "one"); +unless ($results->count > 0) { + $ldap->add("ou=People, $basedn", attr => [ + ou => "People", + objectClass => [ "top", "organizationalUnit" ] + ]); +} --- openldap2.3-2.3.38.orig/debian/tests/find_unused_functions +++ openldap2.3-2.3.38/debian/tests/find_unused_functions @@ -0,0 +1,30 @@ +#! /usr/bin/perl -w + +use autouse Data::Dumper, qw{Dumper}; + +# Script to find the unused shell functions in slapd.scripts-common + +our @code; + +# Get all shell code from maintainer scripts + +foreach my $file ((, , , + )) { + open SCRIPT, "<$file" or + die "Can't open $file: $!"; + push @code,