Ubuntu
openldap package

Merge ~sergiodj/ubuntu/+source/openldap:merge-2.5.11-jammy into ubuntu/+source/openldap:debian/experimental

Proposed by Sergio Durigan Junior on 2022-01-25

Status:	Merged
Merge reported by:	Sergio Durigan Junior
Merged at revision:	3173e44ad51421ebe61cfc724d5cdd6be5829720
Proposed branch:	~sergiodj/ubuntu/+source/openldap:merge-2.5.11-jammy
Merge into:	ubuntu/+source/openldap:debian/experimental
Diff against target:	3402 lines (+3029/-3) 7 files modified debian/apparmor-profile (+61/-0) debian/changelog (+2876/-0) debian/control (+4/-2) debian/rules (+17/-1) debian/slapd.README.Debian (+11/-0) debian/slapd.py (+51/-0) debian/slapd.ufw.profile (+9/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Bryce Harrington (community)	2022-01-25	Approve on 2022-01-26
Canonical Server	2022-01-25	Pending
Review via email: mp+414584@code.launchpad.net

Description of the change

This is the merge of openldap 2.5.11 from Debian experimental. The package is still on Debian experimental because the 2.5.x transition hasn't begun there yet.

The merge was relatively trivial. Our delta hasn't changed, and it is pretty well contained. I thought it would be possible to drop the ufw part of our delta, but as it turns out the situation is a bit more complicated (see bug #1943280).

As explained in the merge bug, the reason we're updating openldap to 2.5.11 instead of 2.6.1 is because the OpenLDAP upstream project has decided that the 2.5 release will be their LTS, and for that reason we (i.e., Ryan, Andreas and I) think that it's best to stick with 2.5 on Jammy.

There's a PPA with the proposed package here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4768/+packages

The bileto ticket is here:

https://bileto.ubuntu.com/#/ticket/4768

autopkgtest is still happy:

autopkgtest [18:08:07]: @@@@@@@@@@@@@@@@@@@@ summary
slapd PASS (superficial)
smbk5pwd PASS (superficial)

I'm still waiting for the bileto build to finish so that I can trigger autopkgtest directly on the Ubuntu infra, but I'm not foreseen any problems.

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-01-26:

I confirmed it builds locally, and ran the tests against the PPA (bileto appears to have run it too, but I couldn't see the results.) All looks good:

Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4768/?format=plain:
  openldap @ amd64:
    26.01.22 01:30:06 Log 🗒️ ✅ Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
      slapd PASS ✅
      smbk5pwd PASS ✅
  openldap @ arm64:
    26.01.22 01:32:07 Log 🗒️ ✅ Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
      slapd PASS ✅
      smbk5pwd PASS ✅
  openldap @ armhf:
    26.01.22 01:32:16 Log 🗒️ ✅ Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
      slapd PASS ✅
      smbk5pwd PASS ✅
  openldap @ ppc64el:
    26.01.22 01:31:02 Log 🗒️ ✅ Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
      slapd PASS ✅
      smbk5pwd PASS ✅
  openldap @ s390x:
    26.01.22 01:29:27 Log 🗒️ ✅ Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
      slapd PASS ✅
      smbk5pwd PASS ✅

Took a review through the commits for the past delta, and reviewed the changelog. All appears to be in good order.

LGTM, +1

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-01-26:

On Tuesday, January 25 2022, Bryce Harrington wrote:

Thanks, Bryce.

Uploaded:

$ dput openldap_2.5.11+dfsg-1~exp1ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openldap/openldap_2.5.11+dfsg-1~exp1ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openldap/openldap_2.5.11+dfsg-1~exp1ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.5.11+dfsg-1~exp1ubuntu1.dsc: done.
  Uploading openldap_2.5.11+dfsg.orig.tar.gz: done.
  Uploading openldap_2.5.11+dfsg-1~exp1ubuntu1.debian.tar.xz: done.
  Uploading openldap_2.5.11+dfsg-1~exp1ubuntu1_source.buildinfo: done.
  Uploading openldap_2.5.11+dfsg-1~exp1ubuntu1_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

On Tuesday, January 25 2022, Bryce Harrington wrote:

> I confirmed it builds locally, and ran the tests against the PPA (bileto appears to have run it too, but I couldn't see the results.)  All looks good:
>
> Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4768/?format=plain:
>   openldap @ amd64:
>     26.01.22 01:30:06    Log 🗒️	✅     Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
>       slapd                PASS                          ✅ 
>       smbk5pwd             PASS                          ✅ 
>   openldap @ arm64:
>     26.01.22 01:32:07    Log 🗒️	✅     Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
>       slapd                PASS                          ✅ 
>       smbk5pwd             PASS                          ✅ 
>   openldap @ armhf:
>     26.01.22 01:32:16    Log 🗒️	✅     Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
>       slapd                PASS                          ✅ 
>       smbk5pwd             PASS                          ✅ 
>   openldap @ ppc64el:
>     26.01.22 01:31:02    Log 🗒️	✅     Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
>       slapd                PASS                          ✅ 
>       smbk5pwd             PASS                          ✅ 
>   openldap @ s390x:
>     26.01.22 01:29:27    Log 🗒️	✅     Triggers: ['openldap/2.5.11+dfsg-1~exp1ubuntu1']
>       slapd                PASS                          ✅ 
>       smbk5pwd             PASS                          ✅ 
>
> Took a review through the commits for the past delta, and reviewed the changelog.  All appears to be in good order.
>
> LGTM, +1

Thanks, Bryce.

Uploaded:

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/debian/apparmor-profile b/debian/apparmor-profile
 new file mode 100644
 index 0000000..6a247aa
 --- /dev/null
 +++ b/debian/apparmor-profile
@@ -0,0 +1,61 @@
++# vim:syntax=apparmor
++# Last Modified: Fri Jun  6 13:51:00 2020
++# Author: Jamie Strandboge <jamie@ubuntu.com>
++
++#include <tunables/global>
++
++/usr/sbin/slapd {
++  #include <abstractions/base>
++  #include <abstractions/nameservice>
++  #include <abstractions/p11-kit>
++
++  #include <abstractions/ssl_keys>
++  #include <abstractions/ssl_certs>
++
++  /etc/sasldb2 r,
++
++  capability dac_override,
++  capability net_bind_service,
++  capability setgid,
++  capability setuid,
++
++  /etc/gai.conf r,
++  /etc/hosts.allow r,
++  /etc/hosts.deny r,
++
++  # ldap files
++  /etc/ldap/** kr,
++  /etc/ldap/slapd.d/** rw,
++
++  # kerberos/gssapi
++  /dev/tty rw,
++  /etc/gss/mech.d/   r,
++  /etc/gss/mech.d/* kr,
++  /etc/krb5.keytab kr,
++  /etc/krb5/user/*/client.keytab kr,
++  owner /tmp/krb5cc_* rwk,
++  owner /var/tmp/krb5_*.rcache2 rwk,
++  /var/tmp/ rw,
++  /var/tmp/** rw,
++
++  # the databases and logs
++  /var/lib/ldap/ r,
++  /var/lib/ldap/** rwk,
++
++  # lock file
++  /var/lib/ldap/alock kw,
++
++  # pid files and sockets
++  /{,var/}run/slapd/* w,
++  /{,var/}run/slapd/ldapi rw,
++  /{,var/}run/nslcd/socket rw,
++  /{,var/}run/saslauthd/mux rw,
++
++  /usr/lib/ldap/ r,
++  /usr/lib/ldap/* mr,
++
++  /usr/sbin/slapd mr,
++
++  # Site-specific additions and overrides. See local/README for details.
++  #include <local/usr.sbin.slapd>
++}
 diff --git a/debian/changelog b/debian/changelog
 index 148acb1..7f3a69f 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,22 @@
++openldap (2.5.11+dfsg-1~exp1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1946883). Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 25 Jan 2022 17:06:12 -0500
++
  openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium
    * New upstream release.
@@ -29,6 +48,25 @@ openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 30 Aug 2021 18:54:25 -0700
++openldap (2.5.6+dfsg-1~exp1ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 17 Aug 2021 14:06:00 -0400
++
  openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium
    [ Ryan Tandy ]
@@ -63,6 +101,59 @@ openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 16 Aug 2021 18:32:29 -0700
++openldap (2.5.5+dfsg-1~exp1ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++  * Dropped changes:
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++      [ Dropped as planned after soname bump due to 2.5.5 update. ]
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install: install nssov overlay
++      + d/slapd.manpages: install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++      [ Dropped as planned after soname bump due to 2.5.5 update. ]
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++      [ Dropped as planned after soname bump due to 2.5.5 update. ]
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++      [ Dropped because the latest update improved the testcase and
++        there is no FTBFS on riscv64 anymore. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 15 Jun 2021 17:20:34 -0400
++
  openldap (2.5.5+dfsg-1~exp1) experimental; urgency=medium
    * New upstream release.
@@ -168,6 +259,53 @@ openldap (2.4.57+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sat, 15 May 2021 16:03:34 -0700
++openldap (2.4.57+dfsg-2ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install: install nssov overlay
++      + d/slapd.manpages: install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++    - d/{rules,slapd.py}: Add apport hook.
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Feb 2021 10:15:38 -0500
++
  openldap (2.4.57+dfsg-2) unstable; urgency=medium
    * Fix slapd assertion failure in Certificate List Exact Assertion validation
@@ -197,6 +335,65 @@ openldap (2.4.57+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sat, 23 Jan 2021 08:57:07 -0800
++openldap (2.4.56+dfsg-1ubuntu2) hirsute; urgency=medium
++
++  * debian/apparmor-profile: add AppArmor rule for locking replay cache.
++    In Hirsute, a change (presumably in src:krb5) has caused slapd to be
++    denied by AppArmor for locking /var/tmp/krb5_*.rcache2. This is
++    acceptable, so add it to the AppArmor profile. This fixes the dep8
++    test in src:krb5 that uses slapd for testing.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 26 Jan 2021 13:02:40 +0000
++
++openldap (2.4.56+dfsg-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install: install nssov overlay
++      + d/slapd.manpages: install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++    - d/{rules,slapd.py}: Add apport hook.
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++  * d/apparmor-profile: use abstractions/ssl_keys instead of manual rules,
++    allows letsencrypt to work. Thanks to Paul McEnery (LP: #1909748)
++
++ -- Paride Legovini <paride.legovini@canonical.com>  Mon, 04 Jan 2021 16:18:57 +0100
++
  openldap (2.4.56+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -223,12 +420,151 @@ openldap (2.4.54+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 18 Oct 2020 16:03:46 +0000
++openldap (2.4.53+dfsg-1ubuntu5) hirsute; urgency=medium
++
++  * SECURITY UPDATE: assertion failure in Certificate List syntax
++    validation
++    - debian/patches/CVE-2020-25709.patch: properly handle error in
++      servers/slapd/schema_init.c.
++    - CVE-2020-25709
++  * SECURITY UPDATE: assertion failure in CSN normalization with invalid
++    input
++    - debian/patches/CVE-2020-25710.patch: properly handle error in
++      servers/slapd/schema_init.c.
++    - CVE-2020-25710
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 17 Nov 2020 09:41:47 -0500
++
++openldap (2.4.53+dfsg-1ubuntu4) hirsute; urgency=medium
++
++  * SECURITY UPDATE: DoS via NULL pointer dereference
++    - debian/patches/CVE-2020-25692.patch: skip normalization if there's no
++      equality rule in servers/slapd/modrdn.c.
++    - CVE-2020-25692
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 09 Nov 2020 14:02:02 -0500
++
++openldap (2.4.53+dfsg-1ubuntu3) hirsute; urgency=medium
++
++  * No-change rebuild for the perl update.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 09 Nov 2020 12:53:38 +0100
++
++openldap (2.4.53+dfsg-1ubuntu2) hirsute; urgency=medium
++
++  * No-change rebuild for the perl update.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 09 Nov 2020 10:51:32 +0100
++
++openldap (2.4.53+dfsg-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1894838). Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install: install nssov overlay
++      + d/slapd.manpages: install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++    - d/{rules,slapd.py}: Add apport hook.
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 08 Sep 2020 09:36:58 -0300
++
  openldap (2.4.53+dfsg-1) unstable; urgency=medium
    * New upstream release.
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 07 Sep 2020 09:47:28 -0700
++openldap (2.4.51+dfsg-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install: install nssov overlay
++      + d/slapd.manpages: install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++    - d/{rules,slapd.py}: Add apport hook.
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++    - d/rules: better regexp to match the Maintainer tag in d/control,
++      needed in the Ubuntu case because of XSBC-Original-Maintainer
++      (Closes #960448, LP #1875697)
++  * Dropped:
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++      [In 2.4.51+dfsg-1]
++    - d/slapd.scripts-common:
++      + add slapcat_opts to local variables.
++      + Fix backup directory naming for multiple reconfiguration.
++      [In 2.4.51+dfsg-1]
++    - debian/patches/set-maintainer-name: our d/rules change needs to
++      be kept, but this patch is in 2.4.51+dfsg-1.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Aug 2020 11:03:24 -0300
++
  openldap (2.4.51+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -274,6 +610,85 @@ openldap (2.4.51+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Aug 2020 11:09:57 -0700
++openldap (2.4.50+dfsg-1ubuntu3) groovy; urgency=medium
++
++  * No change rebuild against new libnettle8 and libhogweed6 ABI.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 29 Jun 2020 22:31:30 +0100
++
++openldap (2.4.50+dfsg-1ubuntu2) groovy; urgency=medium
++
++  * d/apparmor-profile: Update apparmor profile to grant access to
++    the saslauthd socket, so that SASL authentication works. (LP: #1557157)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 12 Jun 2020 18:20:42 -0400
++
++openldap (2.4.50+dfsg-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      + d/apparmor-profile: add AppArmor profile
++      + d/rules: use dh_apparmor
++      + d/control: Build-Depends on dh-apparmor
++      + d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
++      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      + d/configure.options: Configure with --with-gssapi
++      + d/control: Added heimdal-dev as a build depend
++      + d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
++      This should be dropped when the soname changes.
++    - Enable ufw support:
++      + d/control: suggest ufw.
++      + d/rules: install ufw profile.
++      + d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      + d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      + d/slapd.install:
++        - install nssov overlay
++      + d/slapd.manpages:
++        - install slapo-nssov(5) man page
++      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++        Debian bug #919136, we also have to patch the nssov makefile
++        accordingly and thus update this patch.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.scripts-common:
++      + add slapcat_opts to local variables.
++      + Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - Add support for CLDAP (UDP) support, back then required by
++      likewise-open (first enabled in 2.4.17-1ubuntu2):
++      + d/rules: Enable -DLDAP_CONNECTIONLESS
++      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
++      This should be dropped when the soname changes.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
++      of test timing issue.
++  * Dropped:
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++      [Not worth keeping a delta for, as having olcRootDN doesn't hurt]
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [Debian now shows the full package version]
++    - SECURITY UPDATE: denial of service via nested search filters
++      + debian/patches/CVE-2020-12243.patch: limit depth of nested
++        filters in servers/slapd/filter.c.
++      [Fixed upstream]
++  * Added:
++    - d/rules, debian/patches/set-maintainer-name: Extract maintainer
++      address dynamically from debian/control. Thanks to Ryan Tandy
++      <ryan@nardis.ca> (Closes: #960448, LP: #1875697)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 01 Jun 2020 09:19:58 -0300
++
  openldap (2.4.50+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -316,6 +731,69 @@ openldap (2.4.49+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sat, 04 Apr 2020 10:43:56 -0700
++openldap (2.4.49+dfsg-2ubuntu2) groovy; urgency=medium
++
++  * SECURITY UPDATE: denial of service via nested search filters
++    - debian/patches/CVE-2020-12243.patch: limit depth of nested filters in
++      servers/slapd/filter.c.
++    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because of
++      test timing issue.
++    - CVE-2020-12243
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 01 May 2020 13:09:12 -0400
++
++openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1866303). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++        [Dropped the ldap_gssapi_bind_s() hunk as that is already
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 06 Mar 2020 11:39:12 -0300
++
  openldap (2.4.49+dfsg-2) unstable; urgency=medium
    * slapd.README.Debian: Document the initial setup performed by slapd's
@@ -327,6 +805,62 @@ openldap (2.4.49+dfsg-2) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 05 Mar 2020 12:59:46 -0800
++openldap (2.4.49+dfsg-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++        [Dropped the ldap_gssapi_bind_s() hunk as that is already
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++  * Dropped:
++    - d/control: slapd can depend on perl:any since it only uses perl for
++      some maintainer and helper scripts.
++      [In 2.4.49+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 10 Feb 2020 12:13:47 -0300
++
  openldap (2.4.49+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -355,6 +889,102 @@ openldap (2.4.49+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 06 Feb 2020 10:08:12 -0800
++openldap (2.4.48+dfsg-1ubuntu4) focal; urgency=medium
++
++  * d/control: slapd can depend on perl:any since it only uses perl for
++    some maintainer and helper scripts. The perl backend links against
++    the correct architecture perl libraries already. Can be dropped
++    after https://salsa.debian.org/openldap-team/openldap/commit/794c736
++    is in a Debian upload.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Jan 2020 16:46:11 -0300
++
++openldap (2.4.48+dfsg-1ubuntu3) focal; urgency=medium
++
++  * No-change rebuild against libnettle7
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2019 22:13:44 +0000
++
++openldap (2.4.48+dfsg-1ubuntu2) focal; urgency=medium
++
++  * No-change rebuild for the perl update.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 19:37:23 +0000
++
++openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++  * Dropped:
++    - Fix sysv-generator unit file by customizing parameters (LP #1821343)
++      + d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
++        correct systemctl status for slapd daemon.
++      + d/slapd.install: place override file in correct location.
++      [Included in 2.4.48+dfsg-1]
++    - SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
++      + debian/patches/CVE-2019-13057-1.patch: add restriction to
++        servers/slapd/saslauthz.c.
++      + debian/patches/CVE-2019-13057-2.patch: add tests to
++        tests/data/idassert.out, tests/data/slapd-idassert.conf,
++        tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
++      + debian/patches/CVE-2019-13057-3.patch: fix typo in
++        tests/scripts/test028-idassert.
++      + debian/patches/CVE-2019-13057-4.patch: fix typo in
++        tests/scripts/test028-idassert.
++      + CVE-2019-13057
++      [Fixed upstream]
++    - SECURITY UPDATE: SASL SSF not initialized per connection
++      + debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
++        connection_init in servers/slapd/connection.c.
++      + CVE-2019-13565
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 31 Jul 2019 18:01:14 -0300
++
  openldap (2.4.48+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -382,6 +1012,87 @@ openldap (2.4.48+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 25 Jul 2019 08:32:00 -0700
++openldap (2.4.47+dfsg-3ubuntu3) eoan; urgency=medium
++
++  * SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
++    - debian/patches/CVE-2019-13057-1.patch: add restriction to
++      servers/slapd/saslauthz.c.
++    - debian/patches/CVE-2019-13057-2.patch: add tests to
++      tests/data/idassert.out, tests/data/slapd-idassert.conf,
++      tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
++    - debian/patches/CVE-2019-13057-3.patch: fix typo in
++      tests/scripts/test028-idassert.
++    - debian/patches/CVE-2019-13057-4.patch: fix typo in
++      tests/scripts/test028-idassert.
++    - CVE-2019-13057
++  * SECURITY UPDATE: SASL SSF not initialized per connection
++    - debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
++      connection_init in servers/slapd/connection.c.
++    - CVE-2019-13565
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 Jul 2019 13:21:00 -0400
++
++openldap (2.4.47+dfsg-3ubuntu2) disco; urgency=medium
++
++  * Fix sysv-generator unit file by customizing parameters (LP: #1821343)
++    - d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
++      correct systemctl status for slapd daemon.
++    - d/slapd.install: place override file in correct location.
++
++ -- Heitor Alves de Siqueira <halves@canonical.com>  Mon, 08 Apr 2019 12:39:12 -0300
++
++openldap (2.4.47+dfsg-3ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++  * Added changes:
++    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
++      Debian bug #919136, we also have to patch the nssov makefile
++      accordingly and thus update this patch.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 11 Feb 2019 09:20:47 -0200
++
  openldap (2.4.47+dfsg-3) unstable; urgency=medium
    * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
@@ -397,6 +1108,63 @@ openldap (2.4.47+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sat, 02 Feb 2019 10:30:10 -0800
++openldap (2.4.47+dfsg-2ubuntu1) disco; urgency=medium
++
++  * Merge from Debian unstable (LP: #1811630).  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/rules:
++        - add nssov to CONTRIB_MODULES
++        - add sysconfdir to CONTRIB_MAKEVARS
++      - d/slapd.install:
++        - install nssov overlay
++      - d/slapd.manpages:
++        - install slapo-nssov(5) man page
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++  * Update nssov build and packaging for Debian changes:
++    - Drop patch nssov-build
++    - d/rules:
++      - add nssov to CONTRIB_MODULES
++      - add sysconfdir to CONTRIB_MAKEVARS
++    - d/slapd.install:
++      - install nssov overlay
++    - d/slapd.manpages:
++      - install slapo-nssov(5) man page
++
++ -- Ryan Tandy <ryan@nardis.ca>  Sun, 13 Jan 2019 04:47:09 +0000
++
  openldap (2.4.47+dfsg-2) unstable; urgency=medium
    * Reintroduce slapi-dev binary package. (Closes: #711469)
@@ -434,6 +1202,63 @@ openldap (2.4.47+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Dec 2018 12:50:40 -0800
++openldap (2.4.46+dfsg-5ubuntu3) disco; urgency=medium
++
++  * d/apparmor-profile: update apparmor profile to allow reading of
++    files needed when slapd is behaving as a kerberos/gssapi client
++    and acquiring its own ticket. (LP: #1783183)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 09 Nov 2018 21:29:51 -0200
++
++openldap (2.4.46+dfsg-5ubuntu2) disco; urgency=medium
++
++  * No-change rebuild for the perl 5.28 transition.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Fri, 02 Nov 2018 18:14:37 -0600
++
++openldap (2.4.46+dfsg-5ubuntu1) cosmic; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 09 May 2018 13:44:37 +0200
++
  openldap (2.4.46+dfsg-5) unstable; urgency=medium
    * Restore slapd-smbk5pwd now that libldap is installable in unstable.
@@ -453,6 +1278,49 @@ openldap (2.4.46+dfsg-3) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Fri, 04 May 2018 07:36:58 -0700
++openldap (2.4.46+dfsg-2ubuntu1) cosmic; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 04 May 2018 10:19:24 +0200
++
  openldap (2.4.46+dfsg-2) unstable; urgency=medium
    * Remove version constraint from libldap-2.4-2 dependency on libldap-common.
@@ -482,6 +1350,49 @@ openldap (2.4.46+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 03 May 2018 07:03:30 -0700
++openldap (2.4.45+dfsg-1ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 28 Jul 2017 14:49:07 +0200
++
  openldap (2.4.45+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -523,6 +1434,49 @@ openldap (2.4.45+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Thu, 27 Jul 2017 18:04:41 -0700
++openldap (2.4.44+dfsg-8ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 17 Jul 2017 10:58:24 +0200
++
  openldap (2.4.44+dfsg-8) unstable; urgency=medium
    * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
@@ -533,6 +1487,52 @@ openldap (2.4.44+dfsg-8) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Jul 2017 12:57:41 -0700
++openldap (2.4.44+dfsg-7ubuntu1) artful; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 27 Jun 2017 10:21:41 +0200
++
  openldap (2.4.44+dfsg-7) unstable; urgency=medium
    * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
@@ -540,6 +1540,52 @@ openldap (2.4.44+dfsg-7) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Tue, 27 Jun 2017 18:53:12 -0700
++openldap (2.4.44+dfsg-6ubuntu1) artful; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 27 Jun 2017 10:21:41 +0200
++
  openldap (2.4.44+dfsg-6) unstable; urgency=medium
    * Update the list of non-translatable strings for the
@@ -548,6 +1594,54 @@ openldap (2.4.44+dfsg-6) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 26 Jun 2017 19:42:02 -0700
++openldap (2.4.44+dfsg-5ubuntu1) artful; urgency=medium
++
++   * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sun, 28 May 2017 22:43:50 +0200
++
  openldap (2.4.44+dfsg-5) unstable; urgency=medium
    * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an
@@ -559,6 +1653,54 @@ openldap (2.4.44+dfsg-5) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 May 2017 09:59:46 -0700
++openldap (2.4.44+dfsg-4ubuntu1) artful; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 22 Apr 2017 14:28:54 +0200
++
  openldap (2.4.44+dfsg-4) unstable; urgency=medium
    * Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to
@@ -605,6 +1747,67 @@ openldap (2.4.44+dfsg-4) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Apr 2017 20:10:43 -0700
++openldap (2.4.44+dfsg-3ubuntu2) zesty; urgency=medium
++
++  * d/rules: Fix typo in previous upload.
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 12:17:02 -0800
++
++openldap (2.4.44+dfsg-3ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian unstable (LP: #1663702, LP: #1654416). Remaining
++    changes
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++      - d/rules:
++        - Explicitly add -I/usr/include/heimdal to CFLAGS.
++        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    [ d/rules modification mentioned above was dropped in
++      2.4.23-6ubuntu1, re-adding it ]
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++      [ Refreshed patch ]
++    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++      - GSSAPI support was enabled in 2.4.18-0ubuntu2
++    [ undocumented in prior merge, added in 2.4.41+dfsg-1ubuntu1 ]
++    - Fix use after free with GnuTLS. (LP #1557248)
++  * Drop:
++    - d/slapd.scripts-common:
++      + Remove unused variable new_conf.
++    [ configure_v2_protocol_support function removed in 2.4.44+dfsg-1 ]
++    - d/b/config.log: add config.log
++    [ previously undocumented, stray change ]
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Fri, 10 Feb 2017 11:38:57 -0800
++
  openldap (2.4.44+dfsg-3) unstable; urgency=medium
    * Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394)
@@ -677,6 +1880,73 @@ openldap (2.4.44+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Mon, 14 Nov 2016 18:59:30 -0800
++openldap (2.4.42+dfsg-2ubuntu5) zesty; urgency=medium
++
++  * No-change rebuild for perl 5.24 transition
++
++ -- Iain Lane <iain@orangesquash.org.uk>  Mon, 24 Oct 2016 10:37:13 +0100
++
++openldap (2.4.42+dfsg-2ubuntu4) yakkety; urgency=medium
++
++  * Fix use after free with GnuTLS. (LP: #1557248)
++
++ -- Maciej Puzio <maciej@work.swmed.edu>  Fri, 25 Mar 2016 15:24:25 -0500
++
++openldap (2.4.42+dfsg-2ubuntu3) xenial; urgency=medium
++
++  * Fix building with gssapi suppport:
++    - Explicitly add -I/usr/include/heimdal to CFLAGS.
++    - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 18 Feb 2016 09:17:27 +0100
++
++openldap (2.4.42+dfsg-2ubuntu2) xenial; urgency=medium
++
++  * No-change rebuild for gnutls transition.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Feb 2016 22:27:04 +0000
++
++openldap (2.4.42+dfsg-2ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian testing (LP: #1532648). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Drop CVE-2015-6908.patch, included in Debian.
++  * Remove DEB_HOST_ARCH from debian/rules: left over from when mdb was
++    disabled on ppc64el, no longer used, and missed in the previous merge.
++
++ -- Ryan Tandy <ryan@nardis.ca>  Sun, 10 Jan 2016 15:50:53 -0800
++
  openldap (2.4.42+dfsg-2) unstable; urgency=medium
    [ Ryan Tandy ]
@@ -744,6 +2014,71 @@ openldap (2.4.42+dfsg-1) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Fri, 21 Aug 2015 13:07:51 -0700
++openldap (2.4.41+dfsg-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild for Perl 5.22.1.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 18 Dec 2015 15:10:17 +0000
++
++openldap (2.4.41+dfsg-1ubuntu2) wily; urgency=medium
++
++  * SECURITY UPDATE: denial of service via crafted BER data
++    - debian/patches/CVE-2015-6908.patch: remove obsolete assert in
++      libraries/liblber/io.c.
++    - CVE-2015-6908
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Sep 2015 10:25:04 -0400
++
++openldap (2.4.41+dfsg-1ubuntu1) wily; urgency=medium
++
++  * Merge from Debian testing (LP: #1471831). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Dropped changes:
++    - Fix cpp calls for GCC 5: fixed upstream (ITS#8056)
++  * Upstream fixes:
++    - slapd crash with auditlog overlay and large (~27KB) attribute values
++      (ITS#8003) (LP: #1461276)
++    - nssov updated to support recent nss-pam-ldapd client libraries
++      (ITS#8097) (LP: #1393306)
++  * Update d/patches/nssov-build for upstream changes.
++  * Tweak d/patches/gssapi.diff to apply without fuzz.
++  * d/libldap-2.4-2.symbols: Add symbols not present in Debian.
++    - CLDAP (UDP) was added in 2.4.17-1ubuntu2
++    - GSSAPI support was enabled in 2.4.18-0ubuntu2
++
++ -- Ryan Tandy <ryan@nardis.ca>  Fri, 24 Jul 2015 14:12:06 -0700
++
  openldap (2.4.41+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -763,6 +2098,62 @@ openldap (2.4.40+dfsg-2) unstable; urgency=medium
   -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 Jun 2015 20:40:37 -0700
++openldap (2.4.40+dfsg-1ubuntu2) wily; urgency=medium
++
++  * No-change rebuild for the libnettle6 transition.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Sun, 14 Jun 2015 03:58:30 -0600
++
++openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low
++
++  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added heimdal-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - Show distribution in version:
++      - d/control: added lsb-release
++      - d/patches/fix-ldap-distribution.patch: show distribution in version
++  * Drop patches included upstream:
++    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
++    - d/patches/bdb-deadlock.patch
++    - d/patches/its-7354-fix-delta-sync-mmr.diff
++  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
++  * debian/patches/nssov-build: Adjust for upstream changes.
++  * debian/apparmor-profile:
++    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
++      kernel ABI v7 (utopic and later). (LP: #1392018)
++    - Reduce permissions on /run/nslcd to just the nslcd socket.
++  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
++    (LP: #1293250)
++
++ -- Ryan Tandy <ryan@nardis.ca>  Mon, 25 May 2015 19:49:21 -0700
++
  openldap (2.4.40+dfsg-1) unstable; urgency=medium
    * Remove inetorgperson.schema from the upstream source. Replace it with a
@@ -951,6 +2342,187 @@ openldap (2.4.39-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 17 Mar 2014 15:27:31 -0700
++openldap (2.4.31-1+nmu2ubuntu12) vivid; urgency=medium
++
++  * Fix cpp calls for GCC 5.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 06 Mar 2015 13:23:29 +0100
++
++openldap (2.4.31-1+nmu2ubuntu11) utopic; urgency=medium
++
++  * debian/apparmor-profile:
++    - allow p11-kit abstraction
++    - allow read of /etc/gss/mech.d/*
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 02 Sep 2014 15:29:05 -0500
++
++openldap (2.4.31-1+nmu2ubuntu10) utopic; urgency=medium
++
++  * Rebuild for Perl 5.20.0.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 21 Aug 2014 13:29:20 +0100
++
++openldap (2.4.31-1+nmu2ubuntu9) utopic; urgency=medium
++
++  * Cherry-pick upstream patch for compat with recent GNUTLS.
++  * Build-depend on libgnutls28-dev.
++  * Build-depend on libgcrypt20-dev.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 08 Aug 2014 11:01:56 +0100
++
++openldap (2.4.31-1+nmu2ubuntu8) trusty; urgency=medium
++
++  * Bump database_format_changed value to 2.4.31-1+nmu2ubuntu5 for db5.3.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Mon, 17 Mar 2014 12:50:18 -0600
++
++openldap (2.4.31-1+nmu2ubuntu7) trusty; urgency=medium
++
++  * Disable mdb backend on ppc64el due to test-suite failures.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 17 Mar 2014 16:32:29 +0000
++
++openldap (2.4.31-1+nmu2ubuntu6) trusty; urgency=low
++
++  * Fix segfault issue with master-master syncrepl (LP: #1287730):
++    - d/patches/its-7354-fix-delta-sync-mmr.diff: Cherry picked
++      patch from upstream VCS.
++
++ -- Pierre Fersing <pfersing@sierrawireless.com>  Tue, 04 Mar 2014 16:04:57 +0100
++
++openldap (2.4.31-1+nmu2ubuntu5) trusty; urgency=low
++
++  * Build-depend on libdb5.3-dev, instead of libdb5.1-dev.
++
++ -- Dmitrijs Ledkovs <xnox@ubuntu.com>  Mon, 04 Nov 2013 08:04:30 +0000
++
++openldap (2.4.31-1+nmu2ubuntu4) trusty; urgency=low
++
++  * Rebuild for Perl 5.18.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 22 Oct 2013 12:16:39 +0100
++
++openldap (2.4.31-1+nmu2ubuntu3) saucy; urgency=low
++
++  * Update build/config.guess and build/config.sub at build time; this was
++    not done automatically because the top-level configure.in does not use
++    Automake.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 08 Oct 2013 17:24:59 +0100
++
++openldap (2.4.31-1+nmu2ubuntu2) saucy; urgency=low
++
++  * debian/control: added lsb-release
++  * debian/patches/fix-ldap-distribution.patch: show distribution in version
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Mon, 08 Jul 2013 16:53:09 +0200
++
++openldap (2.4.31-1+nmu2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++      - d/slapd.dirs: add etc/apparmor.d/force-complain
++    - Enable GSSAPI support:
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added libkrb5-dev as a build depend
++    - Enable ufw support:
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay:
++      - d/{patches/nssov-build,/rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook.
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open
++    - d/{control,rules}: enable PIE hardening
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 30 May 2013 13:03:25 -0400
++
++openldap (2.4.31-1+nmu2) unstable; urgency=high
++
++  * Non-maintainer upload.
++  * No-change rebuild in a clean environment
++
++ -- Jonathan Wiltshire <jmw@debian.org>  Tue, 23 Apr 2013 13:10:00 +0100
++
++openldap (2.4.31-1+nmu1) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Avoid deadlocks in back-bdb that truncate slapcat output (closes: #673038).
++
++ -- Michael Gilbert <mgilbert@debian.org>  Tue, 16 Apr 2013 03:35:31 +0000
++
++openldap (2.4.31-1ubuntu2) quantal-proposed; urgency=low
++
++  * debian/slapd.py: Add AppArmor info and logs to apport hook.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 20 Aug 2012 08:46:02 -0400
++
++openldap (2.4.31-1ubuntu1) quantal; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Enable AppArmor support:
++      - d/apparmor-profile: add AppArmor profile
++      - d/rules: use dh_apparmor
++      - d/control: Build-Depends on dh-apparmor
++      - d/slapd.README.Debian: add note about AppArmor
++      - d/slapd.dirs: add etc/apparmor.d/force-complain
++    - Enable GSSAPI support (LP: #495418):
++      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++        - Add --with-gssapi support
++        - Make guess_service_principal() more robust when determining
++          principal
++      - d/configure.options: Configure with --with-gssapi
++      - d/control: Added libkrb5-dev as a build depend
++    - Enable ufw support (LP: #423246):
++      - d/control: suggest ufw.
++      - d/rules: install ufw profile.
++      - d/slapd.ufw.profile: add ufw profile.
++    - Enable nss overlay (LP: #675391):
++      - d/{patches/nssov-build,/rules}: Apply, build and package the
++        nss overlay.
++    - d/{rules,slapd.py}: Add apport hook. (LP: #610544)
++    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
++      either the default DIT nor via an Authn mapping.
++    - d/slapd.scripts-common:
++      - add slapcat_opts to local variables.
++      - Remove unused variable new_conf.
++      - Fix backup directory naming for multiple reconfiguration.
++    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
++    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++      in the openldap library, as required by Likewise-Open (LP: #390579)
++    - d/{control,rules}: enable PIE hardening
++  * Dropped changes:
++    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Included in upstream release.
++    - d/patches/CVE-2011-4079: Included in upstream release.
++    - d/patches/service-operational-before-detach: Included in upstream release.
++    - d/schema/extra/misc.ldif: Included upstream.
++    - d/{rules,schema/extra}: Fix configure and clean rules to support
++      extra schemas shipped as part of the debian/schema/ directory; no longer required.
++    - Included in Debian:
++      + Document cn=config in README file.
++      + Install a default DIT; actually a minimal configuration.
++      + d/patches/heimdal-fix.
++  * General tidy of d/patches to remove obsolete patches being held in Ubuntu delta.
++
++ -- James Page <james.page@ubuntu.com>  Fri, 20 Jul 2012 13:48:32 +0100
++
  openldap (2.4.31-1) unstable; urgency=low
    * New upstream release.
@@ -977,6 +2549,121 @@ openldap (2.4.31-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Wed, 27 Jun 2012 03:27:34 +0000
++openldap (2.4.28-1.1ubuntu6) quantal; urgency=low
++
++  * Fix issue with intermittent connection issues when using LDAPv3
++    protocol (LP: #1023025):
++    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
++      patch from upstream VCS which ensures objects are initialized before
++      re-use.
++
++ -- Pierre Fersing <pfersing@sierrawireless.com>  Thu, 19 Jul 2012 14:05:09 +0100
++
++openldap (2.4.28-1.1ubuntu5) quantal; urgency=low
++
++  * debian/rules: Add smbk5pwd build.
++  * debian/control: Add slapd-smbk5pwd binary package.
++  * debian/patches/heimdal-fix: adapt parameters of
++    hdb_generate_key_set_password() to heimdal 1.6~git20120311
++    (patch from Debian #664930).
++
++ -- Jorge Salamero Sanz <bencer@debian.org>  Wed, 18 Jul 2012 09:30:28 -0400
++
++openldap (2.4.28-1.1ubuntu4) precise; urgency=low
++
++  * debian/control: Build-Depends on dh-apparmor (LP: #948481)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 05 Apr 2012 09:34:37 -0500
++
++openldap (2.4.28-1.1ubuntu3) precise; urgency=low
++
++  * Add its-7176-only-poll-sockets-for-write-as-needed.diff
++    (LP: #932823).
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com>  Tue, 21 Feb 2012 15:36:29 +0200
++
++openldap (2.4.28-1.1ubuntu2) precise; urgency=low
++
++  * Remove debian/patches/CVE-2011-4079; it's already in this upstream
++    version. Fixes FTBFS.
++
++ -- Daniel T Chen <crimsun@ubuntu.com>  Wed, 25 Jan 2012 17:26:17 -0500
++
++openldap (2.4.28-1.1ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++      + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
++        (CVE-2011-4079)
++
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 23 Jan 2012 10:01:13 -0500
++
++openldap (2.4.28-1.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Disable the mdb backend on non-Linux, it looks like it doesn't work with
++    linuxthreads (closes: #654824).
++
++ -- Julien Cristau <jcristau@debian.org>  Mon, 16 Jan 2012 19:45:42 +0100
++
  openldap (2.4.28-1) unstable; urgency=low
    * New upstream release.
@@ -1004,6 +2691,72 @@ openldap (2.4.28-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Thu, 05 Jan 2012 06:07:11 +0000
++openldap (2.4.25-4ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++      + debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
++        (CVE-2011-4079)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Nov 2011 06:17:49 +0000
++
  openldap (2.4.25-4) unstable; urgency=low
    * Drop explicit depends on libdb4.8, since we're now linking against
@@ -1037,6 +2790,85 @@ openldap (2.4.25-4) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 18 Oct 2011 01:08:34 +0000
++openldap (2.4.25-3ubuntu3) precise; urgency=low
++
++  * Rebuild for Perl 5.14.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 15 Nov 2011 20:50:09 +0000
++
++openldap (2.4.25-3ubuntu2) precise; urgency=low
++
++  * SECURITY UPDATE: potential denial of service (LP: #884163)
++    - debian/patches/CVE-2011-4079: fix off by one error in
++      postalAddressNormalize()
++    - CVE-2011-4079
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 14 Nov 2011 13:59:56 -0600
++
++openldap (2.4.25-3ubuntu1) precise; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++     + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++       neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 19 Oct 2011 20:53:08 +0000
++
  openldap (2.4.25-3) unstable; urgency=low
    * Brown paper bag: really fix the .links.in handling, so we don't generate
@@ -1059,6 +2891,92 @@ openldap (2.4.25-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 14 Aug 2011 23:17:09 -0700
++openldap (2.4.25-1.1ubuntu4) oneiric; urgency=low
++
++  * Brown paper bag: really fix the .links.in handling, so we don't generate
++    broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 15 Aug 2011 09:43:29 +0000
++
++openldap (2.4.25-1.1ubuntu3) oneiric; urgency=low
++
++  * Cherry-pick multiarch support from Debian (LP: #826601):
++    - Bump to compat level 7, so we don't have to spell out debian/tmp in
++      every single .install file
++    - Build for multiarch.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 15 Aug 2011 02:23:43 -0700
++
++openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low
++
++  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 14 Jul 2011 15:18:02 +0200
++
++openldap (2.4.25-1.1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 05 Jun 2011 17:38:40 +0100
++
  openldap (2.4.25-1.1) unstable; urgency=low
    * Non-maintainer upload to fix RC bug.
@@ -1066,6 +2984,75 @@ openldap (2.4.25-1.1) unstable; urgency=low
   -- Thijs Kinkhorst <thijs@debian.org>  Tue, 31 May 2011 11:57:29 +0200
++openldap (2.4.25-1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++      + Install nss overlay (LP: #675391):
++        - debian/rules: run install target for nssov module.
++        - debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
++      + debian/patches/gssapi.diff:
++        - Update patch so that likewise-open is usuable again. (LP: #661547)
++      + debian/patches/service-operational-before-detach: New patch replacing old one
++        of the same name as previous could cause database corruption based on upstream commits.
++        (LP: #727973)
++       + Dropped:
++         - debian/patches/gold: Use the debian version instead
++         - debian/patches/CVE-2011-1024: Fixed upstream
++         - debian/patches/CVE-2011-1025: Fixed upstream
++         - debian/patches/CVE-2011-1081: Fixed upstream
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sun, 08 May 2011 16:34:09 +0100
++
  openldap (2.4.25-1) unstable; urgency=low
    * New upstream version (Closes: #617606, #618904, #606815, #608813)
@@ -1097,6 +3084,116 @@ openldap (2.4.23-7) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat, 06 Nov 2010 12:13:01 +0100
++openldap (2.4.23-6ubuntu7) oneiric; urgency=low
++
++  * Rebuild for Perl 5.12.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Sun, 08 May 2011 13:40:28 +0100
++
++openldap (2.4.23-6ubuntu6) natty; urgency=low
++
++  * SECURITY UPDATE: fix successful anonymous bind via chain overlay when
++    using forwarded authentication failures
++    - debian/patches/CVE-2011-1024
++    - CVE-2011-1024
++  * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb
++    backend. Note: Ubuntu is not compiled with --enable-ndb by default
++    - debian/patches/CVE-2011-1025
++    - CVE-2011-1025
++  * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
++    and requestDN is empty
++    - debian/patches/CVE-2011-1081
++    - CVE-2011-1081
++    - LP: #742104
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 07 Apr 2011 11:36:53 -0500
++
++openldap (2.4.23-6ubuntu5) natty; urgency=low
++
++  * debian/patches/service-operational-before-detach: New patch replacing
++    old one of same name as previous could cause database corruption,
++    based on upstream commits. (LP: #727973)
++
++ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Wed, 02 Mar 2011 20:33:08 +0000
++
++openldap (2.4.23-6ubuntu4) natty; urgency=low
++
++  * Fix FTBFS with ld.gold.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 19 Jan 2011 07:39:49 +0100
++
++openldap (2.4.23-6ubuntu3) natty; urgency=low
++
++  * debian/patches/gssapi.diff:
++    Update patch so that likewise-open is usable again (LP: #661547)
++
++ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Fri, 26 Nov 2010 15:50:11 +0100
++
++openldap (2.4.23-6ubuntu2) natty; urgency=low
++
++  * Install nss overlay (LP: #675391):
++    - debian/rules: run install target for nssov module.
++    - debian/patches/nssov-build: fix patch to install schema in
++      /etc/ldap/schema.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 17 Nov 2010 18:16:42 -0500
++
++openldap (2.4.23-6ubuntu1) natty; urgency=low
++
++  * Merge from Debian unstable:
++    - Install a default DIT (LP: #442498).
++    - Document cn=config in README file (LP: #370784).
++    - remaining changes:
++      + AppArmor support:
++        - debian/apparmor-profile: add AppArmor profile
++        - use dh_apparmor:
++          - debian/rules: use dh_apparmor
++          - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++        - updated debian/slapd.README.Debian for note on AppArmor
++        - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      + Enable GSSAPI support (LP: #495418):
++        - debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++          - Add --with-gssapi support
++          - Make guess_service_principal() more robust when determining
++            principal
++        - debian/patches/series: apply gssapi.diff patch.
++        - debian/configure.options: Configure with --with-gssapi
++        - debian/control: Added libkrb5-dev as a build depend
++      + debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++        in the openldap library, as required by Likewise-Open (LP: #390579)
++      + Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
++        - debian/control:
++          - remove build-dependency on heimdal-dev.
++          - remove slapd-smbk5pwd binary package.
++        - debian/rules: don't build smbk5pwd slapd module.
++      + debian/{control,rules}: enable PIE hardening
++      + ufw support (LP: #423246):
++        - debian/control: suggest ufw.
++        - debian/rules: install ufw profile.
++        - debian/slapd.ufw.profile: add ufw profile.
++      + Enable nssoverlay:
++        - debian/patches/nssov-build, debian/series, debian/rules:
++          Apply, build and package the nss overlay.
++        - debian/schema/extra/misc.ldif: add ldif file for the misc schema
++          which defines rfc822MailMember (required by the nss overlay).
++      + debian/rules, debian/schema/extra/:
++        Fix configure rule to supports extra schemas shipped as part
++        of the debian/schema/ directory.
++      + debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++      + debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
++        neither the default DIT nor via an Authn mapping.
++      + debian/slapd.scripts-common: adjust minimum version that triggers a
++        database upgrade. Upgrade from maverick shouldn't trigger database
++        upgrade (which would happen with the version used in Debian).
++      + debian/slapd.scripts-common: add slapcat_opts to local variables.
++        Remove unused variable new_conf.
++      + debian/slapd.script-common: Fix package reconfiguration.
++        - Fix backup directory naming for multiple reconfiguration.
++      + debian/slapd.default, debian/slapd.README.Debian:
++        use the new configuration style.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 12 Nov 2010 15:19:07 -0500
++
  openldap (2.4.23-6) unstable; urgency=high
    * Check for an empty directory to prevent an rm -f /*. (Closes: #597704)
@@ -1219,6 +3316,80 @@ openldap (2.4.23-1) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 12 Jul 2010 13:25:00 +0200
++openldap (2.4.23-0ubuntu4) natty; urgency=low
++
++  * debian/slapd.templates: amended typo in slapd/move_old_database
++    (LP: #666028)
++
++ -- James Page <james.page@canonical.com>  Mon, 08 Nov 2010 10:00:58 +0000
++
++openldap (2.4.23-0ubuntu3.2) maverick-proposed; urgency=low
++
++  * debian/slapd.templates: re-add slapd/move_old_database template as it's
++    used during the package upgrade. Thanks to James Page for pointing it.
++  * debian/slapd.config: restore debconf question slapd/move_old_database.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 14 Oct 2010 16:56:38 -0400
++
++openldap (2.4.23-0ubuntu3.1) maverick-proposed; urgency=low
++
++  [ James Page ]
++  * Fixed install/upgrade process to dump/restore databases due
++    to uplift to libdb4.8-dev (LP: #658227)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 14 Oct 2010 14:50:49 -0400
++
++openldap (2.4.23-0ubuntu3) maverick; urgency=low
++
++  * debian/rules: move dh_apparmor before dh_installinit
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 06 Aug 2010 17:34:21 -0500
++
++openldap (2.4.23-0ubuntu2) maverick; urgency=low
++
++  * convert to using dh_apparmor:
++    - debian/rules, debian/slapd.post{inst,rm}: use dh_apparmor
++    - debian/control: Build-Depends on debhelper 7.4.20ubuntu5
++  * debian/apparmor-profile: use local include
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 06 Aug 2010 15:08:55 -0500
++
++openldap (2.4.23-0ubuntu1) maverick; urgency=low
++
++  * New release, features include:
++    + Fixed libldap to return server's error code (ITS#6569)
++    + Fixed libldap memleaks (ITS#6568)
++    + Fixed liblutil off-by-one with delta (ITS#6541)
++    + Fixed slapd acls with glued databases (ITS#6468)
++    + Fixed slapd syncrepl rid logging (ITS#6533)
++    + Fixed slapd modrdn handling of invalid values (ITS#6570)
++    + Fixed slapd-bdb hasSubordinates computation (ITS#6549)
++    + Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474)
++    + Fixed slapd-bdb entry cache delete failure (ITS#6577)
++    + Fixed slapd-ldap to return control responses (ITS#6530)
++    + Fixed slapo-ppolicy to use Debug (ITS#6566)
++    + Fixed slapo-refint to zero out freed DN vals (ITS#6572)
++    + Fixed slapo-rwm to use Debug (ITS#6566)
++    + Fixed slapo-sssvlv to use Debug (ITS#6566)
++    + Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555)
++    + Fixed slapo-valsort to use Debug (ITS#6566)
++    + Fixed contrib/nssov network.c missing patch (ITS#6562)
++    + Fixed test043 attribute sorting (ITS#6553)
++    + slapd-config(5) note default rootdn (ITS#6546)
++  * Rebased patches debian/patches/dropped nssov-build
++  * Resynchronize with Debian:
++    + debian/control:
++      - Bump standards-version to 3.9.0
++      - Use libdb4.8-dev (LP: #572489)
++    + Added debian/patches/issue-6534-patch
++    + Added debian/patches/ldap-conf-tls-cacertdir
++  * Add ufw support, thanks to  PatRiehecky (LP: #423246)
++
++   [Adam Sommer]
++   * debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 28 Jul 2010 11:35:16 -0400
++
  openldap (2.4.21-1) unstable; urgency=low
    [ Steve Langasek ]
@@ -1250,6 +3421,79 @@ openldap (2.4.21-1) unstable; urgency=low
   -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu, 22 Apr 2010 23:40:30 +0200
++openldap (2.4.21-0ubuntu5) lucid; urgency=low
++
++  * Fix local root connection access: replace olcAuthzRegexp mapping to
++    cn=localroot,cn=config with using the SASL dn directly in olcAccess.
++    Makes upgrades much simpler and robust (LP: #563829).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 23 Apr 2010 00:23:31 -0400
++
++openldap (2.4.21-0ubuntu4) lucid; urgency=low
++
++  [ Simon Olofsson ]
++  * debian/slapd.postinst:
++    - Show a message after successful migration (LP: #538848)
++
++  [ Jorgen Rosink ]
++  * debian/slapd.init: add simple status checking with LSB compatible exit
++    codes (LP: #562377)
++  * debian/slapd.init.ldif:
++    - remove admin user in default config database (LP: #556176)
++    - in default config, add olcAccess entries giving access to controls
++      available and cn=subschema (LP: #427842)
++
++  [ Scott Moser ]
++  *  debian/slapd.scripts-common: Do not create /nonexistent directory
++     for openldap user's home (LP: #556176)
++  *  debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
++
++ -- Scott Moser <smoser@ubuntu.com>  Mon, 12 Apr 2010 16:16:47 -0400
++
++openldap (2.4.21-0ubuntu3) lucid; urgency=low
++
++  * debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases
++    before trying to convert to slapd.d, to avoid upgrade failure from hardy
++    (LP: #536958)
++  * debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in
++    olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 29 Mar 2010 13:31:47 +0200
++
++openldap (2.4.21-0ubuntu2) lucid; urgency=low
++
++  * debian/apparmor-profile: Update apparmor profile. (LP: #508190)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 09 Mar 2010 13:33:35 -0500
++
++openldap (2.4.21-0ubuntu1) lucid; urgency=low
++
++  * New upstream release.
++  * debian/rules, debian/schema/extra/:
++    Fix get-orig-source rule to supports extra schemas shipped as part of the
++    debian/schema/ directory.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 18 Feb 2010 00:58:13 -0500
++
++openldap (2.4.18-0ubuntu2) lucid; urgency=low
++
++  * debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
++    - Add --with-gssapi support
++    - Make guess_service_principal() more robust when determining principal
++  * Enable GSSAPI support (LP: #495418):
++    - debian/configure.options: Configure with --with-gssapi
++    - debian/control: Added libkrb5-dev as a build depend
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Fri, 11 Dec 2009 11:31:11 +0100
++
++openldap (2.4.18-0ubuntu1) karmic; urgency=low
++
++  * New upstream release: (LP: #419515):
++    + pcache overlay supports disconnected mode.
++  * Fix nss overlay load (LP: #417163).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 07 Sep 2009 13:41:10 -0400
++
  openldap (2.4.17-2.1) unstable; urgency=high
    * Non-maintainer upload by the Security Team.
@@ -1276,6 +3520,108 @@ openldap (2.4.17-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 22 Sep 2009 20:06:34 -0700
++openldap (2.4.17-1ubuntu3) karmic; urgency=low
++
++   * Install a minimal slapd configuration instead of creating a default
++     database with a default DIT:
++     + Move openldap user home from /var/lib/ldap to /nonexistent.
++     + Remove all code and templates dealing with the default database and DIT
++       creation.
++     + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
++       grant all access to the latter in the cn=config database as well as the
++       default backend configuration.
++   * Add cn=localroot,cn=config authz mapping on upgrades.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 11 Aug 2009 14:48:56 -0400
++
++openldap (2.4.17-1ubuntu2) karmic; urgency=low
++
++  [ Thierry Carrez ]
++  * debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
++    in the openldap library, as required by Likewise-Open (LP: #390579)
++
++  [ Mathias Gug ]
++  * debian/patches/its6077-uniqueness-overlay: fixes some issues with the
++    uniqueness overlay.
++  * debian/patches/its6220-writetimeout-directive: fixes a problem with the
++    writetimeout directive being in effect even if it wasn't set,
++    closing connections incorrectly.
++  * debian/patches/its6222-dncachesize-parameter: fixes the behavior of the
++    dncachesize parameter that was added in RE24, so that if it is set to
++    "0" (now the default), it has an unlimited DN cache (RE23 always
++    had an unlimited DN cache).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 31 Jul 2009 13:43:46 -0400
++
++openldap (2.4.17-1ubuntu1) karmic; urgency=low
++
++  [ Steve Langasek ]
++  * Fix up the lintian warnings:
++    - add missing misc-depends on all packages
++    - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
++      overrides
++    - bump Standards-Version to 3.8.2, no changes required.
++
++  [ Mathias Gug ]
++  * Resynchronise with Debian. Remaining changes:
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++      - debian/rules: install apparmor profile.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct
++      ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
++      readable) and /var/run/slapd (world readable).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package the nss
++        overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema which
++        defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to
++      the cn=config tree.
++    - debian/slapd.postinst: create /var/run/slapd before updating its
++      permissions.
++    - debian/slapd.init: Correctly set slapd config backend option even if
++      the pidfile is configured in slapd default file.
++  * Dropped:
++    - Merged in Debian:
++      - Update priority of libldap-2.4-2 to match the archive override.
++      - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
++        the ldapurl(1) manpage.
++      - Bump build-dependency on debhelper to 6 instead of 5, since that's
++        what we're using.
++      - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++        the built-in default of ldap:/// only.
++    - Fixed in upstream release:
++      - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
++        failure when built with PIE.
++      - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++        trusted.
++    - Update Apparmor profile support: don't support upgrade from pre-hardy
++      systems:
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles <<
++        2.1+1075-0ubuntu4 to make sure that if earlier version of
++        apparmor-profiles gets installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor complain mode on
++        some upgrades
++      - debian/slapd.preinst: create symlink for force-complain on
++        pre-feisty upgrades, upgrades where apparmor-profiles profile is
++        unchanged (ie non-enforcing) and upgrades where apparmor profile
++        does not exist.
++    - debian/patches/autogen.sh: no longer needed with karmic libtool.
++      - Call libtoolize with the --install option to install
++        config.{guess,sub} files.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 30 Jul 2009 16:42:58 -0400
++
  openldap (2.4.17-1) unstable; urgency=low
    * New upstream version.
@@ -1298,6 +3644,153 @@ openldap (2.4.17-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 28 Jul 2009 10:17:15 -0700
++openldap (2.4.15-1.1ubuntu1) karmic; urgency=low
++
++  * Resynchronise with Debian. Remaining changes:
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles <<
++        2.1+1075-0ubuntu4 to make sure that if earlier version of
++        apparmor-profiles gets installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor complain mode on
++        some upgrades
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.preinst: create symlink for force-complain on
++        pre-feisty upgrades, upgrades where apparmor-profiles profile is
++        unchanged (ie non-enforcing) and upgrades where apparmor profile
++        does not exist.
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install
++        config.{guess,sub} files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct
++      ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
++      readable) and /var/run/slapd (world readable).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package the nss
++        overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema which
++        defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to
++      the cn=config tree.
++    - Update priority of libldap-2.4-2 to match the archive override.
++    - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
++      the ldapurl(1) manpage.
++    - Bump build-dependency on debhelper to 6 instead of 5, since that's
++      what we're using.
++    - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++      the built-in default of ldap:/// only.
++    - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
++      failure when built with PIE.
++    - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++      trusted.
++    - debian/slapd.postinst: create /var/run/slapd before updating its
++      permissions.
++    - debian/slapd.init: Correctly set slapd config backend option even if
++      the pidfile is configured in slapd default file.
++  * Drop patch to avoid the test suite on hppa, as hppa is EOL.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 24 Jun 2009 10:45:20 +0100
++
++openldap (2.4.15-1.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Change libltdl3-dev Build-Depends to libltdl-dev | libltdl3-dev
++    (Closes: #522965)
++
++ -- Kurt Roeckx <kurt@roeckx.be>  Sun, 19 Apr 2009 18:24:32 +0200
++
++openldap (2.4.15-1ubuntu3) jaunty; urgency=low
++
++  * No-change rebuild to fix lpia shared library dependencies.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 19 Mar 2009 09:52:40 +0000
++
++openldap (2.4.15-1ubuntu2) jaunty; urgency=low
++
++  * debian/slapd.postinst: create /var/run/slapd before updating its
++    permissions (LP: #298928).
++  * debian/slapd.init: Correclty set slapd config backend option even if the
++    pidfile is configured in slapd default file (LP: #292364).
++  * debian/apparmor-profile: support multiple databases to be stored under
++    /var/lib/ldap/. (LP: #286614).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 13 Mar 2009 13:56:12 -0400
++
++openldap (2.4.15-1ubuntu1) jaunty; urgency=low
++
++  [ Steve Langasek ]
++  * Update priority of libldap-2.4-2 to match the archive override.
++  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
++    ldapurl(1) manpage.  Thanks to Peter Marschall for the patch.
++    Closes: #496749.
++  * Bump build-dependency on debhelper to 6 instead of 5, since that's
++    what we're using.  Closes: #498116.
++  * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
++    the built-in default of ldap:/// only.
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - AppArmor support:
++      - debian/apparmor-profile: add AppArmor profile
++      - debian/slapd.postinst: Reload AA profile on configuration
++      - updated debian/slapd.README.Debian for note on AppArmor
++      - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++      - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++        to make sure that if earlier version of apparmour-profiles gets
++        installed it won't overwrite our profile.
++      - follow ApparmorProfileMigration and force apparmor compalin mode on
++        some upgrades (LP: #203529)
++      - debian/slapd.dirs: add etc/apparmor.d/force-complain
++      - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++        upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++        non-enforcing) and upgrades where apparmor profile does not exist.
++      - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/control:
++      - Build-depend on libltdl7-dev rather then libltdl3-dev.
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install config.{guess,sub}
++        files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash (LP: #286063).
++    - Disable the testsuite on hppa. Allows building of packages on this
++      architecture again, once this package is in the archive.
++      LP: #288908.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++      and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++      /var/run/slapd (world readable). (LP: #257667).
++    - Enable nssoverlay:
++      - debian/patches/nssov-build, debian/rules: Build and package
++        the nss overlay.
++      - debian/schema/misc.ldif: add ldif file for the misc schema
++        which defines rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to the
++      cn=config tree.
++  * Dropped:
++    - debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
++      times. (ITS: #5947) Fixed in new upstream version 2.4.15.
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now. Implemented in Debian.
++  * debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034 failure
++    when built with PIE.
++  * debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
++    trusted (LP: #305264).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Fri, 06 Mar 2009 17:34:21 -0500
++
  openldap (2.4.15-1) unstable; urgency=low
    * New upstream version
@@ -1315,6 +3808,69 @@ openldap (2.4.15-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Tue, 24 Feb 2009 14:27:35 -0800
++openldap (2.4.14-0ubuntu1) jaunty; urgency=low
++
++  [ Steve Langasek ]
++  * New upstream version
++    - Fixes a bug with the pcache overlay not returning cached entries
++      (closes: #497697)
++    - Update evolution-ntlm patch to apply to current Makefiles.
++    - (tentatively) drop gnutls-ciphers, since this bug was reported to be
++      fixed upstream in 2.4.8.  The fix applied in 2.4.8 didn't match the
++      patch from the bug report, so this should be watched for regressions.
++  * Build against db4.7 instead of db4.2 at last!  Closes: #421946.
++  * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
++    installed in the build environment.
++  * New patch, no-crlcheck-for-gnutls, to fix a build failure when using
++    --with-tls=gnutls.
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/control:
++      - Build-depend on libltdl7-dev rather then libltdl3-dev.
++    - debian/patches/autogen.sh:
++      - Call libtoolize with the --install option to install config.{guess,sub}
++        files.
++    - Don't use local statement in config script as it fails if /bin/sh
++      points to bash (LP: #286063).
++    - Disable the testsuite on hppa. Allows building of packages on this
++      architecture again, once this package is in the archive.
++      LP: #288908.
++    - debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++      and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++      /var/run/slapd (world readable). (LP: #257667).
++    - debian/patches/nssov-build, debian/rules:
++      Build and package the nss overlay.
++      debian/schema/misc.ldif: add ldif file for the misc schema, which defines
++      rfc822MailMember (required by the nss overlay).
++    - debian/{control,rules}: enable PIE hardening
++    - Use cn=config as the default configuration backend instead of
++      slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++      asking the end user to enter a new password to control the access to the
++      cn=config tree.
++  * debian/patches/corrupt-contextCSN: The contextCSN can get corrupted at
++    times. (ITS: #5947)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 18 Feb 2009 18:44:00 -0500
++
  openldap (2.4.11-1) unstable; urgency=low
    * New upstream version (closes: #499560).
@@ -1337,6 +3893,110 @@ openldap (2.4.11-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sat, 11 Oct 2008 01:53:55 -0700
++openldap (2.4.11-0ubuntu7) jaunty; urgency=low
++
++  * Don't use local statement in config script as it fails if /bin/sh
++    points to bash (LP: #286063).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 04 Nov 2008 20:03:46 -0500
++
++openldap (2.4.11-0ubuntu6) intrepid; urgency=low
++
++  * Disable the testsuite on hppa. Allows building of packages on this
++    architecture again, once this package is in the archive.
++    LP: #288908.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 24 Oct 2008 23:22:33 +0200
++
++openldap (2.4.11-0ubuntu5) intrepid; urgency=low
++
++  * Don't set admin passwords in ldif files if adminpw is empty.
++    (LP: #273988 - LP: #276606).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 13 Oct 2008 19:31:15 -0400
++
++openldap (2.4.11-0ubuntu4) intrepid; urgency=low
++
++  * debian/slapd.postinst, debian/slapd.script-common: set correct ownership
++    and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
++    /var/run/slapd (world readable). (LP: #257667).
++  * debian/slapd.script-common:
++    - Fix package reconfiguration:
++      + Remove slapd.d/ directory if it already exists when creating a new
++        configuration.
++      + Fix backup directory naming for multiple reconfiguration.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 24 Sep 2008 21:01:42 -0400
++
++openldap (2.4.11-0ubuntu3) intrepid; urgency=low
++
++  * debian/patches/nssov-build, debian/rules:
++    Build and package the nss overlay.
++  * debian/schema/misc.ldif: add ldif file for the misc schema, which defines
++    rfc822MailMember (required by the nss overlay).
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 26 Aug 2008 18:42:54 -0400
++
++openldap (2.4.11-0ubuntu2) intrepid; urgency=low
++
++  * debian/{control,rules}: enable PIE hardening
++
++ -- Kees Cook <kees@ubuntu.com>  Wed, 20 Aug 2008 15:47:01 -0700
++
++openldap (2.4.11-0ubuntu1) intrepid; urgency=low
++
++  * New upstream version:
++    - Mainly bug fixes.
++    - New nss slapd overlay (not compiled by default).
++  * Use cn=config as the default configuration backend instead of
++    slapd.conf. Migrate slapd.conf  file to /etc/ldap/slapd.d/ on upgrade
++    asking the end user to enter a new password to control the access to the
++    cn=config tree.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Mon, 11 Aug 2008 20:26:05 -0400
++
++openldap (2.4.10-3ubuntu1) intrepid; urgency=low
++
++  [ Mathias Gug ]
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++  * Dropped - implemented in Debian:
++    - debian/patches/fix-gnutls-key-strength.patch:
++      Fix slapd handling of ssf using gnutls. (LP: #244925).
++    - debian/control:
++      Add time as build dependency: needed by make test.
++  * debian/control:
++    - Build-depend on libltdl7-dev rather then libltdl3-dev.
++  * debian/patches/autogen.sh:
++    - Call libtoolize with the --install option to install config.{guess,sub}
++    files.
++
++  [ Jamie Strandboge ]
++  * adjust apparmor profile to allow gssapi (LP: #229252)
++  * adjust apparmor profile to allow cnconfig (LP: #243525)
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 30 Jul 2008 19:46:02 -0400
++
  openldap (2.4.10-3) unstable; urgency=low
    [ Steve Langasek ]
@@ -1370,6 +4030,40 @@ openldap (2.4.10-3) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 28 Jul 2008 15:26:06 -0700
++openldap (2.4.10-2ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++    - debian/patches/fix-gnutls-key-strength.patch:
++      Fix slapd handling of ssf using gnutls. (LP: #244925).
++    - debian/control:
++      Add time as build dependency: needed by make test.
++  * Dropped - implemented in Debian:
++    - debian/rules:
++      Support debuild nocheck option: don't run tests if nocheck is set.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 10 Jul 2008 14:45:49 -0400
++
  openldap (2.4.10-2) unstable; urgency=low
    * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at
@@ -1384,6 +4078,54 @@ openldap (2.4.10-2) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Sun, 06 Jul 2008 22:03:32 -0700
++openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
++      the ucred struct now.
++    - debian/patches/fix-unique-overlay-assertion.patch:
++      Fix another assertion error in unique overlay (LP: #243337).
++      Backport from head.
++  * debian/control:
++    - add time as build dependency: needed by make test.
++  * debian/rules:
++    - support debuild nocheck option: don't run tests if nocheck is set.
++  * debian/patches/fix-gnutls-key-strength.patch:
++    - fix slapd handling of ssf using gnutls. (LP: #244925).
++  * Dropped - accepted in Debian:
++    - debian/rules, debian/slapd.links: use hard links to slapd instead of
++      symlinks for slap* so these applications aren't confined by apparmor
++      (LP: #203898)
++  * Dropped - fixed in new upstream release:
++    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
++      (LP: #215904)
++    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
++      error. (LP: #234196)
++    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
++      (LP: #220724)
++    - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
++      syncrepl. (LP: #227178)
++    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
++      upstream.
++
++ -- Mathias Gug <mathiaz@ubuntu.com>  Thu, 03 Jul 2008 14:15:08 -0400
++
  openldap2.3 (2.4.10-1) unstable; urgency=low
    [ Steve Langasek ]
@@ -1408,6 +4150,64 @@ openldap2.3 (2.4.10-1) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 30 Jun 2008 04:28:34 -0700
++openldap2.3 (2.4.9-1ubuntu4) intrepid; urgency=low
++
++  * debian/patches/fix-unique-overlay-assertion.patch:
++    - Fix another assertion error in unique overlay, backported from head.
++      (LP: #243337) Note: This patch will still be needed when moved to 2.4.10
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 30 Jun 2008 18:49:52 +0000
++
++openldap2.3 (2.4.9-1ubuntu3) intrepid; urgency=low
++
++  * Drop spurious dependency on hiemdal-dev. Caused by an aborted attempt to
++    include the smbk5pwd overlay.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 11 Jun 2008 21:25:40 +0000
++
++openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low
++
++  * Rebuild for perl 5.10 transition (LP: #230016)
++  * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
++    syncrepl. (LP: #227178)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 09 Jun 2008 14:56:40 +0000
++
++openldap2.3 (2.4.9-1ubuntu1) intrepid; urgency=low
++
++  * Merge from debian unstable, remaining changes:
++    - debian/apparmor-profile: add AppArmor profile
++    - debian/slapd.postinst: Reload AA profile on configuration
++    - updated debian/slapd.README.Debian for note on AppArmor
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmour-profiles gets
++      installed it won't overwrite our profile.
++    - Modify Maintainer value to match the DebianMaintainerField
++      speficication.
++    - follow ApparmorProfileMigration and force apparmor compalin mode on
++      some upgrades (LP: #203529)
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist.
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++    - debian/rules, debian/slapd.links: use hard links to slapd instead of
++      symlinks for slap* so these applications aren't confined by apparmor
++      (LP: #203898)
++    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
++      (LP: #215904)
++    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
++      error. (LP: #234196)
++    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
++      (LP: #220724)
++    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
++      upstream.
++   * Added debian/patches/fix-ucred-libc due to changes how newer glibc handle
++     the ucred struct now.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 30 May 2008 17:09:53 +0100
++
  openldap2.3 (2.4.9-1) unstable; urgency=low
    [ Updated debconf translations ]
@@ -1478,6 +4278,51 @@ openldap2.3 (2.4.7-6.1) unstable; urgency=high
   -- Nico Golde <nion@debian.org>  Tue, 04 Mar 2008 14:34:44 +0100
++openldap2.3 (2.4.7-6ubuntu3) hardy; urgency=low
++
++  * remove apparmor-profile workaround for Launchpad #202161 (it's now fixed
++    in klibc)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 07 Apr 2008 16:09:38 -0400
++
++openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low
++
++  * apparmor-profile workaround for Launchpad #202161
++  * follow ApparmorProfileMigration and force apparmor complain mode on some
++    upgrades (LP: #203529)
++    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
++    - debian/slapd.dirs: add etc/apparmor.d/force-complain
++    - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty
++      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
++      non-enforcing) and upgrades where apparmor profile does not exist
++    - debian/slapd.postrm: remove symlink in force-complain/ on purge
++  * debian/rules, debian/slapd.links: use hard links to slapd instead of
++    symlinks for slap* so these applications aren't confined by apparmor
++    (LP: #203898)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 18 Mar 2008 13:53:23 -0400
++
++openldap2.3 (2.4.7-6ubuntu1) hardy; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
++      slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
++      allows remote authenticated users to cause a denial of service (daemon
++      crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION)
++      control, a related issue to CVE-2007-6698.
++    + debian/apparmor-profile: add AppArmor profile
++    + debian/slapd.postinst: Reload AA profile on configuration
++    + updated debian/slapd.README.Debian for note on AppArmor
++    + debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
++      should now take control
++    + debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++      to make sure that if earlier version of apparmor-profiles gets
++      installed it won't overwrite our profile
++    + Modify Maintainer value to match the DebianMaintainerField
++      specification.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Mar 2008 01:59:51 +0000
++
  openldap2.3 (2.4.7-6) unstable; urgency=low
    [ Updated debconf translations ]
@@ -1523,6 +4368,37 @@ openldap2.3 (2.4.7-6) unstable; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Thu, 28 Feb 2008 22:15:17 -0800
++openldap2.3 (2.4.7-5ubuntu2) hardy; urgency=low
++
++  * SECURITY UPDATE:
++   + debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
++     slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
++     allows remote authenticated users to cause a denial of service (daemon crash)
++     via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related
++     issue to CVE-2007-6698.
++
++  * References
++   - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658
++   - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358
++
++ -- Emanuele Gentili <emgent@emanuele-gentili.com>  Sun, 02 Mar 2008 16:34:30 +0100
++
++openldap2.3 (2.4.7-5ubuntu1) hardy; urgency=low
++
++  * add AppArmor profile
++    + debian/apparmor-profile
++    + debian/slapd.postinst: Reload AA profile on configuration
++  * updated debian/slapd.README.Debian for note on AppArmor
++  * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
++    should now take control
++  * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
++    to make sure that if earlier version of apparmor-profiles gets installed
++    it won't overwrite our profile
++  * Modify Maintainer value to match the DebianMaintainerField
++    specification.
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 13 Feb 2008 17:15:41 +0000
++
  openldap2.3 (2.4.7-5) unstable; urgency=low
    [ Updated debconf translations ]
 diff --git a/debian/control b/debian/control
 index fbae9dd..fb7ed08 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,11 +1,13 @@
  Source: openldap
  Section: net
  Priority: optional
--Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
  Uploaders: Steve Langasek <vorlon@debian.org>,
   Torsten Landschoff <torsten@debian.org>,
   Ryan Tandy <ryan@nardis.ca>
  Build-Depends: debhelper-compat (= 12),
++               dh-apparmor,
                 dpkg-dev (>= 1.17.14),
                 groff-base,
                 heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
@@ -36,7 +38,7 @@ Depends: ${shlibs:Depends}, libldap-2.5-0 (= ${binary:Version}),
   coreutils (>= 4.5.1-1), psmisc, perl:any (>> 5.8.0) | libmime-base64-perl,
   adduser, lsb-base (>= 3.2-13), ${perl:Depends}, ${misc:Depends}
  Recommends: ldap-utils
--Suggests: libsasl2-modules,
++Suggests: libsasl2-modules, ufw,
   libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
  Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1)
  Replaces: libldap2, ldap-utils (<< 2.2.23-3)
 diff --git a/debian/rules b/debian/rules
 index 777fc6b..0913611 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -11,7 +11,7 @@ export DEB_CFLAGS_MAINT_APPEND := -Wall -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
  export DEB_BUILD_MAINT_OPTIONS := hardening=+all
  # Expose maintainer address to build/mkversion (see debian/patches/set-maintainer-name)
--export DEB_MAINTAINER := $(shell sed -ne 's/Maintainer:\s\+//p' debian/control)
++export DEB_MAINTAINER := $(shell sed -ne 's/^Maintainer:\s\+//p' debian/control)
  # Expose DEB_VERSION to build/version.sh (see debian/patches/debian-version)
  export DEB_VERSION
@@ -144,6 +144,22 @@ endif
  	find $(installdir)/usr/share/man -name \*.8 \
  		| xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#'
++ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)
++override_dh_install-arch:
++	dh_install
++
++	# install AppArmor profile
++	install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd
++
++	# install Apport hook
++	install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py
++
++	# install ufw profile
++	install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd
++
++	dh_apparmor -pslapd --profile-name=usr.sbin.slapd
++endif
++
  override_dh_installinit:
  	dh_installinit --no-restart-after-upgrade --error-handler=ignore_init_failure -- "defaults 19 80"
 diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
 index ff7d66b..a4f3f55 100644
 --- a/debian/slapd.README.Debian
 +++ b/debian/slapd.README.Debian
@@ -252,6 +252,17 @@ Modifications Compared to Upstream
   -- Russ Allbery <rra@debian.org>, Thu, 14 Feb 2008 18:47:07 -0800
++Apparmor Profile
++----------------
++
++  If your system uses AppArmor, please note that the shipped enforcing profile
++  works with the default installation, and changes in your configuration may
++  require changes to the installed apparmor profile. Please see
++  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
++  software.
++
++ -- Jamie Strandboge <jamie@ubuntu.com>, Mon,  4 Feb 2008 21:18:21 -0500
++
  Migrating your installation to OpenLDAP 2.5.x
    OpenLDAP 2.5 is a major new release and includes several incompatible
 diff --git a/debian/slapd.py b/debian/slapd.py
 new file mode 100644
 index 0000000..b1aed25
 --- /dev/null
 +++ b/debian/slapd.py
@@ -0,0 +1,51 @@
++#!/usr/bin/python3
++
++'''apport hook for slapd
++
++(c) 2010 Adam Sommer.
++Author: Adam Sommer <asommer@ubuntu.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++from apport.hookutils import *
++import os
++
++# Scrub olcRootPW attribute and credentials strings if necessary.
++def scrub_pass_strings(config):
++    olcrootpw_regex = re.compile('olcRootPW:.*')
++    olcrootpw_string = olcrootpw_regex.search(config)
++    if olcrootpw_string:
++        config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@')
++
++    credentials_regex = re.compile('credentials=.* ')
++    credentials_string = credentials_regex.search(config)
++    if credentials_string:
++        config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ')
++
++    return config
++
++def add_info(report, ui):
++    response = ui.yesno("The contents of your /etc/ldap/slapd.d directory "
++                        "may help developers diagnose your bug more "
++                        "quickly.  However, it may contain sensitive "
++                        "information.  Do you want to include it in your "
++                        "bug report?")
++
++    if response == None: # user cancelled
++        raise StopIteration
++
++    elif response == True:
++        # Get the cn=config tree.
++        cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config'])
++        report['CNConfig'] = scrub_pass_strings(cn_config)
++
++        # Get slapd messages from /var/log/syslog
++        slapd_re = re.compile('slapd', re.IGNORECASE)
++        report['SysLog'] = recent_syslog(slapd_re)
++
++        attach_mac_events(report, '/usr/sbin/slapd')
 diff --git a/debian/slapd.ufw.profile b/debian/slapd.ufw.profile
 new file mode 100644
 index 0000000..3c4f676
 --- /dev/null
 +++ b/debian/slapd.ufw.profile
@@ -0,0 +1,9 @@
++[OpenLDAP LDAP]
++title=OpenLDAP with TLS
++description=OpenLDAP is a free, fast, lightweight LDAP server
++ports=389/tcp
++
++[OpenLDAP LDAPS]
++title=OpenLDAP over SSL
++description=OpenLDAP is a free, fast, lightweight LDAP server
++ports=636/tcp

Ubuntuopenldap package

Merge ~sergiodj/ubuntu/+source/openldap:merge-2.5.11-jammy into ubuntu/+source/openldap:debian/experimental

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openldap package