Merge ~ahasenack/ubuntu/+source/openldap:groovy-openldap-2.4.50-merge-and-delta-drop into ubuntu/+source/openldap:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 890c4eea118142866ff23abe7b8be5d408316d98
Merge reported by: Andreas Hasenack
Merged at revision: 890c4eea118142866ff23abe7b8be5d408316d98
Proposed branch: ~ahasenack/ubuntu/+source/openldap:groovy-openldap-2.4.50-merge-and-delta-drop
Merge into: ubuntu/+source/openldap:debian/sid
Diff against target: 3397 lines (+2901/-12)
18 files modified
debian/apparmor-profile (+60/-0)
debian/changelog (+2527/-0)
debian/configure.options (+1/-0)
debian/control (+5/-3)
debian/libldap-2.4-2.symbols (+7/-0)
debian/patches/contrib-makefiles (+21/-0)
debian/patches/fix_test_timing.patch (+27/-0)
debian/patches/gssapi.diff (+140/-0)
debian/patches/series (+2/-0)
debian/patches/set-maintainer-name (+1/-1)
debian/rules (+26/-3)
debian/slapd.README.Debian (+13/-2)
debian/slapd.default (+1/-1)
debian/slapd.install (+2/-0)
debian/slapd.manpages (+1/-0)
debian/slapd.py (+51/-0)
debian/slapd.scripts-common (+7/-2)
debian/slapd.ufw.profile (+9/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Team Pending
Review via email: mp+383797@code.launchpad.net

Description of the change

Most of the diff is in d/changelog, for carrying such a large delta for so long.

Debian merge of 2.4.50, plus a lot of delta drop. Let's go!

Bileto (still running, mostly done, i386 known failures so far): https://bileto.ubuntu.com/#/ticket/4053

I added sssd to that ticket because it has nice ldap integration tests.

First, remaining "normal" delta:
- apparmor
- ufw
- apport

The remaining bits:
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
Added to debian in https://salsa.debian.org/openldap-team/openldap/-/commit/50a32c03d83ed8f8026a93da0fba0ef0b639a7ee

      - Fix backup directory naming for multiple reconfiguration.
Submitted to debian via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960449

    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
Adopted by debian in https://salsa.debian.org/openldap-team/openldap/-/commit/50a32c03d83ed8f8026a93da0fba0ef0b639a7ee

    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
      of test timing issue.
Not submitted yet

    - d/p/set-maintainer-name: use the Maintainer field from d/control
      instead of hardcoding an email (LP: #1875697)
Submitted to debian via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960448

The drops!

I hope the reasoning for each drop, even though just a short sentence, is clarifying enough. Most of the drops are because we no longer ship likewise-open. But here we go:
- nss overlay: we don't need another name service switch module, we have standardized on sssd
- gssapi support: we still have it, via sasl gssapi. Bug #495418 (which introduced this delta) even has a comment from upstream asking us to drop this. This was also added because of likewise-open, it probably didn't work with sasl back then.
- olcRootDN for the ldif init: not worth keeping a delta for. It's just an authentication entity that there is no way for someone to authenticate as, but the ACL in that ldif grant the "manage" access to the sasl external entity, so that is in effect the new admin. There is no harm in keeping olcRootDN, so let's drop this.
- CLDAP support. Also added because of likewise-open. This was required for windows 2k domain joins, as cldap was the only way to query the server for what ldap suffixes it had, and other discovery things.
- show distribution in version: debian now shows the package version, which will have the "ubuntu" name in it in our case, so dropped (also requested in https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1875697). The delta I added makes the maintainer email dynamic, and I pushed that to debian too (but see the (*) remark above). The debian maintainer said in the bug he would accept something dynamic, so let's see if my parsing of d/control is ok.

That's it!

To post a comment you must log in.
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I got this review via email from Ryan Tandy, the debian maintainer of openldap. ">" are his comments, and my reply below.

> - dropping GSSAPI is an ABI break (removing public symbols), therefore I
> think it requires a SONAME change and transition. I was going to
> propose dropping this when we eventually update to 2.5 as I don't
> foresee a SONAME bump happening sooner.

After an LTS is the right time to drop such an old delta, that was
even requested by (now upstream)
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/495418/comments/2

We should be able to rely on the symbols file to handle upgrades, no?
Or do you mean in terms of debian policy the soname must change?

> - dropping nssov breaks upgrades for anyone who has it enabled, unless
> you specifically add scripting to detect and disable it. I guess the
> numbers of users is small but I know at least one person who was (not
> sure whether still is) using nssov.

Scripting with the cn=config backend is tough. And just removing nssov
for the sake of having slapd start up fine would hide the change
somewhat.

For both these changes, we will certainly need release notes, and I
wrote this down already to add to the notes when we are closer to
release. I can also email ubuntu-server@ or even ubuntu-devel@ to get
a feeling who is using these, and what people think. I also think that
right after the LTS is a good time to tackle this problem and drop
stuff we don't use anymore, nor want our users still use. The nss
overlay requires "the client-side stuf library from nss-pam-ldapd",
which we only have in universe since precise, and I would like to
standardize on sssd as much as possible.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

More comments. This time, ">" are mine:

On Tue, May 12, 2020 at 02:32:18PM -0300, Andreas Hasenack wrote:
>We should be able to rely on the symbols file to handle upgrades, no?
>Or do you mean in terms of debian policy the soname must change?

The symbols file tracks when new interfaces were added, but when
changing or removing already exported ones, the SONAME must change.

https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

>Scripting with the cn=config backend is tough. And just removing nssov
>for the sake of having slapd start up fine would hide the change
>somewhat.

Yeah. I was thinking more along the lines of failing the upgrade in
preinst if nssov is enabled, rather than get into a state where recovery
requires manual changes in /etc/ldap/slapd.d.

But the number of users affected is honestly going to be single-digit or
zero, so a release note is probably about all the effort it's worth.

>The nss overlay requires "the client-side stuf library from
>nss-pam-ldapd", which we only have in universe since precise, and I
>would like to standardize on sssd as much as possible.

ACK, recommending sssd makes sense for sure.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Looong changelog, but after reading it twice I agree.
Glad you could drop so much.

I like that you added the reasoning for each of them.
And I also agree that early in the post-LTS cycle is the right time to do so.

Also thanks for sending all the remaining bits that are applicable to Debian already.

This is so much I need to look a bit further, but so far it LGTM

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

ok, AFAICS old delta is retained correctly.
But a lot is going on, so I hope I didn't miss anything.

Hopefully you can drop more of the already submitted changes next time to further clean this up.

review: Approve
Revision history for this message
ben thielsen (btb-bitrate) wrote :

i use and prefer nss-pam-ldapd, so removing nssov would break things for my installations. it doesn't really matter to me if nssov is loaded/enabled/configured by the packaging system [in fact, i would prefer it not be, myself], but it's not clear to me what problem it causes to include it in the package, so people who want it can use it.

as a side note, it would be disappointing to see sssd pushed over nss-pam-ldapd, generally speaking.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

As recommended by Ryan Tandy (debian maintainer of openldap), and after a discussion with my colleagues, we decided to not drop the gssapi and CLDAP deltas at this time, because that would require buming the soname of the openldap libraries, which is already at 2.4. When the next upstream major release happens, 2.5, that will be the right time to drop this delta. It's unfortunate, but it's the price to pay for having introduced that back in 2009 without much thinking ahead.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I emailed ubuntu-server@ about these changes, and also posted on the discourse forum.

https://lists.ubuntu.com/archives/ubuntu-server/2020-May/008333.html

https://discourse.ubuntu.com/t/cleaning-up-openldap-packaging/16287

ben thielsen (btb-bitrate), we can continue the nss overlay discussion there.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

About the nssov removal, if the previous install is using the overlay, the upgrade fails, quite as expected:

May 21 19:05:20 groovy-nss-overlay slapd[1275]: lt_dlopenext failed: (nssov) file not found
...

Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

Expected, but not very nice. Ryan Tandy suggested a check in preinst.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

If I check for the nss overlay in slapd.preinst, and exit 1 (just for the sake of testing, let's assume there are debconf prompts asking what to do, and the user chose to abort), then we get:

(...)
Preparing to unpack .../slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb ...
Saving current slapd configuration to /var/backups/slapd-2.4.49+dfsg-2ubuntu2...
nss overlay in use, aborting install
dpkg: error processing archive ./slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb (--install):
 new slapd package pre-installation script subprocess returned error exit status 1
  Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.50+dfsg-1ubuntu1~ppa4... done.
Setting up libldap-common (2.4.50+dfsg-1ubuntu1~ppa4) ...
Setting up libldap-2.4-2:amd64 (2.4.50+dfsg-1ubuntu1~ppa4) ...
Setting up ldap-utils (2.4.50+dfsg-1ubuntu1~ppa4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...
Errors were encountered while processing:
 ./slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb
$ echo $?
1

Summary:
- apt exits 1, indicating a failure
- slapd stays at the previous version, but other packages remain upgraded
- slapd is restarted, but stays running instead of failing to come up

Removing the nss overlay configuration in postinst is complicated, error prone, and might render the system without a working login (assuming the overlay is being used in that system for logins: not always the case).

These are the options as far as I can see, at the moment:
a) don't remove nssov
b) remove nssov, and exit 1 in preinst if it's detected, with the outcome detailed above
c) remove nssov and not handle it. apt fails, slapd remains stopped at the end, system might be without a working logn
d) remove nssov, go through great lengths to remove it from slapd's config (very complicated due to cn=config and the fact that slapd doesn't support removing modules dynamically via ldap commands), and in the end have a running slapd, but without nssov. System might again be without a working login, if nssov was used for that on this system.

If we chose (a), I might as well fix bug #381829 and bug #1452087

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I emailed ubuntu-devel[1] about the nssov situation, and will keep the overlay for now until I can come up with a better plan for its removal that doesn't horribly break upgrades for people who are using it.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

And the link to my ubuntu-devel post, which I forgot to add in my previous comment:

https://lists.ubuntu.com/archives/ubuntu-devel/2020-May/041004.html

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I updated the branch keeping the nssov delta, and I also rearranged the commits a bit so they are together where it makes sense:

a)
commit cee0c2496d9abaee94778cb201462300372d0763
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:23:23 2019 -0200

        - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
          - CLDAP (UDP) was added in 2.4.17-1ubuntu2
          - GSSAPI support was enabled in 2.4.18-0ubuntu2

I split this one up in two pieces, and folded them together each with the commit that added the feature. I also added notes about when this can be dropped:
commit b8787fe7f9e5ed0a9d3aabd0fe3c65c5a3d64db1
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:22:00 2019 -0200

        - Add support for CLDAP (UDP) support, back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.

and
commit 90eba5f78d1a44aa3b86956b6916edc8e518f9f8
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:16:01 2019 -0200

        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
...
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.

b)
commit a23fad285c57ba7ba8c2a14668c66e637a2a584a
Author: Andreas Hasenack <email address hidden>
Date: Mon Feb 11 09:18:28 2019 -0200

        - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
          Debian bug #919136, we also have to patch the nssov makefile
          accordingly and thus update this patch.

Squashed the above commit into the one adding the nssov delta:
commit 3ebf10cacef2c35e7598c131118aea769b091427
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:19:09 2019 -0200

        - Enable nss overlay:
...
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Finally, i also updated the commit messages with the correct list symbol for each indentation level. Basically, replaced many "-" with "+".

b76ceba... by Ryan Tandy

  * Added:
    - d/rules, debian/patches/set-maintainer-name: Extract maintainer
      address dynamically from debian/control. Thanks to Ryan Tandy
      <email address hidden> (Closes: #960448, LP: #1875697)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

sigh, soname troubles plus this nssov thing - this clearly is one of the more ugly merged.
/me hugs Andreas

Re-reviewing the MP as it is right now ...

- Ack on not removing nssov (for now)
- Ack on keeping the bad symbols until we can soname bump
(both as discussed)

+1 on the new set of kept/dropped changes.

One thing if you want to experiment a bit more with it since we can't get rid of the extra features/symbols we have that came to my mind last weekend was deprecating them.
Would it be a reasonable delta to throw in some "deprecated" attributes via [1]?
That way - once we some day remove it - everyone linking against them would have had quite some time being told that they are deprecated.

One could think of a similar strategy for nssov to now yell/warn/message about that it will be dropped later in all places you can - to reduce the impact when you do it some time down the road. IIRC you already have the code to detect nssov and while I agree messing with the config is error-prone, warning that it should not be used would be fine IMHO.

[1]: https://gcc.gnu.org/onlinedocs/gcc-4.7.1/gcc/Type-Attributes.html#Type-Attributes

review: Needs Information
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> One thing if you want to experiment a bit more with it since we can't get rid of
> the extra features/symbols we have that came to my mind last weekend was
> deprecating them. Would it be a reasonable delta to throw in some "deprecated"
> attributes via [1]?

I can play with this, but I'm not sure it's the right thing to do. These symbols are not deprecated, and they fall into two categories:

- cldap support: ber_sockbuf_io_udp and ldap_is_ldapc_url. Both defined in public header files:

include/lber.h:LBER_V( Sockbuf_IO ) ber_sockbuf_io_udp;

and

include/ldap.h:
#ifdef LDAP_CONNECTIONLESS
LDAP_F( int )
ldap_is_ldapc_url LDAP_P((
    LDAP_CONST char *url ));
#endif

Both are only used if LDAP_CONNECTIONLESS is defined.

- gssapi support
This is the "bad" one, as the delta we have is adding internal symbols to the symbols file. For example, ldap_int_gssapi_close is defined in ./libraries/libldap/ldap-int.h. This header file is not even shipped in the libldap2-dev package. Hm, since the header file isn't shipped, I wonder if these symbols can even be used?

Anyway, going back to the point of deprecating symbols, adding a patch that changes C code marking the, say, gssapi symbols deprecated isn't correct, as they shouldn't be exposed in the first place. Using them when linking with the ubuntu openldap packages (if possible, given we don't ship the corresponding header file), that is what is "deprecated", because we want to remove them.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hm, there are many other *_int_* symbols in the symbols file, also defined just in the -int header file that is not shipped. Meh.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I tested patching one attribute with that flag:

-LDAP_F(void) ldap_int_gssapi_close LDAP_P(( LDAP *ld, LDAPConn *lc ));
+LDAP_F(void) ldap_int_gssapi_close LDAP_P(( LDAP *ld, LDAPConn *lc )) __attribute__ ((deprecated));

The build shows this then:
../../../../libraries/libldap/gssapi.c: In function ‘ldap_int_gssapi_setup’:
../../../../libraries/libldap/gssapi.c:620:2: warning: ‘ldap_int_gssapi_close’ is deprecated [-Wdeprecated-declarations]
  620 | ldap_int_gssapi_close( ld, lc );
      | ^~~~~~~~~~~~~~~~~~~~~
../../../../libraries/libldap/gssapi.c:581:6: note: declared here
  581 | void ldap_int_gssapi_close( LDAP *ld, LDAPConn *lc )
      | ^~~~~~~~~~~~~~~~~~~~~

since that function is used internally, correctly. So I don't think it's a good approach.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ok, thanks for trying - it was worth that but you have shown it doesn't match your case :-/

I was +1 otherwise on it, so +1 is all that is left after trying the deprecation trick.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

About notifying the user that nssov will eventually be removed, I thought of these options:
- d/NEWS file. A bit weird, because we are not changing it yet, so I'm not sure this mechanism applies. But is an interesting notification mechanism for those who have apt-listchanges (I think that's the name) installed. It would only show once, thouch, iiuc.
- simple postinst "echo" lines. Can get lost in all those messages, but can show the warning with every upgrade if we want (i.e., do the check regardless of the package version that is being upgraded)

Any other ideas? Also keep in mind we might not be able to cleanly removed this overlay, so maybe adding these warnings now is premature.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

We know that eventually there will always be someone that misses it and later complain.
So don't let perfection be the enemy of progress and pick something that works for the majority.

For this particular case I'm fan of something very noisy on the upgrade if we detected it is in use.
That way the majority of users won't see anything and that is ok as it isn't "for them".
For all the others I think it would be good to be loud and noisy on upgrades.
Actually - we can detect that it is in use can we?

Furthermore orthogonal to the packaging changes something that you can find with a search engine, maybe release notes or server guide (or even a blog if you want). Whatever you think is best for you.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm actually -1 on adding notes about future upcoming changes to the packaging at the moment, when such changes aren't there. It's our intention, and that was communicated in 2 mailing lists and the discourse forum. I added a d/slapd.NEWS bit, but am ready to revert that.

421b8d2... by Andreas Hasenack

merge-changelogs

1c96234... by Andreas Hasenack

reconstruct-changelog

890c4ee... by Andreas Hasenack

update-maintainer

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

As I said above, "Whatever you think is best for you", so if ML+Discourse is what you want that is fine with me. The NEWS entry would be just another Delta with potentially low gain - so I'm ok if you drop it before upload.
I mostly wanted to spawn the idea of trying to communicate it, not define how exactly we do it.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, sorry for misunderstanding.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagging and uploading 890c4eea118142866ff23abe7b8be5d408316d98

$ git push pkg upload/2.4.50+dfsg-1ubuntu1
Enumerating objects: 94, done.
Counting objects: 100% (94/94), done.
Delta compression using up to 4 threads
Compressing objects: 100% (76/76), done.
Writing objects: 100% (78/78), 28.91 KiB | 1.11 MiB/s, done.
Total 78 (delta 55), reused 6 (delta 2)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.50+dfsg-1ubuntu1 -> upload/2.4.50+dfsg-1ubuntu1

$ dput ubuntu ../openldap_2.4.50+dfsg-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.50+dfsg-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.50+dfsg-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.50+dfsg-1ubuntu1.dsc: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1.debian.tar.xz: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1_source.buildinfo: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2new file mode 100644
3index 0000000..793fa7b
4--- /dev/null
5+++ b/debian/apparmor-profile
6@@ -0,0 +1,60 @@
7+# vim:syntax=apparmor
8+# Last Modified: Fri Jan 4 15:18:13 2008
9+# Author: Jamie Strandboge <jamie@ubuntu.com>
10+
11+#include <tunables/global>
12+
13+/usr/sbin/slapd {
14+ #include <abstractions/base>
15+ #include <abstractions/nameservice>
16+ #include <abstractions/p11-kit>
17+
18+ #include <abstractions/ssl_certs>
19+ /etc/ssl/private/ r,
20+ /etc/ssl/private/* r,
21+
22+ /etc/sasldb2 r,
23+
24+ capability dac_override,
25+ capability net_bind_service,
26+ capability setgid,
27+ capability setuid,
28+
29+ /etc/gai.conf r,
30+ /etc/hosts.allow r,
31+ /etc/hosts.deny r,
32+
33+ # ldap files
34+ /etc/ldap/** kr,
35+ /etc/ldap/slapd.d/** rw,
36+
37+ # kerberos/gssapi
38+ /dev/tty rw,
39+ /etc/gss/mech.d/ r,
40+ /etc/gss/mech.d/* kr,
41+ /etc/krb5.keytab kr,
42+ /etc/krb5/user/*/client.keytab kr,
43+ owner /tmp/krb5cc_* rwk,
44+ /var/tmp/ rw,
45+ /var/tmp/** rw,
46+
47+ # the databases and logs
48+ /var/lib/ldap/ r,
49+ /var/lib/ldap/** rwk,
50+
51+ # lock file
52+ /var/lib/ldap/alock kw,
53+
54+ # pid files and sockets
55+ /{,var/}run/slapd/* w,
56+ /{,var/}run/slapd/ldapi rw,
57+ /{,var/}run/nslcd/socket rw,
58+
59+ /usr/lib/ldap/ r,
60+ /usr/lib/ldap/* mr,
61+
62+ /usr/sbin/slapd mr,
63+
64+ # Site-specific additions and overrides. See local/README for details.
65+ #include <local/usr.sbin.slapd>
66+}
67diff --git a/debian/changelog b/debian/changelog
68index 7d3dc4c..504f29f 100644
69--- a/debian/changelog
70+++ b/debian/changelog
71@@ -1,3 +1,69 @@
72+openldap (2.4.50+dfsg-1ubuntu1) groovy; urgency=medium
73+
74+ * Merge with Debian unstable. Remaining changes:
75+ - Enable AppArmor support:
76+ + d/apparmor-profile: add AppArmor profile
77+ + d/rules: use dh_apparmor
78+ + d/control: Build-Depends on dh-apparmor
79+ + d/slapd.README.Debian: add note about AppArmor
80+ - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
81+ + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
82+ - Add --with-gssapi support
83+ - Make guess_service_principal() more robust when determining
84+ principal
85+ + d/configure.options: Configure with --with-gssapi
86+ + d/control: Added heimdal-dev as a build depend
87+ + d/rules:
88+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
89+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
90+ + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
91+ This should be dropped when the soname changes.
92+ - Enable ufw support:
93+ + d/control: suggest ufw.
94+ + d/rules: install ufw profile.
95+ + d/slapd.ufw.profile: add ufw profile.
96+ - Enable nss overlay:
97+ + d/rules:
98+ - add nssov to CONTRIB_MODULES
99+ - add sysconfdir to CONTRIB_MAKEVARS
100+ + d/slapd.install:
101+ - install nssov overlay
102+ + d/slapd.manpages:
103+ - install slapo-nssov(5) man page
104+ + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
105+ Debian bug #919136, we also have to patch the nssov makefile
106+ accordingly and thus update this patch.
107+ - d/{rules,slapd.py}: Add apport hook.
108+ - d/slapd.scripts-common:
109+ + add slapcat_opts to local variables.
110+ + Fix backup directory naming for multiple reconfiguration.
111+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
112+ - Add support for CLDAP (UDP) support, back then required by
113+ likewise-open (first enabled in 2.4.17-1ubuntu2):
114+ + d/rules: Enable -DLDAP_CONNECTIONLESS
115+ + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
116+ This should be dropped when the soname changes.
117+ - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
118+ of test timing issue.
119+ * Dropped:
120+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
121+ either the default DIT nor via an Authn mapping.
122+ [Not worth keeping a delta for, as having olcRootDN doesn't hurt]
123+ - Show distribution in version:
124+ - d/control: added lsb-release
125+ - d/patches/fix-ldap-distribution.patch: show distribution in version
126+ [Debian now shows the full package version]
127+ - SECURITY UPDATE: denial of service via nested search filters
128+ + debian/patches/CVE-2020-12243.patch: limit depth of nested
129+ filters in servers/slapd/filter.c.
130+ [Fixed upstream]
131+ * Added:
132+ - d/rules, debian/patches/set-maintainer-name: Extract maintainer
133+ address dynamically from debian/control. Thanks to Ryan Tandy
134+ <ryan@nardis.ca> (Closes: #960448, LP: #1875697)
135+
136+ -- Andreas Hasenack <andreas@canonical.com> Mon, 01 Jun 2020 09:19:58 -0300
137+
138 openldap (2.4.50+dfsg-1) unstable; urgency=medium
139
140 * New upstream release.
141@@ -40,6 +106,69 @@ openldap (2.4.49+dfsg-3) unstable; urgency=medium
142
143 -- Ryan Tandy <ryan@nardis.ca> Sat, 04 Apr 2020 10:43:56 -0700
144
145+openldap (2.4.49+dfsg-2ubuntu2) groovy; urgency=medium
146+
147+ * SECURITY UPDATE: denial of service via nested search filters
148+ - debian/patches/CVE-2020-12243.patch: limit depth of nested filters in
149+ servers/slapd/filter.c.
150+ - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because of
151+ test timing issue.
152+ - CVE-2020-12243
153+
154+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 01 May 2020 13:09:12 -0400
155+
156+openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium
157+
158+ * Merge with Debian unstable (LP: #1866303). Remaining changes:
159+ - Enable AppArmor support:
160+ - d/apparmor-profile: add AppArmor profile
161+ - d/rules: use dh_apparmor
162+ - d/control: Build-Depends on dh-apparmor
163+ - d/slapd.README.Debian: add note about AppArmor
164+ - Enable GSSAPI support:
165+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
166+ - Add --with-gssapi support
167+ - Make guess_service_principal() more robust when determining
168+ principal
169+ [Dropped the ldap_gssapi_bind_s() hunk as that is already
170+ - d/configure.options: Configure with --with-gssapi
171+ - d/control: Added heimdal-dev as a build depend
172+ - d/rules:
173+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
174+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
175+ - Enable ufw support:
176+ - d/control: suggest ufw.
177+ - d/rules: install ufw profile.
178+ - d/slapd.ufw.profile: add ufw profile.
179+ - Enable nss overlay:
180+ - d/rules:
181+ - add nssov to CONTRIB_MODULES
182+ - add sysconfdir to CONTRIB_MAKEVARS
183+ - d/slapd.install:
184+ - install nssov overlay
185+ - d/slapd.manpages:
186+ - install slapo-nssov(5) man page
187+ - d/{rules,slapd.py}: Add apport hook.
188+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
189+ either the default DIT nor via an Authn mapping.
190+ - d/slapd.scripts-common:
191+ - add slapcat_opts to local variables.
192+ - Fix backup directory naming for multiple reconfiguration.
193+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
194+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
195+ in the openldap library, as required by Likewise-Open
196+ - Show distribution in version:
197+ - d/control: added lsb-release
198+ - d/patches/fix-ldap-distribution.patch: show distribution in version
199+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
200+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
201+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
202+ - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
203+ Debian bug #919136, we also have to patch the nssov makefile
204+ accordingly and thus update this patch.
205+
206+ -- Andreas Hasenack <andreas@canonical.com> Fri, 06 Mar 2020 11:39:12 -0300
207+
208 openldap (2.4.49+dfsg-2) unstable; urgency=medium
209
210 * slapd.README.Debian: Document the initial setup performed by slapd's
211@@ -51,6 +180,62 @@ openldap (2.4.49+dfsg-2) unstable; urgency=medium
212
213 -- Ryan Tandy <ryan@nardis.ca> Thu, 05 Mar 2020 12:59:46 -0800
214
215+openldap (2.4.49+dfsg-1ubuntu1) focal; urgency=medium
216+
217+ * Merge with Debian unstable. Remaining changes:
218+ - Enable AppArmor support:
219+ - d/apparmor-profile: add AppArmor profile
220+ - d/rules: use dh_apparmor
221+ - d/control: Build-Depends on dh-apparmor
222+ - d/slapd.README.Debian: add note about AppArmor
223+ - Enable GSSAPI support:
224+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
225+ - Add --with-gssapi support
226+ - Make guess_service_principal() more robust when determining
227+ principal
228+ [Dropped the ldap_gssapi_bind_s() hunk as that is already
229+ - d/configure.options: Configure with --with-gssapi
230+ - d/control: Added heimdal-dev as a build depend
231+ - d/rules:
232+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
233+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
234+ - Enable ufw support:
235+ - d/control: suggest ufw.
236+ - d/rules: install ufw profile.
237+ - d/slapd.ufw.profile: add ufw profile.
238+ - Enable nss overlay:
239+ - d/rules:
240+ - add nssov to CONTRIB_MODULES
241+ - add sysconfdir to CONTRIB_MAKEVARS
242+ - d/slapd.install:
243+ - install nssov overlay
244+ - d/slapd.manpages:
245+ - install slapo-nssov(5) man page
246+ - d/{rules,slapd.py}: Add apport hook.
247+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
248+ either the default DIT nor via an Authn mapping.
249+ - d/slapd.scripts-common:
250+ - add slapcat_opts to local variables.
251+ - Fix backup directory naming for multiple reconfiguration.
252+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
253+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
254+ in the openldap library, as required by Likewise-Open
255+ - Show distribution in version:
256+ - d/control: added lsb-release
257+ - d/patches/fix-ldap-distribution.patch: show distribution in version
258+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
259+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
260+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
261+ - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
262+ Debian bug #919136, we also have to patch the nssov makefile
263+ accordingly and thus update this patch.
264+ * Dropped:
265+ - d/control: slapd can depend on perl:any since it only uses perl for
266+ some maintainer and helper scripts.
267+ [In 2.4.49+dfsg-1]
268+
269+ -- Andreas Hasenack <andreas@canonical.com> Mon, 10 Feb 2020 12:13:47 -0300
270+
271 openldap (2.4.49+dfsg-1) unstable; urgency=medium
272
273 * New upstream release.
274@@ -79,6 +264,102 @@ openldap (2.4.49+dfsg-1) unstable; urgency=medium
275
276 -- Ryan Tandy <ryan@nardis.ca> Thu, 06 Feb 2020 10:08:12 -0800
277
278+openldap (2.4.48+dfsg-1ubuntu4) focal; urgency=medium
279+
280+ * d/control: slapd can depend on perl:any since it only uses perl for
281+ some maintainer and helper scripts. The perl backend links against
282+ the correct architecture perl libraries already. Can be dropped
283+ after https://salsa.debian.org/openldap-team/openldap/commit/794c736
284+ is in a Debian upload.
285+
286+ -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Jan 2020 16:46:11 -0300
287+
288+openldap (2.4.48+dfsg-1ubuntu3) focal; urgency=medium
289+
290+ * No-change rebuild against libnettle7
291+
292+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2019 22:13:44 +0000
293+
294+openldap (2.4.48+dfsg-1ubuntu2) focal; urgency=medium
295+
296+ * No-change rebuild for the perl update.
297+
298+ -- Matthias Klose <doko@ubuntu.com> Fri, 18 Oct 2019 19:37:23 +0000
299+
300+openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium
301+
302+ * Merge with Debian unstable. Remaining changes:
303+ - Enable AppArmor support:
304+ - d/apparmor-profile: add AppArmor profile
305+ - d/rules: use dh_apparmor
306+ - d/control: Build-Depends on dh-apparmor
307+ - d/slapd.README.Debian: add note about AppArmor
308+ - Enable GSSAPI support:
309+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
310+ - Add --with-gssapi support
311+ - Make guess_service_principal() more robust when determining
312+ principal
313+ - d/configure.options: Configure with --with-gssapi
314+ - d/control: Added heimdal-dev as a build depend
315+ - d/rules:
316+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
317+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
318+ - Enable ufw support:
319+ - d/control: suggest ufw.
320+ - d/rules: install ufw profile.
321+ - d/slapd.ufw.profile: add ufw profile.
322+ - Enable nss overlay:
323+ - d/rules:
324+ - add nssov to CONTRIB_MODULES
325+ - add sysconfdir to CONTRIB_MAKEVARS
326+ - d/slapd.install:
327+ - install nssov overlay
328+ - d/slapd.manpages:
329+ - install slapo-nssov(5) man page
330+ - d/{rules,slapd.py}: Add apport hook.
331+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
332+ either the default DIT nor via an Authn mapping.
333+ - d/slapd.scripts-common:
334+ - add slapcat_opts to local variables.
335+ - Fix backup directory naming for multiple reconfiguration.
336+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
337+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
338+ in the openldap library, as required by Likewise-Open
339+ - Show distribution in version:
340+ - d/control: added lsb-release
341+ - d/patches/fix-ldap-distribution.patch: show distribution in version
342+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
343+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
344+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
345+ - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
346+ Debian bug #919136, we also have to patch the nssov makefile
347+ accordingly and thus update this patch.
348+ * Dropped:
349+ - Fix sysv-generator unit file by customizing parameters (LP #1821343)
350+ + d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
351+ correct systemctl status for slapd daemon.
352+ + d/slapd.install: place override file in correct location.
353+ [Included in 2.4.48+dfsg-1]
354+ - SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
355+ + debian/patches/CVE-2019-13057-1.patch: add restriction to
356+ servers/slapd/saslauthz.c.
357+ + debian/patches/CVE-2019-13057-2.patch: add tests to
358+ tests/data/idassert.out, tests/data/slapd-idassert.conf,
359+ tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
360+ + debian/patches/CVE-2019-13057-3.patch: fix typo in
361+ tests/scripts/test028-idassert.
362+ + debian/patches/CVE-2019-13057-4.patch: fix typo in
363+ tests/scripts/test028-idassert.
364+ + CVE-2019-13057
365+ [Fixed upstream]
366+ - SECURITY UPDATE: SASL SSF not initialized per connection
367+ + debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
368+ connection_init in servers/slapd/connection.c.
369+ + CVE-2019-13565
370+ [Fixed upstream]
371+
372+ -- Andreas Hasenack <andreas@canonical.com> Wed, 31 Jul 2019 18:01:14 -0300
373+
374 openldap (2.4.48+dfsg-1) unstable; urgency=medium
375
376 * New upstream release.
377@@ -106,6 +387,87 @@ openldap (2.4.48+dfsg-1) unstable; urgency=medium
378
379 -- Ryan Tandy <ryan@nardis.ca> Thu, 25 Jul 2019 08:32:00 -0700
380
381+openldap (2.4.47+dfsg-3ubuntu3) eoan; urgency=medium
382+
383+ * SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
384+ - debian/patches/CVE-2019-13057-1.patch: add restriction to
385+ servers/slapd/saslauthz.c.
386+ - debian/patches/CVE-2019-13057-2.patch: add tests to
387+ tests/data/idassert.out, tests/data/slapd-idassert.conf,
388+ tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
389+ - debian/patches/CVE-2019-13057-3.patch: fix typo in
390+ tests/scripts/test028-idassert.
391+ - debian/patches/CVE-2019-13057-4.patch: fix typo in
392+ tests/scripts/test028-idassert.
393+ - CVE-2019-13057
394+ * SECURITY UPDATE: SASL SSF not initialized per connection
395+ - debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
396+ connection_init in servers/slapd/connection.c.
397+ - CVE-2019-13565
398+
399+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jul 2019 13:21:00 -0400
400+
401+openldap (2.4.47+dfsg-3ubuntu2) disco; urgency=medium
402+
403+ * Fix sysv-generator unit file by customizing parameters (LP: #1821343)
404+ - d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
405+ correct systemctl status for slapd daemon.
406+ - d/slapd.install: place override file in correct location.
407+
408+ -- Heitor Alves de Siqueira <halves@canonical.com> Mon, 08 Apr 2019 12:39:12 -0300
409+
410+openldap (2.4.47+dfsg-3ubuntu1) disco; urgency=medium
411+
412+ * Merge with Debian unstable. Remaining changes:
413+ - Enable AppArmor support:
414+ - d/apparmor-profile: add AppArmor profile
415+ - d/rules: use dh_apparmor
416+ - d/control: Build-Depends on dh-apparmor
417+ - d/slapd.README.Debian: add note about AppArmor
418+ - Enable GSSAPI support:
419+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
420+ - Add --with-gssapi support
421+ - Make guess_service_principal() more robust when determining
422+ principal
423+ - d/configure.options: Configure with --with-gssapi
424+ - d/control: Added heimdal-dev as a build depend
425+ - d/rules:
426+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
427+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
428+ - Enable ufw support:
429+ - d/control: suggest ufw.
430+ - d/rules: install ufw profile.
431+ - d/slapd.ufw.profile: add ufw profile.
432+ - Enable nss overlay:
433+ - d/rules:
434+ - add nssov to CONTRIB_MODULES
435+ - add sysconfdir to CONTRIB_MAKEVARS
436+ - d/slapd.install:
437+ - install nssov overlay
438+ - d/slapd.manpages:
439+ - install slapo-nssov(5) man page
440+ - d/{rules,slapd.py}: Add apport hook.
441+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
442+ either the default DIT nor via an Authn mapping.
443+ - d/slapd.scripts-common:
444+ - add slapcat_opts to local variables.
445+ - Fix backup directory naming for multiple reconfiguration.
446+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
447+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
448+ in the openldap library, as required by Likewise-Open
449+ - Show distribution in version:
450+ - d/control: added lsb-release
451+ - d/patches/fix-ldap-distribution.patch: show distribution in version
452+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
453+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
454+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
455+ * Added changes:
456+ - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
457+ Debian bug #919136, we also have to patch the nssov makefile
458+ accordingly and thus update this patch.
459+
460+ -- Andreas Hasenack <andreas@canonical.com> Mon, 11 Feb 2019 09:20:47 -0200
461+
462 openldap (2.4.47+dfsg-3) unstable; urgency=medium
463
464 * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
465@@ -121,6 +483,63 @@ openldap (2.4.47+dfsg-3) unstable; urgency=medium
466
467 -- Ryan Tandy <ryan@nardis.ca> Sat, 02 Feb 2019 10:30:10 -0800
468
469+openldap (2.4.47+dfsg-2ubuntu1) disco; urgency=medium
470+
471+ * Merge from Debian unstable (LP: #1811630). Remaining changes:
472+ - Enable AppArmor support:
473+ - d/apparmor-profile: add AppArmor profile
474+ - d/rules: use dh_apparmor
475+ - d/control: Build-Depends on dh-apparmor
476+ - d/slapd.README.Debian: add note about AppArmor
477+ - Enable GSSAPI support:
478+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
479+ - Add --with-gssapi support
480+ - Make guess_service_principal() more robust when determining
481+ principal
482+ - d/configure.options: Configure with --with-gssapi
483+ - d/control: Added heimdal-dev as a build depend
484+ - d/rules:
485+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
486+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
487+ - Enable ufw support:
488+ - d/control: suggest ufw.
489+ - d/rules: install ufw profile.
490+ - d/slapd.ufw.profile: add ufw profile.
491+ - Enable nss overlay:
492+ - d/rules:
493+ - add nssov to CONTRIB_MODULES
494+ - add sysconfdir to CONTRIB_MAKEVARS
495+ - d/slapd.install:
496+ - install nssov overlay
497+ - d/slapd.manpages:
498+ - install slapo-nssov(5) man page
499+ - d/{rules,slapd.py}: Add apport hook.
500+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
501+ either the default DIT nor via an Authn mapping.
502+ - d/slapd.scripts-common:
503+ - add slapcat_opts to local variables.
504+ - Fix backup directory naming for multiple reconfiguration.
505+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
506+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
507+ in the openldap library, as required by Likewise-Open
508+ - Show distribution in version:
509+ - d/control: added lsb-release
510+ - d/patches/fix-ldap-distribution.patch: show distribution in version
511+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
512+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
513+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
514+ * Update nssov build and packaging for Debian changes:
515+ - Drop patch nssov-build
516+ - d/rules:
517+ - add nssov to CONTRIB_MODULES
518+ - add sysconfdir to CONTRIB_MAKEVARS
519+ - d/slapd.install:
520+ - install nssov overlay
521+ - d/slapd.manpages:
522+ - install slapo-nssov(5) man page
523+
524+ -- Ryan Tandy <ryan@nardis.ca> Sun, 13 Jan 2019 04:47:09 +0000
525+
526 openldap (2.4.47+dfsg-2) unstable; urgency=medium
527
528 * Reintroduce slapi-dev binary package. (Closes: #711469)
529@@ -158,6 +577,63 @@ openldap (2.4.47+dfsg-1) unstable; urgency=medium
530
531 -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Dec 2018 12:50:40 -0800
532
533+openldap (2.4.46+dfsg-5ubuntu3) disco; urgency=medium
534+
535+ * d/apparmor-profile: update apparmor profile to allow reading of
536+ files needed when slapd is behaving as a kerberos/gssapi client
537+ and acquiring its own ticket. (LP: #1783183)
538+
539+ -- Andreas Hasenack <andreas@canonical.com> Fri, 09 Nov 2018 21:29:51 -0200
540+
541+openldap (2.4.46+dfsg-5ubuntu2) disco; urgency=medium
542+
543+ * No-change rebuild for the perl 5.28 transition.
544+
545+ -- Adam Conrad <adconrad@ubuntu.com> Fri, 02 Nov 2018 18:14:37 -0600
546+
547+openldap (2.4.46+dfsg-5ubuntu1) cosmic; urgency=medium
548+
549+ * Merge from Debian unstable. Remaining changes:
550+ - Enable AppArmor support:
551+ - d/apparmor-profile: add AppArmor profile
552+ - d/rules: use dh_apparmor
553+ - d/control: Build-Depends on dh-apparmor
554+ - d/slapd.README.Debian: add note about AppArmor
555+ - Enable GSSAPI support:
556+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
557+ - Add --with-gssapi support
558+ - Make guess_service_principal() more robust when determining
559+ principal
560+ - d/configure.options: Configure with --with-gssapi
561+ - d/control: Added heimdal-dev as a build depend
562+ - d/rules:
563+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
564+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
565+ - Enable ufw support:
566+ - d/control: suggest ufw.
567+ - d/rules: install ufw profile.
568+ - d/slapd.ufw.profile: add ufw profile.
569+ - Enable nss overlay:
570+ - d/{patches/nssov-build,rules}: Apply, build and package the
571+ nss overlay.
572+ - d/{rules,slapd.py}: Add apport hook.
573+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
574+ either the default DIT nor via an Authn mapping.
575+ - d/slapd.scripts-common:
576+ - add slapcat_opts to local variables.
577+ - Fix backup directory naming for multiple reconfiguration.
578+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
579+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
580+ in the openldap library, as required by Likewise-Open
581+ - Show distribution in version:
582+ - d/control: added lsb-release
583+ - d/patches/fix-ldap-distribution.patch: show distribution in version
584+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
585+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
586+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
587+
588+ -- Gianfranco Costamagna <locutusofborg@debian.org> Wed, 09 May 2018 13:44:37 +0200
589+
590 openldap (2.4.46+dfsg-5) unstable; urgency=medium
591
592 * Restore slapd-smbk5pwd now that libldap is installable in unstable.
593@@ -177,6 +653,49 @@ openldap (2.4.46+dfsg-3) unstable; urgency=medium
594
595 -- Ryan Tandy <ryan@nardis.ca> Fri, 04 May 2018 07:36:58 -0700
596
597+openldap (2.4.46+dfsg-2ubuntu1) cosmic; urgency=low
598+
599+ * Merge from Debian unstable. Remaining changes:
600+ - Enable AppArmor support:
601+ - d/apparmor-profile: add AppArmor profile
602+ - d/rules: use dh_apparmor
603+ - d/control: Build-Depends on dh-apparmor
604+ - d/slapd.README.Debian: add note about AppArmor
605+ - Enable GSSAPI support:
606+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
607+ - Add --with-gssapi support
608+ - Make guess_service_principal() more robust when determining
609+ principal
610+ - d/configure.options: Configure with --with-gssapi
611+ - d/control: Added heimdal-dev as a build depend
612+ - d/rules:
613+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
614+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
615+ - Enable ufw support:
616+ - d/control: suggest ufw.
617+ - d/rules: install ufw profile.
618+ - d/slapd.ufw.profile: add ufw profile.
619+ - Enable nss overlay:
620+ - d/{patches/nssov-build,rules}: Apply, build and package the
621+ nss overlay.
622+ - d/{rules,slapd.py}: Add apport hook.
623+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
624+ either the default DIT nor via an Authn mapping.
625+ - d/slapd.scripts-common:
626+ - add slapcat_opts to local variables.
627+ - Fix backup directory naming for multiple reconfiguration.
628+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
629+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
630+ in the openldap library, as required by Likewise-Open
631+ - Show distribution in version:
632+ - d/control: added lsb-release
633+ - d/patches/fix-ldap-distribution.patch: show distribution in version
634+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
635+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
636+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
637+
638+ -- Gianfranco Costamagna <locutusofborg@debian.org> Fri, 04 May 2018 10:19:24 +0200
639+
640 openldap (2.4.46+dfsg-2) unstable; urgency=medium
641
642 * Remove version constraint from libldap-2.4-2 dependency on libldap-common.
643@@ -206,6 +725,49 @@ openldap (2.4.46+dfsg-1) unstable; urgency=medium
644
645 -- Ryan Tandy <ryan@nardis.ca> Thu, 03 May 2018 07:03:30 -0700
646
647+openldap (2.4.45+dfsg-1ubuntu1) artful; urgency=low
648+
649+ * Merge from Debian unstable. Remaining changes:
650+ - Enable AppArmor support:
651+ - d/apparmor-profile: add AppArmor profile
652+ - d/rules: use dh_apparmor
653+ - d/control: Build-Depends on dh-apparmor
654+ - d/slapd.README.Debian: add note about AppArmor
655+ - Enable GSSAPI support:
656+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
657+ - Add --with-gssapi support
658+ - Make guess_service_principal() more robust when determining
659+ principal
660+ - d/configure.options: Configure with --with-gssapi
661+ - d/control: Added heimdal-dev as a build depend
662+ - d/rules:
663+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
664+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
665+ - Enable ufw support:
666+ - d/control: suggest ufw.
667+ - d/rules: install ufw profile.
668+ - d/slapd.ufw.profile: add ufw profile.
669+ - Enable nss overlay:
670+ - d/{patches/nssov-build,rules}: Apply, build and package the
671+ nss overlay.
672+ - d/{rules,slapd.py}: Add apport hook.
673+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
674+ either the default DIT nor via an Authn mapping.
675+ - d/slapd.scripts-common:
676+ - add slapcat_opts to local variables.
677+ - Fix backup directory naming for multiple reconfiguration.
678+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
679+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
680+ in the openldap library, as required by Likewise-Open
681+ - Show distribution in version:
682+ - d/control: added lsb-release
683+ - d/patches/fix-ldap-distribution.patch: show distribution in version
684+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
685+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
686+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
687+
688+ -- Gianfranco Costamagna <locutusofborg@debian.org> Fri, 28 Jul 2017 14:49:07 +0200
689+
690 openldap (2.4.45+dfsg-1) unstable; urgency=medium
691
692 * New upstream release.
693@@ -247,6 +809,49 @@ openldap (2.4.45+dfsg-1) unstable; urgency=medium
694
695 -- Ryan Tandy <ryan@nardis.ca> Thu, 27 Jul 2017 18:04:41 -0700
696
697+openldap (2.4.44+dfsg-8ubuntu1) artful; urgency=low
698+
699+ * Merge from Debian unstable. Remaining changes:
700+ - Enable AppArmor support:
701+ - d/apparmor-profile: add AppArmor profile
702+ - d/rules: use dh_apparmor
703+ - d/control: Build-Depends on dh-apparmor
704+ - d/slapd.README.Debian: add note about AppArmor
705+ - Enable GSSAPI support:
706+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
707+ - Add --with-gssapi support
708+ - Make guess_service_principal() more robust when determining
709+ principal
710+ - d/configure.options: Configure with --with-gssapi
711+ - d/control: Added heimdal-dev as a build depend
712+ - d/rules:
713+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
714+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
715+ - Enable ufw support:
716+ - d/control: suggest ufw.
717+ - d/rules: install ufw profile.
718+ - d/slapd.ufw.profile: add ufw profile.
719+ - Enable nss overlay:
720+ - d/{patches/nssov-build,rules}: Apply, build and package the
721+ nss overlay.
722+ - d/{rules,slapd.py}: Add apport hook.
723+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
724+ either the default DIT nor via an Authn mapping.
725+ - d/slapd.scripts-common:
726+ - add slapcat_opts to local variables.
727+ - Fix backup directory naming for multiple reconfiguration.
728+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
729+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
730+ in the openldap library, as required by Likewise-Open
731+ - Show distribution in version:
732+ - d/control: added lsb-release
733+ - d/patches/fix-ldap-distribution.patch: show distribution in version
734+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
735+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
736+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
737+
738+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 17 Jul 2017 10:58:24 +0200
739+
740 openldap (2.4.44+dfsg-8) unstable; urgency=medium
741
742 * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
743@@ -257,6 +862,52 @@ openldap (2.4.44+dfsg-8) unstable; urgency=medium
744
745 -- Ryan Tandy <ryan@nardis.ca> Sun, 16 Jul 2017 12:57:41 -0700
746
747+openldap (2.4.44+dfsg-7ubuntu1) artful; urgency=medium
748+
749+ * Merge from Debian unstable. Remaining changes:
750+ - Enable AppArmor support:
751+ - d/apparmor-profile: add AppArmor profile
752+ - d/rules: use dh_apparmor
753+ - d/control: Build-Depends on dh-apparmor
754+ - d/slapd.README.Debian: add note about AppArmor
755+ - Enable GSSAPI support:
756+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
757+ - Add --with-gssapi support
758+ - Make guess_service_principal() more robust when determining
759+ principal
760+ - d/configure.options: Configure with --with-gssapi
761+ - d/control: Added heimdal-dev as a build depend
762+ - d/rules:
763+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
764+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
765+ - Enable ufw support:
766+ - d/control: suggest ufw.
767+ - d/rules: install ufw profile.
768+ - d/slapd.ufw.profile: add ufw profile.
769+ - Enable nss overlay:
770+ - d/{patches/nssov-build,rules}: Apply, build and package the
771+ nss overlay.
772+ - d/{rules,slapd.py}: Add apport hook.
773+ [ d/rules modification mentioned above was dropped in
774+ 2.4.23-6ubuntu1, re-adding it ]
775+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
776+ either the default DIT nor via an Authn mapping.
777+ - d/slapd.scripts-common:
778+ - add slapcat_opts to local variables.
779+ - Fix backup directory naming for multiple reconfiguration.
780+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
781+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
782+ in the openldap library, as required by Likewise-Open
783+ - Show distribution in version:
784+ - d/control: added lsb-release
785+ - d/patches/fix-ldap-distribution.patch: show distribution in version
786+ [ Refreshed patch ]
787+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
788+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
789+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
790+
791+ -- Gianfranco Costamagna <locutusofborg@debian.org> Tue, 27 Jun 2017 10:21:41 +0200
792+
793 openldap (2.4.44+dfsg-7) unstable; urgency=medium
794
795 * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
796@@ -264,6 +915,52 @@ openldap (2.4.44+dfsg-7) unstable; urgency=medium
797
798 -- Ryan Tandy <ryan@nardis.ca> Tue, 27 Jun 2017 18:53:12 -0700
799
800+openldap (2.4.44+dfsg-6ubuntu1) artful; urgency=medium
801+
802+ * Merge from Debian unstable. Remaining changes:
803+ - Enable AppArmor support:
804+ - d/apparmor-profile: add AppArmor profile
805+ - d/rules: use dh_apparmor
806+ - d/control: Build-Depends on dh-apparmor
807+ - d/slapd.README.Debian: add note about AppArmor
808+ - Enable GSSAPI support:
809+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
810+ - Add --with-gssapi support
811+ - Make guess_service_principal() more robust when determining
812+ principal
813+ - d/configure.options: Configure with --with-gssapi
814+ - d/control: Added heimdal-dev as a build depend
815+ - d/rules:
816+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
817+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
818+ - Enable ufw support:
819+ - d/control: suggest ufw.
820+ - d/rules: install ufw profile.
821+ - d/slapd.ufw.profile: add ufw profile.
822+ - Enable nss overlay:
823+ - d/{patches/nssov-build,rules}: Apply, build and package the
824+ nss overlay.
825+ - d/{rules,slapd.py}: Add apport hook.
826+ [ d/rules modification mentioned above was dropped in
827+ 2.4.23-6ubuntu1, re-adding it ]
828+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
829+ either the default DIT nor via an Authn mapping.
830+ - d/slapd.scripts-common:
831+ - add slapcat_opts to local variables.
832+ - Fix backup directory naming for multiple reconfiguration.
833+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
834+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
835+ in the openldap library, as required by Likewise-Open
836+ - Show distribution in version:
837+ - d/control: added lsb-release
838+ - d/patches/fix-ldap-distribution.patch: show distribution in version
839+ [ Refreshed patch ]
840+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
841+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
842+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
843+
844+ -- Gianfranco Costamagna <locutusofborg@debian.org> Tue, 27 Jun 2017 10:21:41 +0200
845+
846 openldap (2.4.44+dfsg-6) unstable; urgency=medium
847
848 * Update the list of non-translatable strings for the
849@@ -272,6 +969,54 @@ openldap (2.4.44+dfsg-6) unstable; urgency=medium
850
851 -- Ryan Tandy <ryan@nardis.ca> Mon, 26 Jun 2017 19:42:02 -0700
852
853+openldap (2.4.44+dfsg-5ubuntu1) artful; urgency=medium
854+
855+ * Merge from Debian unstable. Remaining changes:
856+ - Enable AppArmor support:
857+ - d/apparmor-profile: add AppArmor profile
858+ - d/rules: use dh_apparmor
859+ - d/control: Build-Depends on dh-apparmor
860+ - d/slapd.README.Debian: add note about AppArmor
861+ - Enable GSSAPI support:
862+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
863+ - Add --with-gssapi support
864+ - Make guess_service_principal() more robust when determining
865+ principal
866+ - d/configure.options: Configure with --with-gssapi
867+ - d/control: Added heimdal-dev as a build depend
868+ - d/rules:
869+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
870+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
871+ - Enable ufw support:
872+ - d/control: suggest ufw.
873+ - d/rules: install ufw profile.
874+ - d/slapd.ufw.profile: add ufw profile.
875+ - Enable nss overlay:
876+ - d/{patches/nssov-build,rules}: Apply, build and package the
877+ nss overlay.
878+ - d/{rules,slapd.py}: Add apport hook.
879+ [ d/rules modification mentioned above was dropped in
880+ 2.4.23-6ubuntu1, re-adding it ]
881+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
882+ either the default DIT nor via an Authn mapping.
883+ - d/slapd.scripts-common:
884+ - add slapcat_opts to local variables.
885+ - Fix backup directory naming for multiple reconfiguration.
886+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
887+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
888+ in the openldap library, as required by Likewise-Open
889+ - Show distribution in version:
890+ - d/control: added lsb-release
891+ - d/patches/fix-ldap-distribution.patch: show distribution in version
892+ [ Refreshed patch ]
893+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
894+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
895+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
896+ [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
897+ - Fix use after free with GnuTLS. (LP #1557248)
898+
899+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 28 May 2017 22:43:50 +0200
900+
901 openldap (2.4.44+dfsg-5) unstable; urgency=medium
902
903 * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an
904@@ -283,6 +1028,54 @@ openldap (2.4.44+dfsg-5) unstable; urgency=medium
905
906 -- Ryan Tandy <ryan@nardis.ca> Sun, 28 May 2017 09:59:46 -0700
907
908+openldap (2.4.44+dfsg-4ubuntu1) artful; urgency=low
909+
910+ * Merge from Debian unstable. Remaining changes:
911+ - Enable AppArmor support:
912+ - d/apparmor-profile: add AppArmor profile
913+ - d/rules: use dh_apparmor
914+ - d/control: Build-Depends on dh-apparmor
915+ - d/slapd.README.Debian: add note about AppArmor
916+ - Enable GSSAPI support:
917+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
918+ - Add --with-gssapi support
919+ - Make guess_service_principal() more robust when determining
920+ principal
921+ - d/configure.options: Configure with --with-gssapi
922+ - d/control: Added heimdal-dev as a build depend
923+ - d/rules:
924+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
925+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
926+ - Enable ufw support:
927+ - d/control: suggest ufw.
928+ - d/rules: install ufw profile.
929+ - d/slapd.ufw.profile: add ufw profile.
930+ - Enable nss overlay:
931+ - d/{patches/nssov-build,rules}: Apply, build and package the
932+ nss overlay.
933+ - d/{rules,slapd.py}: Add apport hook.
934+ [ d/rules modification mentioned above was dropped in
935+ 2.4.23-6ubuntu1, re-adding it ]
936+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
937+ either the default DIT nor via an Authn mapping.
938+ - d/slapd.scripts-common:
939+ - add slapcat_opts to local variables.
940+ - Fix backup directory naming for multiple reconfiguration.
941+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
942+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
943+ in the openldap library, as required by Likewise-Open
944+ - Show distribution in version:
945+ - d/control: added lsb-release
946+ - d/patches/fix-ldap-distribution.patch: show distribution in version
947+ [ Refreshed patch ]
948+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
949+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
950+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
951+ [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
952+ - Fix use after free with GnuTLS. (LP #1557248)
953+
954+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sat, 22 Apr 2017 14:28:54 +0200
955+
956 openldap (2.4.44+dfsg-4) unstable; urgency=medium
957
958 * Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to
959@@ -329,6 +1122,67 @@ openldap (2.4.44+dfsg-4) unstable; urgency=medium
960
961 -- Ryan Tandy <ryan@nardis.ca> Sun, 16 Apr 2017 20:10:43 -0700
962
963+openldap (2.4.44+dfsg-3ubuntu2) zesty; urgency=medium
964+
965+ * d/rules: Fix typo in previous upload.
966+
967+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 12:17:02 -0800
968+
969+openldap (2.4.44+dfsg-3ubuntu1) zesty; urgency=medium
970+
971+ * Merge with Debian unstable (LP: #1663702, LP: #1654416). Remaining
972+ changes
973+ - Enable AppArmor support:
974+ - d/apparmor-profile: add AppArmor profile
975+ - d/rules: use dh_apparmor
976+ - d/control: Build-Depends on dh-apparmor
977+ - d/slapd.README.Debian: add note about AppArmor
978+ - Enable GSSAPI support:
979+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
980+ - Add --with-gssapi support
981+ - Make guess_service_principal() more robust when determining
982+ principal
983+ - d/configure.options: Configure with --with-gssapi
984+ - d/control: Added heimdal-dev as a build depend
985+ - d/rules:
986+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
987+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
988+ - Enable ufw support:
989+ - d/control: suggest ufw.
990+ - d/rules: install ufw profile.
991+ - d/slapd.ufw.profile: add ufw profile.
992+ - Enable nss overlay:
993+ - d/{patches/nssov-build,rules}: Apply, build and package the
994+ nss overlay.
995+ - d/{rules,slapd.py}: Add apport hook.
996+ [ d/rules modification mentioned above was dropped in
997+ 2.4.23-6ubuntu1, re-adding it ]
998+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
999+ either the default DIT nor via an Authn mapping.
1000+ - d/slapd.scripts-common:
1001+ - add slapcat_opts to local variables.
1002+ - Fix backup directory naming for multiple reconfiguration.
1003+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1004+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1005+ in the openldap library, as required by Likewise-Open
1006+ - Show distribution in version:
1007+ - d/control: added lsb-release
1008+ - d/patches/fix-ldap-distribution.patch: show distribution in version
1009+ [ Refreshed patch ]
1010+ - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
1011+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
1012+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
1013+ [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
1014+ - Fix use after free with GnuTLS. (LP #1557248)
1015+ * Drop:
1016+ - d/slapd.scripts-common:
1017+ + Remove unused variable new_conf.
1018+ [ configure_v2_protocol_support function removed in 2.4.44+dfsg-1 ]
1019+ - d/b/config.log: add config.log
1020+ [ previously undocumented, stray change ]
1021+
1022+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Fri, 10 Feb 2017 11:38:57 -0800
1023+
1024 openldap (2.4.44+dfsg-3) unstable; urgency=medium
1025
1026 * Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394)
1027@@ -401,6 +1255,73 @@ openldap (2.4.44+dfsg-1) unstable; urgency=medium
1028
1029 -- Ryan Tandy <ryan@nardis.ca> Mon, 14 Nov 2016 18:59:30 -0800
1030
1031+openldap (2.4.42+dfsg-2ubuntu5) zesty; urgency=medium
1032+
1033+ * No-change rebuild for perl 5.24 transition
1034+
1035+ -- Iain Lane <iain@orangesquash.org.uk> Mon, 24 Oct 2016 10:37:13 +0100
1036+
1037+openldap (2.4.42+dfsg-2ubuntu4) yakkety; urgency=medium
1038+
1039+ * Fix use after free with GnuTLS. (LP: #1557248)
1040+
1041+ -- Maciej Puzio <maciej@work.swmed.edu> Fri, 25 Mar 2016 15:24:25 -0500
1042+
1043+openldap (2.4.42+dfsg-2ubuntu3) xenial; urgency=medium
1044+
1045+ * Fix building with gssapi suppport:
1046+ - Explicitly add -I/usr/include/heimdal to CFLAGS.
1047+ - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
1048+
1049+ -- Matthias Klose <doko@ubuntu.com> Thu, 18 Feb 2016 09:17:27 +0100
1050+
1051+openldap (2.4.42+dfsg-2ubuntu2) xenial; urgency=medium
1052+
1053+ * No-change rebuild for gnutls transition.
1054+
1055+ -- Matthias Klose <doko@ubuntu.com> Wed, 17 Feb 2016 22:27:04 +0000
1056+
1057+openldap (2.4.42+dfsg-2ubuntu1) xenial; urgency=medium
1058+
1059+ * Merge from Debian testing (LP: #1532648). Remaining changes:
1060+ - Enable AppArmor support:
1061+ - d/apparmor-profile: add AppArmor profile
1062+ - d/rules: use dh_apparmor
1063+ - d/control: Build-Depends on dh-apparmor
1064+ - d/slapd.README.Debian: add note about AppArmor
1065+ - Enable GSSAPI support:
1066+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1067+ - Add --with-gssapi support
1068+ - Make guess_service_principal() more robust when determining
1069+ principal
1070+ - d/configure.options: Configure with --with-gssapi
1071+ - d/control: Added heimdal-dev as a build depend
1072+ - Enable ufw support:
1073+ - d/control: suggest ufw.
1074+ - d/rules: install ufw profile.
1075+ - d/slapd.ufw.profile: add ufw profile.
1076+ - Enable nss overlay:
1077+ - d/{patches/nssov-build,rules}: Apply, build and package the
1078+ nss overlay.
1079+ - d/{rules,slapd.py}: Add apport hook.
1080+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
1081+ either the default DIT nor via an Authn mapping.
1082+ - d/slapd.scripts-common:
1083+ - add slapcat_opts to local variables.
1084+ - Remove unused variable new_conf.
1085+ - Fix backup directory naming for multiple reconfiguration.
1086+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1087+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1088+ in the openldap library, as required by Likewise-Open
1089+ - Show distribution in version:
1090+ - d/control: added lsb-release
1091+ - d/patches/fix-ldap-distribution.patch: show distribution in version
1092+ * Drop CVE-2015-6908.patch, included in Debian.
1093+ * Remove DEB_HOST_ARCH from debian/rules: left over from when mdb was
1094+ disabled on ppc64el, no longer used, and missed in the previous merge.
1095+
1096+ -- Ryan Tandy <ryan@nardis.ca> Sun, 10 Jan 2016 15:50:53 -0800
1097+
1098 openldap (2.4.42+dfsg-2) unstable; urgency=medium
1099
1100 [ Ryan Tandy ]
1101@@ -468,6 +1389,71 @@ openldap (2.4.42+dfsg-1) unstable; urgency=medium
1102
1103 -- Ryan Tandy <ryan@nardis.ca> Fri, 21 Aug 2015 13:07:51 -0700
1104
1105+openldap (2.4.41+dfsg-1ubuntu3) xenial; urgency=medium
1106+
1107+ * Rebuild for Perl 5.22.1.
1108+
1109+ -- Colin Watson <cjwatson@ubuntu.com> Fri, 18 Dec 2015 15:10:17 +0000
1110+
1111+openldap (2.4.41+dfsg-1ubuntu2) wily; urgency=medium
1112+
1113+ * SECURITY UPDATE: denial of service via crafted BER data
1114+ - debian/patches/CVE-2015-6908.patch: remove obsolete assert in
1115+ libraries/liblber/io.c.
1116+ - CVE-2015-6908
1117+
1118+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Sep 2015 10:25:04 -0400
1119+
1120+openldap (2.4.41+dfsg-1ubuntu1) wily; urgency=medium
1121+
1122+ * Merge from Debian testing (LP: #1471831). Remaining changes:
1123+ - Enable AppArmor support:
1124+ - d/apparmor-profile: add AppArmor profile
1125+ - d/rules: use dh_apparmor
1126+ - d/control: Build-Depends on dh-apparmor
1127+ - d/slapd.README.Debian: add note about AppArmor
1128+ - Enable GSSAPI support:
1129+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1130+ - Add --with-gssapi support
1131+ - Make guess_service_principal() more robust when determining
1132+ principal
1133+ - d/configure.options: Configure with --with-gssapi
1134+ - d/control: Added heimdal-dev as a build depend
1135+ - Enable ufw support:
1136+ - d/control: suggest ufw.
1137+ - d/rules: install ufw profile.
1138+ - d/slapd.ufw.profile: add ufw profile.
1139+ - Enable nss overlay:
1140+ - d/{patches/nssov-build,rules}: Apply, build and package the
1141+ nss overlay.
1142+ - d/{rules,slapd.py}: Add apport hook.
1143+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
1144+ either the default DIT nor via an Authn mapping.
1145+ - d/slapd.scripts-common:
1146+ - add slapcat_opts to local variables.
1147+ - Remove unused variable new_conf.
1148+ - Fix backup directory naming for multiple reconfiguration.
1149+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1150+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1151+ in the openldap library, as required by Likewise-Open
1152+ - Show distribution in version:
1153+ - d/control: added lsb-release
1154+ - d/patches/fix-ldap-distribution.patch: show distribution in version
1155+ * Dropped changes:
1156+ - Fix cpp calls for GCC 5: fixed upstream (ITS#8056)
1157+ * Upstream fixes:
1158+ - slapd crash with auditlog overlay and large (~27KB) attribute values
1159+ (ITS#8003) (LP: #1461276)
1160+ - nssov updated to support recent nss-pam-ldapd client libraries
1161+ (ITS#8097) (LP: #1393306)
1162+ * Update d/patches/nssov-build for upstream changes.
1163+ * Tweak d/patches/gssapi.diff to apply without fuzz.
1164+ * d/libldap-2.4-2.symbols: Add symbols not present in Debian.
1165+ - CLDAP (UDP) was added in 2.4.17-1ubuntu2
1166+ - GSSAPI support was enabled in 2.4.18-0ubuntu2
1167+
1168+ -- Ryan Tandy <ryan@nardis.ca> Fri, 24 Jul 2015 14:12:06 -0700
1169+
1170 openldap (2.4.41+dfsg-1) unstable; urgency=medium
1171
1172 * New upstream release.
1173@@ -487,6 +1473,62 @@ openldap (2.4.40+dfsg-2) unstable; urgency=medium
1174
1175 -- Ryan Tandy <ryan@nardis.ca> Sun, 28 Jun 2015 20:40:37 -0700
1176
1177+openldap (2.4.40+dfsg-1ubuntu2) wily; urgency=medium
1178+
1179+ * No-change rebuild for the libnettle6 transition.
1180+
1181+ -- Adam Conrad <adconrad@ubuntu.com> Sun, 14 Jun 2015 03:58:30 -0600
1182+
1183+openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low
1184+
1185+ * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
1186+ - Enable AppArmor support:
1187+ - d/apparmor-profile: add AppArmor profile
1188+ - d/rules: use dh_apparmor
1189+ - d/control: Build-Depends on dh-apparmor
1190+ - d/slapd.README.Debian: add note about AppArmor
1191+ - Enable GSSAPI support:
1192+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1193+ - Add --with-gssapi support
1194+ - Make guess_service_principal() more robust when determining
1195+ principal
1196+ - d/configure.options: Configure with --with-gssapi
1197+ - d/control: Added heimdal-dev as a build depend
1198+ - Enable ufw support:
1199+ - d/control: suggest ufw.
1200+ - d/rules: install ufw profile.
1201+ - d/slapd.ufw.profile: add ufw profile.
1202+ - Enable nss overlay:
1203+ - d/{patches/nssov-build,rules}: Apply, build and package the
1204+ nss overlay.
1205+ - d/{rules,slapd.py}: Add apport hook.
1206+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
1207+ either the default DIT nor via an Authn mapping.
1208+ - d/slapd.scripts-common:
1209+ - add slapcat_opts to local variables.
1210+ - Remove unused variable new_conf.
1211+ - Fix backup directory naming for multiple reconfiguration.
1212+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1213+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1214+ in the openldap library, as required by Likewise-Open
1215+ - Show distribution in version:
1216+ - d/control: added lsb-release
1217+ - d/patches/fix-ldap-distribution.patch: show distribution in version
1218+ * Drop patches included upstream:
1219+ - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
1220+ - d/patches/bdb-deadlock.patch
1221+ - d/patches/its-7354-fix-delta-sync-mmr.diff
1222+ * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
1223+ * debian/patches/nssov-build: Adjust for upstream changes.
1224+ * debian/apparmor-profile:
1225+ - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
1226+ kernel ABI v7 (utopic and later). (LP: #1392018)
1227+ - Reduce permissions on /run/nslcd to just the nslcd socket.
1228+ * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
1229+ (LP: #1293250)
1230+
1231+ -- Ryan Tandy <ryan@nardis.ca> Mon, 25 May 2015 19:49:21 -0700
1232+
1233 openldap (2.4.40+dfsg-1) unstable; urgency=medium
1234
1235 * Remove inetorgperson.schema from the upstream source. Replace it with a
1236@@ -675,6 +1717,187 @@ openldap (2.4.39-1) unstable; urgency=low
1237
1238 -- Steve Langasek <vorlon@debian.org> Mon, 17 Mar 2014 15:27:31 -0700
1239
1240+openldap (2.4.31-1+nmu2ubuntu12) vivid; urgency=medium
1241+
1242+ * Fix cpp calls for GCC 5.
1243+
1244+ -- Matthias Klose <doko@ubuntu.com> Fri, 06 Mar 2015 13:23:29 +0100
1245+
1246+openldap (2.4.31-1+nmu2ubuntu11) utopic; urgency=medium
1247+
1248+ * debian/apparmor-profile:
1249+ - allow p11-kit abstraction
1250+ - allow read of /etc/gss/mech.d/*
1251+
1252+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 02 Sep 2014 15:29:05 -0500
1253+
1254+openldap (2.4.31-1+nmu2ubuntu10) utopic; urgency=medium
1255+
1256+ * Rebuild for Perl 5.20.0.
1257+
1258+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 21 Aug 2014 13:29:20 +0100
1259+
1260+openldap (2.4.31-1+nmu2ubuntu9) utopic; urgency=medium
1261+
1262+ * Cherry-pick upstream patch for compat with recent GNUTLS.
1263+ * Build-depend on libgnutls28-dev.
1264+ * Build-depend on libgcrypt20-dev.
1265+
1266+ -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 08 Aug 2014 11:01:56 +0100
1267+
1268+openldap (2.4.31-1+nmu2ubuntu8) trusty; urgency=medium
1269+
1270+ * Bump database_format_changed value to 2.4.31-1+nmu2ubuntu5 for db5.3.
1271+
1272+ -- Adam Conrad <adconrad@ubuntu.com> Mon, 17 Mar 2014 12:50:18 -0600
1273+
1274+openldap (2.4.31-1+nmu2ubuntu7) trusty; urgency=medium
1275+
1276+ * Disable mdb backend on ppc64el due to test-suite failures.
1277+
1278+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 17 Mar 2014 16:32:29 +0000
1279+
1280+openldap (2.4.31-1+nmu2ubuntu6) trusty; urgency=low
1281+
1282+ * Fix segfault issue with master-master syncrepl (LP: #1287730):
1283+ - d/patches/its-7354-fix-delta-sync-mmr.diff: Cherry picked
1284+ patch from upstream VCS.
1285+
1286+ -- Pierre Fersing <pfersing@sierrawireless.com> Tue, 04 Mar 2014 16:04:57 +0100
1287+
1288+openldap (2.4.31-1+nmu2ubuntu5) trusty; urgency=low
1289+
1290+ * Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
1291+
1292+ -- Dmitrijs Ledkovs <xnox@ubuntu.com> Mon, 04 Nov 2013 08:04:30 +0000
1293+
1294+openldap (2.4.31-1+nmu2ubuntu4) trusty; urgency=low
1295+
1296+ * Rebuild for Perl 5.18.
1297+
1298+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 22 Oct 2013 12:16:39 +0100
1299+
1300+openldap (2.4.31-1+nmu2ubuntu3) saucy; urgency=low
1301+
1302+ * Update build/config.guess and build/config.sub at build time; this was
1303+ not done automatically because the top-level configure.in does not use
1304+ Automake.
1305+
1306+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 08 Oct 2013 17:24:59 +0100
1307+
1308+openldap (2.4.31-1+nmu2ubuntu2) saucy; urgency=low
1309+
1310+ * debian/control: added lsb-release
1311+ * debian/patches/fix-ldap-distribution.patch: show distribution in version
1312+
1313+ -- Yolanda Robla <yolanda.robla@canonical.com> Mon, 08 Jul 2013 16:53:09 +0200
1314+
1315+openldap (2.4.31-1+nmu2ubuntu1) saucy; urgency=low
1316+
1317+ * Merge from Debian unstable. Remaining changes:
1318+ - Enable AppArmor support:
1319+ - d/apparmor-profile: add AppArmor profile
1320+ - d/rules: use dh_apparmor
1321+ - d/control: Build-Depends on dh-apparmor
1322+ - d/slapd.README.Debian: add note about AppArmor
1323+ - d/slapd.dirs: add etc/apparmor.d/force-complain
1324+ - Enable GSSAPI support:
1325+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1326+ - Add --with-gssapi support
1327+ - Make guess_service_principal() more robust when determining
1328+ principal
1329+ - d/configure.options: Configure with --with-gssapi
1330+ - d/control: Added libkrb5-dev as a build depend
1331+ - Enable ufw support:
1332+ - d/control: suggest ufw.
1333+ - d/rules: install ufw profile.
1334+ - d/slapd.ufw.profile: add ufw profile.
1335+ - Enable nss overlay:
1336+ - d/{patches/nssov-build,/rules}: Apply, build and package the
1337+ nss overlay.
1338+ - d/{rules,slapd.py}: Add apport hook.
1339+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
1340+ either the default DIT nor via an Authn mapping.
1341+ - d/slapd.scripts-common:
1342+ - add slapcat_opts to local variables.
1343+ - Remove unused variable new_conf.
1344+ - Fix backup directory naming for multiple reconfiguration.
1345+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1346+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1347+ in the openldap library, as required by Likewise-Open
1348+ - d/{control,rules}: enable PIE hardening
1349+
1350+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 30 May 2013 13:03:25 -0400
1351+
1352+openldap (2.4.31-1+nmu2) unstable; urgency=high
1353+
1354+ * Non-maintainer upload.
1355+ * No-change rebuild in a clean environment
1356+
1357+ -- Jonathan Wiltshire <jmw@debian.org> Tue, 23 Apr 2013 13:10:00 +0100
1358+
1359+openldap (2.4.31-1+nmu1) unstable; urgency=medium
1360+
1361+ * Non-maintainer upload.
1362+ * Avoid deadlocks in back-bdb that truncate slapcat output (closes: #673038).
1363+
1364+ -- Michael Gilbert <mgilbert@debian.org> Tue, 16 Apr 2013 03:35:31 +0000
1365+
1366+openldap (2.4.31-1ubuntu2) quantal-proposed; urgency=low
1367+
1368+ * debian/slapd.py: Add AppArmor info and logs to apport hook.
1369+
1370+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 20 Aug 2012 08:46:02 -0400
1371+
1372+openldap (2.4.31-1ubuntu1) quantal; urgency=low
1373+
1374+ * Merge from Debian unstable. Remaining changes:
1375+ - Enable AppArmor support:
1376+ - d/apparmor-profile: add AppArmor profile
1377+ - d/rules: use dh_apparmor
1378+ - d/control: Build-Depends on dh-apparmor
1379+ - d/slapd.README.Debian: add note about AppArmor
1380+ - d/slapd.dirs: add etc/apparmor.d/force-complain
1381+ - Enable GSSAPI support (LP: #495418):
1382+ - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1383+ - Add --with-gssapi support
1384+ - Make guess_service_principal() more robust when determining
1385+ principal
1386+ - d/configure.options: Configure with --with-gssapi
1387+ - d/control: Added libkrb5-dev as a build depend
1388+ - Enable ufw support (LP: #423246):
1389+ - d/control: suggest ufw.
1390+ - d/rules: install ufw profile.
1391+ - d/slapd.ufw.profile: add ufw profile.
1392+ - Enable nss overlay (LP: #675391):
1393+ - d/{patches/nssov-build,/rules}: Apply, build and package the
1394+ nss overlay.
1395+ - d/{rules,slapd.py}: Add apport hook. (LP: #610544)
1396+ - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
1397+ either the default DIT nor via an Authn mapping.
1398+ - d/slapd.scripts-common:
1399+ - add slapcat_opts to local variables.
1400+ - Remove unused variable new_conf.
1401+ - Fix backup directory naming for multiple reconfiguration.
1402+ - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
1403+ - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1404+ in the openldap library, as required by Likewise-Open (LP: #390579)
1405+ - d/{control,rules}: enable PIE hardening
1406+ * Dropped changes:
1407+ - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Included in upstream release.
1408+ - d/patches/CVE-2011-4079: Included in upstream release.
1409+ - d/patches/service-operational-before-detach: Included in upstream release.
1410+ - d/schema/extra/misc.ldif: Included upstream.
1411+ - d/{rules,schema/extra}: Fix configure and clean rules to support
1412+ extra schemas shipped as part of the debian/schema/ directory; no longer required.
1413+ - Included in Debian:
1414+ + Document cn=config in README file.
1415+ + Install a default DIT; actually a minimal configuration.
1416+ + d/patches/heimdal-fix.
1417+ * General tidy of d/patches to remove obsolete patches being held in Ubuntu delta.
1418+
1419+ -- James Page <james.page@ubuntu.com> Fri, 20 Jul 2012 13:48:32 +0100
1420+
1421 openldap (2.4.31-1) unstable; urgency=low
1422
1423 * New upstream release.
1424@@ -701,6 +1924,121 @@ openldap (2.4.31-1) unstable; urgency=low
1425
1426 -- Steve Langasek <vorlon@debian.org> Wed, 27 Jun 2012 03:27:34 +0000
1427
1428+openldap (2.4.28-1.1ubuntu6) quantal; urgency=low
1429+
1430+ * Fix issue with intermittent connection issues when using LDAPv3
1431+ protocol (LP: #1023025):
1432+ - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
1433+ patch from upstream VCS which ensures objects are initialized before
1434+ re-use.
1435+
1436+ -- Pierre Fersing <pfersing@sierrawireless.com> Thu, 19 Jul 2012 14:05:09 +0100
1437+
1438+openldap (2.4.28-1.1ubuntu5) quantal; urgency=low
1439+
1440+ * debian/rules: Add smbk5pwd build.
1441+ * debian/control: Add slapd-smbk5pwd binary package.
1442+ * debian/patches/heimdal-fix: adapt parameters of
1443+ hdb_generate_key_set_password() to heimdal 1.6~git20120311
1444+ (patch from Debian #664930).
1445+
1446+ -- Jorge Salamero Sanz <bencer@debian.org> Wed, 18 Jul 2012 09:30:28 -0400
1447+
1448+openldap (2.4.28-1.1ubuntu4) precise; urgency=low
1449+
1450+ * debian/control: Build-Depends on dh-apparmor (LP: #948481)
1451+
1452+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 05 Apr 2012 09:34:37 -0500
1453+
1454+openldap (2.4.28-1.1ubuntu3) precise; urgency=low
1455+
1456+ * Add its-7176-only-poll-sockets-for-write-as-needed.diff
1457+ (LP: #932823).
1458+
1459+ -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 21 Feb 2012 15:36:29 +0200
1460+
1461+openldap (2.4.28-1.1ubuntu2) precise; urgency=low
1462+
1463+ * Remove debian/patches/CVE-2011-4079; it's already in this upstream
1464+ version. Fixes FTBFS.
1465+
1466+ -- Daniel T Chen <crimsun@ubuntu.com> Wed, 25 Jan 2012 17:26:17 -0500
1467+
1468+openldap (2.4.28-1.1ubuntu1) precise; urgency=low
1469+
1470+ * Merge from Debian testing. Remaining changes:
1471+ - Install a default DIT (LP: #442498).
1472+ - Document cn=config in README file (LP: #370784).
1473+ - remaining changes:
1474+ + AppArmor support:
1475+ - debian/apparmor-profile: add AppArmor profile
1476+ - use dh_apparmor:
1477+ - debian/rules: use dh_apparmor
1478+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1479+ - updated debian/slapd.README.Debian for note on AppArmor
1480+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1481+ + Enable GSSAPI support (LP: #495418):
1482+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1483+ - Add --with-gssapi support
1484+ - Make guess_service_principal() more robust when determining
1485+ principal
1486+ - debian/patches/series: apply gssapi.diff patch.
1487+ - debian/configure.options: Configure with --with-gssapi
1488+ - debian/control: Added libkrb5-dev as a build depend
1489+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1490+ in the openldap library, as required by Likewise-Open (LP: #390579)
1491+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1492+ - debian/control:
1493+ - remove build-dependency on heimdal-dev.
1494+ - remove slapd-smbk5pwd binary package.
1495+ - debian/rules: don't build smbk5pwd slapd module.
1496+ + debian/{control,rules}: enable PIE hardening
1497+ + ufw support (LP: #423246):
1498+ - debian/control: suggest ufw.
1499+ - debian/rules: install ufw profile.
1500+ - debian/slapd.ufw.profile: add ufw profile.
1501+ + Enable nssoverlay:
1502+ - debian/patches/nssov-build, debian/series, debian/rules:
1503+ Apply, build and package the nss overlay.
1504+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1505+ which defines rfc822MailMember (required by the nss overlay).
1506+ + debian/rules, debian/schema/extra/:
1507+ Fix configure rule to supports extra schemas shipped as part
1508+ of the debian/schema/ directory.
1509+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1510+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1511+ neither the default DIT nor via an Authn mapping.
1512+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1513+ database upgrade. Upgrade from maverick shouldn't trigger database
1514+ upgrade (which would happen with the version used in Debian).
1515+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1516+ Remove unused variable new_conf.
1517+ + debian/slapd.script-common: Fix package reconfiguration.
1518+ - Fix backup directory naming for multiple reconfiguration.
1519+ + debian/slapd.default, debian/slapd.README.Debian:
1520+ use the new configuration style.
1521+ + Install nss overlay (LP: #675391):
1522+ - debian/rules: run install target for nssov module.
1523+ - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
1524+ + debian/patches/gssapi.diff:
1525+ - Update patch so that likewise-open is usuable again. (LP: #661547)
1526+ + debian/patches/service-operational-before-detach: New patch replacing old one
1527+ of the same name as previous could cause database corruption based on upstream commits.
1528+ (LP: #727973)
1529+ + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
1530+ (CVE-2011-4079)
1531+
1532+
1533+ -- Chuck Short <zulcss@ubuntu.com> Mon, 23 Jan 2012 10:01:13 -0500
1534+
1535+openldap (2.4.28-1.1) unstable; urgency=low
1536+
1537+ * Non-maintainer upload.
1538+ * Disable the mdb backend on non-Linux, it looks like it doesn't work with
1539+ linuxthreads (closes: #654824).
1540+
1541+ -- Julien Cristau <jcristau@debian.org> Mon, 16 Jan 2012 19:45:42 +0100
1542+
1543 openldap (2.4.28-1) unstable; urgency=low
1544
1545 * New upstream release.
1546@@ -728,6 +2066,72 @@ openldap (2.4.28-1) unstable; urgency=low
1547
1548 -- Steve Langasek <vorlon@debian.org> Thu, 05 Jan 2012 06:07:11 +0000
1549
1550+openldap (2.4.25-4ubuntu1) precise; urgency=low
1551+
1552+ * Merge from Debian testing. Remaining changes:
1553+ - Install a default DIT (LP: #442498).
1554+ - Document cn=config in README file (LP: #370784).
1555+ - remaining changes:
1556+ + AppArmor support:
1557+ - debian/apparmor-profile: add AppArmor profile
1558+ - use dh_apparmor:
1559+ - debian/rules: use dh_apparmor
1560+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1561+ - updated debian/slapd.README.Debian for note on AppArmor
1562+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1563+ + Enable GSSAPI support (LP: #495418):
1564+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1565+ - Add --with-gssapi support
1566+ - Make guess_service_principal() more robust when determining
1567+ principal
1568+ - debian/patches/series: apply gssapi.diff patch.
1569+ - debian/configure.options: Configure with --with-gssapi
1570+ - debian/control: Added libkrb5-dev as a build depend
1571+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1572+ in the openldap library, as required by Likewise-Open (LP: #390579)
1573+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1574+ - debian/control:
1575+ - remove build-dependency on heimdal-dev.
1576+ - remove slapd-smbk5pwd binary package.
1577+ - debian/rules: don't build smbk5pwd slapd module.
1578+ + debian/{control,rules}: enable PIE hardening
1579+ + ufw support (LP: #423246):
1580+ - debian/control: suggest ufw.
1581+ - debian/rules: install ufw profile.
1582+ - debian/slapd.ufw.profile: add ufw profile.
1583+ + Enable nssoverlay:
1584+ - debian/patches/nssov-build, debian/series, debian/rules:
1585+ Apply, build and package the nss overlay.
1586+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1587+ which defines rfc822MailMember (required by the nss overlay).
1588+ + debian/rules, debian/schema/extra/:
1589+ Fix configure rule to supports extra schemas shipped as part
1590+ of the debian/schema/ directory.
1591+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1592+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1593+ neither the default DIT nor via an Authn mapping.
1594+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1595+ database upgrade. Upgrade from maverick shouldn't trigger database
1596+ upgrade (which would happen with the version used in Debian).
1597+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1598+ Remove unused variable new_conf.
1599+ + debian/slapd.script-common: Fix package reconfiguration.
1600+ - Fix backup directory naming for multiple reconfiguration.
1601+ + debian/slapd.default, debian/slapd.README.Debian:
1602+ use the new configuration style.
1603+ + Install nss overlay (LP: #675391):
1604+ - debian/rules: run install target for nssov module.
1605+ - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
1606+ + debian/patches/gssapi.diff:
1607+ - Update patch so that likewise-open is usuable again. (LP: #661547)
1608+ + debian/patches/service-operational-before-detach: New patch replacing old one
1609+ of the same name as previous could cause database corruption based on upstream commits.
1610+ (LP: #727973)
1611+ + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
1612+ (CVE-2011-4079)
1613+
1614+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Nov 2011 06:17:49 +0000
1615+
1616 openldap (2.4.25-4) unstable; urgency=low
1617
1618 * Drop explicit depends on libdb4.8, since we're now linking against
1619@@ -761,6 +2165,85 @@ openldap (2.4.25-4) unstable; urgency=low
1620
1621 -- Steve Langasek <vorlon@debian.org> Tue, 18 Oct 2011 01:08:34 +0000
1622
1623+openldap (2.4.25-3ubuntu3) precise; urgency=low
1624+
1625+ * Rebuild for Perl 5.14.
1626+
1627+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 15 Nov 2011 20:50:09 +0000
1628+
1629+openldap (2.4.25-3ubuntu2) precise; urgency=low
1630+
1631+ * SECURITY UPDATE: potential denial of service (LP: #884163)
1632+ - debian/patches/CVE-2011-4079: fix off by one error in
1633+ postalAddressNormalize()
1634+ - CVE-2011-4079
1635+
1636+ -- Jamie Strandboge <jamie@ubuntu.com> Mon, 14 Nov 2011 13:59:56 -0600
1637+
1638+openldap (2.4.25-3ubuntu1) precise; urgency=low
1639+
1640+ * Merge from debian unstable. Remaining changes:
1641+ - Install a default DIT (LP: #442498).
1642+ - Document cn=config in README file (LP: #370784).
1643+ - remaining changes:
1644+ + AppArmor support:
1645+ - debian/apparmor-profile: add AppArmor profile
1646+ - use dh_apparmor:
1647+ - debian/rules: use dh_apparmor
1648+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1649+ - updated debian/slapd.README.Debian for note on AppArmor
1650+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1651+ + Enable GSSAPI support (LP: #495418):
1652+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1653+ - Add --with-gssapi support
1654+ - Make guess_service_principal() more robust when determining
1655+ principal
1656+ - debian/patches/series: apply gssapi.diff patch.
1657+ - debian/configure.options: Configure with --with-gssapi
1658+ - debian/control: Added libkrb5-dev as a build depend
1659+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1660+ in the openldap library, as required by Likewise-Open (LP: #390579)
1661+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1662+ - debian/control:
1663+ - remove build-dependency on heimdal-dev.
1664+ - remove slapd-smbk5pwd binary package.
1665+ - debian/rules: don't build smbk5pwd slapd module.
1666+ + debian/{control,rules}: enable PIE hardening
1667+ + ufw support (LP: #423246):
1668+ - debian/control: suggest ufw.
1669+ - debian/rules: install ufw profile.
1670+ - debian/slapd.ufw.profile: add ufw profile.
1671+ + Enable nssoverlay:
1672+ - debian/patches/nssov-build, debian/series, debian/rules:
1673+ Apply, build and package the nss overlay.
1674+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1675+ which defines rfc822MailMember (required by the nss overlay).
1676+ + debian/rules, debian/schema/extra/:
1677+ Fix configure rule to supports extra schemas shipped as part
1678+ of the debian/schema/ directory.
1679+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1680+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1681+ neither the default DIT nor via an Authn mapping.
1682+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1683+ database upgrade. Upgrade from maverick shouldn't trigger database
1684+ upgrade (which would happen with the version used in Debian).
1685+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1686+ Remove unused variable new_conf.
1687+ + debian/slapd.script-common: Fix package reconfiguration.
1688+ - Fix backup directory naming for multiple reconfiguration.
1689+ + debian/slapd.default, debian/slapd.README.Debian:
1690+ use the new configuration style.
1691+ + Install nss overlay (LP: #675391):
1692+ - debian/rules: run install target for nssov module.
1693+ - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
1694+ + debian/patches/gssapi.diff:
1695+ - Update patch so that likewise-open is usuable again. (LP: #661547)
1696+ + debian/patches/service-operational-before-detach: New patch replacing old one
1697+ of the same name as previous could cause database corruption based on upstream commits.
1698+ (LP: #727973)
1699+
1700+ -- Chuck Short <zulcss@ubuntu.com> Wed, 19 Oct 2011 20:53:08 +0000
1701+
1702 openldap (2.4.25-3) unstable; urgency=low
1703
1704 * Brown paper bag: really fix the .links.in handling, so we don't generate
1705@@ -783,6 +2266,92 @@ openldap (2.4.25-2) unstable; urgency=low
1706
1707 -- Steve Langasek <vorlon@debian.org> Sun, 14 Aug 2011 23:17:09 -0700
1708
1709+openldap (2.4.25-1.1ubuntu4) oneiric; urgency=low
1710+
1711+ * Brown paper bag: really fix the .links.in handling, so we don't generate
1712+ broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.
1713+
1714+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 15 Aug 2011 09:43:29 +0000
1715+
1716+openldap (2.4.25-1.1ubuntu3) oneiric; urgency=low
1717+
1718+ * Cherry-pick multiarch support from Debian (LP: #826601):
1719+ - Bump to compat level 7, so we don't have to spell out debian/tmp in
1720+ every single .install file
1721+ - Build for multiarch.
1722+
1723+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 15 Aug 2011 02:23:43 -0700
1724+
1725+openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low
1726+
1727+ * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
1728+
1729+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 14 Jul 2011 15:18:02 +0200
1730+
1731+openldap (2.4.25-1.1ubuntu1) oneiric; urgency=low
1732+
1733+ * Merge from debian unstable. Remaining changes:
1734+ - Install a default DIT (LP: #442498).
1735+ - Document cn=config in README file (LP: #370784).
1736+ - remaining changes:
1737+ + AppArmor support:
1738+ - debian/apparmor-profile: add AppArmor profile
1739+ - use dh_apparmor:
1740+ - debian/rules: use dh_apparmor
1741+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1742+ - updated debian/slapd.README.Debian for note on AppArmor
1743+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1744+ + Enable GSSAPI support (LP: #495418):
1745+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1746+ - Add --with-gssapi support
1747+ - Make guess_service_principal() more robust when determining
1748+ principal
1749+ - debian/patches/series: apply gssapi.diff patch.
1750+ - debian/configure.options: Configure with --with-gssapi
1751+ - debian/control: Added libkrb5-dev as a build depend
1752+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1753+ in the openldap library, as required by Likewise-Open (LP: #390579)
1754+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1755+ - debian/control:
1756+ - remove build-dependency on heimdal-dev.
1757+ - remove slapd-smbk5pwd binary package.
1758+ - debian/rules: don't build smbk5pwd slapd module.
1759+ + debian/{control,rules}: enable PIE hardening
1760+ + ufw support (LP: #423246):
1761+ - debian/control: suggest ufw.
1762+ - debian/rules: install ufw profile.
1763+ - debian/slapd.ufw.profile: add ufw profile.
1764+ + Enable nssoverlay:
1765+ - debian/patches/nssov-build, debian/series, debian/rules:
1766+ Apply, build and package the nss overlay.
1767+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1768+ which defines rfc822MailMember (required by the nss overlay).
1769+ + debian/rules, debian/schema/extra/:
1770+ Fix configure rule to supports extra schemas shipped as part
1771+ of the debian/schema/ directory.
1772+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1773+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1774+ neither the default DIT nor via an Authn mapping.
1775+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1776+ database upgrade. Upgrade from maverick shouldn't trigger database
1777+ upgrade (which would happen with the version used in Debian).
1778+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1779+ Remove unused variable new_conf.
1780+ + debian/slapd.script-common: Fix package reconfiguration.
1781+ - Fix backup directory naming for multiple reconfiguration.
1782+ + debian/slapd.default, debian/slapd.README.Debian:
1783+ use the new configuration style.
1784+ + Install nss overlay (LP: #675391):
1785+ - debian/rules: run install target for nssov module.
1786+ - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
1787+ + debian/patches/gssapi.diff:
1788+ - Update patch so that likewise-open is usuable again. (LP: #661547)
1789+ + debian/patches/service-operational-before-detach: New patch replacing old one
1790+ of the same name as previous could cause database corruption based on upstream commits.
1791+ (LP: #727973)
1792+
1793+ -- Chuck Short <zulcss@ubuntu.com> Sun, 05 Jun 2011 17:38:40 +0100
1794+
1795 openldap (2.4.25-1.1) unstable; urgency=low
1796
1797 * Non-maintainer upload to fix RC bug.
1798@@ -790,6 +2359,75 @@ openldap (2.4.25-1.1) unstable; urgency=low
1799
1800 -- Thijs Kinkhorst <thijs@debian.org> Tue, 31 May 2011 11:57:29 +0200
1801
1802+openldap (2.4.25-1ubuntu1) oneiric; urgency=low
1803+
1804+ * Merge from debian unstable. Remaining changes:
1805+ - Install a default DIT (LP: #442498).
1806+ - Document cn=config in README file (LP: #370784).
1807+ - remaining changes:
1808+ + AppArmor support:
1809+ - debian/apparmor-profile: add AppArmor profile
1810+ - use dh_apparmor:
1811+ - debian/rules: use dh_apparmor
1812+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1813+ - updated debian/slapd.README.Debian for note on AppArmor
1814+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1815+ + Enable GSSAPI support (LP: #495418):
1816+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1817+ - Add --with-gssapi support
1818+ - Make guess_service_principal() more robust when determining
1819+ principal
1820+ - debian/patches/series: apply gssapi.diff patch.
1821+ - debian/configure.options: Configure with --with-gssapi
1822+ - debian/control: Added libkrb5-dev as a build depend
1823+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1824+ in the openldap library, as required by Likewise-Open (LP: #390579)
1825+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1826+ - debian/control:
1827+ - remove build-dependency on heimdal-dev.
1828+ - remove slapd-smbk5pwd binary package.
1829+ - debian/rules: don't build smbk5pwd slapd module.
1830+ + debian/{control,rules}: enable PIE hardening
1831+ + ufw support (LP: #423246):
1832+ - debian/control: suggest ufw.
1833+ - debian/rules: install ufw profile.
1834+ - debian/slapd.ufw.profile: add ufw profile.
1835+ + Enable nssoverlay:
1836+ - debian/patches/nssov-build, debian/series, debian/rules:
1837+ Apply, build and package the nss overlay.
1838+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1839+ which defines rfc822MailMember (required by the nss overlay).
1840+ + debian/rules, debian/schema/extra/:
1841+ Fix configure rule to supports extra schemas shipped as part
1842+ of the debian/schema/ directory.
1843+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1844+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1845+ neither the default DIT nor via an Authn mapping.
1846+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1847+ database upgrade. Upgrade from maverick shouldn't trigger database
1848+ upgrade (which would happen with the version used in Debian).
1849+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1850+ Remove unused variable new_conf.
1851+ + debian/slapd.script-common: Fix package reconfiguration.
1852+ - Fix backup directory naming for multiple reconfiguration.
1853+ + debian/slapd.default, debian/slapd.README.Debian:
1854+ use the new configuration style.
1855+ + Install nss overlay (LP: #675391):
1856+ - debian/rules: run install target for nssov module.
1857+ - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
1858+ + debian/patches/gssapi.diff:
1859+ - Update patch so that likewise-open is usuable again. (LP: #661547)
1860+ + debian/patches/service-operational-before-detach: New patch replacing old one
1861+ of the same name as previous could cause database corruption based on upstream commits.
1862+ (LP: #727973)
1863+ + Dropped:
1864+ - debian/patches/gold: Use the debian version instead
1865+ - debian/patches/CVE-2011-1024: Fixed upstream
1866+ - debian/patches/CVE-2011-1025: Fixed upstream
1867+ - debian/patches/CVE-2011-1081: Fixed upstream
1868+
1869+ -- Chuck Short <zulcss@ubuntu.com> Sun, 08 May 2011 16:34:09 +0100
1870+
1871 openldap (2.4.25-1) unstable; urgency=low
1872
1873 * New upstream version (Closes: #617606, #618904, #606815, #608813)
1874@@ -821,6 +2459,116 @@ openldap (2.4.23-7) unstable; urgency=low
1875
1876 -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 06 Nov 2010 12:13:01 +0100
1877
1878+openldap (2.4.23-6ubuntu7) oneiric; urgency=low
1879+
1880+ * Rebuild for Perl 5.12.
1881+
1882+ -- Colin Watson <cjwatson@ubuntu.com> Sun, 08 May 2011 13:40:28 +0100
1883+
1884+openldap (2.4.23-6ubuntu6) natty; urgency=low
1885+
1886+ * SECURITY UPDATE: fix successful anonymous bind via chain overlay when
1887+ using forwarded authentication failures
1888+ - debian/patches/CVE-2011-1024
1889+ - CVE-2011-1024
1890+ * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb
1891+ backend. Note: Ubuntu is not compiled with --enable-ndb by default
1892+ - debian/patches/CVE-2011-1025
1893+ - CVE-2011-1025
1894+ * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
1895+ and requestDN is empty
1896+ - debian/patches/CVE-2011-1081
1897+ - CVE-2011-1081
1898+ - LP: #742104
1899+
1900+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 07 Apr 2011 11:36:53 -0500
1901+
1902+openldap (2.4.23-6ubuntu5) natty; urgency=low
1903+
1904+ * debian/patches/service-operational-before-detach: New patch replacing
1905+ old one of same name as previous could cause database corruption,
1906+ based on upstream commits. (LP: #727973)
1907+
1908+ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Wed, 02 Mar 2011 20:33:08 +0000
1909+
1910+openldap (2.4.23-6ubuntu4) natty; urgency=low
1911+
1912+ * Fix FTBFS with ld.gold.
1913+
1914+ -- Matthias Klose <doko@ubuntu.com> Wed, 19 Jan 2011 07:39:49 +0100
1915+
1916+openldap (2.4.23-6ubuntu3) natty; urgency=low
1917+
1918+ * debian/patches/gssapi.diff:
1919+ Update patch so that likewise-open is usable again (LP: #661547)
1920+
1921+ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Fri, 26 Nov 2010 15:50:11 +0100
1922+
1923+openldap (2.4.23-6ubuntu2) natty; urgency=low
1924+
1925+ * Install nss overlay (LP: #675391):
1926+ - debian/rules: run install target for nssov module.
1927+ - debian/patches/nssov-build: fix patch to install schema in
1928+ /etc/ldap/schema.
1929+
1930+ -- Mathias Gug <mathiaz@ubuntu.com> Wed, 17 Nov 2010 18:16:42 -0500
1931+
1932+openldap (2.4.23-6ubuntu1) natty; urgency=low
1933+
1934+ * Merge from Debian unstable:
1935+ - Install a default DIT (LP: #442498).
1936+ - Document cn=config in README file (LP: #370784).
1937+ - remaining changes:
1938+ + AppArmor support:
1939+ - debian/apparmor-profile: add AppArmor profile
1940+ - use dh_apparmor:
1941+ - debian/rules: use dh_apparmor
1942+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
1943+ - updated debian/slapd.README.Debian for note on AppArmor
1944+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
1945+ + Enable GSSAPI support (LP: #495418):
1946+ - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
1947+ - Add --with-gssapi support
1948+ - Make guess_service_principal() more robust when determining
1949+ principal
1950+ - debian/patches/series: apply gssapi.diff patch.
1951+ - debian/configure.options: Configure with --with-gssapi
1952+ - debian/control: Added libkrb5-dev as a build depend
1953+ + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
1954+ in the openldap library, as required by Likewise-Open (LP: #390579)
1955+ + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
1956+ - debian/control:
1957+ - remove build-dependency on heimdal-dev.
1958+ - remove slapd-smbk5pwd binary package.
1959+ - debian/rules: don't build smbk5pwd slapd module.
1960+ + debian/{control,rules}: enable PIE hardening
1961+ + ufw support (LP: #423246):
1962+ - debian/control: suggest ufw.
1963+ - debian/rules: install ufw profile.
1964+ - debian/slapd.ufw.profile: add ufw profile.
1965+ + Enable nssoverlay:
1966+ - debian/patches/nssov-build, debian/series, debian/rules:
1967+ Apply, build and package the nss overlay.
1968+ - debian/schema/extra/misc.ldif: add ldif file for the misc schema
1969+ which defines rfc822MailMember (required by the nss overlay).
1970+ + debian/rules, debian/schema/extra/:
1971+ Fix configure rule to supports extra schemas shipped as part
1972+ of the debian/schema/ directory.
1973+ + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
1974+ + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
1975+ neither the default DIT nor via an Authn mapping.
1976+ + debian/slapd.scripts-common: adjust minimum version that triggers a
1977+ database upgrade. Upgrade from maverick shouldn't trigger database
1978+ upgrade (which would happen with the version used in Debian).
1979+ + debian/slapd.scripts-common: add slapcat_opts to local variables.
1980+ Remove unused variable new_conf.
1981+ + debian/slapd.script-common: Fix package reconfiguration.
1982+ - Fix backup directory naming for multiple reconfiguration.
1983+ + debian/slapd.default, debian/slapd.README.Debian:
1984+ use the new configuration style.
1985+
1986+ -- Mathias Gug <mathiaz@ubuntu.com> Fri, 12 Nov 2010 15:19:07 -0500
1987+
1988 openldap (2.4.23-6) unstable; urgency=high
1989
1990 * Check for an empty directory to prevent an rm -f /*. (Closes: #597704)
1991@@ -943,6 +2691,80 @@ openldap (2.4.23-1) unstable; urgency=low
1992
1993 -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 12 Jul 2010 13:25:00 +0200
1994
1995+openldap (2.4.23-0ubuntu4) natty; urgency=low
1996+
1997+ * debian/slapd.templates: amended typo in slapd/move_old_database
1998+ (LP: #666028)
1999+
2000+ -- James Page <james.page@canonical.com> Mon, 08 Nov 2010 10:00:58 +0000
2001+
2002+openldap (2.4.23-0ubuntu3.2) maverick-proposed; urgency=low
2003+
2004+ * debian/slapd.templates: re-add slapd/move_old_database template as it's
2005+ used during the package upgrade. Thanks to James Page for pointing it.
2006+ * debian/slapd.config: restore debconf question slapd/move_old_database.
2007+
2008+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 14 Oct 2010 16:56:38 -0400
2009+
2010+openldap (2.4.23-0ubuntu3.1) maverick-proposed; urgency=low
2011+
2012+ [ James Page ]
2013+ * Fixed install/upgrade process to dump/restore databases due
2014+ to uplift to libdb4.8-dev (LP: #658227)
2015+
2016+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 14 Oct 2010 14:50:49 -0400
2017+
2018+openldap (2.4.23-0ubuntu3) maverick; urgency=low
2019+
2020+ * debian/rules: move dh_apparmor before dh_installinit
2021+
2022+ -- Jamie Strandboge <jamie@ubuntu.com> Fri, 06 Aug 2010 17:34:21 -0500
2023+
2024+openldap (2.4.23-0ubuntu2) maverick; urgency=low
2025+
2026+ * convert to using dh_apparmor:
2027+ - debian/rules, debian/slapd.post{inst,rm}: use dh_apparmor
2028+ - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
2029+ * debian/apparmor-profile: use local include
2030+
2031+ -- Jamie Strandboge <jamie@ubuntu.com> Fri, 06 Aug 2010 15:08:55 -0500
2032+
2033+openldap (2.4.23-0ubuntu1) maverick; urgency=low
2034+
2035+ * New release, features include:
2036+ + Fixed libldap to return server's error code (ITS#6569)
2037+ + Fixed libldap memleaks (ITS#6568)
2038+ + Fixed liblutil off-by-one with delta (ITS#6541)
2039+ + Fixed slapd acls with glued databases (ITS#6468)
2040+ + Fixed slapd syncrepl rid logging (ITS#6533)
2041+ + Fixed slapd modrdn handling of invalid values (ITS#6570)
2042+ + Fixed slapd-bdb hasSubordinates computation (ITS#6549)
2043+ + Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474)
2044+ + Fixed slapd-bdb entry cache delete failure (ITS#6577)
2045+ + Fixed slapd-ldap to return control responses (ITS#6530)
2046+ + Fixed slapo-ppolicy to use Debug (ITS#6566)
2047+ + Fixed slapo-refint to zero out freed DN vals (ITS#6572)
2048+ + Fixed slapo-rwm to use Debug (ITS#6566)
2049+ + Fixed slapo-sssvlv to use Debug (ITS#6566)
2050+ + Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555)
2051+ + Fixed slapo-valsort to use Debug (ITS#6566)
2052+ + Fixed contrib/nssov network.c missing patch (ITS#6562)
2053+ + Fixed test043 attribute sorting (ITS#6553)
2054+ + slapd-config(5) note default rootdn (ITS#6546)
2055+ * Rebased patches debian/patches/dropped nssov-build
2056+ * Resynchronize with Debian:
2057+ + debian/control:
2058+ - Bump standards-version to 3.9.0
2059+ - Use libdb4.8-dev (LP: #572489)
2060+ + Added debian/patches/issue-6534-patch
2061+ + Added debian/patches/ldap-conf-tls-cacertdir
2062+ * Add ufw support, thanks to PatRiehecky (LP: #423246)
2063+
2064+ [Adam Sommer]
2065+ * debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
2066+
2067+ -- Chuck Short <zulcss@ubuntu.com> Wed, 28 Jul 2010 11:35:16 -0400
2068+
2069 openldap (2.4.21-1) unstable; urgency=low
2070
2071 [ Steve Langasek ]
2072@@ -974,6 +2796,79 @@ openldap (2.4.21-1) unstable; urgency=low
2073
2074 -- Matthijs Mohlmann <matthijs@cacholong.nl> Thu, 22 Apr 2010 23:40:30 +0200
2075
2076+openldap (2.4.21-0ubuntu5) lucid; urgency=low
2077+
2078+ * Fix local root connection access: replace olcAuthzRegexp mapping to
2079+ cn=localroot,cn=config with using the SASL dn directly in olcAccess.
2080+ Makes upgrades much simpler and robust (LP: #563829).
2081+
2082+ -- Mathias Gug <mathiaz@ubuntu.com> Fri, 23 Apr 2010 00:23:31 -0400
2083+
2084+openldap (2.4.21-0ubuntu4) lucid; urgency=low
2085+
2086+ [ Simon Olofsson ]
2087+ * debian/slapd.postinst:
2088+ - Show a message after successful migration (LP: #538848)
2089+
2090+ [ Jorgen Rosink ]
2091+ * debian/slapd.init: add simple status checking with LSB compatible exit
2092+ codes (LP: #562377)
2093+ * debian/slapd.init.ldif:
2094+ - remove admin user in default config database (LP: #556176)
2095+ - in default config, add olcAccess entries giving access to controls
2096+ available and cn=subschema (LP: #427842)
2097+
2098+ [ Scott Moser ]
2099+ * debian/slapd.scripts-common: Do not create /nonexistent directory
2100+ for openldap user's home (LP: #556176)
2101+ * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
2102+
2103+ -- Scott Moser <smoser@ubuntu.com> Mon, 12 Apr 2010 16:16:47 -0400
2104+
2105+openldap (2.4.21-0ubuntu3) lucid; urgency=low
2106+
2107+ * debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases
2108+ before trying to convert to slapd.d, to avoid upgrade failure from hardy
2109+ (LP: #536958)
2110+ * debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in
2111+ olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230)
2112+
2113+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 29 Mar 2010 13:31:47 +0200
2114+
2115+openldap (2.4.21-0ubuntu2) lucid; urgency=low
2116+
2117+ * debian/apparmor-profile: Update apparmor profile. (LP: #508190)
2118+
2119+ -- Chuck Short <zulcss@ubuntu.com> Tue, 09 Mar 2010 13:33:35 -0500
2120+
2121+openldap (2.4.21-0ubuntu1) lucid; urgency=low
2122+
2123+ * New upstream release.
2124+ * debian/rules, debian/schema/extra/:
2125+ Fix get-orig-source rule to supports extra schemas shipped as part of the
2126+ debian/schema/ directory.
2127+
2128+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 18 Feb 2010 00:58:13 -0500
2129+
2130+openldap (2.4.18-0ubuntu2) lucid; urgency=low
2131+
2132+ * debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
2133+ - Add --with-gssapi support
2134+ - Make guess_service_principal() more robust when determining principal
2135+ * Enable GSSAPI support (LP: #495418):
2136+ - debian/configure.options: Configure with --with-gssapi
2137+ - debian/control: Added libkrb5-dev as a build depend
2138+
2139+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Fri, 11 Dec 2009 11:31:11 +0100
2140+
2141+openldap (2.4.18-0ubuntu1) karmic; urgency=low
2142+
2143+ * New upstream release: (LP: #419515):
2144+ + pcache overlay supports disconnected mode.
2145+ * Fix nss overlay load (LP: #417163).
2146+
2147+ -- Mathias Gug <mathiaz@ubuntu.com> Mon, 07 Sep 2009 13:41:10 -0400
2148+
2149 openldap (2.4.17-2.1) unstable; urgency=high
2150
2151 * Non-maintainer upload by the Security Team.
2152@@ -1000,6 +2895,108 @@ openldap (2.4.17-2) unstable; urgency=low
2153
2154 -- Steve Langasek <vorlon@debian.org> Tue, 22 Sep 2009 20:06:34 -0700
2155
2156+openldap (2.4.17-1ubuntu3) karmic; urgency=low
2157+
2158+ * Install a minimal slapd configuration instead of creating a default
2159+ database with a default DIT:
2160+ + Move openldap user home from /var/lib/ldap to /nonexistent.
2161+ + Remove all code and templates dealing with the default database and DIT
2162+ creation.
2163+ + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
2164+ grant all access to the latter in the cn=config database as well as the
2165+ default backend configuration.
2166+ * Add cn=localroot,cn=config authz mapping on upgrades.
2167+
2168+ -- Mathias Gug <mathiaz@ubuntu.com> Tue, 11 Aug 2009 14:48:56 -0400
2169+
2170+openldap (2.4.17-1ubuntu2) karmic; urgency=low
2171+
2172+ [ Thierry Carrez ]
2173+ * debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
2174+ in the openldap library, as required by Likewise-Open (LP: #390579)
2175+
2176+ [ Mathias Gug ]
2177+ * debian/patches/its6077-uniqueness-overlay: fixes some issues with the
2178+ uniqueness overlay.
2179+ * debian/patches/its6220-writetimeout-directive: fixes a problem with the
2180+ writetimeout directive being in effect even if it wasn't set,
2181+ closing connections incorrectly.
2182+ * debian/patches/its6222-dncachesize-parameter: fixes the behavior of the
2183+ dncachesize parameter that was added in RE24, so that if it is set to
2184+ "0" (now the default), it has an unlimited DN cache (RE23 always
2185+ had an unlimited DN cache).
2186+
2187+ -- Mathias Gug <mathiaz@ubuntu.com> Fri, 31 Jul 2009 13:43:46 -0400
2188+
2189+openldap (2.4.17-1ubuntu1) karmic; urgency=low
2190+
2191+ [ Steve Langasek ]
2192+ * Fix up the lintian warnings:
2193+ - add missing misc-depends on all packages
2194+ - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
2195+ overrides
2196+ - bump Standards-Version to 3.8.2, no changes required.
2197+
2198+ [ Mathias Gug ]
2199+ * Resynchronise with Debian. Remaining changes:
2200+ - AppArmor support:
2201+ - debian/apparmor-profile: add AppArmor profile
2202+ - updated debian/slapd.README.Debian for note on AppArmor
2203+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2204+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2205+ - debian/rules: install apparmor profile.
2206+ - Don't use local statement in config script as it fails if /bin/sh
2207+ points to bash.
2208+ - debian/slapd.postinst, debian/slapd.script-common: set correct
2209+ ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
2210+ readable) and /var/run/slapd (world readable).
2211+ - Enable nssoverlay:
2212+ - debian/patches/nssov-build, debian/rules: Build and package the nss
2213+ overlay.
2214+ - debian/schema/misc.ldif: add ldif file for the misc schema which
2215+ defines rfc822MailMember (required by the nss overlay).
2216+ - debian/{control,rules}: enable PIE hardening
2217+ - Use cn=config as the default configuration backend instead of
2218+ slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
2219+ asking the end user to enter a new password to control the access to
2220+ the cn=config tree.
2221+ - debian/slapd.postinst: create /var/run/slapd before updating its
2222+ permissions.
2223+ - debian/slapd.init: Correctly set slapd config backend option even if
2224+ the pidfile is configured in slapd default file.
2225+ * Dropped:
2226+ - Merged in Debian:
2227+ - Update priority of libldap-2.4-2 to match the archive override.
2228+ - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
2229+ the ldapurl(1) manpage.
2230+ - Bump build-dependency on debhelper to 6 instead of 5, since that's
2231+ what we're using.
2232+ - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
2233+ the built-in default of ldap:/// only.
2234+ - Fixed in upstream release:
2235+ - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
2236+ failure when built with PIE.
2237+ - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
2238+ trusted.
2239+ - Update Apparmor profile support: don't support upgrade from pre-hardy
2240+ systems:
2241+ - debian/slapd.postinst: Reload AA profile on configuration
2242+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2243+ - debian/control: Conflicts with apparmor-profiles <<
2244+ 2.1+1075-0ubuntu4 to make sure that if earlier version of
2245+ apparmor-profiles gets installed it won't overwrite our profile.
2246+ - follow ApparmorProfileMigration and force apparmor complain mode on
2247+ some upgrades
2248+ - debian/slapd.preinst: create symlink for force-complain on
2249+ pre-feisty upgrades, upgrades where apparmor-profiles profile is
2250+ unchanged (ie non-enforcing) and upgrades where apparmor profile
2251+ does not exist.
2252+ - debian/patches/autogen.sh: no longer needed with karmic libtool.
2253+ - Call libtoolize with the --install option to install
2254+ config.{guess,sub} files.
2255+
2256+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 30 Jul 2009 16:42:58 -0400
2257+
2258 openldap (2.4.17-1) unstable; urgency=low
2259
2260 * New upstream version.
2261@@ -1022,6 +3019,153 @@ openldap (2.4.17-1) unstable; urgency=low
2262
2263 -- Steve Langasek <vorlon@debian.org> Tue, 28 Jul 2009 10:17:15 -0700
2264
2265+openldap (2.4.15-1.1ubuntu1) karmic; urgency=low
2266+
2267+ * Resynchronise with Debian. Remaining changes:
2268+ - AppArmor support:
2269+ - debian/apparmor-profile: add AppArmor profile
2270+ - debian/slapd.postinst: Reload AA profile on configuration
2271+ - updated debian/slapd.README.Debian for note on AppArmor
2272+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2273+ - debian/control: Conflicts with apparmor-profiles <<
2274+ 2.1+1075-0ubuntu4 to make sure that if earlier version of
2275+ apparmor-profiles gets installed it won't overwrite our profile.
2276+ - follow ApparmorProfileMigration and force apparmor complain mode on
2277+ some upgrades
2278+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2279+ - debian/slapd.preinst: create symlink for force-complain on
2280+ pre-feisty upgrades, upgrades where apparmor-profiles profile is
2281+ unchanged (ie non-enforcing) and upgrades where apparmor profile
2282+ does not exist.
2283+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2284+ - debian/patches/autogen.sh:
2285+ - Call libtoolize with the --install option to install
2286+ config.{guess,sub} files.
2287+ - Don't use local statement in config script as it fails if /bin/sh
2288+ points to bash.
2289+ - debian/slapd.postinst, debian/slapd.script-common: set correct
2290+ ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
2291+ readable) and /var/run/slapd (world readable).
2292+ - Enable nssoverlay:
2293+ - debian/patches/nssov-build, debian/rules: Build and package the nss
2294+ overlay.
2295+ - debian/schema/misc.ldif: add ldif file for the misc schema which
2296+ defines rfc822MailMember (required by the nss overlay).
2297+ - debian/{control,rules}: enable PIE hardening
2298+ - Use cn=config as the default configuration backend instead of
2299+ slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
2300+ asking the end user to enter a new password to control the access to
2301+ the cn=config tree.
2302+ - Update priority of libldap-2.4-2 to match the archive override.
2303+ - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
2304+ the ldapurl(1) manpage.
2305+ - Bump build-dependency on debhelper to 6 instead of 5, since that's
2306+ what we're using.
2307+ - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
2308+ the built-in default of ldap:/// only.
2309+ - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
2310+ failure when built with PIE.
2311+ - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
2312+ trusted.
2313+ - debian/slapd.postinst: create /var/run/slapd before updating its
2314+ permissions.
2315+ - debian/slapd.init: Correctly set slapd config backend option even if
2316+ the pidfile is configured in slapd default file.
2317+ * Drop patch to avoid the test suite on hppa, as hppa is EOL.
2318+
2319+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 24 Jun 2009 10:45:20 +0100
2320+
2321+openldap (2.4.15-1.1) unstable; urgency=low
2322+
2323+ * Non-maintainer upload.
2324+ * Change libltdl3-dev Build-Depends to libltdl-dev | libltdl3-dev
2325+ (Closes: #522965)
2326+
2327+ -- Kurt Roeckx <kurt@roeckx.be> Sun, 19 Apr 2009 18:24:32 +0200
2328+
2329+openldap (2.4.15-1ubuntu3) jaunty; urgency=low
2330+
2331+ * No-change rebuild to fix lpia shared library dependencies.
2332+
2333+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 19 Mar 2009 09:52:40 +0000
2334+
2335+openldap (2.4.15-1ubuntu2) jaunty; urgency=low
2336+
2337+ * debian/slapd.postinst: create /var/run/slapd before updating its
2338+ permissions (LP: #298928).
2339+ * debian/slapd.init: Correclty set slapd config backend option even if the
2340+ pidfile is configured in slapd default file (LP: #292364).
2341+ * debian/apparmor-profile: support multiple databases to be stored under
2342+ /var/lib/ldap/. (LP: #286614).
2343+
2344+ -- Mathias Gug <mathiaz@ubuntu.com> Fri, 13 Mar 2009 13:56:12 -0400
2345+
2346+openldap (2.4.15-1ubuntu1) jaunty; urgency=low
2347+
2348+ [ Steve Langasek ]
2349+ * Update priority of libldap-2.4-2 to match the archive override.
2350+ * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
2351+ ldapurl(1) manpage. Thanks to Peter Marschall for the patch.
2352+ Closes: #496749.
2353+ * Bump build-dependency on debhelper to 6 instead of 5, since that's
2354+ what we're using. Closes: #498116.
2355+ * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
2356+ the built-in default of ldap:/// only.
2357+
2358+ [ Mathias Gug ]
2359+ * Merge from debian unstable, remaining changes:
2360+ - Modify Maintainer value to match the DebianMaintainerField
2361+ speficication.
2362+ - AppArmor support:
2363+ - debian/apparmor-profile: add AppArmor profile
2364+ - debian/slapd.postinst: Reload AA profile on configuration
2365+ - updated debian/slapd.README.Debian for note on AppArmor
2366+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2367+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2368+ to make sure that if earlier version of apparmour-profiles gets
2369+ installed it won't overwrite our profile.
2370+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2371+ some upgrades (LP: #203529)
2372+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2373+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2374+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2375+ non-enforcing) and upgrades where apparmor profile does not exist.
2376+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2377+ - debian/control:
2378+ - Build-depend on libltdl7-dev rather then libltdl3-dev.
2379+ - debian/patches/autogen.sh:
2380+ - Call libtoolize with the --install option to install config.{guess,sub}
2381+ files.
2382+ - Don't use local statement in config script as it fails if /bin/sh
2383+ points to bash (LP: #286063).
2384+ - Disable the testsuite on hppa. Allows building of packages on this
2385+ architecture again, once this package is in the archive.
2386+ LP: #288908.
2387+ - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
2388+ and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
2389+ /var/run/slapd (world readable). (LP: #257667).
2390+ - Enable nssoverlay:
2391+ - debian/patches/nssov-build, debian/rules: Build and package
2392+ the nss overlay.
2393+ - debian/schema/misc.ldif: add ldif file for the misc schema
2394+ which defines rfc822MailMember (required by the nss overlay).
2395+ - debian/{control,rules}: enable PIE hardening
2396+ - Use cn=config as the default configuration backend instead of
2397+ slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
2398+ asking the end user to enter a new password to control the access to the
2399+ cn=config tree.
2400+ * Dropped:
2401+ - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
2402+ times. (ITS: #5947) Fixed in new upstream version 2.4.15.
2403+ - debian/patches/fix-ucred-libc due to changes how newer glibc handle
2404+ the ucred struct now. Implemented in Debian.
2405+ * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure
2406+ when built with PIE.
2407+ * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
2408+ trusted (LP: #305264).
2409+
2410+ -- Mathias Gug <mathiaz@ubuntu.com> Fri, 06 Mar 2009 17:34:21 -0500
2411+
2412 openldap (2.4.15-1) unstable; urgency=low
2413
2414 * New upstream version
2415@@ -1039,6 +3183,69 @@ openldap (2.4.15-1) unstable; urgency=low
2416
2417 -- Steve Langasek <vorlon@debian.org> Tue, 24 Feb 2009 14:27:35 -0800
2418
2419+openldap (2.4.14-0ubuntu1) jaunty; urgency=low
2420+
2421+ [ Steve Langasek ]
2422+ * New upstream version
2423+ - Fixes a bug with the pcache overlay not returning cached entries
2424+ (closes: #497697)
2425+ - Update evolution-ntlm patch to apply to current Makefiles.
2426+ - (tentatively) drop gnutls-ciphers, since this bug was reported to be
2427+ fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the
2428+ patch from the bug report, so this should be watched for regressions.
2429+ * Build against db4.7 instead of db4.2 at last! Closes: #421946.
2430+ * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
2431+ installed in the build environment.
2432+ * New patch, no-crlcheck-for-gnutls, to fix a build failure when using
2433+ --with-tls=gnutls.
2434+
2435+ [ Mathias Gug ]
2436+ * Merge from debian unstable, remaining changes:
2437+ - debian/apparmor-profile: add AppArmor profile
2438+ - debian/slapd.postinst: Reload AA profile on configuration
2439+ - updated debian/slapd.README.Debian for note on AppArmor
2440+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2441+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2442+ to make sure that if earlier version of apparmour-profiles gets
2443+ installed it won't overwrite our profile.
2444+ - Modify Maintainer value to match the DebianMaintainerField
2445+ speficication.
2446+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2447+ some upgrades (LP: #203529)
2448+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2449+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2450+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2451+ non-enforcing) and upgrades where apparmor profile does not exist.
2452+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2453+ - debian/patches/fix-ucred-libc due to changes how newer glibc handle
2454+ the ucred struct now.
2455+ - debian/control:
2456+ - Build-depend on libltdl7-dev rather then libltdl3-dev.
2457+ - debian/patches/autogen.sh:
2458+ - Call libtoolize with the --install option to install config.{guess,sub}
2459+ files.
2460+ - Don't use local statement in config script as it fails if /bin/sh
2461+ points to bash (LP: #286063).
2462+ - Disable the testsuite on hppa. Allows building of packages on this
2463+ architecture again, once this package is in the archive.
2464+ LP: #288908.
2465+ - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
2466+ and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
2467+ /var/run/slapd (world readable). (LP: #257667).
2468+ - debian/patches/nssov-build, debian/rules:
2469+ Build and package the nss overlay.
2470+ debian/schema/misc.ldif: add ldif file for the misc schema, which defines
2471+ rfc822MailMember (required by the nss overlay).
2472+ - debian/{control,rules}: enable PIE hardening
2473+ - Use cn=config as the default configuration backend instead of
2474+ slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
2475+ asking the end user to enter a new password to control the access to the
2476+ cn=config tree.
2477+ * debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
2478+ times. (ITS: #5947)
2479+
2480+ -- Mathias Gug <mathiaz@ubuntu.com> Wed, 18 Feb 2009 18:44:00 -0500
2481+
2482 openldap (2.4.11-1) unstable; urgency=low
2483
2484 * New upstream version (closes: #499560).
2485@@ -1061,6 +3268,110 @@ openldap (2.4.11-1) unstable; urgency=low
2486
2487 -- Steve Langasek <vorlon@debian.org> Sat, 11 Oct 2008 01:53:55 -0700
2488
2489+openldap (2.4.11-0ubuntu7) jaunty; urgency=low
2490+
2491+ * Don't use local statement in config script as it fails if /bin/sh
2492+ points to bash (LP: #286063).
2493+
2494+ -- Mathias Gug <mathiaz@ubuntu.com> Tue, 04 Nov 2008 20:03:46 -0500
2495+
2496+openldap (2.4.11-0ubuntu6) intrepid; urgency=low
2497+
2498+ * Disable the testsuite on hppa. Allows building of packages on this
2499+ architecture again, once this package is in the archive.
2500+ LP: #288908.
2501+
2502+ -- Matthias Klose <doko@ubuntu.com> Fri, 24 Oct 2008 23:22:33 +0200
2503+
2504+openldap (2.4.11-0ubuntu5) intrepid; urgency=low
2505+
2506+ * Don't set admin passwords in ldif files if adminpw is empty.
2507+ (LP: #273988 - LP: #276606).
2508+
2509+ -- Mathias Gug <mathiaz@ubuntu.com> Mon, 13 Oct 2008 19:31:15 -0400
2510+
2511+openldap (2.4.11-0ubuntu4) intrepid; urgency=low
2512+
2513+ * debian/slapd.postinst, debian/slapd.script-common: set correct ownership
2514+ and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
2515+ /var/run/slapd (world readable). (LP: #257667).
2516+ * debian/slapd.script-common:
2517+ - Fix package reconfiguration:
2518+ + Remove slapd.d/ directory if it already exists when creating a new
2519+ configuration.
2520+ + Fix backup directory naming for multiple reconfiguration.
2521+
2522+ -- Mathias Gug <mathiaz@ubuntu.com> Wed, 24 Sep 2008 21:01:42 -0400
2523+
2524+openldap (2.4.11-0ubuntu3) intrepid; urgency=low
2525+
2526+ * debian/patches/nssov-build, debian/rules:
2527+ Build and package the nss overlay.
2528+ * debian/schema/misc.ldif: add ldif file for the misc schema, which defines
2529+ rfc822MailMember (required by the nss overlay).
2530+
2531+ -- Mathias Gug <mathiaz@ubuntu.com> Tue, 26 Aug 2008 18:42:54 -0400
2532+
2533+openldap (2.4.11-0ubuntu2) intrepid; urgency=low
2534+
2535+ * debian/{control,rules}: enable PIE hardening
2536+
2537+ -- Kees Cook <kees@ubuntu.com> Wed, 20 Aug 2008 15:47:01 -0700
2538+
2539+openldap (2.4.11-0ubuntu1) intrepid; urgency=low
2540+
2541+ * New upstream version:
2542+ - Mainly bug fixes.
2543+ - New nss slapd overlay (not compiled by default).
2544+ * Use cn=config as the default configuration backend instead of
2545+ slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
2546+ asking the end user to enter a new password to control the access to the
2547+ cn=config tree.
2548+
2549+ -- Mathias Gug <mathiaz@ubuntu.com> Mon, 11 Aug 2008 20:26:05 -0400
2550+
2551+openldap (2.4.10-3ubuntu1) intrepid; urgency=low
2552+
2553+ [ Mathias Gug ]
2554+ * Merge from debian unstable, remaining changes:
2555+ - debian/apparmor-profile: add AppArmor profile
2556+ - debian/slapd.postinst: Reload AA profile on configuration
2557+ - updated debian/slapd.README.Debian for note on AppArmor
2558+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2559+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2560+ to make sure that if earlier version of apparmour-profiles gets
2561+ installed it won't overwrite our profile.
2562+ - Modify Maintainer value to match the DebianMaintainerField
2563+ speficication.
2564+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2565+ some upgrades (LP: #203529)
2566+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2567+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2568+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2569+ non-enforcing) and upgrades where apparmor profile does not exist.
2570+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2571+ - debian/patches/fix-ucred-libc due to changes how newer glibc handle
2572+ the ucred struct now.
2573+ - debian/patches/fix-unique-overlay-assertion.patch:
2574+ Fix another assertion error in unique overlay (LP: #243337).
2575+ Backport from head.
2576+ * Dropped - implemented in Debian:
2577+ - debian/patches/fix-gnutls-key-strength.patch:
2578+ Fix slapd handling of ssf using gnutls. (LP: #244925).
2579+ - debian/control:
2580+ Add time as build dependency: needed by make test.
2581+ * debian/control:
2582+ - Build-depend on libltdl7-dev rather then libltdl3-dev.
2583+ * debian/patches/autogen.sh:
2584+ - Call libtoolize with the --install option to install config.{guess,sub}
2585+ files.
2586+
2587+ [ Jamie Strandboge ]
2588+ * adjust apparmor profile to allow gssapi (LP: #229252)
2589+ * adjust apparmor profile to allow cnconfig (LP: #243525)
2590+
2591+ -- Mathias Gug <mathiaz@ubuntu.com> Wed, 30 Jul 2008 19:46:02 -0400
2592+
2593 openldap (2.4.10-3) unstable; urgency=low
2594
2595 [ Steve Langasek ]
2596@@ -1094,6 +3405,40 @@ openldap (2.4.10-3) unstable; urgency=low
2597
2598 -- Steve Langasek <vorlon@debian.org> Mon, 28 Jul 2008 15:26:06 -0700
2599
2600+openldap (2.4.10-2ubuntu1) intrepid; urgency=low
2601+
2602+ * Merge from debian unstable, remaining changes:
2603+ - debian/apparmor-profile: add AppArmor profile
2604+ - debian/slapd.postinst: Reload AA profile on configuration
2605+ - updated debian/slapd.README.Debian for note on AppArmor
2606+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2607+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2608+ to make sure that if earlier version of apparmour-profiles gets
2609+ installed it won't overwrite our profile.
2610+ - Modify Maintainer value to match the DebianMaintainerField
2611+ speficication.
2612+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2613+ some upgrades (LP: #203529)
2614+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2615+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2616+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2617+ non-enforcing) and upgrades where apparmor profile does not exist.
2618+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2619+ - debian/patches/fix-ucred-libc due to changes how newer glibc handle
2620+ the ucred struct now.
2621+ - debian/patches/fix-unique-overlay-assertion.patch:
2622+ Fix another assertion error in unique overlay (LP: #243337).
2623+ Backport from head.
2624+ - debian/patches/fix-gnutls-key-strength.patch:
2625+ Fix slapd handling of ssf using gnutls. (LP: #244925).
2626+ - debian/control:
2627+ Add time as build dependency: needed by make test.
2628+ * Dropped - implemented in Debian:
2629+ - debian/rules:
2630+ Support debuild nocheck option: don't run tests if nocheck is set.
2631+
2632+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 10 Jul 2008 14:45:49 -0400
2633+
2634 openldap (2.4.10-2) unstable; urgency=low
2635
2636 * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at
2637@@ -1108,6 +3453,54 @@ openldap (2.4.10-2) unstable; urgency=low
2638
2639 -- Steve Langasek <vorlon@debian.org> Sun, 06 Jul 2008 22:03:32 -0700
2640
2641+openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low
2642+
2643+ * Merge from debian unstable, remaining changes:
2644+ - debian/apparmor-profile: add AppArmor profile
2645+ - debian/slapd.postinst: Reload AA profile on configuration
2646+ - updated debian/slapd.README.Debian for note on AppArmor
2647+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2648+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2649+ to make sure that if earlier version of apparmour-profiles gets
2650+ installed it won't overwrite our profile.
2651+ - Modify Maintainer value to match the DebianMaintainerField
2652+ speficication.
2653+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2654+ some upgrades (LP: #203529)
2655+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2656+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2657+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2658+ non-enforcing) and upgrades where apparmor profile does not exist.
2659+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2660+ - debian/patches/fix-ucred-libc due to changes how newer glibc handle
2661+ the ucred struct now.
2662+ - debian/patches/fix-unique-overlay-assertion.patch:
2663+ Fix another assertion error in unique overlay (LP: #243337).
2664+ Backport from head.
2665+ * debian/control:
2666+ - add time as build dependency: needed by make test.
2667+ * debian/rules:
2668+ - support debuild nocheck option: don't run tests if nocheck is set.
2669+ * debian/patches/fix-gnutls-key-strength.patch:
2670+ - fix slapd handling of ssf using gnutls. (LP: #244925).
2671+ * Dropped - accepted in Debian:
2672+ - debian/rules, debian/slapd.links: use hard links to slapd instead of
2673+ symlinks for slap* so these applications aren't confined by apparmor
2674+ (LP: #203898)
2675+ * Dropped - fixed in new upstream release:
2676+ - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
2677+ (LP: #215904)
2678+ - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
2679+ error. (LP: #234196)
2680+ - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
2681+ (LP: #220724)
2682+ - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
2683+ syncrepl. (LP: #227178)
2684+ - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
2685+ upstream.
2686+
2687+ -- Mathias Gug <mathiaz@ubuntu.com> Thu, 03 Jul 2008 14:15:08 -0400
2688+
2689 openldap2.3 (2.4.10-1) unstable; urgency=low
2690
2691 [ Steve Langasek ]
2692@@ -1132,6 +3525,64 @@ openldap2.3 (2.4.10-1) unstable; urgency=low
2693
2694 -- Steve Langasek <vorlon@debian.org> Mon, 30 Jun 2008 04:28:34 -0700
2695
2696+openldap2.3 (2.4.9-1ubuntu4) intrepid; urgency=low
2697+
2698+ * debian/patches/fix-unique-overlay-assertion.patch:
2699+ - Fix another assertion error in unique overlay, backported from head.
2700+ (LP: #243337) Note: This patch will still be needed when moved to 2.4.10
2701+
2702+ -- Chuck Short <zulcss@ubuntu.com> Mon, 30 Jun 2008 18:49:52 +0000
2703+
2704+openldap2.3 (2.4.9-1ubuntu3) intrepid; urgency=low
2705+
2706+ * Drop spurious dependency on hiemdal-dev. Caused by an aborted attempt to
2707+ include the smbk5pwd overlay.
2708+
2709+ -- Chuck Short <zulcss@ubuntu.com> Wed, 11 Jun 2008 21:25:40 +0000
2710+
2711+openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low
2712+
2713+ * Rebuild for perl 5.10 transition (LP: #230016)
2714+ * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
2715+ syncrepl. (LP: #227178)
2716+
2717+ -- Chuck Short <zulcss@ubuntu.com> Mon, 09 Jun 2008 14:56:40 +0000
2718+
2719+openldap2.3 (2.4.9-1ubuntu1) intrepid; urgency=low
2720+
2721+ * Merge from debian unstable, remaining changes:
2722+ - debian/apparmor-profile: add AppArmor profile
2723+ - debian/slapd.postinst: Reload AA profile on configuration
2724+ - updated debian/slapd.README.Debian for note on AppArmor
2725+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2726+ - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2727+ to make sure that if earlier version of apparmour-profiles gets
2728+ installed it won't overwrite our profile.
2729+ - Modify Maintainer value to match the DebianMaintainerField
2730+ speficication.
2731+ - follow ApparmorProfileMigration and force apparmor compalin mode on
2732+ some upgrades (LP: #203529)
2733+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2734+ - debian/slapd.preinst: create symlink for force-complain on pre-feisty
2735+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2736+ non-enforcing) and upgrades where apparmor profile does not exist.
2737+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2738+ - debian/rules, debian/slapd.links: use hard links to slapd instead of
2739+ symlinks for slap* so these applications aren't confined by apparmor
2740+ (LP: #203898)
2741+ - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
2742+ (LP: #215904)
2743+ - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
2744+ error. (LP: #234196)
2745+ - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
2746+ (LP: #220724)
2747+ - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
2748+ upstream.
2749+ * Added debian/patches/fix-ucred-libc due to changes how newer glibc handle
2750+ the ucred struct now.
2751+
2752+ -- Chuck Short <zulcss@ubuntu.com> Fri, 30 May 2008 17:09:53 +0100
2753+
2754 openldap2.3 (2.4.9-1) unstable; urgency=low
2755
2756 [ Updated debconf translations ]
2757@@ -1202,6 +3653,51 @@ openldap2.3 (2.4.7-6.1) unstable; urgency=high
2758
2759 -- Nico Golde <nion@debian.org> Tue, 04 Mar 2008 14:34:44 +0100
2760
2761+openldap2.3 (2.4.7-6ubuntu3) hardy; urgency=low
2762+
2763+ * remove apparmor-profile workaround for Launchpad #202161 (it's now fixed
2764+ in klibc)
2765+
2766+ -- Jamie Strandboge <jamie@ubuntu.com> Mon, 07 Apr 2008 16:09:38 -0400
2767+
2768+openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low
2769+
2770+ * apparmor-profile workaround for Launchpad #202161
2771+ * follow ApparmorProfileMigration and force apparmor complain mode on some
2772+ upgrades (LP: #203529)
2773+ - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
2774+ - debian/slapd.dirs: add etc/apparmor.d/force-complain
2775+ - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty
2776+ upgrades, upgrades where apparmor-profiles profile is unchanged (ie
2777+ non-enforcing) and upgrades where apparmor profile does not exist
2778+ - debian/slapd.postrm: remove symlink in force-complain/ on purge
2779+ * debian/rules, debian/slapd.links: use hard links to slapd instead of
2780+ symlinks for slap* so these applications aren't confined by apparmor
2781+ (LP: #203898)
2782+
2783+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 18 Mar 2008 13:53:23 -0400
2784+
2785+openldap2.3 (2.4.7-6ubuntu1) hardy; urgency=low
2786+
2787+ * Merge from Debian unstable, remaining changes:
2788+ + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
2789+ slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
2790+ allows remote authenticated users to cause a denial of service (daemon
2791+ crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION)
2792+ control, a related issue to CVE-2007-6698.
2793+ + debian/apparmor-profile: add AppArmor profile
2794+ + debian/slapd.postinst: Reload AA profile on configuration
2795+ + updated debian/slapd.README.Debian for note on AppArmor
2796+ + debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
2797+ should now take control
2798+ + debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2799+ to make sure that if earlier version of apparmor-profiles gets
2800+ installed it won't overwrite our profile
2801+ + Modify Maintainer value to match the DebianMaintainerField
2802+ specification.
2803+
2804+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 04 Mar 2008 01:59:51 +0000
2805+
2806 openldap2.3 (2.4.7-6) unstable; urgency=low
2807
2808 [ Updated debconf translations ]
2809@@ -1247,6 +3743,37 @@ openldap2.3 (2.4.7-6) unstable; urgency=low
2810
2811 -- Steve Langasek <vorlon@debian.org> Thu, 28 Feb 2008 22:15:17 -0800
2812
2813+openldap2.3 (2.4.7-5ubuntu2) hardy; urgency=low
2814+
2815+ * SECURITY UPDATE:
2816+ + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
2817+ slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
2818+ allows remote authenticated users to cause a denial of service (daemon crash)
2819+ via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related
2820+ issue to CVE-2007-6698.
2821+
2822+ * References
2823+ - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658
2824+ - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358
2825+
2826+ -- Emanuele Gentili <emgent@emanuele-gentili.com> Sun, 02 Mar 2008 16:34:30 +0100
2827+
2828+openldap2.3 (2.4.7-5ubuntu1) hardy; urgency=low
2829+
2830+ * add AppArmor profile
2831+ + debian/apparmor-profile
2832+ + debian/slapd.postinst: Reload AA profile on configuration
2833+ * updated debian/slapd.README.Debian for note on AppArmor
2834+ * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
2835+ should now take control
2836+ * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
2837+ to make sure that if earlier version of apparmor-profiles gets installed
2838+ it won't overwrite our profile
2839+ * Modify Maintainer value to match the DebianMaintainerField
2840+ specification.
2841+
2842+ -- Jamie Strandboge <jamie@ubuntu.com> Wed, 13 Feb 2008 17:15:41 +0000
2843+
2844 openldap2.3 (2.4.7-5) unstable; urgency=low
2845
2846 [ Updated debconf translations ]
2847diff --git a/debian/configure.options b/debian/configure.options
2848index 08a55e0..9d3704e 100644
2849--- a/debian/configure.options
2850+++ b/debian/configure.options
2851@@ -175,6 +175,7 @@
2852 # --with-fetch with fetch(3) URL support [auto]
2853 # --with-threads with threads [auto]
2854 --with-threads
2855+--with-gssapi
2856 # --with-tls with TLS/SSL support auto|openssl|gnutls|moznss [auto]
2857 --with-tls=gnutls
2858 # --with-yielding-select with implicitly yielding select [auto]
2859diff --git a/debian/control b/debian/control
2860index fa7c8a1..f8060d2 100644
2861--- a/debian/control
2862+++ b/debian/control
2863@@ -1,14 +1,16 @@
2864 Source: openldap
2865 Section: net
2866 Priority: optional
2867-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
2868+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2869+XSBC-Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
2870 Uploaders: Steve Langasek <vorlon@debian.org>,
2871 Torsten Landschoff <torsten@debian.org>,
2872 Ryan Tandy <ryan@nardis.ca>
2873 Build-Depends: debhelper (>= 10),
2874+ dh-apparmor,
2875 dpkg-dev (>= 1.17.14),
2876 groff-base,
2877- heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
2878+ heimdal-dev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
2879 libargon2-dev <!pkg.openldap.noslapd>,
2880 libdb5.3-dev <!pkg.openldap.noslapd>,
2881 libgnutls28-dev,
2882@@ -35,7 +37,7 @@ Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}),
2883 coreutils (>= 4.5.1-1), psmisc, perl:any (>> 5.8.0) | libmime-base64-perl,
2884 adduser, lsb-base (>= 3.2-13), ${perl:Depends}, ${misc:Depends}
2885 Recommends: libsasl2-modules
2886-Suggests: ldap-utils,
2887+Suggests: ldap-utils, ufw,
2888 libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
2889 Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1)
2890 Replaces: libldap2, ldap-utils (<< 2.2.23-3)
2891diff --git a/debian/libldap-2.4-2.symbols b/debian/libldap-2.4-2.symbols
2892index d42ccec..55421bc 100644
2893--- a/debian/libldap-2.4-2.symbols
2894+++ b/debian/libldap-2.4-2.symbols
2895@@ -118,6 +118,7 @@ liblber-2.4.so.2 libldap-2.4-2 #MINVER#
2896 ber_sockbuf_io_fd@OPENLDAP_2.4_2 2.4.7
2897 ber_sockbuf_io_readahead@OPENLDAP_2.4_2 2.4.7
2898 ber_sockbuf_io_tcp@OPENLDAP_2.4_2 2.4.7
2899+ ber_sockbuf_io_udp@OPENLDAP_2.4_2 2.4.17-1ubuntu2
2900 ber_sockbuf_remove_io@OPENLDAP_2.4_2 2.4.7
2901 ber_sos_dump@OPENLDAP_2.4_2 2.4.7
2902 ber_start@OPENLDAP_2.4_2 2.4.7
2903@@ -280,6 +281,11 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER#
2904 ldap_int_flush_request@OPENLDAP_2.4_2 2.4.7
2905 ldap_int_global_options@OPENLDAP_2.4_2 2.4.7
2906 ldap_int_gmtime_mutex@OPENLDAP_2.4_2 2.4.23
2907+ ldap_int_gssapi_close@OPENLDAP_2.4_2 2.4.18-0ubuntu2
2908+ ldap_int_gssapi_config@OPENLDAP_2.4_2 2.4.18-0ubuntu2
2909+ ldap_int_gssapi_get_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2
2910+ ldap_int_gssapi_mutex@OPENLDAP_2.4_2 2.4.18-0ubuntu2
2911+ ldap_int_gssapi_set_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2
2912 ldap_int_hostname@OPENLDAP_2.4_2 2.4.7
2913 ldap_int_hostname_mutex@OPENLDAP_2.4_2 2.4.39
2914 ldap_int_inet4or6@OPENLDAP_2.4_2 2.4.7
2915@@ -312,6 +318,7 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER#
2916 ldap_int_tls_start@OPENLDAP_2.4_2 2.4.7
2917 ldap_int_utils_init@OPENLDAP_2.4_2 2.4.7
2918 ldap_is_ldap_url@OPENLDAP_2.4_2 2.4.7
2919+ ldap_is_ldapc_url@OPENLDAP_2.4_2 2.4.17-1ubuntu2
2920 ldap_is_ldapi_url@OPENLDAP_2.4_2 2.4.7
2921 ldap_is_ldaps_url@OPENLDAP_2.4_2 2.4.7
2922 ldap_is_read_ready@OPENLDAP_2.4_2 2.4.7
2923diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
2924index 0aea4c3..bf04e60 100644
2925--- a/debian/patches/contrib-makefiles
2926+++ b/debian/patches/contrib-makefiles
2927@@ -183,3 +183,24 @@
2928 -rpath $(moduledir) -module -o $@ $? $(LIBS)
2929
2930 clean:
2931+--- a/contrib/slapd-modules/nssov/Makefile
2932++++ b/contrib/slapd-modules/nssov/Makefile
2933+@@ -52,15 +52,15 @@
2934+ .SUFFIXES: .c .o .lo
2935+
2936+ .c.lo:
2937+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
2938++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
2939+
2940+ tio.lo: nss-pam-ldapd/tio.c
2941+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $?
2942++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $?
2943+
2944+ $(OBJS): nssov.h
2945+
2946+ nssov.la: $(OBJS) $(XOBJS)
2947+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
2948++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info 0:0:0 \
2949+ -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS)
2950+
2951+ install: nssov.la
2952diff --git a/debian/patches/fix_test_timing.patch b/debian/patches/fix_test_timing.patch
2953new file mode 100644
2954index 0000000..bc57140
2955--- /dev/null
2956+++ b/debian/patches/fix_test_timing.patch
2957@@ -0,0 +1,27 @@
2958+Description: fix test timing on slow builders such as riscv64
2959+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
2960+
2961+--- a/tests/data/ppolicy.ldif
2962++++ b/tests/data/ppolicy.ldif
2963+@@ -25,7 +25,7 @@ pwdLockoutDuration: 15
2964+ pwdInHistory: 6
2965+ pwdCheckQuality: 2
2966+ pwdExpireWarning: 10
2967+-pwdMaxAge: 30
2968++pwdMaxAge: 40
2969+ pwdMinLength: 5
2970+ pwdGraceAuthnLimit: 3
2971+ pwdAllowUserChange: TRUE
2972+--- a/tests/scripts/test022-ppolicy
2973++++ b/tests/scripts/test022-ppolicy
2974+@@ -100,8 +100,8 @@ if test $RC != 0 ; then
2975+ fi
2976+
2977+ echo "Testing password expiration"
2978+-echo "Waiting 20 seconds for password to expire..."
2979+-sleep 20
2980++echo "Waiting 40 seconds for password to expire..."
2981++sleep 40
2982+
2983+ $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
2984+ -b "$BASEDN" -s base > $SEARCHOUT 2>&1
2985diff --git a/debian/patches/gssapi.diff b/debian/patches/gssapi.diff
2986new file mode 100644
2987index 0000000..5bcf266
2988--- /dev/null
2989+++ b/debian/patches/gssapi.diff
2990@@ -0,0 +1,140 @@
2991+--- a/configure.in
2992++++ b/configure.in
2993+@@ -244,6 +244,8 @@
2994+ auto, [auto yes no] )
2995+ OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support],
2996+ auto, [auto yes no] )
2997++OL_ARG_WITH(gssapi,[ --with-gssapi with GSSAPI support],
2998++ auto, [auto yes no] )
2999+ OL_ARG_WITH(threads,[ --with-threads with threads],
3000+ auto, [auto nt posix mach pth lwp yes no manual] )
3001+ OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls|moznss],
3002+@@ -591,6 +593,7 @@
3003+ KRB4_LIBS=
3004+ KRB5_LIBS=
3005+ SASL_LIBS=
3006++GSSAPI_LIBS=
3007+ TLS_LIBS=
3008+ MODULES_LIBS=
3009+ SLAPI_LIBS=
3010+@@ -1153,6 +1156,63 @@
3011+ fi
3012+
3013+ dnl ----------------------------------------------------------------
3014++dnl GSSAPI
3015++ol_link_gssapi=no
3016++
3017++case $ol_with_gssapi in yes | auto)
3018++
3019++ ol_header_gssapi=no
3020++ AC_CHECK_HEADERS(gssapi/gssapi.h)
3021++ if test $ac_cv_header_gssapi_gssapi_h = yes ; then
3022++ ol_header_gssapi=yes
3023++ else
3024++ AC_CHECK_HEADERS(gssapi.h)
3025++ if test $ac_cv_header_gssapi_h = yes ; then
3026++ ol_header_gssapi=yes
3027++ fi
3028++
3029++ dnl## not every gssapi has gss_oid_to_str()
3030++ dnl## as it's not defined in the GSSAPI V2 API
3031++ dnl## anymore
3032++ saveLIBS="$LIBS"
3033++ LIBS="$LIBS $GSSAPI_LIBS"
3034++ AC_CHECK_FUNCS(gss_oid_to_str)
3035++ LIBS="$saveLIBS"
3036++ fi
3037++
3038++ if test $ol_header_gssapi = yes ; then
3039++ dnl## we check for gss_wrap
3040++ dnl## as it's new to the GSSAPI V2 API
3041++ AC_CHECK_LIB(gssapi, gss_wrap,
3042++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"],
3043++ [ol_link_gssapi=no])
3044++ if test $ol_link_gssapi != yes ; then
3045++ AC_CHECK_LIB(gssapi_krb5, gss_wrap,
3046++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"],
3047++ [ol_link_gssapi=no])
3048++ fi
3049++ if test $ol_link_gssapi != yes ; then
3050++ AC_CHECK_LIB(gss, gss_wrap,
3051++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"],
3052++ [ol_link_gssapi=no])
3053++ fi
3054++ fi
3055++
3056++ ;;
3057++esac
3058++
3059++WITH_GSSAPI=no
3060++if test $ol_link_gssapi = yes; then
3061++ AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI])
3062++ WITH_GSSAPI=yes
3063++elif test $ol_with_gssapi = auto ; then
3064++ AC_MSG_WARN([Could not locate GSSAPI package])
3065++ AC_MSG_WARN([GSSAPI authentication not supported!])
3066++elif test $ol_with_gssapi = yes ; then
3067++ AC_MSG_ERROR([GSSAPI detection failed])
3068++fi
3069++
3070++dnl ----------------------------------------------------------------
3071+ dnl TLS/SSL
3072+
3073+ if test $ol_with_tls = yes ; then
3074+@@ -1928,6 +1988,13 @@
3075+ fi
3076+ AC_SUBST(VERSION_OPTION)
3077+
3078++VERSION_OPTION=""
3079++OL_SYMBOL_VERSIONING
3080++if test $ol_cv_ld_version_script_option = yes ; then
3081++ VERSION_OPTION="-Wl,--version-script="
3082++fi
3083++AC_SUBST(VERSION_OPTION)
3084++
3085+ dnl ----------------------------------------------------------------
3086+ if test $ol_enable_wrappers != no ; then
3087+ AC_CHECK_HEADERS(tcpd.h,[
3088+@@ -3159,6 +3226,7 @@
3089+ AC_SUBST(KRB4_LIBS)
3090+ AC_SUBST(KRB5_LIBS)
3091+ AC_SUBST(SASL_LIBS)
3092++AC_SUBST(GSSAPI_LIBS)
3093+ AC_SUBST(TLS_LIBS)
3094+ AC_SUBST(MODULES_LIBS)
3095+ AC_SUBST(SLAPI_LIBS)
3096+--- a/include/portable.hin
3097++++ b/include/portable.hin
3098+@@ -253,6 +253,18 @@
3099+ /* Define to 1 if you have the <grp.h> header file. */
3100+ #undef HAVE_GRP_H
3101+
3102++/* define if you have GSSAPI */
3103++#undef HAVE_GSSAPI
3104++
3105++/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
3106++#undef HAVE_GSSAPI_GSSAPI_H
3107++
3108++/* Define to 1 if you have the <gssapi.h> header file. */
3109++#undef HAVE_GSSAPI_H
3110++
3111++/* Define to 1 if you have the `gss_oid_to_str' function. */
3112++#undef HAVE_GSS_OID_TO_STR
3113++
3114+ /* Define to 1 if you have the `hstrerror' function. */
3115+ #undef HAVE_HSTRERROR
3116+
3117+--- a/build/top.mk
3118++++ b/build/top.mk
3119+@@ -190,9 +190,10 @@
3120+ KRB5_LIBS = @KRB5_LIBS@
3121+ KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@
3122+ SASL_LIBS = @SASL_LIBS@
3123++GSSAPI_LIBS = @GSSAPI_LIBS@
3124+ TLS_LIBS = @TLS_LIBS@
3125+ AUTH_LIBS = @AUTH_LIBS@
3126+-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
3127++SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
3128+
3129+ MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
3130+ MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@
3131diff --git a/debian/patches/series b/debian/patches/series
3132index 6181d9b..c93db6f 100644
3133--- a/debian/patches/series
3134+++ b/debian/patches/series
3135@@ -8,6 +8,7 @@ index-files-created-as-root
3136 sasl-default-path
3137 libldap-symbol-versions
3138 getaddrinfo-is-threadsafe
3139+gssapi.diff
3140 do-not-second-guess-sonames
3141 contrib-makefiles
3142 smbk5pwd-makefile-manpage
3143@@ -20,3 +21,4 @@ no-bdb-ABI-second-guessing
3144 ITS6035-olcauthzregex-needs-restart.patch
3145 set-maintainer-name
3146 ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
3147+fix_test_timing.patch
3148diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name
3149index 262b7ef..35f8f77 100644
3150--- a/debian/patches/set-maintainer-name
3151+++ b/debian/patches/set-maintainer-name
3152@@ -10,7 +10,7 @@
3153 -else
3154 - WHOWHERE="$USER@$(uname -n):$(pwd)"
3155 -fi
3156-+WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>"
3157++WHOWHERE="${DEB_MAINTAINER:-openldap}"
3158
3159 cat << __EOF__
3160 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3161diff --git a/debian/rules b/debian/rules
3162index 1eb0d5b..30cf8e0 100755
3163--- a/debian/rules
3164+++ b/debian/rules
3165@@ -7,13 +7,17 @@ include /usr/share/dpkg/pkg-info.mk
3166 # want the checks for DFSG-freeness.
3167 #DFSG_NONFREE = 1
3168
3169-export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
3170+export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS -I/usr/include/heimdal
3171+export DEB_LDFLAGS_MAINT_APPEND := -L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal
3172 export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
3173
3174 # Configure calls AM_INIT_AUTOMAKE, but Automake fails as there is no Makefile.am.
3175 # Tell dh-autoreconf to skip automake.
3176 export AUTOMAKE = true
3177
3178+# Expose maintainer address to build/mkversion (see debian/patches/set-maintainer-name)
3179+export DEB_MAINTAINER := $(shell sed -ne 's/^Maintainer:\s\+//p' debian/control)
3180+
3181 # Expose DEB_VERSION to build/version.sh (see debian/patches/debian-version)
3182 export DEB_VERSION
3183
3184@@ -28,7 +32,7 @@ ifneq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
3185 CONFIG += --disable-slapd
3186 endif
3187
3188-CONTRIB_MODULES = autogroup lastbind passwd passwd/argon2 passwd/pbkdf2 passwd/sha2 smbk5pwd
3189+CONTRIB_MODULES = autogroup lastbind nssov passwd passwd/argon2 passwd/pbkdf2 passwd/sha2 smbk5pwd
3190
3191 # Ensure CC is set correctly for cross builds, unless it has already
3192 # been set explicitly.
3193@@ -48,7 +52,8 @@ CONTRIB_MAKEVARS := \
3194 LDAP_BUILD='$(builddir)' \
3195 prefix=/usr \
3196 ldap_subdir=/ldap \
3197- moduledir='$$(libdir)$$(ldap_subdir)'
3198+ moduledir='$$(libdir)$$(ldap_subdir)' \
3199+ sysconfdir='/etc$$(ldap_subdir)'
3200
3201 # These variables are used only by get-orig-source, which will normally only
3202 # be run by maintainers.
3203@@ -162,6 +167,22 @@ endif
3204 find $(installdir)/usr/share/man -name \*.8 \
3205 | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#'
3206
3207+ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)
3208+override_dh_install-arch:
3209+ dh_install
3210+
3211+ # install AppArmor profile
3212+ install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd
3213+
3214+ # install Apport hook
3215+ install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py
3216+
3217+ # install ufw profile
3218+ install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd
3219+
3220+ dh_apparmor -pslapd --profile-name=usr.sbin.slapd
3221+endif
3222+
3223 override_dh_installinit:
3224 dh_installinit -- "defaults 19 80"
3225
3226@@ -222,6 +243,8 @@ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
3227 done; \
3228 fi
3229
3230+ rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess
3231+
3232 # Clean the contrib directory
3233 for mod in $(CONTRIB_MODULES); do \
3234 dh_auto_clean -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod || exit $?; \
3235diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
3236index a43dfe4..216e6ac 100644
3237--- a/debian/slapd.README.Debian
3238+++ b/debian/slapd.README.Debian
3239@@ -204,8 +204,8 @@ Running slapd under a Different UID/GID
3240
3241 - Tell linux slapd can access configuration files -- usually:
3242
3243- chgrp <group> /etc/ldap/slapd.conf
3244- chmod 0640 /etc/ldap/slapd.conf
3245+ chgrp -R <group> /etc/ldap/slapd.d
3246+ chmod -R g+rX /etc/ldap/slapd.d
3247
3248 - Tell linux slapd can access /var/run/slapd and write a PID file:
3249
3250@@ -339,3 +339,14 @@ Unsafe access control rule installed by default in previous versions
3251 slapd.access(5) man page.
3252
3253 -- Ryan Tandy <ryan@nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
3254+
3255+Apparmor Profile
3256+----------------
3257+
3258+ If your system uses AppArmor, please note that the shipped enforcing profile
3259+ works with the default installation, and changes in your configuration may
3260+ require changes to the installed apparmor profile. Please see
3261+ https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
3262+ software.
3263+
3264+ -- Jamie Strandboge <jamie@ubuntu.com>, Mon, 4 Feb 2008 21:18:21 -0500
3265diff --git a/debian/slapd.default b/debian/slapd.default
3266index 372b8f4..4212e07 100644
3267--- a/debian/slapd.default
3268+++ b/debian/slapd.default
3269@@ -12,7 +12,7 @@ SLAPD_USER="openldap"
3270 SLAPD_GROUP="openldap"
3271
3272 # Path to the pid file of the slapd server. If not set the init.d script
3273-# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
3274+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
3275 # default)
3276 SLAPD_PIDFILE=
3277
3278diff --git a/debian/slapd.install b/debian/slapd.install
3279index 0987dad..206a208 100644
3280--- a/debian/slapd.install
3281+++ b/debian/slapd.install
3282@@ -54,5 +54,7 @@ usr/lib/ldap/autogroup.so*
3283 usr/lib/ldap/autogroup.la
3284 usr/lib/ldap/lastbind.so*
3285 usr/lib/ldap/lastbind.la
3286+usr/lib/ldap/nssov.so*
3287+usr/lib/ldap/nssov.la
3288 usr/lib/ldap/pw-sha2.so*
3289 usr/lib/ldap/pw-sha2.la
3290diff --git a/debian/slapd.manpages b/debian/slapd.manpages
3291index ffd3243..25f6d43 100644
3292--- a/debian/slapd.manpages
3293+++ b/debian/slapd.manpages
3294@@ -43,3 +43,4 @@ debian/tmp/usr/share/man/man5/slapo-valsort.5
3295
3296 # contrib modules installed in main package
3297 debian/tmp/usr/share/man/man5/slapo-lastbind.5
3298+contrib/slapd-modules/nssov/slapo-nssov.5
3299diff --git a/debian/slapd.py b/debian/slapd.py
3300new file mode 100644
3301index 0000000..7d78699
3302--- /dev/null
3303+++ b/debian/slapd.py
3304@@ -0,0 +1,51 @@
3305+#!/usr/bin/python
3306+
3307+'''apport hook for slapd
3308+
3309+(c) 2010 Adam Sommer.
3310+Author: Adam Sommer <asommer@ubuntu.com>
3311+
3312+This program is free software; you can redistribute it and/or modify it
3313+under the terms of the GNU General Public License as published by the
3314+Free Software Foundation; either version 2 of the License, or (at your
3315+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
3316+the full text of the license.
3317+'''
3318+
3319+from apport.hookutils import *
3320+import os
3321+
3322+# Scrub olcRootPW attribute and credentials strings if necessary.
3323+def scrub_pass_strings(config):
3324+ olcrootpw_regex = re.compile('olcRootPW:.*')
3325+ olcrootpw_string = olcrootpw_regex.search(config)
3326+ if olcrootpw_string:
3327+ config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@')
3328+
3329+ credentials_regex = re.compile('credentials=.* ')
3330+ credentials_string = credentials_regex.search(config)
3331+ if credentials_string:
3332+ config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ')
3333+
3334+ return config
3335+
3336+def add_info(report, ui):
3337+ response = ui.yesno("The contents of your /etc/ldap/slapd.d directory "
3338+ "may help developers diagnose your bug more "
3339+ "quickly. However, it may contain sensitive "
3340+ "information. Do you want to include it in your "
3341+ "bug report?")
3342+
3343+ if response == None: # user cancelled
3344+ raise StopIteration
3345+
3346+ elif response == True:
3347+ # Get the cn=config tree.
3348+ cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config'])
3349+ report['CNConfig'] = scrub_pass_strings(cn_config)
3350+
3351+ # Get slapd messages from /var/log/syslog
3352+ slapd_re = re.compile('slapd', re.IGNORECASE)
3353+ report['SysLog'] = recent_syslog(slapd_re)
3354+
3355+ attach_mac_events(report, '/usr/sbin/slapd')
3356diff --git a/debian/slapd.scripts-common b/debian/slapd.scripts-common
3357index b2b3d3d..0dc0045 100644
3358--- a/debian/slapd.scripts-common
3359+++ b/debian/slapd.scripts-common
3360@@ -175,8 +175,7 @@ dump_config() { # {{{
3361 dump_databases() { # {{{
3362 # If the user wants us to dump the databases they are dumped to the
3363 # configured directory.
3364-
3365- local db suffix file dir failed
3366+ local db suffix file dir failed slapcat_opts
3367
3368 database_dumping_enabled || return 0
3369
3370@@ -365,6 +364,12 @@ compute_backup_path() { # {{{
3371 id="$OLD_VERSION"
3372 [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S`
3373 target="/var/backups/$basedn-$id.ldapdb"
3374+ # Configuration via dpkg-reconfigure.
3375+ # The backup directory already exists when reconfigured
3376+ # twice or more: append a timestamp.
3377+ if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then
3378+ target="$target-`date +%Y%m%d-%H%M%S`"
3379+ fi
3380 if [ -e "$target" ] && [ -z "$ok_exists" ]; then
3381 echo >&2
3382 echo >&2 " Backup path $target exists. Giving up..."
3383diff --git a/debian/slapd.ufw.profile b/debian/slapd.ufw.profile
3384new file mode 100644
3385index 0000000..3c4f676
3386--- /dev/null
3387+++ b/debian/slapd.ufw.profile
3388@@ -0,0 +1,9 @@
3389+[OpenLDAP LDAP]
3390+title=OpenLDAP with TLS
3391+description=OpenLDAP is a free, fast, lightweight LDAP server
3392+ports=389/tcp
3393+
3394+[OpenLDAP LDAPS]
3395+title=OpenLDAP over SSL
3396+description=OpenLDAP is a free, fast, lightweight LDAP server
3397+ports=636/tcp

Subscribers

People subscribed via source and target branches