Ubuntu
openldap package

debian/apparmor-profile (+60/-0)
debian/changelog (+2450/-0)
debian/configure.options (+1/-0)
debian/control (+6/-3)
debian/libldap-2.4-2.symbols (+7/-0)
debian/patches/contrib-makefiles (+21/-0)
debian/patches/fix-ldap-distribution.patch (+24/-0)
debian/patches/gssapi.diff (+140/-0)
debian/patches/series (+2/-0)
debian/rules (+23/-3)
debian/slapd.README.Debian (+13/-2)
debian/slapd.default (+1/-1)
debian/slapd.init.ldif (+0/-1)
debian/slapd.install (+2/-0)
debian/slapd.manpages (+1/-0)
debian/slapd.py (+51/-0)
debian/slapd.scripts-common (+7/-2)
debian/slapd.ufw.profile (+9/-0)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Christian Ehrhardt  (community)	2020-03-06	Approve on 2020-03-09
Canonical Server	2020-03-06	Pending
Review via email: mp+380368@code.launchpad.net

Description of the change

Merge from debian to grab a bug fix for a crash.

Testing instructions:

* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script

* run the script:
sudo apt update && sudo sh ./script

* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead

* With the fixed packages, you get a living slapd at the end (you can run the script again on the same system):
sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-03-09:

Thanks git rande-diff !
10: 1432313c ! 10: c8c73d89
Just context noise in d/p/patches
13: 7df62af4 < -: -------- - was an empty commit for "dropped"
14: 848d4820 ! 13: aa3c53cd - changelog being different (ok)
15: 88f31ebd ! 14: 3834f198 - changelog being different (ok)
All others are ==

Changelog:
- [√] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [√] changelog entries correct
- [√] update-maintainer has been run

Actual changes:
- [√] no major upstream changes to consider
- [√] no further upstream version to consider
- [√] debian changes look safe
And in particular for now they don't need an FFe IMHO

Old Delta:
- [√] nothing else to drop
- [√] changes forwarded upstream/debian (no new content, and we had done in the past)

New Delta:
- [√] no new patches added

Build/Test:
- [√] build is ok
- [√] verified PPA package installs/uninstalls
- [√] sanity checks test fine

P.S. I see you also plan an SRU for this fix, I hope it backports well - at least it is small.

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-03-09:

Thanks, tagging and uploading 2f77298068c07b2c101f55d9ead3fda799e882bc

$ git push pkg upload/2.4.49+dfsg-2ubuntu1
Enumerating objects: 95, done.
Counting objects: 100% (95/95), done.
Delta compression using up to 4 threads
Compressing objects: 100% (77/77), done.
Writing objects: 100% (79/79), 28.89 KiB | 1.16 MiB/s, done.
Total 79 (delta 57), reused 5 (delta 2)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
* [new tag] upload/2.4.49+dfsg-2ubuntu1 -> upload/2.4.49+dfsg-2ubuntu1

$ dput ubuntu ../openldap_2.4.49+dfsg-2ubuntu1_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.49+dfsg-2ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.49+dfsg-2ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.49+dfsg-2ubuntu1.dsc: done.
  Uploading openldap_2.4.49+dfsg.orig.tar.gz: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1.debian.tar.xz: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1_source.buildinfo: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-03-16:

This migrated.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/apparmor-profile b/debian/apparmor-profile
 new file mode 100644
 index 0000000..793fa7b
 --- /dev/null
 +++ b/debian/apparmor-profile
@@ -0,0 +1,60 @@
++# vim:syntax=apparmor
++# Last Modified: Fri Jan  4 15:18:13 2008
++# Author: Jamie Strandboge <jamie@ubuntu.com>
++
++#include <tunables/global>
++
++/usr/sbin/slapd {
++  #include <abstractions/base>
++  #include <abstractions/nameservice>
++  #include <abstractions/p11-kit>
++
++  #include <abstractions/ssl_certs>
++  /etc/ssl/private/ r,
++  /etc/ssl/private/* r,
++
++  /etc/sasldb2 r,
++
++  capability dac_override,
++  capability net_bind_service,
++  capability setgid,
++  capability setuid,
++
++  /etc/gai.conf r,
++  /etc/hosts.allow r,
++  /etc/hosts.deny r,
++
++  # ldap files
++  /etc/ldap/** kr,
++  /etc/ldap/slapd.d/** rw,
++
++  # kerberos/gssapi
++  /dev/tty rw,
++  /etc/gss/mech.d/   r,
++  /etc/gss/mech.d/* kr,
++  /etc/krb5.keytab kr,
++  /etc/krb5/user/*/client.keytab kr,
++  owner /tmp/krb5cc_* rwk,
++  /var/tmp/ rw,
++  /var/tmp/** rw,
++
++  # the databases and logs
++  /var/lib/ldap/ r,
++  /var/lib/ldap/** rwk,
++
++  # lock file
++  /var/lib/ldap/alock kw,
++
++  # pid files and sockets
++  /{,var/}run/slapd/* w,
++  /{,var/}run/slapd/ldapi rw,
++  /{,var/}run/nslcd/socket rw,
++
++  /usr/lib/ldap/ r,
++  /usr/lib/ldap/* mr,
++
++  /usr/sbin/slapd mr,
++
++  # Site-specific additions and overrides. See local/README for details.
++  #include <local/usr.sbin.slapd>
++}
 diff --git a/debian/changelog b/debian/changelog
 index 56ce1ee..e4fd52b 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,55 @@
++openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1866303). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++        [Dropped the ldap_gssapi_bind_s() hunk as that is already
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 06 Mar 2020 11:39:12 -0300
++
  openldap (2.4.49+dfsg-2) unstable; urgency=medium
    * slapd.README.Debian: Document the initial setup performed by slapd's
@@ -9,6 +61,62 @@ openldap (2.4.49+dfsg-2) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 05 Mar 2020 12:59:46 -0800
++openldap (2.4.49+dfsg-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++        [Dropped the ldap_gssapi_bind_s() hunk as that is already
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++  * Dropped:
++    - d/control: slapd can depend on perl:any since it only uses perl for
++      some maintainer and helper scripts.
++      [In 2.4.49+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 10 Feb 2020 12:13:47 -0300
++
  openldap (2.4.49+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -37,6 +145,102 @@ openldap (2.4.49+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 06 Feb 2020 10:08:12 -0800
++openldap (2.4.48+dfsg-1ubuntu4) focal; urgency=medium
++
++  * d/control: slapd can depend on perl:any since it only uses perl for
++    some maintainer and helper scripts. The perl backend links against
++    the correct architecture perl libraries already. Can be dropped
++    after https://salsa.debian.org/openldap-team/openldap/commit/794c736
++    is in a Debian upload.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Jan 2020 16:46:11 -0300
++
++openldap (2.4.48+dfsg-1ubuntu3) focal; urgency=medium
++
++  * No-change rebuild against libnettle7
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2019 22:13:44 +0000
++
++openldap (2.4.48+dfsg-1ubuntu2) focal; urgency=medium
++
++  * No-change rebuild for the perl update.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 19:37:23 +0000
++
++openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++  * Dropped:
++    - Fix sysv-generator unit file by customizing parameters (LP #1821343)
++      + d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
++        correct systemctl status for slapd daemon.
++      + d/slapd.install: place override file in correct location.
++      [Included in 2.4.48+dfsg-1]
++    - SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
++      + debian/patches/CVE-2019-13057-1.patch: add restriction to
++        servers/slapd/saslauthz.c.
++      + debian/patches/CVE-2019-13057-2.patch: add tests to
++        tests/data/idassert.out, tests/data/slapd-idassert.conf,
++        tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
++      + debian/patches/CVE-2019-13057-3.patch: fix typo in
++        tests/scripts/test028-idassert.
++      + debian/patches/CVE-2019-13057-4.patch: fix typo in
++        tests/scripts/test028-idassert.
++      + CVE-2019-13057
++      [Fixed upstream]
++    - SECURITY UPDATE: SASL SSF not initialized per connection
++      + debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
++        connection_init in servers/slapd/connection.c.
++      + CVE-2019-13565
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 31 Jul 2019 18:01:14 -0300
++
  openldap (2.4.48+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -64,6 +268,87 @@ openldap (2.4.48+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 25 Jul 2019 08:32:00 -0700
++openldap (2.4.47+dfsg-3ubuntu3) eoan; urgency=medium
++
++  * SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
++    - debian/patches/CVE-2019-13057-1.patch: add restriction to
++      servers/slapd/saslauthz.c.
++    - debian/patches/CVE-2019-13057-2.patch: add tests to
++      tests/data/idassert.out, tests/data/slapd-idassert.conf,
++      tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
++    - debian/patches/CVE-2019-13057-3.patch: fix typo in
++      tests/scripts/test028-idassert.
++    - debian/patches/CVE-2019-13057-4.patch: fix typo in
++      tests/scripts/test028-idassert.
++    - CVE-2019-13057
++  * SECURITY UPDATE: SASL SSF not initialized per connection
++    - debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
++      connection_init in servers/slapd/connection.c.
++    - CVE-2019-13565
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 Jul 2019 13:21:00 -0400
++
++openldap (2.4.47+dfsg-3ubuntu2) disco; urgency=medium
++
++  * Fix sysv-generator unit file by customizing parameters (LP: #1821343)
++    - d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
++      correct systemctl status for slapd daemon.
++    - d/slapd.install: place override file in correct location.
++
++ -- Heitor Alves de Siqueira <halves@canonical.com>  Mon, 08 Apr 2019 12:39:12 -0300
++
++openldap (2.4.47+dfsg-3ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++  * Added changes:
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 11 Feb 2019 09:20:47 -0200
++
  openldap (2.4.47+dfsg-3) unstable; urgency=medium
    * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
@@ -79,6 +364,63 @@ openldap (2.4.47+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sat, 02 Feb 2019 10:30:10 -0800
++openldap (2.4.47+dfsg-2ubuntu1) disco; urgency=medium
++
++  * Merge from Debian unstable (LP: #1811630).  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++  * Update nssov build and packaging for Debian changes:
++    - Drop patch nssov-build
++    - d/rules:
++      - add nssov to CONTRIB_MODULES
++      - add sysconfdir to CONTRIB_MAKEVARS
++    - d/slapd.install:
++      - install nssov overlay
++    - d/slapd.manpages:
++      - install slapo-nssov(5) man page
++
++ -- Ryan Tandy <ryan@nardis.ca>  Sun, 13 Jan 2019 04:47:09 +0000
++
  openldap (2.4.47+dfsg-2) unstable; urgency=medium
    * Reintroduce slapi-dev binary package. (Closes: #711469)
@@ -116,6 +458,63 @@ openldap (2.4.47+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Dec 2018 12:50:40 -0800
++openldap (2.4.46+dfsg-5ubuntu3) disco; urgency=medium
++
++  * d/apparmor-profile: update apparmor profile to allow reading of
++    files needed when slapd is behaving as a kerberos/gssapi client
++    and acquiring its own ticket. (LP: #1783183)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 09 Nov 2018 21:29:51 -0200
++
++openldap (2.4.46+dfsg-5ubuntu2) disco; urgency=medium
++
++  * No-change rebuild for the perl 5.28 transition.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Fri, 02 Nov 2018 18:14:37 -0600
++
++openldap (2.4.46+dfsg-5ubuntu1) cosmic; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 09 May 2018 13:44:37 +0200
++
  openldap (2.4.46+dfsg-5) unstable; urgency=medium
    * Restore slapd-smbk5pwd now that libldap is installable in unstable.
@@ -135,6 +534,49 @@ openldap (2.4.46+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Fri, 04 May 2018 07:36:58 -0700
++openldap (2.4.46+dfsg-2ubuntu1) cosmic; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 04 May 2018 10:19:24 +0200
++
  openldap (2.4.46+dfsg-2) unstable; urgency=medium
    * Remove version constraint from libldap-2.4-2 dependency on libldap-common.
@@ -164,6 +606,49 @@ openldap (2.4.46+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 03 May 2018 07:03:30 -0700
++openldap (2.4.45+dfsg-1ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 28 Jul 2017 14:49:07 +0200
++
  openldap (2.4.45+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -205,6 +690,49 @@ openldap (2.4.45+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 27 Jul 2017 18:04:41 -0700
++openldap (2.4.44+dfsg-8ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 17 Jul 2017 10:58:24 +0200
++
  openldap (2.4.44+dfsg-8) unstable; urgency=medium
    * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
@@ -215,6 +743,52 @@ openldap (2.4.44+dfsg-8) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Jul 2017 12:57:41 -0700
++openldap (2.4.44+dfsg-7ubuntu1) artful; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 27 Jun 2017 10:21:41 +0200
++
  openldap (2.4.44+dfsg-7) unstable; urgency=medium
    * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
@@ -222,6 +796,52 @@ openldap (2.4.44+dfsg-7) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Tue, 27 Jun 2017 18:53:12 -0700
++openldap (2.4.44+dfsg-6ubuntu1) artful; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 27 Jun 2017 10:21:41 +0200
++
  openldap (2.4.44+dfsg-6) unstable; urgency=medium
    * Update the list of non-translatable strings for the
@@ -230,6 +850,54 @@ openldap (2.4.44+dfsg-6) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 26 Jun 2017 19:42:02 -0700
++openldap (2.4.44+dfsg-5ubuntu1) artful; urgency=medium
++
++   * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sun, 28 May 2017 22:43:50 +0200
++
  openldap (2.4.44+dfsg-5) unstable; urgency=medium
    * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an
@@ -241,6 +909,54 @@ openldap (2.4.44+dfsg-5) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 May 2017 09:59:46 -0700
++openldap (2.4.44+dfsg-4ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 22 Apr 2017 14:28:54 +0200
++
  openldap (2.4.44+dfsg-4) unstable; urgency=medium
    * Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to
@@ -287,6 +1003,67 @@ openldap (2.4.44+dfsg-4) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Apr 2017 20:10:43 -0700
++openldap (2.4.44+dfsg-3ubuntu2) zesty; urgency=medium
++
++  * d/rules: Fix typo in previous upload.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 12:17:02 -0800
++
++openldap (2.4.44+dfsg-3ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian unstable (LP: #1663702, LP: #1654416). Remaining
++    changes
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++  * Drop:
++    - d/slapd.scripts-common:
++      + Remove unused variable new_conf.
++    [ configure_v2_protocol_support function removed in 2.4.44+dfsg-1 ]
++    - d/b/config.log: add config.log
++    [ previously undocumented, stray change ]
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 11:38:57 -0800
++
  openldap (2.4.44+dfsg-3) unstable; urgency=medium
    * Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394)
@@ -359,6 +1136,73 @@ openldap (2.4.44+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 14 Nov 2016 18:59:30 -0800
++openldap (2.4.42+dfsg-2ubuntu5) zesty; urgency=medium
++
++  * No-change rebuild for perl 5.24 transition
++
++ -- Iain Lane <iain@orangesquash.org.uk>  Mon, 24 Oct 2016 10:37:13 +0100
++
++openldap (2.4.42+dfsg-2ubuntu4) yakkety; urgency=medium
++
++  * Fix use after free with GnuTLS. (LP: #1557248)
++
++ -- Maciej Puzio <maciej@work.swmed.edu>  Fri, 25 Mar 2016 15:24:25 -0500
++
++openldap (2.4.42+dfsg-2ubuntu3) xenial; urgency=medium
++
++  * Fix building with gssapi suppport:
++    - Explicitly add -I/usr/include/heimdal to CFLAGS.
++    - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 18 Feb 2016 09:17:27 +0100
++
++openldap (2.4.42+dfsg-2ubuntu2) xenial; urgency=medium
++
++  * No-change rebuild for gnutls transition.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Feb 2016 22:27:04 +0000
++
++openldap (2.4.42+dfsg-2ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian testing (LP: #1532648). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Drop CVE-2015-6908.patch, included in Debian.
++  * Remove DEB_HOST_ARCH from debian/rules: left over from when mdb was
++    disabled on ppc64el, no longer used, and missed in the previous merge.
++
++ -- Ryan Tandy <ryan@nardis.ca>  Sun, 10 Jan 2016 15:50:53 -0800
++
  openldap (2.4.42+dfsg-2) unstable; urgency=medium
    [ Ryan Tandy ]
@@ -426,6 +1270,71 @@ openldap (2.4.42+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Fri, 21 Aug 2015 13:07:51 -0700
++openldap (2.4.41+dfsg-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild for Perl 5.22.1.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 18 Dec 2015 15:10:17 +0000
++
++openldap (2.4.41+dfsg-1ubuntu2) wily; urgency=medium
++
++  * SECURITY UPDATE: denial of service via crafted BER data
++    - debian/patches/CVE-2015-6908.patch: remove obsolete assert in
++      libraries/liblber/io.c.
++    - CVE-2015-6908
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Sep 2015 10:25:04 -0400
++
++openldap (2.4.41+dfsg-1ubuntu1) wily; urgency=medium
++
++  * Merge from Debian testing (LP: #1471831). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Dropped changes:
++    - Fix cpp calls for GCC 5: fixed upstream (ITS#8056)
++  * Upstream fixes:
++    - slapd crash with auditlog overlay and large (~27KB) attribute values
++      (ITS#8003) (LP: #1461276)
++    - nssov updated to support recent nss-pam-ldapd client libraries
++      (ITS#8097) (LP: #1393306)
++  * Update d/patches/nssov-build for upstream changes.
++  * Tweak d/patches/gssapi.diff to apply without fuzz.
++  * d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++    - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++    - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Ryan Tandy <ryan@nardis.ca>  Fri, 24 Jul 2015 14:12:06 -0700
++
  openldap (2.4.41+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -445,6 +1354,62 @@ openldap (2.4.40+dfsg-2) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 Jun 2015 20:40:37 -0700
++openldap (2.4.40+dfsg-1ubuntu2) wily; urgency=medium
++
++  * No-change rebuild for the libnettle6 transition.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Sun, 14 Jun 2015 03:58:30 -0600
++
++openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low
++
++  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Drop patches included upstream:
++    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
++    - d/patches/bdb-deadlock.patch
++    - d/patches/its-7354-fix-delta-sync-mmr.diff
++  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
++  * debian/patches/nssov-build: Adjust for upstream changes.
++  * debian/apparmor-profile:
++    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
++      kernel ABI v7 (utopic and later). (LP: #1392018)
++    - Reduce permissions on /run/nslcd to just the nslcd socket.
++  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
++    (LP: #1293250)
++
++ -- Ryan Tandy <ryan@nardis.ca>  Mon, 25 May 2015 19:49:21 -0700
++
  openldap (2.4.40+dfsg-1) unstable; urgency=medium
    * Remove inetorgperson.schema from the upstream source. Replace it with a
@@ -633,6 +1598,187 @@ openldap (2.4.39-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 17 Mar 2014 15:27:31 -0700
++openldap (2.4.31-1+nmu2ubuntu12) vivid; urgency=medium
++
++  * Fix cpp calls for GCC 5.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 06 Mar 2015 13:23:29 +0100
++
++openldap (2.4.31-1+nmu2ubuntu11) utopic; urgency=medium
++
++  * debian/apparmor-profile:
++    - allow p11-kit abstraction
++    - allow read of /etc/gss/mech.d/*
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 02 Sep 2014 15:29:05 -0500
++
++openldap (2.4.31-1+nmu2ubuntu10) utopic; urgency=medium
++
++  * Rebuild for Perl 5.20.0.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 21 Aug 2014 13:29:20 +0100
++
++openldap (2.4.31-1+nmu2ubuntu9) utopic; urgency=medium
++
++  * Cherry-pick upstream patch for compat with recent GNUTLS.
++  * Build-depend on libgnutls28-dev.
++  * Build-depend on libgcrypt20-dev.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 08 Aug 2014 11:01:56 +0100
++
++openldap (2.4.31-1+nmu2ubuntu8) trusty; urgency=medium
++
++  * Bump database_format_changed value to 2.4.31-1+nmu2ubuntu5 for db5.3.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Mon, 17 Mar 2014 12:50:18 -0600
++
++openldap (2.4.31-1+nmu2ubuntu7) trusty; urgency=medium
++
++  * Disable mdb backend on ppc64el due to test-suite failures.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 17 Mar 2014 16:32:29 +0000
++
++openldap (2.4.31-1+nmu2ubuntu6) trusty; urgency=low
++
++  * Fix segfault issue with master-master syncrepl (LP: #1287730):
++    - d/patches/its-7354-fix-delta-sync-mmr.diff: Cherry picked
++      patch from upstream VCS.
++
++ -- Pierre Fersing <pfersing@sierrawireless.com>  Tue, 04 Mar 2014 16:04:57 +0100
++
++openldap (2.4.31-1+nmu2ubuntu5) trusty; urgency=low
++
++  * Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
++
++ -- Dmitrijs Ledkovs <xnox@ubuntu.com>  Mon, 04 Nov 2013 08:04:30 +0000
++
++openldap (2.4.31-1+nmu2ubuntu4) trusty; urgency=low
++
++  * Rebuild for Perl 5.18.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 22 Oct 2013 12:16:39 +0100
++
++openldap (2.4.31-1+nmu2ubuntu3) saucy; urgency=low
++
++  * Update build/config.guess and build/config.sub at build time; this was
++    not done automatically because the top-level configure.in does not use
++    Automake.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 08 Oct 2013 17:24:59 +0100
++
++openldap (2.4.31-1+nmu2ubuntu2) saucy; urgency=low
++
++  * debian/control: added lsb-release
++  * debian/patches/fix-ldap-distribution.patch: show distribution in version
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Mon, 08 Jul 2013 16:53:09 +0200
++
++openldap (2.4.31-1+nmu2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++      - d/slapd.dirs: add etc/apparmor.d/force-complain
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added libkrb5-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,/rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - d/{control,rules}: enable PIE hardening
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 30 May 2013 13:03:25 -0400
++
++openldap (2.4.31-1+nmu2) unstable; urgency=high
++
++  * Non-maintainer upload.
++  * No-change rebuild in a clean environment
++
++ -- Jonathan Wiltshire <jmw@debian.org>  Tue, 23 Apr 2013 13:10:00 +0100
++
++openldap (2.4.31-1+nmu1) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Avoid deadlocks in back-bdb that truncate slapcat output (closes: #673038).
++
++ -- Michael Gilbert <mgilbert@debian.org>  Tue, 16 Apr 2013 03:35:31 +0000
++
++openldap (2.4.31-1ubuntu2) quantal-proposed; urgency=low
++
++  * debian/slapd.py: Add AppArmor info and logs to apport hook.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 20 Aug 2012 08:46:02 -0400
++
++openldap (2.4.31-1ubuntu1) quantal; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++      - d/slapd.dirs: add etc/apparmor.d/force-complain
++    - Enable GSSAPI support (LP: #495418):
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added libkrb5-dev as a build depend
++    - Enable ufw support (LP: #423246):
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay (LP: #675391):
++      - d/{patches/nssov-build,/rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook. (LP: #610544)
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open (LP: #390579)
++    - d/{control,rules}: enable PIE hardening
++  * Dropped changes:
++    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Included in upstream release.
++    - d/patches/CVE-2011-4079: Included in upstream release.
++    - d/patches/service-operational-before-detach: Included in upstream release.
++    - d/schema/extra/misc.ldif: Included upstream.
++    - d/{rules,schema/extra}: Fix configure and clean rules to support
++      extra schemas shipped as part of the debian/schema/ directory; no longer required.
++    - Included in Debian:
++      + Document cn=config in README file.
++      + Install a default DIT; actually a minimal configuration.
++      + d/patches/heimdal-fix.
++  * General tidy of d/patches to remove obsolete patches being held in Ubuntu delta.
++
++ -- James Page <james.page@ubuntu.com>  Fri, 20 Jul 2012 13:48:32 +0100
++
  openldap (2.4.31-1) unstable; urgency=low
    * New upstream release.
@@ -659,6 +1805,121 @@ openldap (2.4.31-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Wed, 27 Jun 2012 03:27:34 +0000
++openldap (2.4.28-1.1ubuntu6) quantal; urgency=low
++
++  * Fix issue with intermittent connection issues when using LDAPv3
++    protocol (LP: #1023025):
++    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
++      patch from upstream VCS which ensures objects are initialized before
++      re-use.
++
++ -- Pierre Fersing <pfersing@sierrawireless.com>  Thu, 19 Jul 2012 14:05:09 +0100
++
++openldap (2.4.28-1.1ubuntu5) quantal; urgency=low
++
++  * debian/rules: Add smbk5pwd build.
++  * debian/control: Add slapd-smbk5pwd binary package.
++  * debian/patches/heimdal-fix: adapt parameters of
++    hdb_generate_key_set_password() to heimdal 1.6~git20120311
++    (patch from Debian #664930).
++
++ -- Jorge Salamero Sanz <bencer@debian.org>  Wed, 18 Jul 2012 09:30:28 -0400
++
++openldap (2.4.28-1.1ubuntu4) precise; urgency=low
++
++  * debian/control: Build-Depends on dh-apparmor (LP: #948481)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 05 Apr 2012 09:34:37 -0500
++
++openldap (2.4.28-1.1ubuntu3) precise; urgency=low
++
++  * Add its-7176-only-poll-sockets-for-write-as-needed.diff
++    (LP: #932823).
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com>  Tue, 21 Feb 2012 15:36:29 +0200
++
++openldap (2.4.28-1.1ubuntu2) precise; urgency=low
++
++  * Remove debian/patches/CVE-2011-4079; it's already in this upstream
++    version. Fixes FTBFS.
++
++ -- Daniel T Chen <crimsun@ubuntu.com>  Wed, 25 Jan 2012 17:26:17 -0500
++
++openldap (2.4.28-1.1ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++      + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
++        (CVE-2011-4079)
++
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 23 Jan 2012 10:01:13 -0500
++
++openldap (2.4.28-1.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Disable the mdb backend on non-Linux, it looks like it doesn't work with
++    linuxthreads (closes: #654824).
++
++ -- Julien Cristau <jcristau@debian.org>  Mon, 16 Jan 2012 19:45:42 +0100
++
  openldap (2.4.28-1) unstable; urgency=low
    * New upstream release.
@@ -686,6 +1947,72 @@ openldap (2.4.28-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Thu, 05 Jan 2012 06:07:11 +0000
++openldap (2.4.25-4ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++      + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
++        (CVE-2011-4079)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Nov 2011 06:17:49 +0000
++
  openldap (2.4.25-4) unstable; urgency=low
    * Drop explicit depends on libdb4.8, since we're now linking against
@@ -719,6 +2046,85 @@ openldap (2.4.25-4) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 18 Oct 2011 01:08:34 +0000
++openldap (2.4.25-3ubuntu3) precise; urgency=low
++
++  * Rebuild for Perl 5.14.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 15 Nov 2011 20:50:09 +0000
++
++openldap (2.4.25-3ubuntu2) precise; urgency=low
++
++  * SECURITY UPDATE: potential denial of service (LP: #884163)
++    - debian/patches/CVE-2011-4079: fix off by one error in
++      postalAddressNormalize()
++    - CVE-2011-4079
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 14 Nov 2011 13:59:56 -0600
++
++openldap (2.4.25-3ubuntu1) precise; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 19 Oct 2011 20:53:08 +0000
++
  openldap (2.4.25-3) unstable; urgency=low
    * Brown paper bag: really fix the .links.in handling, so we don't generate
@@ -741,6 +2147,92 @@ openldap (2.4.25-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 14 Aug 2011 23:17:09 -0700
++openldap (2.4.25-1.1ubuntu4) oneiric; urgency=low
++
++  * Brown paper bag: really fix the .links.in handling, so we don't generate
++    broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 15 Aug 2011 09:43:29 +0000
++
++openldap (2.4.25-1.1ubuntu3) oneiric; urgency=low
++
++  * Cherry-pick multiarch support from Debian (LP: #826601):
++    - Bump to compat level 7, so we don't have to spell out debian/tmp in
++      every single .install file
++    - Build for multiarch.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 15 Aug 2011 02:23:43 -0700
++
++openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low
++
++  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 14 Jul 2011 15:18:02 +0200
++
++openldap (2.4.25-1.1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 05 Jun 2011 17:38:40 +0100
++
  openldap (2.4.25-1.1) unstable; urgency=low
    * Non-maintainer upload to fix RC bug.
@@ -748,6 +2240,75 @@ openldap (2.4.25-1.1) unstable; urgency=low
   -- Thijs Kinkhorst <thijs@debian.org>  Tue, 31 May 2011 11:57:29 +0200
++openldap (2.4.25-1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++       + Dropped:
++         - debian/patches/gold: Use the debian version instead
++         - debian/patches/CVE-2011-1024: Fixed upstream
++         - debian/patches/CVE-2011-1025: Fixed upstream
++         - debian/patches/CVE-2011-1081: Fixed upstream
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 08 May 2011 16:34:09 +0100
++
  openldap (2.4.25-1) unstable; urgency=low
    * New upstream version (Closes: #617606, #618904, #606815, #608813)
@@ -779,6 +2340,116 @@ openldap (2.4.23-7) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat, 06 Nov 2010 12:13:01 +0100
++openldap (2.4.23-6ubuntu7) oneiric; urgency=low
++
++  * Rebuild for Perl 5.12.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Sun, 08 May 2011 13:40:28 +0100
++
++openldap (2.4.23-6ubuntu6) natty; urgency=low
++
++  * SECURITY UPDATE: fix successful anonymous bind via chain overlay when
++    using forwarded authentication failures
++    - debian/patches/CVE-2011-1024
++    - CVE-2011-1024
++  * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb
++    backend. Note: Ubuntu is not compiled with --enable-ndb by default
++    - debian/patches/CVE-2011-1025
++    - CVE-2011-1025
++  * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
++    and requestDN is empty
++    - debian/patches/CVE-2011-1081
++    - CVE-2011-1081
++    - LP: #742104
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 07 Apr 2011 11:36:53 -0500
++
++openldap (2.4.23-6ubuntu5) natty; urgency=low
++
++  * debian/patches/service-operational-before-detach: New patch replacing
++    old one of same name as previous could cause database corruption,
++    based on upstream commits. (LP: #727973)
++
++ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Wed, 02 Mar 2011 20:33:08 +0000
++
++openldap (2.4.23-6ubuntu4) natty; urgency=low
++
++  * Fix FTBFS with ld.gold.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 19 Jan 2011 07:39:49 +0100
++
++openldap (2.4.23-6ubuntu3) natty; urgency=low
++
++  * debian/patches/gssapi.diff:
++    Update patch so that likewise-open is usable again (LP: #661547)
++
++ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Fri, 26 Nov 2010 15:50:11 +0100
++
++openldap (2.4.23-6ubuntu2) natty; urgency=low
++
++  * Install nss overlay (LP: #675391):
++    - debian/rules: run install target for nssov module.
++    - debian/patches/nssov-build: fix patch to install schema in
++      /etc/ldap/schema.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 17 Nov 2010 18:16:42 -0500
++
++openldap (2.4.23-6ubuntu1) natty; urgency=low
++
++  * Merge from Debian unstable:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 12 Nov 2010 15:19:07 -0500
++
  openldap (2.4.23-6) unstable; urgency=high
    * Check for an empty directory to prevent an rm -f /*. (Closes: #597704)
@@ -901,6 +2572,80 @@ openldap (2.4.23-1) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 12 Jul 2010 13:25:00 +0200
++openldap (2.4.23-0ubuntu4) natty; urgency=low
++
++  * debian/slapd.templates: amended typo in slapd/move_old_database
++    (LP: #666028)
++
++ -- James Page <james.page@canonical.com>  Mon, 08 Nov 2010 10:00:58 +0000
++
++openldap (2.4.23-0ubuntu3.2) maverick-proposed; urgency=low
++
++  * debian/slapd.templates: re-add slapd/move_old_database template as it's
++    used during the package upgrade. Thanks to James Page for pointing it.
++  * debian/slapd.config: restore debconf question slapd/move_old_database.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 14 Oct 2010 16:56:38 -0400
++
++openldap (2.4.23-0ubuntu3.1) maverick-proposed; urgency=low
++
++  [ James Page ]
++  * Fixed install/upgrade process to dump/restore databases due
++    to uplift to libdb4.8-dev (LP: #658227)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 14 Oct 2010 14:50:49 -0400
++
++openldap (2.4.23-0ubuntu3) maverick; urgency=low
++
++  * debian/rules: move dh_apparmor before dh_installinit
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 06 Aug 2010 17:34:21 -0500
++
++openldap (2.4.23-0ubuntu2) maverick; urgency=low
++
++  * convert to using dh_apparmor:
++    - debian/rules, debian/slapd.post{inst,rm}: use dh_apparmor
++    - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++  * debian/apparmor-profile: use local include
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 06 Aug 2010 15:08:55 -0500
++
++openldap (2.4.23-0ubuntu1) maverick; urgency=low
++
++  * New release, features include:
++    + Fixed libldap to return server's error code (ITS#6569)
++    + Fixed libldap memleaks (ITS#6568)
++    + Fixed liblutil off-by-one with delta (ITS#6541)
++    + Fixed slapd acls with glued databases (ITS#6468)
++    + Fixed slapd syncrepl rid logging (ITS#6533)
++    + Fixed slapd modrdn handling of invalid values (ITS#6570)
++    + Fixed slapd-bdb hasSubordinates computation (ITS#6549)
++    + Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474)
++    + Fixed slapd-bdb entry cache delete failure (ITS#6577)
++    + Fixed slapd-ldap to return control responses (ITS#6530)
++    + Fixed slapo-ppolicy to use Debug (ITS#6566)
++    + Fixed slapo-refint to zero out freed DN vals (ITS#6572)
++    + Fixed slapo-rwm to use Debug (ITS#6566)
++    + Fixed slapo-sssvlv to use Debug (ITS#6566)
++    + Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555)
++    + Fixed slapo-valsort to use Debug (ITS#6566)
++    + Fixed contrib/nssov network.c missing patch (ITS#6562)
++    + Fixed test043 attribute sorting (ITS#6553)
++    + slapd-config(5) note default rootdn (ITS#6546)
++  * Rebased patches debian/patches/dropped nssov-build
++  * Resynchronize with Debian:
++    + debian/control:
++      - Bump standards-version to 3.9.0
++      - Use libdb4.8-dev (LP: #572489)
++    + Added debian/patches/issue-6534-patch
++    + Added debian/patches/ldap-conf-tls-cacertdir
++  * Add ufw support, thanks to  PatRiehecky (LP: #423246)
++
++   [Adam Sommer]
++   * debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 28 Jul 2010 11:35:16 -0400
++
  openldap (2.4.21-1) unstable; urgency=low
    [ Steve Langasek ]
@@ -932,6 +2677,79 @@ openldap (2.4.21-1) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu, 22 Apr 2010 23:40:30 +0200
++openldap (2.4.21-0ubuntu5) lucid; urgency=low
++
++  * Fix local root connection access: replace olcAuthzRegexp mapping to
++    cn=localroot,cn=config with using the SASL dn directly in olcAccess.
++    Makes upgrades much simpler and robust (LP: #563829).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 23 Apr 2010 00:23:31 -0400
++
++openldap (2.4.21-0ubuntu4) lucid; urgency=low
++
++  [ Simon Olofsson ]
++  * debian/slapd.postinst:
++    - Show a message after successful migration (LP: #538848)
++
++  [ Jorgen Rosink ]
++  * debian/slapd.init: add simple status checking with LSB compatible exit
++    codes (LP: #562377)
++  * debian/slapd.init.ldif:
++    - remove admin user in default config database (LP: #556176)
++    - in default config, add olcAccess entries giving access to controls
++      available and cn=subschema (LP: #427842)
++
++  [ Scott Moser ]
++  *  debian/slapd.scripts-common: Do not create /nonexistent directory
++     for openldap user's home (LP: #556176)
++  *  debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
++
++ -- Scott Moser <smoser@ubuntu.com>  Mon, 12 Apr 2010 16:16:47 -0400
++
++openldap (2.4.21-0ubuntu3) lucid; urgency=low
++
++  * debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases
++    before trying to convert to slapd.d, to avoid upgrade failure from hardy
++    (LP: #536958)
++  * debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in
++    olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 29 Mar 2010 13:31:47 +0200
++
++openldap (2.4.21-0ubuntu2) lucid; urgency=low
++
++  * debian/apparmor-profile: Update apparmor profile. (LP: #508190)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 09 Mar 2010 13:33:35 -0500
++
++openldap (2.4.21-0ubuntu1) lucid; urgency=low
++
++  * New upstream release.
++  * debian/rules, debian/schema/extra/:
++    Fix get-orig-source rule to supports extra schemas shipped as part of the
++    debian/schema/ directory.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 18 Feb 2010 00:58:13 -0500
++
++openldap (2.4.18-0ubuntu2) lucid; urgency=low
++
++  * debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++    - Add --with-gssapi support
++    - Make guess_service_principal() more robust when determining principal
++  * Enable GSSAPI support (LP: #495418):
++    - debian/configure.options: Configure with --with-gssapi
++    - debian/control: Added libkrb5-dev as a build depend
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Fri, 11 Dec 2009 11:31:11 +0100
++
++openldap (2.4.18-0ubuntu1) karmic; urgency=low
++
++  * New upstream release: (LP: #419515):
++    + pcache overlay supports disconnected mode.
++  * Fix nss overlay load (LP: #417163).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 07 Sep 2009 13:41:10 -0400
++
  openldap (2.4.17-2.1) unstable; urgency=high
    * Non-maintainer upload by the Security Team.
@@ -958,6 +2776,108 @@ openldap (2.4.17-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 22 Sep 2009 20:06:34 -0700
++openldap (2.4.17-1ubuntu3) karmic; urgency=low
++
++   * Install a minimal slapd configuration instead of creating a default
++     database with a default DIT:
++     + Move openldap user home from /var/lib/ldap to /nonexistent.
++     + Remove all code and templates dealing with the default database and DIT
++       creation.
++     + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
++       grant all access to the latter in the cn=config database as well as the
++       default backend configuration.
++   * Add cn=localroot,cn=config authz mapping on upgrades.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 11 Aug 2009 14:48:56 -0400
++
++openldap (2.4.17-1ubuntu2) karmic; urgency=low
++
++  [ Thierry Carrez ]
++  * debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++    in the openldap library, as required by Likewise-Open (LP: #390579)
++
++  [ Mathias Gug ]
++  * debian/patches/its6077-uniqueness-overlay: fixes some issues with the
++    uniqueness overlay.
++  * debian/patches/its6220-writetimeout-directive: fixes a problem with the
++    writetimeout directive being in effect even if it wasn't set,
++    closing connections incorrectly.
++  * debian/patches/its6222-dncachesize-parameter: fixes the behavior of the
++    dncachesize parameter that was added in RE24, so that if it is set to
++    "0" (now the default), it has an unlimited DN cache (RE23 always
++    had an unlimited DN cache).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 31 Jul 2009 13:43:46 -0400
++
++openldap (2.4.17-1ubuntu1) karmic; urgency=low
++
++  [ Steve Langasek ]
++  * Fix up the lintian warnings:
++    - add missing misc-depends on all packages
++    - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
++      overrides
++    - bump Standards-Version to 3.8.2, no changes required.
++
++  [ Mathias Gug ]
++  * Resynchronise with Debian. Remaining changes:
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++      - debian/rules: install apparmor profile.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct
++      ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
++      readable) and /var/run/slapd (world readable).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package the nss
++        overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema which
++        defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to
++      the cn=config tree.
++    - debian/slapd.postinst: create /var/run/slapd before updating its
++      permissions.
++    - debian/slapd.init: Correctly set slapd config backend option even if
++      the pidfile is configured in slapd default file.
++  * Dropped:
++    - Merged in Debian:
++      - Update priority of libldap-2.4-2 to match the archive override.
++      - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
++        the ldapurl(1) manpage.
++      - Bump build-dependency on debhelper to 6 instead of 5, since that's
++        what we're using.
++      - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++        the built-in default of ldap:/// only.
++    - Fixed in upstream release:
++      - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
++        failure when built with PIE.
++      - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++        trusted.
++    - Update Apparmor profile support: don't support upgrade from pre-hardy
++      systems:
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles <<
++        2.1+1075-0ubuntu4 to make sure that if earlier version of
++        apparmor-profiles gets installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor complain mode on
++        some upgrades
++      - debian/slapd.preinst: create symlink for force-complain on
++        pre-feisty upgrades, upgrades where apparmor-profiles profile is
++        unchanged (ie non-enforcing) and upgrades where apparmor profile
++        does not exist.
++    - debian/patches/autogen.sh: no longer needed with karmic libtool.
++      - Call libtoolize with the --install option to install
++        config.{guess,sub} files.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 30 Jul 2009 16:42:58 -0400
++
  openldap (2.4.17-1) unstable; urgency=low
    * New upstream version.
@@ -980,6 +2900,153 @@ openldap (2.4.17-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 28 Jul 2009 10:17:15 -0700
++openldap (2.4.15-1.1ubuntu1) karmic; urgency=low
++
++  * Resynchronise with Debian. Remaining changes:
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles <<
++        2.1+1075-0ubuntu4 to make sure that if earlier version of
++        apparmor-profiles gets installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor complain mode on
++        some upgrades
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.preinst: create symlink for force-complain on
++        pre-feisty upgrades, upgrades where apparmor-profiles profile is
++        unchanged (ie non-enforcing) and upgrades where apparmor profile
++        does not exist.
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install
++        config.{guess,sub} files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct
++      ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
++      readable) and /var/run/slapd (world readable).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package the nss
++        overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema which
++        defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to
++      the cn=config tree.
++    - Update priority of libldap-2.4-2 to match the archive override.
++    - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
++      the ldapurl(1) manpage.
++    - Bump build-dependency on debhelper to 6 instead of 5, since that's
++      what we're using.
++    - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++      the built-in default of ldap:/// only.
++    - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
++      failure when built with PIE.
++    - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++      trusted.
++    - debian/slapd.postinst: create /var/run/slapd before updating its
++      permissions.
++    - debian/slapd.init: Correctly set slapd config backend option even if
++      the pidfile is configured in slapd default file.
++  * Drop patch to avoid the test suite on hppa, as hppa is EOL.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 24 Jun 2009 10:45:20 +0100
++
++openldap (2.4.15-1.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Change libltdl3-dev Build-Depends to libltdl-dev | libltdl3-dev
++    (Closes: #522965)
++
++ -- Kurt Roeckx <kurt@roeckx.be>  Sun, 19 Apr 2009 18:24:32 +0200
++
++openldap (2.4.15-1ubuntu3) jaunty; urgency=low
++
++  * No-change rebuild to fix lpia shared library dependencies.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 19 Mar 2009 09:52:40 +0000
++
++openldap (2.4.15-1ubuntu2) jaunty; urgency=low
++
++  * debian/slapd.postinst: create /var/run/slapd before updating its
++    permissions (LP: #298928).
++  * debian/slapd.init: Correclty set slapd config backend option even if the
++    pidfile is configured in slapd default file (LP: #292364).
++  * debian/apparmor-profile: support multiple databases to be stored under
++    /var/lib/ldap/. (LP: #286614).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 13 Mar 2009 13:56:12 -0400
++
++openldap (2.4.15-1ubuntu1) jaunty; urgency=low
++
++  [ Steve Langasek ]
++  * Update priority of libldap-2.4-2 to match the archive override.
++  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
++    ldapurl(1) manpage.  Thanks to Peter Marschall for the patch.
++    Closes: #496749.
++  * Bump build-dependency on debhelper to 6 instead of 5, since that's
++    what we're using.  Closes: #498116.
++  * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++    the built-in default of ldap:/// only.
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++        to make sure that if earlier version of apparmour-profiles gets
++        installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor compalin mode on
++        some upgrades (LP: #203529)
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++        upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++        non-enforcing) and upgrades where apparmor profile does not exist.
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/control:
++      - Build-depend on libltdl7-dev rather then libltdl3-dev.
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install config.{guess,sub}
++        files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash (LP: #286063).
++    - Disable the testsuite on hppa. Allows building of packages on this
++      architecture again, once this package is in the archive.
++      LP: #288908.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++      and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++      /var/run/slapd (world readable). (LP: #257667).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package
++        the nss overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema
++        which defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to the
++      cn=config tree.
++  * Dropped:
++    - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
++      times. (ITS: #5947) Fixed in new upstream version 2.4.15.
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now. Implemented in Debian.
++  * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure
++    when built with PIE.
++  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++    trusted (LP: #305264).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 06 Mar 2009 17:34:21 -0500
++
  openldap (2.4.15-1) unstable; urgency=low
    * New upstream version
@@ -997,6 +3064,69 @@ openldap (2.4.15-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 24 Feb 2009 14:27:35 -0800
++openldap (2.4.14-0ubuntu1) jaunty; urgency=low
++
++  [ Steve Langasek ]
++  * New upstream version
++    - Fixes a bug with the pcache overlay not returning cached entries
++      (closes: #497697)
++    - Update evolution-ntlm patch to apply to current Makefiles.
++    - (tentatively) drop gnutls-ciphers, since this bug was reported to be
++      fixed upstream in 2.4.8.  The fix applied in 2.4.8 didn't match the
++      patch from the bug report, so this should be watched for regressions.
++  * Build against db4.7 instead of db4.2 at last!  Closes: #421946.
++  * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
++    installed in the build environment.
++  * New patch, no-crlcheck-for-gnutls, to fix a build failure when using
++    --with-tls=gnutls.
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/control:
++      - Build-depend on libltdl7-dev rather then libltdl3-dev.
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install config.{guess,sub}
++        files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash (LP: #286063).
++    - Disable the testsuite on hppa. Allows building of packages on this
++      architecture again, once this package is in the archive.
++      LP: #288908.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++      and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++      /var/run/slapd (world readable). (LP: #257667).
++    - debian/patches/nssov-build, debian/rules:
++      Build and package the nss overlay.
++      debian/schema/misc.ldif: add ldif file for the misc schema, which defines
++      rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to the
++      cn=config tree.
++  * debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
++    times. (ITS: #5947)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 18 Feb 2009 18:44:00 -0500
++
  openldap (2.4.11-1) unstable; urgency=low
    * New upstream version (closes: #499560).
@@ -1019,6 +3149,110 @@ openldap (2.4.11-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 11 Oct 2008 01:53:55 -0700
++openldap (2.4.11-0ubuntu7) jaunty; urgency=low
++
++  * Don't use local statement in config script as it fails if /bin/sh
++    points to bash (LP: #286063).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 04 Nov 2008 20:03:46 -0500
++
++openldap (2.4.11-0ubuntu6) intrepid; urgency=low
++
++  * Disable the testsuite on hppa. Allows building of packages on this
++    architecture again, once this package is in the archive.
++    LP: #288908.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 24 Oct 2008 23:22:33 +0200
++
++openldap (2.4.11-0ubuntu5) intrepid; urgency=low
++
++  * Don't set admin passwords in ldif files if adminpw is empty.
++    (LP: #273988 - LP: #276606).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 13 Oct 2008 19:31:15 -0400
++
++openldap (2.4.11-0ubuntu4) intrepid; urgency=low
++
++  * debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++    and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++    /var/run/slapd (world readable). (LP: #257667).
++  * debian/slapd.script-common:
++    - Fix package reconfiguration:
++      + Remove slapd.d/ directory if it already exists when creating a new
++        configuration.
++      + Fix backup directory naming for multiple reconfiguration.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 24 Sep 2008 21:01:42 -0400
++
++openldap (2.4.11-0ubuntu3) intrepid; urgency=low
++
++  * debian/patches/nssov-build, debian/rules:
++    Build and package the nss overlay.
++  * debian/schema/misc.ldif: add ldif file for the misc schema, which defines
++    rfc822MailMember (required by the nss overlay).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 26 Aug 2008 18:42:54 -0400
++
++openldap (2.4.11-0ubuntu2) intrepid; urgency=low
++
++  * debian/{control,rules}: enable PIE hardening
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 20 Aug 2008 15:47:01 -0700
++
++openldap (2.4.11-0ubuntu1) intrepid; urgency=low
++
++  * New upstream version:
++    - Mainly bug fixes.
++    - New nss slapd overlay (not compiled by default).
++  * Use cn=config as the default configuration backend instead of
++    slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++    asking the end user to enter a new password to control the access to the
++    cn=config tree.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 11 Aug 2008 20:26:05 -0400
++
++openldap (2.4.10-3ubuntu1) intrepid; urgency=low
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++  * Dropped - implemented in Debian:
++    - debian/patches/fix-gnutls-key-strength.patch:
++      Fix slapd handling of ssf using gnutls. (LP: #244925).
++    - debian/control:
++      Add time as build dependency: needed by make test.
++  * debian/control:
++    - Build-depend on libltdl7-dev rather then libltdl3-dev.
++  * debian/patches/autogen.sh:
++    - Call libtoolize with the --install option to install config.{guess,sub}
++    files.
++
++  [ Jamie Strandboge ]
++  * adjust apparmor profile to allow gssapi (LP: #229252)
++  * adjust apparmor profile to allow cnconfig (LP: #243525)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 30 Jul 2008 19:46:02 -0400
++
  openldap (2.4.10-3) unstable; urgency=low
    [ Steve Langasek ]
@@ -1052,6 +3286,40 @@ openldap (2.4.10-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 28 Jul 2008 15:26:06 -0700
++openldap (2.4.10-2ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++    - debian/patches/fix-gnutls-key-strength.patch:
++      Fix slapd handling of ssf using gnutls. (LP: #244925).
++    - debian/control:
++      Add time as build dependency: needed by make test.
++  * Dropped - implemented in Debian:
++    - debian/rules:
++      Support debuild nocheck option: don't run tests if nocheck is set.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 10 Jul 2008 14:45:49 -0400
++
  openldap (2.4.10-2) unstable; urgency=low
    * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at
@@ -1066,6 +3334,54 @@ openldap (2.4.10-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 06 Jul 2008 22:03:32 -0700
++openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++  * debian/control:
++    - add time as build dependency: needed by make test.
++  * debian/rules:
++    - support debuild nocheck option: don't run tests if nocheck is set.
++  * debian/patches/fix-gnutls-key-strength.patch:
++    - fix slapd handling of ssf using gnutls. (LP: #244925).
++  * Dropped - accepted in Debian:
++    - debian/rules, debian/slapd.links: use hard links to slapd instead of
++      symlinks for slap* so these applications aren't confined by apparmor
++      (LP: #203898)
++  * Dropped - fixed in new upstream release:
++    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
++      (LP: #215904)
++    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
++      error. (LP: #234196)
++    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
++      (LP: #220724)
++    - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
++      syncrepl. (LP: #227178)
++    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
++      upstream.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 03 Jul 2008 14:15:08 -0400
++
  openldap2.3 (2.4.10-1) unstable; urgency=low
    [ Steve Langasek ]
@@ -1090,6 +3406,64 @@ openldap2.3 (2.4.10-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 30 Jun 2008 04:28:34 -0700
++openldap2.3 (2.4.9-1ubuntu4) intrepid; urgency=low
++
++  * debian/patches/fix-unique-overlay-assertion.patch:
++    - Fix another assertion error in unique overlay, backported from head.
++      (LP: #243337) Note: This patch will still be needed when moved to 2.4.10
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 30 Jun 2008 18:49:52 +0000
++
++openldap2.3 (2.4.9-1ubuntu3) intrepid; urgency=low
++
++  * Drop spurious dependency on hiemdal-dev. Caused by an aborted attempt to
++    include the smbk5pwd overlay.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 11 Jun 2008 21:25:40 +0000
++
++openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low
++
++  * Rebuild for perl 5.10 transition (LP: #230016)
++  * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
++    syncrepl. (LP: #227178)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 09 Jun 2008 14:56:40 +0000
++
++openldap2.3 (2.4.9-1ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/rules, debian/slapd.links: use hard links to slapd instead of
++      symlinks for slap* so these applications aren't confined by apparmor
++      (LP: #203898)
++    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
++      (LP: #215904)
++    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
++      error. (LP: #234196)
++    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
++      (LP: #220724)
++    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
++      upstream.
++   * Added debian/patches/fix-ucred-libc due to changes how newer glibc handle
++     the ucred struct now.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 30 May 2008 17:09:53 +0100
++
  openldap2.3 (2.4.9-1) unstable; urgency=low
    [ Updated debconf translations ]
@@ -1160,6 +3534,51 @@ openldap2.3 (2.4.7-6.1) unstable; urgency=high
   -- Nico Golde <nion@debian.org>  Tue, 04 Mar 2008 14:34:44 +0100
++openldap2.3 (2.4.7-6ubuntu3) hardy; urgency=low
++
++  * remove apparmor-profile workaround for Launchpad #202161 (it's now fixed
++    in klibc)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 07 Apr 2008 16:09:38 -0400
++
++openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low
++
++  * apparmor-profile workaround for Launchpad #202161
++  * follow ApparmorProfileMigration and force apparmor complain mode on some
++    upgrades (LP: #203529)
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++  * debian/rules, debian/slapd.links: use hard links to slapd instead of
++    symlinks for slap* so these applications aren't confined by apparmor
++    (LP: #203898)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 18 Mar 2008 13:53:23 -0400
++
++openldap2.3 (2.4.7-6ubuntu1) hardy; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
++      slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
++      allows remote authenticated users to cause a denial of service (daemon
++      crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION)
++      control, a related issue to CVE-2007-6698.
++    + debian/apparmor-profile: add AppArmor profile
++    + debian/slapd.postinst: Reload AA profile on configuration
++    + updated debian/slapd.README.Debian for note on AppArmor
++    + debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
++      should now take control
++    + debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmor-profiles gets
++      installed it won't overwrite our profile
++    + Modify Maintainer value to match the DebianMaintainerField
++      specification.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Mar 2008 01:59:51 +0000
++
  openldap2.3 (2.4.7-6) unstable; urgency=low
    [ Updated debconf translations ]
@@ -1205,6 +3624,37 @@ openldap2.3 (2.4.7-6) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Thu, 28 Feb 2008 22:15:17 -0800
++openldap2.3 (2.4.7-5ubuntu2) hardy; urgency=low
++
++  * SECURITY UPDATE:
++   + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
++     slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
++     allows remote authenticated users to cause a denial of service (daemon crash)
++     via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related
++     issue to CVE-2007-6698.
++
++  * References
++   - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658
++   - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358
++
++ -- Emanuele Gentili <emgent@emanuele-gentili.com>  Sun, 02 Mar 2008 16:34:30 +0100
++
++openldap2.3 (2.4.7-5ubuntu1) hardy; urgency=low
++
++  * add AppArmor profile
++    + debian/apparmor-profile
++    + debian/slapd.postinst: Reload AA profile on configuration
++  * updated debian/slapd.README.Debian for note on AppArmor
++  * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
++    should now take control
++  * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++    to make sure that if earlier version of apparmor-profiles gets installed
++    it won't overwrite our profile
++  * Modify Maintainer value to match the DebianMaintainerField
++    specification.
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 13 Feb 2008 17:15:41 +0000
++
  openldap2.3 (2.4.7-5) unstable; urgency=low
    [ Updated debconf translations ]
 diff --git a/debian/configure.options b/debian/configure.options
 index 08a55e0..9d3704e 100644
 --- a/debian/configure.options
 +++ b/debian/configure.options
@@ -175,6 +175,7 @@
  #  --with-fetch		  with fetch(3) URL support [auto]
  #  --with-threads	  with threads [auto]
  --with-threads
++--with-gssapi
  #  --with-tls		  with TLS/SSL support auto|openssl|gnutls|moznss [auto]
  --with-tls=gnutls
  #  --with-yielding-select  with implicitly yielding select [auto]
 diff --git a/debian/control b/debian/control
 index e88429a..a603885 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,20 +1,23 @@
  Source: openldap
  Section: net
  Priority: optional
--Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
  Uploaders: Steve Langasek <vorlon@debian.org>,
   Torsten Landschoff <torsten@debian.org>,
   Ryan Tandy <ryan@nardis.ca>
  Build-Depends: debhelper (>= 10),
++               dh-apparmor,
                 dpkg-dev (>= 1.17.14),
                 groff-base,
--               heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
++               heimdal-dev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
                 libdb5.3-dev <!pkg.openldap.noslapd>,
                 libgnutls28-dev,
                 libltdl-dev <!pkg.openldap.noslapd>,
                 libperl-dev (>= 5.8.0) <!pkg.openldap.noslapd>,
                 libsasl2-dev,
                 libwrap0-dev <!pkg.openldap.noslapd>,
++               lsb-release,
                 nettle-dev <!pkg.openldap.noslapd>,
                 perl:any,
                 po-debconf,
@@ -34,7 +37,7 @@ Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}),
   coreutils (>= 4.5.1-1), psmisc, perl:any (>> 5.8.0) | libmime-base64-perl,
   adduser, lsb-base (>= 3.2-13), ${misc:Depends}
  Recommends: libsasl2-modules
--Suggests: ldap-utils,
++Suggests: ldap-utils, ufw,
   libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
  Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1)
  Replaces: libldap2, ldap-utils (<< 2.2.23-3)
 diff --git a/debian/libldap-2.4-2.symbols b/debian/libldap-2.4-2.symbols
 index d42ccec..55421bc 100644
 --- a/debian/libldap-2.4-2.symbols
 +++ b/debian/libldap-2.4-2.symbols
@@ -118,6 +118,7 @@ liblber-2.4.so.2 libldap-2.4-2 #MINVER#
   ber_sockbuf_io_fd@OPENLDAP_2.4_2 2.4.7
   ber_sockbuf_io_readahead@OPENLDAP_2.4_2 2.4.7
   ber_sockbuf_io_tcp@OPENLDAP_2.4_2 2.4.7
++ ber_sockbuf_io_udp@OPENLDAP_2.4_2 2.4.17-1ubuntu2
   ber_sockbuf_remove_io@OPENLDAP_2.4_2 2.4.7
   ber_sos_dump@OPENLDAP_2.4_2 2.4.7
   ber_start@OPENLDAP_2.4_2 2.4.7
@@ -280,6 +281,11 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER#
   ldap_int_flush_request@OPENLDAP_2.4_2 2.4.7
   ldap_int_global_options@OPENLDAP_2.4_2 2.4.7
   ldap_int_gmtime_mutex@OPENLDAP_2.4_2 2.4.23
++ ldap_int_gssapi_close@OPENLDAP_2.4_2 2.4.18-0ubuntu2
++ ldap_int_gssapi_config@OPENLDAP_2.4_2 2.4.18-0ubuntu2
++ ldap_int_gssapi_get_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2
++ ldap_int_gssapi_mutex@OPENLDAP_2.4_2 2.4.18-0ubuntu2
++ ldap_int_gssapi_set_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2
   ldap_int_hostname@OPENLDAP_2.4_2 2.4.7
   ldap_int_hostname_mutex@OPENLDAP_2.4_2 2.4.39
   ldap_int_inet4or6@OPENLDAP_2.4_2 2.4.7
@@ -312,6 +318,7 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER#
   ldap_int_tls_start@OPENLDAP_2.4_2 2.4.7
   ldap_int_utils_init@OPENLDAP_2.4_2 2.4.7
   ldap_is_ldap_url@OPENLDAP_2.4_2 2.4.7
++ ldap_is_ldapc_url@OPENLDAP_2.4_2 2.4.17-1ubuntu2
   ldap_is_ldapi_url@OPENLDAP_2.4_2 2.4.7
   ldap_is_ldaps_url@OPENLDAP_2.4_2 2.4.7
   ldap_is_read_ready@OPENLDAP_2.4_2 2.4.7
 diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
 index 07256ba..4d820f7 100644
 --- a/debian/patches/contrib-makefiles
 +++ b/debian/patches/contrib-makefiles
@@ -157,3 +157,24 @@
   	-rpath $(moduledir) -module -o $@ $? $(LIBS)
   clean:
++--- a/contrib/slapd-modules/nssov/Makefile
+++++ b/contrib/slapd-modules/nssov/Makefile
++@@ -52,15 +52,15 @@
++ .SUFFIXES: .c .o .lo
++
++ .c.lo:
++-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
+++	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
++
++ tio.lo:	nss-pam-ldapd/tio.c
++-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $?
+++	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $?
++
++ $(OBJS):	nssov.h
++
++ nssov.la:	$(OBJS) $(XOBJS)
++-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
+++	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info 0:0:0 \
++ 	-rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS)
++
++ install: nssov.la
 diff --git a/debian/patches/fix-ldap-distribution.patch b/debian/patches/fix-ldap-distribution.patch
 new file mode 100644
 index 0000000..17be364
 --- /dev/null
 +++ b/debian/patches/fix-ldap-distribution.patch
@@ -0,0 +1,24 @@
++--- a/build/mkversion
+++++ b/build/mkversion
++@@ -52,6 +52,12 @@
++ APPLICATION=$1
++ WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>"
++
+++if test -x /usr/bin/lsb_release; then
+++    OPENLDAP_DISTRIBUTION=" ($(lsb_release -si))"
+++else
+++    OPENLDAP_DISTRIBUTION=""
+++fi
+++
++ cat << __EOF__
++ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
++  *
++@@ -72,7 +78,7 @@
++ "COPYING RESTRICTIONS APPLY\n";
++
++ $static $const char $SYMBOL[] =
++-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
+++"@(#) \$$PACKAGE: $APPLICATION $VERSION$OPENLDAP_DISTRIBUTION (" __DATE__ " " __TIME__ ") \$\n"
++ "\t$WHOWHERE\n";
++
++ __EOF__
 diff --git a/debian/patches/gssapi.diff b/debian/patches/gssapi.diff
 new file mode 100644
 index 0000000..5bcf266
 --- /dev/null
 +++ b/debian/patches/gssapi.diff
@@ -0,0 +1,140 @@
++--- a/configure.in
+++++ b/configure.in
++@@ -244,6 +244,8 @@
++ 	auto, [auto yes no] )
++ OL_ARG_WITH(fetch,[  --with-fetch		  with fetch(3) URL support],
++ 	auto, [auto yes no] )
+++OL_ARG_WITH(gssapi,[  --with-gssapi               with GSSAPI support],
+++        auto, [auto yes no] )
++ OL_ARG_WITH(threads,[  --with-threads	  with threads],
++ 	auto, [auto nt posix mach pth lwp yes no manual] )
++ OL_ARG_WITH(tls,[  --with-tls		  with TLS/SSL support auto|openssl|gnutls|moznss],
++@@ -591,6 +593,7 @@
++ KRB4_LIBS=
++ KRB5_LIBS=
++ SASL_LIBS=
+++GSSAPI_LIBS=
++ TLS_LIBS=
++ MODULES_LIBS=
++ SLAPI_LIBS=
++@@ -1153,6 +1156,63 @@
++ fi
++
++ dnl ----------------------------------------------------------------
+++dnl GSSAPI
+++ol_link_gssapi=no
+++
+++case $ol_with_gssapi in yes | auto)
+++
+++        ol_header_gssapi=no
+++        AC_CHECK_HEADERS(gssapi/gssapi.h)
+++        if test $ac_cv_header_gssapi_gssapi_h = yes ; then
+++                ol_header_gssapi=yes
+++        else
+++                AC_CHECK_HEADERS(gssapi.h)
+++                if test $ac_cv_header_gssapi_h = yes ; then
+++                        ol_header_gssapi=yes
+++                fi
+++
+++                dnl## not every gssapi has gss_oid_to_str()
+++                dnl## as it's not defined in the GSSAPI V2 API
+++                dnl## anymore
+++                saveLIBS="$LIBS"
+++                LIBS="$LIBS $GSSAPI_LIBS"
+++                AC_CHECK_FUNCS(gss_oid_to_str)
+++                LIBS="$saveLIBS"
+++        fi
+++
+++        if test $ol_header_gssapi = yes ; then
+++                dnl## we check for gss_wrap
+++                dnl## as it's new to the GSSAPI V2 API
+++                AC_CHECK_LIB(gssapi, gss_wrap,
+++                             [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"],
+++                             [ol_link_gssapi=no])
+++                if test $ol_link_gssapi != yes ; then
+++                        AC_CHECK_LIB(gssapi_krb5, gss_wrap,
+++                                     [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"],
+++                                     [ol_link_gssapi=no])
+++                fi
+++                if test $ol_link_gssapi != yes ; then
+++                        AC_CHECK_LIB(gss, gss_wrap,
+++                                     [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"],
+++                                     [ol_link_gssapi=no])
+++                fi
+++        fi
+++
+++        ;;
+++esac
+++
+++WITH_GSSAPI=no
+++if test $ol_link_gssapi = yes; then
+++        AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI])
+++        WITH_GSSAPI=yes
+++elif test $ol_with_gssapi = auto ; then
+++        AC_MSG_WARN([Could not locate GSSAPI package])
+++        AC_MSG_WARN([GSSAPI authentication not supported!])
+++elif test $ol_with_gssapi = yes ; then
+++        AC_MSG_ERROR([GSSAPI detection failed])
+++fi
+++
+++dnl ----------------------------------------------------------------
++ dnl TLS/SSL
++
++ if test $ol_with_tls = yes ; then
++@@ -1928,6 +1988,13 @@
++ fi
++ AC_SUBST(VERSION_OPTION)
++
+++VERSION_OPTION=""
+++OL_SYMBOL_VERSIONING
+++if test $ol_cv_ld_version_script_option = yes ; then
+++  VERSION_OPTION="-Wl,--version-script="
+++fi
+++AC_SUBST(VERSION_OPTION)
+++
++ dnl ----------------------------------------------------------------
++ if test $ol_enable_wrappers != no ; then
++ 	AC_CHECK_HEADERS(tcpd.h,[
++@@ -3159,6 +3226,7 @@
++ AC_SUBST(KRB4_LIBS)
++ AC_SUBST(KRB5_LIBS)
++ AC_SUBST(SASL_LIBS)
+++AC_SUBST(GSSAPI_LIBS)
++ AC_SUBST(TLS_LIBS)
++ AC_SUBST(MODULES_LIBS)
++ AC_SUBST(SLAPI_LIBS)
++--- a/include/portable.hin
+++++ b/include/portable.hin
++@@ -253,6 +253,18 @@
++ /* Define to 1 if you have the <grp.h> header file. */
++ #undef HAVE_GRP_H
++
+++/* define if you have GSSAPI */
+++#undef HAVE_GSSAPI
+++
+++/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
+++#undef HAVE_GSSAPI_GSSAPI_H
+++
+++/* Define to 1 if you have the <gssapi.h> header file. */
+++#undef HAVE_GSSAPI_H
+++
+++/* Define to 1 if you have the `gss_oid_to_str' function. */
+++#undef HAVE_GSS_OID_TO_STR
+++
++ /* Define to 1 if you have the `hstrerror' function. */
++ #undef HAVE_HSTRERROR
++
++--- a/build/top.mk
+++++ b/build/top.mk
++@@ -190,9 +190,10 @@
++ KRB5_LIBS = @KRB5_LIBS@
++ KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@
++ SASL_LIBS = @SASL_LIBS@
+++GSSAPI_LIBS = @GSSAPI_LIBS@
++ TLS_LIBS = @TLS_LIBS@
++ AUTH_LIBS = @AUTH_LIBS@
++-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
+++SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
++
++ MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
++ MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@
 diff --git a/debian/patches/series b/debian/patches/series
 index b0ef82d..ebd0ad3 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -7,6 +7,7 @@ index-files-created-as-root
  sasl-default-path
  libldap-symbol-versions
  getaddrinfo-is-threadsafe
++gssapi.diff
  do-not-second-guess-sonames
  contrib-makefiles
  smbk5pwd-makefile-manpage
@@ -21,3 +22,4 @@ ITS6035-olcauthzregex-needs-restart.patch
  set-maintainer-name
  ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
  ITS-9171-Insert-callback-in-the-right-place.patch
++fix-ldap-distribution.patch
 diff --git a/debian/rules b/debian/rules
 index b13a6bc..4777bb2 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -7,7 +7,8 @@ include /usr/share/dpkg/pkg-info.mk
  # want the checks for DFSG-freeness.
  #DFSG_NONFREE = 1
--export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
++export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS -I/usr/include/heimdal
++export DEB_LDFLAGS_MAINT_APPEND := -L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal
  export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
  # Workaround for bad glibc behavior when resolving localhost
@@ -21,7 +22,7 @@ ifneq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
  	CONFIG += --disable-slapd
  endif
--CONTRIB_MODULES = autogroup lastbind passwd passwd/pbkdf2 passwd/sha2 smbk5pwd
++CONTRIB_MODULES = autogroup lastbind nssov passwd passwd/pbkdf2 passwd/sha2 smbk5pwd
  # Ensure CC is set correctly for cross builds, unless it has already
  # been set explicitly.
@@ -41,7 +42,8 @@ CONTRIB_MAKEVARS := \
  	LDAP_BUILD='$(builddir)' \
  	prefix=/usr \
  	ldap_subdir=/ldap \
--	moduledir='$$(libdir)$$(ldap_subdir)'
++	moduledir='$$(libdir)$$(ldap_subdir)' \
++	sysconfdir='/etc$$(ldap_subdir)'
  # These variables are used only by get-orig-source, which will normally only
  # be run by maintainers.
@@ -155,6 +157,22 @@ endif
  	find $(installdir)/usr/share/man -name \*.8 \
  		| xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#'
++ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)
++override_dh_install-arch:
++	dh_install
++
++	# install AppArmor profile
++	install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd
++
++	# install Apport hook
++	install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py
++
++	# install ufw profile
++	install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd
++
++	dh_apparmor -pslapd --profile-name=usr.sbin.slapd
++endif
++
  override_dh_installinit:
  	dh_installinit -- "defaults 19 80"
@@ -215,6 +233,8 @@ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
  	    done; \
  	fi
++	rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess
++
  	# Clean the contrib directory
  	for mod in $(CONTRIB_MODULES); do \
  		dh_auto_clean -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod || exit $?; \
 diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
 index a43dfe4..216e6ac 100644
 --- a/debian/slapd.README.Debian
 +++ b/debian/slapd.README.Debian
@@ -204,8 +204,8 @@ Running slapd under a Different UID/GID
    - Tell linux slapd can access configuration files -- usually:
--      chgrp <group> /etc/ldap/slapd.conf
--      chmod 0640 /etc/ldap/slapd.conf
++      chgrp -R <group> /etc/ldap/slapd.d
++      chmod -R g+rX /etc/ldap/slapd.d
    - Tell linux slapd can access /var/run/slapd and write a PID file:
@@ -339,3 +339,14 @@ Unsafe access control rule installed by default in previous versions
    slapd.access(5) man page.
   -- Ryan Tandy <ryan@nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
++
++Apparmor Profile
++----------------
++
++  If your system uses AppArmor, please note that the shipped enforcing profile
++  works with the default installation, and changes in your configuration may
++  require changes to the installed apparmor profile. Please see
++  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
++  software.
++
++ -- Jamie Strandboge <jamie@ubuntu.com>, Mon,  4 Feb 2008 21:18:21 -0500
 diff --git a/debian/slapd.default b/debian/slapd.default
 index 372b8f4..4212e07 100644
 --- a/debian/slapd.default
 +++ b/debian/slapd.default
@@ -12,7 +12,7 @@ SLAPD_USER="openldap"
  SLAPD_GROUP="openldap"
  # Path to the pid file of the slapd server. If not set the init.d script
--# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
++# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
  # default)
  SLAPD_PIDFILE=
 diff --git a/debian/slapd.init.ldif b/debian/slapd.init.ldif
 index a5277c0..8fd30a5 100644
 --- a/debian/slapd.init.ldif
 +++ b/debian/slapd.init.ldif
@@ -32,7 +32,6 @@ objectClass: olcDatabaseConfig
  olcDatabase: config
  # Allow unlimited access to local connection from the local root user
  olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
--olcRootDN: cn=admin,cn=config
  # Load schemas
  dn: cn=schema,cn=config
 diff --git a/debian/slapd.install b/debian/slapd.install
 index 0987dad..206a208 100644
 --- a/debian/slapd.install
 +++ b/debian/slapd.install
@@ -54,5 +54,7 @@ usr/lib/ldap/autogroup.so*
  usr/lib/ldap/autogroup.la
  usr/lib/ldap/lastbind.so*
  usr/lib/ldap/lastbind.la
++usr/lib/ldap/nssov.so*
++usr/lib/ldap/nssov.la
  usr/lib/ldap/pw-sha2.so*
  usr/lib/ldap/pw-sha2.la
 diff --git a/debian/slapd.manpages b/debian/slapd.manpages
 index ffd3243..25f6d43 100644
 --- a/debian/slapd.manpages
 +++ b/debian/slapd.manpages
@@ -43,3 +43,4 @@ debian/tmp/usr/share/man/man5/slapo-valsort.5
  # contrib modules installed in main package
  debian/tmp/usr/share/man/man5/slapo-lastbind.5
++contrib/slapd-modules/nssov/slapo-nssov.5
 diff --git a/debian/slapd.py b/debian/slapd.py
 new file mode 100644
 index 0000000..7d78699
 --- /dev/null
 +++ b/debian/slapd.py
@@ -0,0 +1,51 @@
++#!/usr/bin/python
++
++'''apport hook for slapd
++
++(c) 2010 Adam Sommer.
++Author: Adam Sommer <asommer@ubuntu.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++from apport.hookutils import *
++import os
++
++# Scrub olcRootPW attribute and credentials strings if necessary.
++def scrub_pass_strings(config):
++    olcrootpw_regex = re.compile('olcRootPW:.*')
++    olcrootpw_string = olcrootpw_regex.search(config)
++    if olcrootpw_string:
++        config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@')
++
++    credentials_regex = re.compile('credentials=.* ')
++    credentials_string = credentials_regex.search(config)
++    if credentials_string:
++        config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ')
++
++    return config
++
++def add_info(report, ui):
++    response = ui.yesno("The contents of your /etc/ldap/slapd.d directory "
++                        "may help developers diagnose your bug more "
++                        "quickly.  However, it may contain sensitive "
++                        "information.  Do you want to include it in your "
++                        "bug report?")
++
++    if response == None: # user cancelled
++        raise StopIteration
++
++    elif response == True:
++        # Get the cn=config tree.
++        cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config'])
++        report['CNConfig'] = scrub_pass_strings(cn_config)
++
++        # Get slapd messages from /var/log/syslog
++        slapd_re = re.compile('slapd', re.IGNORECASE)
++        report['SysLog'] = recent_syslog(slapd_re)
++
++        attach_mac_events(report, '/usr/sbin/slapd')
 diff --git a/debian/slapd.scripts-common b/debian/slapd.scripts-common
 index b2b3d3d..0dc0045 100644
 --- a/debian/slapd.scripts-common
 +++ b/debian/slapd.scripts-common
@@ -175,8 +175,7 @@ dump_config() {								# {{{
  dump_databases() {							# {{{
  # If the user wants us to dump the databases they are dumped to the
  # configured directory.
--
--	local db suffix file dir failed
++	local db suffix file dir failed slapcat_opts
  	database_dumping_enabled || return 0
@@ -365,6 +364,12 @@ compute_backup_path() {							# {{{
  	id="$OLD_VERSION"
  	[ -n "$id" ] || id=`date +%Y%m%d-%H%M%S`
  	target="/var/backups/$basedn-$id.ldapdb"
++	# Configuration via dpkg-reconfigure.
++	# The backup directory already exists when reconfigured
++	# twice or more: append a timestamp.
++	if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then
++			 target="$target-`date +%Y%m%d-%H%M%S`"
++	fi
  	if [ -e "$target" ] && [ -z "$ok_exists" ]; then
  		echo >&2
  		echo >&2 "  Backup path $target exists. Giving up..."
 diff --git a/debian/slapd.ufw.profile b/debian/slapd.ufw.profile
 new file mode 100644
 index 0000000..3c4f676
 --- /dev/null
 +++ b/debian/slapd.ufw.profile
@@ -0,0 +1,9 @@
++[OpenLDAP LDAP]
++title=OpenLDAP with TLS
++description=OpenLDAP is a free, fast, lightweight LDAP server
++ports=389/tcp
++
++[OpenLDAP LDAPS]
++title=OpenLDAP over SSL
++description=OpenLDAP is a free, fast, lightweight LDAP server
++ports=636/tcp

Ubuntuopenldap package

Merge ~ahasenack/ubuntu/+source/openldap:focal-openldap-merge-to-grab-fix into ubuntu/+source/openldap:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openldap package