diff options
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 3460 |
1 files changed, 3460 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..50e401a --- /dev/null +++ b/debian/changelog @@ -0,0 +1,3460 @@ +openldap (2.4.57+dfsg-3+deb11u1) bullseye-security; urgency=high + + * Fix SQL injection in back-sql (ITS#9815) (CVE-2022-29155) + + -- Ryan Tandy <ryan@nardis.ca> Sat, 14 May 2022 11:32:57 -0700 + +openldap (2.4.57+dfsg-3) unstable; urgency=medium + + * Link smbk5pwd with -lkrb5. (Closes: #988565) + + -- Ryan Tandy <ryan@nardis.ca> Sat, 15 May 2021 16:03:34 -0700 + +openldap (2.4.57+dfsg-2) unstable; urgency=medium + + * Fix slapd assertion failure in Certificate List Exact Assertion validation + (ITS#9454) (CVE-2021-27212) + + -- Ryan Tandy <ryan@nardis.ca> Sun, 14 Feb 2021 09:26:41 -0800 + +openldap (2.4.57+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Fixed slapd crashes in Certificate Exact Assertion processing + (ITS#9404, ITS#9424) (CVE-2020-36221) + - Fixed slapd assertion failures in saslAuthzTo validation + (ITS#9406, ITS#9407) (CVE-2020-36222) + - Fixed slapd crash in Values Return Filter control handling + (ITS#9408) (CVE-2020-36223) + - Fixed slapd crashes in saslAuthzTo processing + (ITS#9409, ITS#9412, ITS#9413) + (CVE-2020-36224, CVE-2020-36225, CVE-2020-36226) + - Fixed slapd assertion failure in X.509 DN parsing + (ITS#9423) (CVE-2020-36230) + - Fixed slapd crash in X.509 DN parsing (ITS#9425) (CVE-2020-36229) + - Fixed slapd crash in Certificate List Exact Assertion processing + (ITS#9427) (CVE-2020-36228) + - Fixed slapd infinite loop with Cancel operation + (ITS#9428) (CVE-2020-36227) + + -- Ryan Tandy <ryan@nardis.ca> Sat, 23 Jan 2021 08:57:07 -0800 + +openldap (2.4.56+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Fixed slapd abort due to assertion failure in Certificate List syntax + validation (ITS#9383) (CVE-2020-25709) + - Fixed slapd abort due to assertion failure in CSN normalization with + invalid input (ITS#9384) (CVE-2020-25710) + + -- Ryan Tandy <ryan@nardis.ca> Wed, 11 Nov 2020 09:13:56 -0800 + +openldap (2.4.55+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Fixed slapd normalization handling with modrdn + (ITS#9370) (CVE-2020-25692) + + -- Ryan Tandy <ryan@nardis.ca> Tue, 27 Oct 2020 21:07:29 -0700 + +openldap (2.4.54+dfsg-1) unstable; urgency=medium + + * New upstream release. + * Change upstream Homepage and get-orig-source URLs to HTTPS. + * Create debian/gbp.conf. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 18 Oct 2020 16:03:46 +0000 + +openldap (2.4.53+dfsg-1) unstable; urgency=medium + + * New upstream release. + + -- Ryan Tandy <ryan@nardis.ca> Mon, 07 Sep 2020 09:47:28 -0700 + +openldap (2.4.51+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Add ldap_parse_password_expiring_control to libldap-2.4-2.symbols. + * Merge some changes from Ubuntu: + - slapd.default, slapd.README.Debian: update to refer to slapd.d instead + of slapd.conf. + - debian/slapd.scripts-common: dump_databases: make slapcat_opts a local + variable. + * Drop paragraph about patch gnutls-altname-nulterminated (#465197) from + slapd.README.Debian. The patch referred to was dropped in 2.4.7-6. + * debian/patches/set-maintainer-name: Extract maintainer address dynamically + from debian/control. (Closes: #960448) + * Fix Torsten's email address in a historic debian/changelog entry to + resolve a Lintian error (bogus-mail-host-in-debian-changelog). + * Rename debian/source.lintian-overrides to debian/source/lintian-overrides. + Fixes a Lintian pedantic tag (old-source-override-location). + * Override Lintian pedantic tag maintainer-manual-page for + slapo-pw-pbkdf2.5, which will be included upstream in a future release. + * Remove the trailing whitespaces from debian/changelog, debian/control, and + debian/rules. Fixes a Lintian pedantic tag (trailing-whitespace). + * Convert debian/po/de.po to UTF-8. Fixes a Lintian warning + (national-encoding). + * Relax libldap's dependency on libldap-common to Recommends. + This is intended to mitigate the impact of bug #915948 in the case where + the arch:all build is delayed for so long that the old libldap-common + disappears. Previously, a delayed arch:all build could become + BD-Uninstallable if new amd64 binaries were published before the arch:all + build starts, due to the transitive build-dependency on libldap. + Although libldap works fine without libldap-common, in normal + installations it is still recommended to install libldap-common. + * Append a timestamp to the backup directory created by dpkg-reconfigure. + (Closes: #599585, #960449) + * Remove the redundant cn=admin,<suffix> entry from the default DIT for new + installs. For new installs going forward, the root credentials will be + stored in olcRootDN/olcRootPW only. (Closes: #821331) + * Change slapd's Suggests: ldap-utils to Recommends. While any LDAP client + suffices, ldap-utils contains the standard tools recommended by upstream + for basic administration and management. + * Relax Recommends: libsasl2-modules to Suggests on slapd and ldap-utils. + Many deployments do not use SASL at all, and therefore SASL mechanisms are + not needed "in all but unusual installations". + + -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Aug 2020 11:09:57 -0700 + +openldap (2.4.50+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Fixed slapd to limit depth of nested filters + (ITS#9202) (CVE-2020-12243) + - Drop patches included upstream: argon2.patch, ITS#9171, ITS#8650. + * Update Spanish debconf translation. + Thanks to Camaleón. (Closes: #958869) + + -- Ryan Tandy <ryan@nardis.ca> Tue, 28 Apr 2020 10:18:12 -0700 + +openldap (2.4.49+dfsg-4) unstable; urgency=medium + + * Annotate libsodium-dev dependency with <!pkg.openldap.noslapd>. + Thanks to Helmut Grohne. (Closes: #955993) + * Add the man page for the Argon2 password module. + Thanks to Peter Marschall. (Closes: #955977) + * Build the Argon2 password module with libargon2-dev instead of + libsodium-dev. Rationale: + - libargon2 contains the specific functionality needed; libsodium is a + larger library and contains many features not used here + - libsodium does not support configuring the p= (parallelism) parameter + * Import upstream patch to properly retry gnutls_handshake() after it + returns GNUTLS_E_AGAIN. (ITS#8650) (Closes: #861838) + * Update the Argon2 password module to upstream commit feb6f21d2e. + + -- Ryan Tandy <ryan@nardis.ca> Tue, 14 Apr 2020 21:33:16 -0700 + +openldap (2.4.49+dfsg-3) unstable; urgency=medium + + * Drop patch no-AM_INIT_AUTOMAKE. Instead, configure dh_autoreconf to skip + automake by setting AUTOMAKE=/bin/true. (Closes: #864637) + * debian/patches/debian-version: Show Debian version, instead of upstream + version, in version strings. + * Add ${perl:Depends} to slapd Depends to silence a dpkg-gencontrol warning. + This is practically a no-op since slapd explicitly Depends on perl because + of the maintainer scripts. + * Import the Argon2 password module from upstream git and install it in + slapd-contrib. New Build-Depends: libsodium-dev. (Closes: #920283) + + -- Ryan Tandy <ryan@nardis.ca> Sat, 04 Apr 2020 10:43:56 -0700 + +openldap (2.4.49+dfsg-2) unstable; urgency=medium + + * slapd.README.Debian: Document the initial setup performed by slapd's + maintainer scripts in more detail. Thanks to Karl O. Pinc. + (Closes: #952501) + * Import upstream patch to fix slapd crashing in certain configurations when + a client attempts a login to a locked account. + (ITS#9171) (Closes: #953150) + + -- Ryan Tandy <ryan@nardis.ca> Thu, 05 Mar 2020 12:59:46 -0800 + +openldap (2.4.49+dfsg-1) unstable; urgency=medium + + * New upstream release. + - Drop patch no-gnutls_global_set_mutex, applied upstream. + * When validating the DNS domain chosen for slapd's default suffix, set + LC_COLLATE explicitly for grep to ensure character ranges behave as + expected. Thanks to Fredrik Roubert. (Closes: #940908) + * Backport proposed upstream patch to emit detailed messages about errors in + the TLS configuration. (ITS#9086) (Closes: #837341) + * slapd.scripts-common: Delete unused copy_example_DB_CONFIG function. + * Remove debconf support for choosing a database backend. Always use the + LMDB backend for new installs, as recommended by upstream. + * Remove the empty olcBackend section from the default configuration. + * Remove the unused slapd.conf template from /usr/share/slapd. Continue + shipping it as an example in /usr/share/doc/slapd. + * Fix a typo in index-files-created-as-root patch. + Thanks to Quanah Gibson-Mount. + * Annotate slapd's Depends on perl with :any. Fixes installation of + foreign-arch slapd. Thanks to Andreas Hasenack. + * Rename 'stage1' build profile to 'pkg.openldap.noslapd'. + Thanks to Helmut Grohne. (Closes: #949722) + * Drop Build-Conflicts: libicu-dev as upstream's configure no longer tests + for or links with libicu. + * Note ITS#9126 recommendation in slapd.NEWS. + * Update Standards-Version to 4.5.0; no changes required. + + -- Ryan Tandy <ryan@nardis.ca> Thu, 06 Feb 2020 10:08:12 -0800 + +openldap (2.4.48+dfsg-1) unstable; urgency=medium + + * New upstream release. + - fixed slapd to restrict rootDN proxyauthz to its own databases + (CVE-2019-13057) (ITS#9038) (Closes: #932997) + - fixed slapd to enforce sasl_ssf ACL statement on every connection + (CVE-2019-13565) (ITS#9052) (Closes: #932998) + - added new openldap.h header with OpenLDAP specific libldap interfaces + (ITS#8671) + - updated lastbind overlay to support forwarding authTimestamp updates + (ITS#7721) (Closes: #880656) + * Update Standards-Version to 4.4.0. + * Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so + that systemd marks the service as dead after it crashes or is killed. + Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343) + * Use more entropy for generating a random admin password, if none was set + during initial configuration. Thanks to Judicael Courant. + (Closes: #932270) + * Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog + with variables provided by dpkg-dev includes. + * Declare R³: no. + * Create a simple autopkgtest that tests installing slapd and connecting to + it with an ldap tool. + * Install the new openldap.h header in libldap2-dev. + + -- Ryan Tandy <ryan@nardis.ca> Thu, 25 Jul 2019 08:32:00 -0700 + +openldap (2.4.47+dfsg-3) unstable; urgency=medium + + * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS + individually in the relevant command lines instead of overriding OPT. The + change to use OPT caused FTBFS on some ports arches where PIE enablement + uses spec files, by mixing compile-time and link-time flags. + (Closes: #919136) + * Fix architecture-specific path in smbk5pwd's binary-or-shlib-defines-rpath + Lintian override. + * Skip exporting cn=config to LDIF in preinst for upgrades where nothing + needs to be checked in it. + * Update Standards-Version to 4.3.0. + + -- Ryan Tandy <ryan@nardis.ca> Sat, 02 Feb 2019 10:30:10 -0800 + +openldap (2.4.47+dfsg-2) unstable; urgency=medium + + * Reintroduce slapi-dev binary package. (Closes: #711469) + Thanks to Florian Schlichting. + * Do not call gnutls_global_set_mutex(). (Closes: #803197) + * Use dh_auto_* to build and install contrib modules. + - Stop patching the clean rule in smbk5pwd's Makefile. + * Explicitly list overlays and man pages installed by slapd package in + slapd.install and slapd.manpages files. + * Set common variables for contrib Makefiles by make(1) command line instead + of patching every Makefile. + * Build and install more contrib plugins in a new slapd-contrib package: + - pw-apr1 and pw-netscape (Closes: #592362) + - pw-pbkdf2 (Closes: #794999) + * Import the slapo-pw-pbkdf2 man page from upstream git master and install + it with the slapd-contrib package. + * Add smbk5pwd to slapd-contrib and turn slapd-smbk5pwd into a transitional + package. Drop smbk5pwd README since it now has a man page which is a + better resource for users. + - Use Breaks to ensure that slapd is not upgraded in between removing the + old smbk5pwd module and installing the new one. + * Include the apr1-atol.pl and apr1-lota.pl helper scripts in the + slapd-contrib package as examples. + * Merge remaining contrib Makefile patches into a single contrib-makefiles + patch. + + -- Ryan Tandy <ryan@nardis.ca> Sat, 12 Jan 2019 11:18:03 -0800 + +openldap (2.4.47+dfsg-1) unstable; urgency=medium + + * New upstream release. + - reverted GnuTLS handshake change in libldap as it regressed slapd + (Reopens: #861838) + * Update Standards-Version to 4.2.1. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Dec 2018 12:50:40 -0800 + +openldap (2.4.46+dfsg-5) unstable; urgency=medium + + * Restore slapd-smbk5pwd now that libldap is installable in unstable. + This reverts the changes from -3 and -4. + + -- Ryan Tandy <ryan@nardis.ca> Fri, 04 May 2018 16:12:27 -0700 + +openldap (2.4.46+dfsg-4) unstable; urgency=medium + + * Disable building the smbk5pwd plugin temporarily. + + -- Ryan Tandy <ryan@nardis.ca> Fri, 04 May 2018 08:06:58 -0700 + +openldap (2.4.46+dfsg-3) unstable; urgency=medium + + * Build without heimdal temporarily to resolve BD-Uninstallable loop. + + -- Ryan Tandy <ryan@nardis.ca> Fri, 04 May 2018 07:36:58 -0700 + +openldap (2.4.46+dfsg-2) unstable; urgency=medium + + * Remove version constraint from libldap-2.4-2 dependency on libldap-common. + + -- Ryan Tandy <ryan@nardis.ca> Thu, 03 May 2018 14:16:49 -0700 + +openldap (2.4.46+dfsg-1) unstable; urgency=medium + + * Move the repository to Salsa. + Update debian/control Vcs-* fields. + * Remove Matthijs Möhlmann from Uploaders. (Closes: #891308) + Thank you Matthijs for your past contributions. + * New upstream release. + - fixed slapd out-of-sync issue with delta-MMR and memberof overlay + (ITS#8444) (Closes: #877166) + * Rebase patch no-AM_INIT_AUTOMAKE to apply cleanly. + * Drop patch ITS8650-retry-gnutls_handshake-after-GNUTLS_E_AGAIN, applied + upstream. + * Really fix upgrades when the config contains backslash-escaped special + characters. The previous fix was incomplete and didn't fully fix upgrades + involving a database reload. (Closes: #864719) + * Update Standards-Version to 4.1.4. + - Change the Priority of libldap-2.4-2 and libldap-common to optional. + * Change download URL in debian/watch to https. Fixes a Lintian info. + * Override the binary-or-shlib-defines-rpath Lintian tag for slapd-smbk5pwd. + The rpath is set by krb5-config.heimdal; see bug #868840. + + -- Ryan Tandy <ryan@nardis.ca> Thu, 03 May 2018 07:03:30 -0700 + +openldap (2.4.45+dfsg-1) unstable; urgency=medium + + * New upstream release. + - fixed a use-after-free in GnuTLS options handling + (ITS#8385) (Closes: #820244) (LP: #1557248) + - fixed unsafe concurrent SASL calls causing memory corruption + (ITS#8648) (Closes: #860947) (LP: #1688575) + - fixed syncrepl infinite looping with multi-master delta-syncrepl + (ITS#8432) (Closes: #868753) + * Rebase patches to apply cleanly: + - do-not-second-guess-sonames + - no-AM_INIT_AUTOMAKE + * Drop patches applied upstream: + - ITS-8554-kFreeBSD-is-like-BSD.patch + - ITS-8644-wait-for-slapd-to-start-in-test064.patch + - ITS-8655-paged-results-double-free.patch + * Upgrade to debhelper compat level 10. + - Depend on debhelper 10. + - Stop enabling parallel and autoreconf explicitly. They are now enabled + by default. + - Drop dh-autoreconf from build-depends since debhelper requires it. + * Add -Wno-format-extra-args to CFLAGS to reduce the noise in the build + logs, as this warning is emitted on each use of the Debug() macro. + * Drop libldap-2.4-4-dbg and slapd-dbg binary packages in favour of + automatic dbgsym packages. + * Update Standards-Version to 4.0.0; no changes required. + * Drop Priority and Section from binary package stanzas when they only + duplicate information from the source stanza. + * Update Priority of slapd-smbk5pwd and libldap2-dev to optional to match + the archive. + * Remove retired developer, Roland Bauerschmidt, from Uploaders. + (Closes: #856422) + * Remove Timo Aaltonen from Uploaders, with his agreement. + * debian/patches/ITS8650-retry-gnutls_handshake-after-GNUTLS_E_AGAIN.patch: + If gnutls_handshake() returns EAGAIN, call it again. Fixes TLS handshake + failures when the ServerHello message exceeds 16K. + (ITS#8650) (Closes: #861838) + * Drop time from Build-Depends. The upstream testsuite no longer calls it. + + -- Ryan Tandy <ryan@nardis.ca> Thu, 27 Jul 2017 18:04:41 -0700 + +openldap (2.4.44+dfsg-8) unstable; urgency=medium + + * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until + the underlying kernel bug #866122 is fixed. + * Fix FTBFS with Heimdal 7.2.0: Drop patch heimdal-fix as the + hdb_generate_key_set_password change was reverted in heimdal. Depend on an + appropriate minimum version of heimdal. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 16 Jul 2017 12:57:41 -0700 + +openldap (2.4.44+dfsg-7) unstable; urgency=medium + + * Relax the dependency of libldap-2.4-2 on libldap-common to also permit + later versions. (Closes: #860774) + + -- Ryan Tandy <ryan@nardis.ca> Tue, 27 Jun 2017 18:53:12 -0700 + +openldap (2.4.44+dfsg-6) unstable; urgency=medium + + * Update the list of non-translatable strings for the + slapd/ppolicy_schema_needs_update template. Thanks Ferenc Wágner. + * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719) + + -- Ryan Tandy <ryan@nardis.ca> Mon, 26 Jun 2017 19:42:02 -0700 + +openldap (2.4.44+dfsg-5) unstable; urgency=medium + + * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an + intermittently failing test by waiting for slapd to start before running + tests. (ITS#8644) (Closes: #770890) + * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free + in the MDB backend on a search including the Paged Results control with a + page size of 0. (ITS#8655) (CVE-2017-9287) (Closes: #863563) + + -- Ryan Tandy <ryan@nardis.ca> Sun, 28 May 2017 09:59:46 -0700 + +openldap (2.4.44+dfsg-4) unstable; urgency=medium + + * Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to + Justin B Rye for the review. + * Update Catalan debconf translation. (Closes: #851905) + Thanks to Innocent De Marchi. + * Update Czech debconf translation. (Closes: #852190) + Thanks to Miroslav Kure. + * Update Danish debconf translation. (Closes: #850859) + Thanks to Joe Dalton. + * Update German debconf translation. (Closes: #851480) + Thanks to Helge Kreutzmann. + * Update Basque debconf translation. (Closes: #850812) + Thanks to Iñaki Larrañaga Murgoitio. + * Update French debconf translation. (Closes: #852459) + Thanks to Jean-Pierre Giraud. + * Update Italian debconf translation. (Closes: #852074) + Thanks to Luca Monducci. + * Update Japanese debconf translation. (Closes: #851457) + Thanks to Kenshi Muto. + * Update Dutch debconf translation. (Closes: #852405) + Thanks to Frans Spiesschaert. + * Update Brazilian Portuguese debconf translation. (Closes: #852443) + Thanks to Adriano Rafael Gomes. + * Update Russian debconf translation. (Closes: #850833) + Thanks to Yuri Kozlov. + * Update Slovak debconf translation. (Closes: #850796) + Thanks to Ivan Masár. + * Update Swedish debconf translation. (Closes: #851168) + Thanks to Martin Bagge. + * Update Turkish debconf translation. (Closes: #851470) + Thanks to Atila KOÇ. + * Update Vietnamese debconf translation. + Thanks to Trần Ngọc Quân. + * Update Build-Depends on debhelper to ensure shlibs files are installed at + the expected time during build. (Closes: #854158) + * Update Portuguese debconf translation. (Closes: #859943) + Thanks to Rui Branco and DebianPT. + * Dump the configuration and databases to LDIF before removing slapd, so + that they are available if a newer version requiring migration is + installed later. (Closes: #665199) + * When creating a new configuration with dpkg-reconfigure, back up the old + configuration before overwriting it. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 16 Apr 2017 20:10:43 -0700 + +openldap (2.4.44+dfsg-3) unstable; urgency=medium + + * Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394) + * Restore heimdal support to the smbk5pwd overlay. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 01 Jan 2017 19:47:36 -0800 + +openldap (2.4.44+dfsg-2) unstable; urgency=medium + + [ Ryan Tandy ] + * Update Standards-Version to 3.9.8; no changes required. + * Enable dh_makeshlibs for libldap-2.4-2. Remove libldap-2.4-2.postinst, now + replaced by the automatic ldconfig trigger. + * Don't execute slapd's override_dh_install when building only + arch-independent packages. (Closes: #845506) + * Override lintian false positives on slapd.README.Debian, + slapd-smbk5pwd.postinst, and slapd-smbk5pwd triggering ldconfig. + * Perform permissions changes in override_dh_fixperms instead of in + override_dh_install. + * Remove manual chmod of schema files since dh_fixperms sets correct + permissions automatically. + * Fix slapd-smbk5pwd failing to upgrade when there are no instances of the + overlay configured. + + [ Helmut Grohne ] + * Fix FTCBFS: Pass CC to make explicitly. (Closes: #839251) + + -- Ryan Tandy <ryan@nardis.ca> Thu, 01 Dec 2016 19:40:20 -0800 + +openldap (2.4.44+dfsg-1) unstable; urgency=medium + + [ Ryan Tandy ] + * New upstream release. + - Fixed ppolicy not unlocking policy entry after initialization failure + (ITS#7537) (Closes: #702414) + * Drop ITS8240-remove-obsolete-assert.patch, included upstream. + * Update debian/schema/ppolicy.schema to add the pwdMaxRecordedFailure + attribute. + * Update libldap-2.4-2.symbols with new ldap_build_*_req symbols. + * Mark the build target in debian/rules as phony, since the upstream source + includes a build/ directory. + * Correct the list of files to be cleaned for the pw-sha2 contrib module. + * Fix a typo (slpad -> slapd) in the Catalan debconf translation. + * Disable OpenSLP support and remove libslp-dev from Build-Depends. + (Closes: #815364) + * Ensure /var/run/slapd exists when starting slapd, even if the pid file is + somewhere else. Thanks to Dave Beach for the report. (Closes: #815571) + * Create the pidfile directory when starting slapd, but not when running the + init script in other modes. + * Remove support for enabling the obsolete LDAPv2 protocol via debconf. + * debian/copyright: Update the OpenLDAP copyright and license. + * debian/control: Update VCS URIs to the modern canonical form. + * Override Lintian errors about schema files derived from RFC documents. + Copyrightable content has been removed from these files; however, the + copyright notices have been retained to preserve attribution. + * On upgrade, if the cn=config database contains the ppolicy schema, add the + new pwdMaxRecordedFailure attribute to it. + * Add debian/patches/set-maintainer-name to omit the builder's username and + working directory from version strings and thereby make the build + reproducible. Thanks to Daniel Shahaf for the patch. (Closes: #833179) + * Build smbk5pwd without Kerberos support and drop the build-dependency on + heimdal. (Closes: #836885) + * On upgrade, comment the krb5 setting on any instances of the smbk5pwd + overlay in slapd.conf. Require cn=config users to disable krb5 manually + before upgrading. + + [ Helmut Grohne ] + * Fix policy 8.2 violation (Closes: #330695) + + Move /etc/ldap/ldap.conf and manpage to new package libldap-common. + + -- Ryan Tandy <ryan@nardis.ca> Mon, 14 Nov 2016 18:59:30 -0800 + +openldap (2.4.42+dfsg-2) unstable; urgency=medium + + [ Ryan Tandy ] + * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as + recommended by lintian. + * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile. + This allows the dependency loop with heimdal to be broken for + bootstrapping, and the dependency on libperl-dev to be avoided for + cross-building. Thanks Daniel Schepler and Helmut Grohne. + (Closes: #724518) + * Apply wrap-and-sort to the Build-Depends field. + * Drop libncurses5-dev from Build-Depends, no longer needed since the ud + tool was removed in OpenLDAP 2.1.4. + * Drop libltdl3-dev as an alternate Build-Depends, since that package was + removed after lenny. + * Annotate Build-Depends on perl with :any to allow running the system perl + interpreter during cross builds. + * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne. + * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for + restriction formula support. + * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is + actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a + false positive; see #687022. + * Include the smbk5pwd man page in the slapd-smbk5pwd package. + * Allow anonymous read access to the shadowLastChange attribute by default, + allowing nss-ldap/nss-ldapd to handle password expiry correctly even when + bound anonymously. This was the only restricted shadow attribute, the + others were already world-readable. (Closes: #669235) + * Drop the redundant default ACL for dn.base="" from the database entry. + It's already covered by the fallback case below. + * Copy more comments from the slapd.conf template to slapd.init.ldif. Also + comment the shadowLastChange access rule. + * Import upstream patch to remove an unnecessary assert(0) that could be + triggered remotely by an unauthenticated user by sending a malformed BER + element. (ITS#8240) (CVE-2015-6908) (Closes: #798622) + + [ Peter Marschall ] + * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to + install the new manual page. (Closes: #794998) + + -- Ryan Tandy <ryan@nardis.ca> Thu, 10 Sep 2015 20:13:17 -0700 + +openldap (2.4.42+dfsg-1) unstable; urgency=medium + + [ Peter Marschall ] + * slapd.scripts-common: + - Use update_permissions instead of direct calls to chown and chgrp. + - Make variables only used within a function local to that function. + - Restore databases ordered by increasing suffix path length. + This should help configurations with databases glued together using the + 'subordinate' keyword / 'olcSubordinate' attribute in slapd's + configuration. + (Closes: #794996) + * Install slapo-lastbind.5 man page. (Closes: #794997) + + [ Ryan Tandy ] + * slapd.scripts-common: Delete an outdated comment. + * New upstream release. + * Enable the MDB backend again on GNU/kFreeBSD. The new pthread library + provides all the required interfaces, and the test suite now passes. + Leave it disabled on the Hurd. LMDB requires POSIX semaphores, which have + not yet been implemented. + * Disable the BDB/HDB backends on the Hurd. BDB requires record locks + (F_SETLK), which have not yet been implemented; see #693971. + + -- Ryan Tandy <ryan@nardis.ca> Fri, 21 Aug 2015 13:07:51 -0700 + +openldap (2.4.41+dfsg-1) unstable; urgency=medium + + * New upstream release. + * Update patches for upstream changes, drop patches included upstream. + * debian/rules: Adjust get-orig-source target to add +dfsg to version. + * Convert to source format 3.0 (quilt). + * debian/slapd.scripts-common: Fix nesting of fold markers. + + -- Ryan Tandy <ryan@nardis.ca> Wed, 08 Jul 2015 21:07:24 -0700 + +openldap (2.4.40+dfsg-2) unstable; urgency=medium + + * Actually install libldap-2.4-2.symbols. + * Update Standards-Version to 3.9.6. + * Build-Depend on debhelper (>= 9) to fix a Lintian warning. + * Import upstream patch to fix FTBFS with gcc-5. (Addresses #778045) + + -- Ryan Tandy <ryan@nardis.ca> Sun, 28 Jun 2015 20:40:37 -0700 + +openldap (2.4.40+dfsg-1) unstable; urgency=medium + + * Remove inetorgperson.schema from the upstream source. Replace it with a + copy stripped of RFC text. (Closes: #780283) + * Adjust debian/watch for +dfsg versioning. + * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream + patch to fix scope=onelevel searches wrongly including the search base in + results under the MDB backend. (ITS#7975) (Closes: #782212) + + -- Ryan Tandy <ryan@nardis.ca> Thu, 09 Apr 2015 08:38:38 -0700 + +openldap (2.4.40-4) unstable; urgency=medium + + * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream + patch to fix a crash when a search includes the Deref control with an + empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988) + * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream + patch to fix a double free triggered by certain search queries using the + Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991) + + -- Ryan Tandy <ryan@nardis.ca> Sun, 08 Feb 2015 20:19:11 +0000 + +openldap (2.4.40-3) unstable; urgency=medium + + * Remove trailing spaces from slapd.templates. + * Update Vietnamese debconf translation. + Thanks to Trần Ngọc Quân. + * Update Danish debconf translation. + Thanks to Joe Hansen. (Closes: #766848) + * Update Japanese debconf translation. + Thanks to Kenshi Muto. (Closes: #766824) + * Update Russian debconf translation. + Thanks to Yuri Kozlov. (Closes: #766825) + * Update Basque translation. + Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070) + * Update French debconf translation. + Thanks to Christian Perrier. (Closes: #767634) + * Update German debconf translation. + Thanks to Helge Kreutzmann. (Closes: #767686) + * Update Portuguese debconf translation. + Thanks to Ricardo Silva. (Closes: #768085) + * Update Italian debconf translation. + Thanks to Luca Monducci. (Closes: #768195) + * Update Turkish debconf translation. + Thanks to Atila KOÇ. (Closes: #768409) + * Update Czech debconf translation. + Thanks to Miroslav Kure. (Closes: #768591) + * Update Catalan debconf translation. + Thanks to Innocent De Marchi. (Closes: #768605) + * Update Dutch debconf translation. + Thanks to Frans Spiesschaert. (Closes: #769024) + * Update Brazilian Portuguese debconf translation. + Thanks to Adriano Rafael Gomes. (Closes: #769717) + * Update Galician debconf translation. + Thanks to Jorge Barreiro. + * Update Swedish debconf translation. + Thanks to Martin Bagge / brother. (Closes: #769867) + * Update Spanish debconf translation. + Thanks to Camaleón. (Closes: #770715) + * Fix doubled spaces in po files, caused by trailing spaces in the templates + file. + * Run debconf-updatepo to refresh PO files. + + -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Nov 2014 10:33:10 -0800 + +openldap (2.4.40-2) unstable; urgency=medium + + * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner. + * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from + dpkg-buildflags. Spotted by Lintian. + * debian/slapd.init.ldif: Don't bother explicitly granting rights to the + rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner. + * Recommend MDB for new installations, per upstream's recommendation. + * Don't re-create the default DB_CONFIG if there wasn't one in the backup, + for example if the active backend doesn't use it. Thanks Ferenc Wagner. + * On upgrade, if an access rule begins with "to * by self write", show a + debconf note warning that it should be changed. (Closes: #761406) + * Build and install the lastbind contrib module. (Closes: #701111) + * Build and install the passwd/sha2 contrib module. (Closes: #746727) + + -- Ryan Tandy <ryan@nardis.ca> Mon, 20 Oct 2014 22:19:24 -0700 + +openldap (2.4.40-1) unstable; urgency=low + + [ Ryan Tandy ] + * New upstream release. + - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024) + - fixed slapcat with external schema (ITS#7895) (Closes: #599235) + - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384) + - fixed modrdn crash on naming attr with no matching rule (ITS#7850) + (Closes: #666515) + - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248) + * slapd.scripts-common: + - Anchor grep patterns to avoid matching commented lines in ldif files + under cn=config. (Closes: #723957) + - Don't silently ignore nonexistent directories that should be dumped. + - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a + symlink. (Closes: #742862) + - When upgrading a database, ignore extra nested directories as they might + contain other databases. Patch from Kenny Millington. (LP: #1003854) + - Fix dumping and reloading when multiple databases hold the same suffix, + thanks Peder Stray. (Closes: #759596, LP: #1362481) + - Remove trailing dot from slapd/domain. (Closes: #637996) + * debian/rules: + - Enable parallel building. + - Copy libldap-2.4-2.shlibs into place manually, as a workaround for + #676168. (Closes: #742841) + * debian/slapd.README.Debian: Add a note about database format upgrades and + the consequences of missing one. (Closes: #594711) + * Build with GnuTLS 3 (Closes: #745231, #760559). + * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed. + * Drop debconf-utils from Build-Depends, no longer used (replaced by + po-debconf). Thanks Johannes Schauer. + * Acknowledge NMU fixing #729367, thanks to Michael Gilbert. + * Offer the MDB backend as a choice during initial configuration. (Closes: + #750022) + * debian/slapd.init.ldif: + - Disallow modifying one's own entry by default, except specific + attributes. (Closes: #761406) + - Index some more common search attributes by default. (Closes: #762111) + * Introduce a symbols file for libldap-2.4-2. + * debian/schema/pmi.schema: Add a copyright clarification. There does not + appear to be any copyrighted text in this file, only ASN.1 assignments and + LDAP schema definitions. Fixes a Lintian error on the original. + * debian/schema/duaconf.schema: Strip Internet-Draft text from + duaconf.schema. + * Drop debian/patches/CVE-2013-4449.patch, applied upstream. + * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes. + * debian/schema/ppolicy.schema: Update with ordering rules added in + draft-behera-ldap-password-policy-11. + * Suggest GSSAPI SASL modules. (Closes: #762424) + * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in + slapd-config.5 the fact that changes to olcAuthzRegexp only take effect + after the server is restarted. (Closes: #761407) + * Add myself to Uploaders. + + [ Jelmer Vernooij ] + * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356, + #706123) + + [ Updated debconf translations ] + * Turkish, thanks to Atila KOÇ <akoc@artielektronik.com.tr>. + (Closes: #661641) + + -- Ryan Tandy <ryan@nardis.ca> Fri, 17 Oct 2014 08:19:28 -0700 + +openldap (2.4.39-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2013-4449: reference counting logic issue (closes: #729367). + + -- Michael Gilbert <mgilbert@debian.org> Sat, 09 Aug 2014 09:26:51 +0000 + +openldap (2.4.39-1) unstable; urgency=low + + [ Peter Marschall ] + * debian/patches/wrong-database-location: fix database location in + doc/man/man5/slapd-mdb.5 + * debian/configure.options: add info on --enable-mdb + + [ Russ Allbery ] + * Remove myself from Uploaders. + + [ Steve Langasek ] + * Remove Stephen Frost from Uploaders, per discussion with him. Thanks for + your contributions, Stephen! + * Adjust dh_autoreconf usage to update all config.sub/config.guess + instances in the source, so that we can be forwards-compatible with new + ports. Thanks to Colin Watson <cjwatson@ubuntu.com> for the patch. + Closes: #725824. + * Add Timo to Uploaders. + * Update Vcs-* fields to point at the new git repo; thanks to Timo for + driving this migration! + * Rebuild against db5.3, with a corresponding dump/restore of the database + on upgrade. Closes: #738641. + + [ Timo Aaltonen ] + * contrib-modules-use-dpkg-buildflags, autogroup-makefile, + smbk5pwd-makefile: + - Updated for current upstream. + * Refresh patches to apply cleanly. + * rules: Use dpkg-parsechangelog to determine the upstream version for + get-orig-source. + * source: Add lintian overrides for non-transatable internal + templates. + + -- Steve Langasek <vorlon@debian.org> Mon, 17 Mar 2014 15:27:31 -0700 + +openldap (2.4.31-1) unstable; urgency=low + + * New upstream release. + - Fixes a denial of service attack, CVE-2012-1164, when using the rwm + overlay. Closes: #663644. + - Fixes a bug with ldap_result always returning -1 when called from + sssd. Closes: #666230. + - Fix a build failure on armel due to unaligned memory access. + Closes: #677158. + * Incorporate NMU (thanks, Julien Cristau, Mattias Ellert): + - Disable the mdb backend on non-Linux, it looks like it doesn't work + with linuxthreads (closes: #654824). + - Backport fix for shell backend configuration. Closes: #662940. + + [ Peter Marschall ] + * debian/slapd.scripts-common: avoid grep warnings + * debian/patches/heimdal-fix: fix arguments of + hdb_generate_key_set_password(). Closes: #664930 + + [ Steve Langasek ] + * debian/patches/contrib-modules-use-dpkg-buildflags: pass CFLAGS to + contrib builds. Thanks to Simon Ruderich <simon@ruderich.org>. + Closes: #663724. + + -- Steve Langasek <vorlon@debian.org> Wed, 27 Jun 2012 03:27:34 +0000 + +openldap (2.4.28-1) unstable; urgency=low + + * New upstream release. + - Fixes CVE-2011-4079. Closes: #647610. + - Fixes support for proxy authorization with SASL-GSSAPI. + Closes: #608815. + - Drop patch service-operational-before-detach, which came from upstream. + - Drop patch fix-its6898-locking-issue, included upstream. + - Refresh other patches as needed. + * debian/slapd.scripts-common: quote the argument to slappasswd, to cope + with shell characters in the string. Thanks to Nicolai Ehemann + <en@englightened.de> for the patch. Closes: #635931. + * Install ldif.h in libldap2-dev, now that it's been blessed upstream. + Closes: #644985. + * debian/patches/no-bdb-ABI-second-guessing: don't force an exact match on + the upstream version of libdb; this is redundant with our packaging + system, and causes spurious errors when there's a non-ABI-breaking + BDB upstream release. Closes: #651333. + * Build-conflict with the ancient autoconf2.13, which is incompatible with + dh-autoreconf. (Maybe dh-autoreconf itself should conflict with it?) + Closes: #651598. + + [ Updated debconf translations ] + * Dutch, thanks to Jeroen Schot <schot@A-Eskwadraat.nl>. Closes: #651400. + + -- Steve Langasek <vorlon@debian.org> Thu, 05 Jan 2012 06:07:11 +0000 + +openldap (2.4.25-4) unstable; urgency=low + + * Drop explicit depends on libdb4.8, since we're now linking against + libdb5.1. Thanks to Peter Marschall for catching. Closes: #621403 + again. + * Rebuild against cyrus-sasl2 2.1.25. Closes: #628237. + * Use dh_autoreconf instead of a locally-patched autogen.sh. + * debian/patches/no-AM_INIT_AUTOMAKE: don't use AM_INIT_AUTOMAKE macro + when we aren't using automake. + * Convert debian/rules to dh(1). + * use DEB_CFLAGS_MAINT_APPEND with appropriate versioned dependency on + debhelper and dpkg-dev, so we can pick up dpkg-buildflags for our + policy-mandated flags - as well as our security-enhancing ones! + Closes: #644427. + * Also set hardening=+pie,+bindnow buildflags options for maximum + security, since this is a security-sensitive daemon dealing with + untrusted input. Ubuntu has been building with these flags for a + while via hardening-wrappers, so the change is presumed safe. + * Drop debian/check_config. The upstream configure script now enforces + --with-cyrus-sasl, so there's no need for a second check. + * debian/po/es.po: tweak an ambiguous string in the Spanish debconf + translation, noticed in response to a submitted Catalan translation + * debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff: + Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. + Thanks to Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de> for the + patch. Closes: #327585. + + [ Updated debconf translations ] + * Catalan, thanks to Innocent De Marchi <tangram.peces@gmail.com>. + Closes: #644274. + + -- Steve Langasek <vorlon@debian.org> Tue, 18 Oct 2011 01:08:34 +0000 + +openldap (2.4.25-3) unstable; urgency=low + + * Brown paper bag: really fix the .links.in handling, so we don't generate + broken /usr/lib/${DEB_HOST_MULTIARCH} dirs. + + -- Steve Langasek <vorlon@debian.org> Mon, 15 Aug 2011 09:50:37 +0000 + +openldap (2.4.25-2) unstable; urgency=low + + [ Matthijs Möhlmann ] + * Change to bdb 5.1 (Closes: #621403) + * Add note to ldap-utils package how to unfold lines. (Closes: #530519) + (Thanks to Peter Marschall and Javier Barroso) + + [ Steve Langasek ] + * Acknowledge NMU for bug #596343; thanks to Thijs Kinkhorst for the fix! + * Bump to compat level 7, so we don't have to spell out debian/tmp in + every single .install file + * Build for multiarch. + + -- Steve Langasek <vorlon@debian.org> Sun, 14 Aug 2011 23:17:09 -0700 + +openldap (2.4.25-1.1) unstable; urgency=low + + * Non-maintainer upload to fix RC bug. + * Fix "dpkg-reconfigure slapd". Closes: #596343 + + -- Thijs Kinkhorst <thijs@debian.org> Tue, 31 May 2011 11:57:29 +0200 + +openldap (2.4.25-1) unstable; urgency=low + + * New upstream version (Closes: #617606, #618904, #606815, #608813) + - Fixes CVE-2011-1024, CVE-2011-1025, CVE-2011-1081 + - slapd server process frequently hangs during everyday usage is fixed in + newer versions of openldap according to the bug submitter + * Refresh all patches + * Remove manpage-tlscyphersuite-additions, applied upstream + * Remove issue-6534-patch, applied upstream + * Add Slovak translation, thanks Slavko <linux@slavino.sk> (Closes: #608699) + * Add debian specific patch for ldap.conf. Add TLS_CACERT option and set it + by default to /etc/ssl/certs/ca-certificates.crt (Closes: #555409, #616703) + * Add patch to fix a FTBFS with binutils-gold (Closes: #555867) + * Add slapschema, just hardlink it (Closes: #601569) + * Update patch service-operational-before-detach (Closes: #616164, #598361) + * Add ldif_* symbols to libldap-2.4-2 + * Add upstream patch for a locking issue in libldap_r + * Fix build failure, use @SHELL@ instead of hardcoded /bin/sh (build/top.mk) + (Closes: #621925) + + -- Matthijs Möhlmann <matthijs@cacholong.nl> Mon, 11 Apr 2011 22:10:14 +0200 + +openldap (2.4.23-7) unstable; urgency=low + + * Updated vietnamese translation, thanks Clytie Siddall + (Closes: #601537, #598575) + * Updated portuguese translation, thanks Traduz (Closes: #599760) + * Updated danish translation, thanks Joe Dalton (Closes: #599835) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 06 Nov 2010 12:13:01 +0100 + +openldap (2.4.23-6) unstable; urgency=high + + * Check for an empty directory to prevent an rm -f /*. (Closes: #597704) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Thu, 23 Sep 2010 10:17:50 +0200 + +openldap (2.4.23-5) unstable; urgency=high + + [ Steve Langasek ] + * High-urgency upload for RC bugfix. + * debian/slapd.scripts-common: fix gratuitous (and wrong) use of grep in + get_suffix(), which causes us to incorrectly parse any slapd.conf that + uses tabs instead of spaces. Closes: #595672. + * debian/slapd.init, debian/slapd.scripts-common: when $SLAPD_CONF is not + set in /etc/default/slapd, we should always set a default value, giving + precedence to slapd.d and falling back to slapd.conf. Users who don't + want to use an existing slapd.d should point at slapd.conf explicitly. + Closes: #594714, #596343. + * debian/slapd.init: 'invoke-rc.d slapd stop' should not fail due to the + absence of a slapd configuration; we should still exit 0 so that the + package can be removed gracefully. Closes: #596100. + * drop build-conflicts with libssl-dev; we explicitly pass + --with-tls=gnutls to configure, so there's no risk of a misbuild here. + * debian/slapd.default: now that we have a sensible default behavior in + both slapd.init and the maintainer scripts, leave SLAPD_CONF empty to + save pain later. + * debian/slapd.scripts-common: ... and do the same in + migrate_to_slapd_d_style, we just need to comment out the user's + previous entry instead of blowing it away. + * debian/slapd.scripts-common: call get_suffix in a way that lets us + separate responses by newlines, to properly handle the case when a + DN has embedded spaces. Introduces a few more stupid fd tricks to work + around possible problems with debconf. Closes: #595466. + * debian/slapd.scripts-common: when parsing the names of includes, handle + double-quotes and escape characters as described in slapd.conf(5). + Closes: #595784. + * debian/slapd.scripts-common, debian/slapd.postinst: on upgrade from + versions <= 2.4.23-4, explicitly grant access to cn=Subschema, which + otherwise is blocked by our added olcAccess settings. Closes: #596326. + * debian/slapd.init.ldif: set the acl in the default LDIF for new installs, + too. + * Likewise, grant access to dn.exact="" so that base dn autodiscovery + works as intended. Closes: #596049. + * debian/slapd.init.ldif: synchronize our behavior on new installs with + that on upgrades, avoiding the non-standard cn=localroot,cn=config. + * debian/slapd.scripts-common: don't run the migration code if slapd.d + already exists. Closes: #593965. + + [ Matthijs Mohlmann ] + * Remove upgrade_supported_from_backend, implemented patch from + Peter Marschall <peter@adpm.de> to automatically detect if an upgrade is + supported. (Closes: #594712) + + [ Peter Marschall ] + * debian/slapd.init: correctly set the slapd.conf argument even when + SLAPD_PIDFILE is non-empty in /etc/default/slapd. Closes: #593880. + * debian/slapd.scripts-common: pass -g to slapadd/slapcat, so that + subordinate databases aren't incorrectly included in the dump/restore of + the parent database. Closes: #594821. + + -- Steve Langasek <vorlon@debian.org> Mon, 13 Sep 2010 06:59:11 +0000 + +openldap (2.4.23-4) unstable; urgency=low + + [ Steve Langasek ] + * Bump the database upgrade version check to 2.4.23-4; should have been + set to 2.4.23-1 when we switched to db4.8, but was missed so we need to + clean up. Closes: #593550. + + [ Matthijs Mohlmann ] + * Fix root access to cn=config on upgrades from configuration style slapd.conf + Thanks to Mathias Gug (Closes: #593566, #593878) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Thu, 26 Aug 2010 20:30:51 +0200 + +openldap (2.4.23-3) unstable; urgency=low + + * Configure the newly installed openldap package using slapd.d instead of + slapd.conf, merged from ubuntu. (Closes: #562723, #494155, #333428) + * Update the debconf templates by running debconf-updatepo. + * We do not support upgrades from older releases then lenny, so removed some + upgrade functions from slapd.scripts-common. + * Updated japanese translation, thanks Kenshi Muto (Closes: #589508) + * Updated czech translation, thanks Miroslav Kure (Closes: #589569) + * Update slapd.README.Debian and slapd.NEWS and note the new configuration + style. + * Fixes CVE-2010-0211 and CVE-2010-0212 (Closes: #589852) + * Update italian translation, thanks Luca Monducci (Closes: #590154) + * Update spanish translation, thanks Francisco Javier Cuadrado + (Closes: #590829) + * Update basque translation, thanks Iñaki Larrañaga Murgoitio + * Bump Standards-Version to 3.9.1 + * Added debian specific patch to wait until slapd is operational before + detaching to the terminal (Closes: #589915) + * Add a lintian overrides for libldap. + * Empty dependency_libs line in .la files. (Closes: #591550) + * Update galician translation, thanks Jorge Barreiro (Closes: #592815) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Tue, 17 Aug 2010 22:00:16 +0200 + +openldap (2.4.23-2) unstable; urgency=medium + + * Depend on libdb4.8 >= 4.8.30 (Closes: #588969) + * Urgency previous as previous version fixes a RC bug. + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Wed, 14 Jul 2010 10:17:27 +0200 + +openldap (2.4.23-1) unstable; urgency=low + + * New upstream version + * Change to build dependency libdb4.8-dev instead of libdb4.7-dev + * Updated french translation thanks Christian Perrier (Closes: #579192) + * Updated swedish translation thanks Martin Bagge (Closes: #580145) + * Updated german translation thanks Helge Kreutzmann (Closes: #579582) + * Updated russian translation thanks Yuri Kozlov (Closes: #585688) + * Fix bashisms in debian/rules (Closes: #581454) + * Add documentation patch (Closes: #513270) + * Refreshed all quilt patches. + * Bump Standards-Version to 3.9.0 + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 12 Jul 2010 13:25:00 +0200 + +openldap (2.4.21-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream version + (Closes: #561144, #465024, #502769, #528695, #564686, #504728) + * Add upstream manpage for ldapexop; thanks to Peter Marschall + <peter@adpm.de>. Closes: #549291. + + [ Matthijs Mohlmann ] + * Ack NMU (Closes: #553432) + * Update Standards-Version to 3.8.4 + * Fix NEWS entry to have the correct version number + * Improve the wording for the slapd/invalid_config question (Closes: #452834) + * Make lintian a bit more happy (Closes: #518660) + * Fix bashism (Closes: #518657) + * Refresh all patches + * Add patch from upstream (Closes: #549642) + * Reworked the configure.options a bit to include some more options + * Enable dynamic acls + * Use slappasswd to create a secure password (Closes: #490930) + * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950) + * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113) + * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346) + * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073) + * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900) + * Add lsb logging, used patch from David Härdeman (Closes: #385898) + * Use dh_lintian to install the lintian-overrides + * Added critical error report when slapcat fails (Closes: #226090) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Thu, 22 Apr 2010 23:40:30 +0200 + +openldap (2.4.17-2.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL + character in subject Common Name (Closes: #553432) + + -- Giuseppe Iuculano <iuculano@debian.org> Tue, 10 Nov 2009 19:09:45 +0100 + +openldap (2.4.17-2) unstable; urgency=low + + * Fix up the lintian warnings: + - add missing misc-depends on all packages + - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive + overrides + - bump Standards-Version to 3.8.2, no changes required. + * slapd.scripts-common: fix upgrade to correctly handle multiple database + declarations; thanks, Peter Marschall <peter@adpm.de>! Closes: #517556 + * Add 'status' argument to init script; thanks to Peter Eisentraut + <petere@debian.org>. Closes: #545898. + * New patch, do-not-second-guess-sonames, to remove an incorrect check for + the Cyrus SASL version number at runtime. If there's any reason this is + needed, it needs to be addressed in the cyrus-sasl soname and Debian + shlibs, not here. Closes: #546885. + + -- Steve Langasek <vorlon@debian.org> Tue, 22 Sep 2009 20:06:34 -0700 + +openldap (2.4.17-1) unstable; urgency=low + + * New upstream version. + - Fixes FTBFS on ia64 with -fPIE. Closes: #524770. + - Fixes some TLS issues with GnuTLS. Closes: #505191. + * Update priority of libldap-2.4-2 to match the archive override. + * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the + ldapurl(1) manpage. Thanks to Peter Marschall for the patch. + Closes: #496749. + * Bump build-dependency on debhelper to 6 instead of 5, since that's + what we're using. Closes: #498116. + * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using + the built-in default of ldap:/// only. + * Build-depend on libltdl-dev | libltdl3-dev (>= 1.4.3), for the package + name change. Closes: #522965. + + [ Updated debconf translations ] + * Spanish, thanks to Francisco Javier Cuadrado <fcocuadrado@gmail.com>. + Closes: #521804. + + -- Steve Langasek <vorlon@debian.org> Tue, 28 Jul 2009 10:17:15 -0700 + +openldap (2.4.15-1) unstable; urgency=low + + * New upstream version + - Fixes a bug with the pcache overlay not returning cached entries + (closes: #497697) + - Update evolution-ntlm patch to apply to current Makefiles. + - (tentatively) drop gnutls-ciphers, since this bug was reported to be + fixed upstream in 2.4.8. The fix applied in 2.4.8 didn't match the + patch from the bug report, so this should be watched for regressions. + * Build against db4.7 instead of db4.2 at last! Closes: #421946. + * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is + installed in the build environment. + * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with + current headers in unstable + + -- Steve Langasek <vorlon@debian.org> Tue, 24 Feb 2009 14:27:35 -0800 + +openldap (2.4.11-1) unstable; urgency=low + + * New upstream version (closes: #499560). + - Fixes a crash with syncrepl and delcsn (closes: #491066). + - Fix CRL handling with GnuTLS (closes: #498410). + - Drop patches no_backend_inter-linking, + CVE-2008-2952_BER-decoding-assertion, and gnutls-ssf, applied + upstream. + + [ Russ Allbery ] + * New patch, back-perl-init, which updates the calling conventions + around initialization and shutdown of the Perl interpreter to match + the current perlembed recommendations. Fixes probable hangs on HPPA + in back-perl. Thanks, Niko Tyni. (Closes: #495069) + + [ Steve Langasek ] + * Drop the conflict with libldap2, which is not the standard means of + handling symbol conflicts in Debian and which causes serious upgrade + problems from etch. Closes: #487211. + + -- Steve Langasek <vorlon@debian.org> Sat, 11 Oct 2008 01:53:55 -0700 + +openldap (2.4.10-3) unstable; urgency=low + + [ Steve Langasek ] + * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS + vulnerability in the BER decoder. Addresses CVE-2008-2952, + closes: #488710. + * debian/slapd.scripts-common, debian/slapd.postinst: drop + update_path_argsfile_pidfile function, not needed for updates from etch + or newer. + * Drop the code to check for and upgrade ldbm databases. The etch + release of slapd had already dropped support for them and direct + upgrades from sarge are not supported. + + [ Russ Allbery ] + * Apply upstream patch to convert GnuTLS cipher strength from bytes to + bits, as expected by OpenLDAP. (Closes: #473796) + * Add Build-Depends on time, used by the test suite and only a shell + built-in with bash. Thanks, Daniel Schepler. (Closes: #490754) + * Refresh all patches, convert all patches to -p1, and remove extraneous + Index: lines. (Closes: #485263) + * Unless DFSG_NONFREE is set, also check whether the upstream schemas + with RFC comments are included. + * Update standards version to 3.8.0. + - Include debian/README.source pointing to the quilt README.source. + - Wrap Uploaders for readability. + * Wrap slapd's Depends for readability. + + [ Updated debconf translations ] + * Swedish, thanks to Martin Ågren <martin.agren@gmail.com>. + Closes: #492748. + + -- Steve Langasek <vorlon@debian.org> Mon, 28 Jul 2008 15:26:06 -0700 + +openldap (2.4.10-2) unstable; urgency=low + + * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at + build time + * Hack around glibc behavior when resolving localhost, by exporting + RESOLV_MULTI=off when invoking the test suite + * Reclaim the 'openldap' source package name; openldap2.3 has been a + misnomer for some time, causing undue confusion, so switch to a + permanent source package name that we won't need to change again later. + - Along the way, kill off non-DFSG-compliant schema files that snuck + back into the archive due to my bad merge of 2.4.10. + + -- Steve Langasek <vorlon@debian.org> Sun, 06 Jul 2008 22:03:32 -0700 + +openldap2.3 (2.4.10-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream release. + - Clean up ld_defconn if it was freed, fixing an assertion failure in + various clients. Closes: #469232. + - Fixes slapd syncrepl hang on back-config. Closes: #471253. + - Drop patch hurd-path-max, integrated upstream. + * Drop spurious build-dependency on heimdal-dev, introduced accidentally + as part of an aborted attempt to build the smbk5pwd overlay. + * Use hardlinks instead of symlinks for the various slap* commands; this + is functionally equivalent for us, and reduces divergence from + derivatives such as Ubuntu that use apparmor. Closes: #488409. + * New patch, no_backend_inter-linking, to fix the meta backend to not + try to look up symbols in external objects (back_ldap) that it + doesn't link against. + * Turn on 'make test' during builds, now that back_meta is fixed. + + [ Matthijs Mohlmann ] + * All manpages in category 5 were missing, wrong directory. + (Closes: #474976, #483631, #483633) + + -- Steve Langasek <vorlon@debian.org> Mon, 30 Jun 2008 04:28:34 -0700 + +openldap2.3 (2.4.9-1) unstable; urgency=low + + [ Updated debconf translations ] + * French, thanks to Christian Perrier <bubulle@debian.org>. + Closes: #471792. + * Finnish, thanks to Esko Arajärvi <edu@iki.fi>. Closes: #475238. + * Czech, thanks to Miroslav Kure <kurem@upcase.info.upol.cz>. + Closes: #480138. + * Basque, thanks to Piarres Beobide <pi+debian@beobide.net>. + Closes: #480177. + * Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>. + Closes: #480181. + * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>. Closes: #480218. + * Japanese, thanks to Kenshi Muto <kmuto@debian.org>. Closes: #480247. + * Italian, thanks to Luca Monducci <luca.mo@tiscali.it>. (Closes: #477718) + * Brazilian Portuguese, thanks to Eder L. Marques <eder@edermarques.net> + (Closes: #480172) + * Portuguese, thanks to Tiago Fernandes <tjg.fernandes@gmail.com> + (Closes: #481126) + * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com> (Closes: #481214) + * Dutch, thanks to "cobaco (aka Bart Cornelis)" <cobaco@skolelinux.no>. + Closes: #483014. + + [ Matthijs Mohlmann ] + * New upstream release. + - Bad entryUUID no longer crashes slapd. (Closes: #471867) + - Fix assertion failure in some modify operations. (Closes: #474161) + - Mention index in slapd.conf's man page. (Closes: #414650) + - Fixes to slapd include handling. (Closes: #457261) + - Fix syncrepl cookie truncation. (Closes: #464024) + - Fix memory allocation in ldap_parse_page_control. (Closes: #464877) + - Fix slapd crash when accessed by multiple threads. (Closes: #479237) + * Acknowledge NMU. + (Closes: #474976, #471225, #475856, #474652, #465875) + * Bump Standards-Version to 3.7.3 + * Add versioned build dependency on libgnutls-dev (Closes: #466558) + * Bump debhelper compat level to 6. + + [ Russ Allbery ] + * Use MAXPATHLEN rather than PATH_MAX, since OpenLDAP defines the + former and the latter isn't defined on GNU Hurd. Thanks, Samuel + Thibault. (Closes: #475744) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 26 May 2008 22:34:16 +0200 + +openldap2.3 (2.4.7-6.3) unstable; urgency=low + + * Non-maintainer upload. + * Install all slapd relevant manpages into slapd package. + (closes: #474976) + * Make libldap-2.4-2 conflict against libldap2. (closes: #475856) + + -- Bastian Blank <waldi@debian.org> Tue, 29 Apr 2008 18:00:23 +0200 + +openldap2.3 (2.4.7-6.2) unstable; urgency=low + + * Non-maintainer upload to solve release goal issues. + * Add LSB dependency header to init.d scripts (Closes: #474652) + + -- Petter Reinholdtsen <pere@debian.org> Wed, 16 Apr 2008 08:04:49 +0200 + +openldap2.3 (2.4.7-6.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * Fix possible remote denial of service vulnerability in the BDB backend + via a modrdn operation with a NOOP control + (CVE-2008-0658; Closes: #465875). + + -- Nico Golde <nion@debian.org> Tue, 04 Mar 2008 14:34:44 +0100 + +openldap2.3 (2.4.7-6) unstable; urgency=low + + [ Updated debconf translations ] + * Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no>. Closes: #452950. + * Brazilian Portuguese, thanks to Eder L. Marques <frolic@debian-ce.org>. + Closes: #463460. + * German, thanks to Helge Kreutzmann <debian@helgefjell.de>. + Closes: #465784. + + [ Steve Langasek ] + * Relax build-dependency on libsasl2-dev now that the versioned dependency + is satisfied by all extant versions (including in oldstable), fixing a + lintian warning about versioned build-deps on Debian revisions. + * Avoid using a mutex around getaddrinfo() and getnameinfo() calls, which + are guaranteed by glibc to be threadsafe; this fixes a deadlock when + using nss_ldap for host lookups. Closes: #340601. + * debian/libldap2-dev.manpages: install all of man3/* instead of + enumerating specific manpages to install. Closes: #320073. + * Add new patch, sasl-cleartext-strncasecmp, to correct a regression that + prevented the use of the {CLEARTEXT} password scheme with SASL. + Closes LP: #191563. + * drop LGPL from debian/copyright; there is no longer any code under this + license in the package. + * Drop patch gnutls-altname-nulterminated; it's been determined that the + "length" discrepancy was a bug in gnutls, and fixed in that package. + * debian/configure.options: explicitly pass --with-odbc=unixodbc, so + that we depend on the right ODBC implementation when both happen to + be installed at build time. + + [ Russ Allbery ] + * Add a stamp file for the configure rule to avoid rerunning configure + needlessly. Closes: #465588. + * Don't create the openldap user if slapd has been configured to run as + a different user. If slapd has been configured to run as openldap, do + create the user on reconfigure. Closes: #452438. + * Reformat, reorganize, and update slapd's README.Debian. + - Include SASL configuration information. + - Remove LDBM information, since upstream no longer even ships LDBM + and the debconf prompting and maintainer scripts already take care + of any lingering databases. + - Document the differences between the Debian OpenLDAP packages and + upstream. + + -- Steve Langasek <vorlon@debian.org> Thu, 28 Feb 2008 22:15:17 -0800 + +openldap2.3 (2.4.7-5) unstable; urgency=low + + [ Updated debconf translations ] + * Finnish, thanks to Esko Arajärvi <edu@iki.fi>. Closes: #462688. + * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>. Closes: #462987. + * French, thanks to Christian Perrier <bubulle@debian.org>. + Closes: #463149. + * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>. Closes: #463442. + * Czech, thanks to Miroslav Kure <kurem@debian.cz>. Closes: #463472. + * German, thanks to Helge Kreutzmann <debian@helgefjell.de>. + Closes: #464718. + + [ Steve Langasek ] + * Fix various regressions related to the introduction of GnuTLS: + - Add new patch, gnutls-ciphers, to fix support for specifying multiple + ciphers with TLSCipherSuite option in slapd.conf. Thanks to Kyle + Moffett <kyle@moffetthome.net> for the patch. Closes LP: #188200. + - Add new patch, slapd-tlsverifyclient-default, to set the intended + default value of "TLSVerifyClient never" in the right place. + - Add new patch, gnutls-altname-nulterminated, to account for differences + in how the "length" is returned for commonName vs. subjectAltName. + - Comment out TLSCipherSuite settings on upgrade from all versions prior + to 2.4.7-5, and throw a debconf error to the user notifying them of + this, since all OpenSSL cipher suite values are incompatible with + GnuTLS. + Closes: #462588. + * Add new patch from upstream, entryCSN-backwards-compatibility, to support + auto-converting entryCSN attributes in a previously supported old format, + fixing an upgrade failure. Closes: #462099. + * Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the + latter resorts to a SIGKILL and may corrupt backend data; whereas the + former will exit non-zero if slapd is still running but won't directly + cause data-loss. Thanks to Mark McDonald for the patch. LP: #92139. + * Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for + reporting. Closes: #463971. + * Fix a superfluous space in the debconf templates, due to a trailing space + in the templates. Closes: #464719. + + -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2008 14:25:55 -0800 + +openldap2.3 (2.4.7-4) unstable; urgency=high + + [ Steve Langasek ] + * Build-conflict with libicu-dev, for consistent dependencies in all + build environments. + * Fix an oversight in the checkpoint migration, which caused the checkpoint + option to not be moved far enough down. Closes: #462304, LP: #185257. + * Build-depend on unixodbc instead of iODBC. + + [ Updated debconf translations ] + * Japanese, thanks to Kenshi Muto <kmuto@debian.org>. Closes: #462191. + + -- Steve Langasek <vorlon@debian.org> Fri, 25 Jan 2008 02:17:23 -0800 + +openldap2.3 (2.4.7-3) unstable; urgency=low + + * Add missing build-dependency on groff-base, to allow use of soelim during + build. + + -- Steve Langasek <vorlon@debian.org> Mon, 21 Jan 2008 15:18:27 -0800 + +openldap2.3 (2.4.7-2) unstable; urgency=low + + * Temporarily drop slapi-dev from the package to get through NEW; this + functionality should be readded later, either by restoring the slapi-dev + package or by moving it to libldap2-dev, depending on the outcome of + discussion with the ftp-masters. + + -- Steve Langasek <vorlon@debian.org> Mon, 21 Jan 2008 06:13:21 -0800 + +openldap2.3 (2.4.7-1) unstable; urgency=low + + [ Steve Langasek ] + * New upstream version; closes: #449354. + - remove another schema from upstream source, collective.schema, + that contains text from the IETF RFCs and include a stripped copy + in debian/schema. + - drop patches slurpd-in-spool and man-slurpd, since slurpd is no + longer provided upstream. + - libldap2.3-0 is now libldap2.4-2 + - build libldap2-dev from this source package now, superseding + openldap2; closes: #428385, #260118, #262539, #391899, #393215. + - lastmod and denyop have been moved to contrib upstream and are no + longer shipped as supported overlays + - drop dependency on libldap2 and take ownership of the + /etc/ldap/ldap.conf conffile, since libldap2 is now obsolete + - need to dump and reload databases again for the upgrade from 2.3.39. + - ldap_init(3) no longer attempts to document the internals of the + LDAP opaque type. Closes: #320072. + - ldap-utils utilities find LDAP servers via SRV records when given a + URL with -H and no host in the URL. Closes: #221173. + - if the old slapd.conf included any replica commands, automatically + enable syncprov for the corresponding database and print an error + with debconf. + * slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be + shipped under doc/examples because /usr/share/doc can't be depended + on per policy; ship the files under /usr/share/slapd and symlink the + /other/ way, which also spares us from dh_compress trying to gzip + slapd.conf. Closes: #452749. + * Drop libldap.so as was done for libldap2, making it a link to + libldap_r.so to avoid unfortunate symbol collisions. + * Add new patch, libldap-symbol-versions, to build libldap and liblber + with symbol versions; needed to avoid segfaults when applications + manage to pull both libldap2 and the new libldap-2.4-2 into the same + process (as during a partial upgrade or the initial soname + transition), and also when the library soname changes again in the + future (as it's likely to do). + * Reintroduce add-autogen-sh patch, with build deps on libtool, automake, + and autoconf, required due to the previous patch; this time around, take + care to clean up the autogenerated files in the clean target as well + * Build-depend on libgnutls-dev instead of on libssl-dev, so that at long + last we can build the server and lib from the same source package again + without licensing problems. Closes: #457182, #407334, #428468, #381788. + Closes: #412706. + * slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for + openldap < 2.1.22 + * Ask about ldbm to bdb migration in the preinst, since there is no + guarantee that the debconf config script will be run before the unpack + phase. + * Don't stop slapd in the preinst by hand, the prerm already stops the + old slapd using the standard interfaces. + * Don't build with LAN Manager password support; these passwords are more + insecure than traditional Unix crypt, and only relevant when talking to + Windows 98. + * Move libslapi into the slapd package and provide a virtual package for + library dependencies, since this is expected to stay lockstep with the + server. + * Split slapi dev support into a new libslapi-dev package, as this is + unrelated to libldap; and drop libslapi.a since it would be insane to try + to statically link a dynamically-loaded slapi plugin. + * "checkpoint" directives are no longer supported as part of the backend + config, only as part of the database config; move the lines around in + slapd.conf on upgrade. + * "schemacheck" directives are no longer supported; comment them out + on upgrade since this option was set by default in sarge. + * Package description updates; thanks to Christian Perrier + <bubulle@debian.org> and the Smith review project for these + improvements. + * Incorporate debconf template changes suggested by the debian-l10n-english + team as part of the Smith review project. Closes: #447224. + + [ Russ Allbery ] + * Removed fix_ldif and all remaining code to try running it on LDIF + dumps. Schema checking has been imposed since 2.1 and it's highly + unlikely that anyone still needs this. + * Move the checkpoint directive in the default slapd.conf below the + database and suffix directives for the primary database. This is now + required for OpenLDAP 2.4. + * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640 + by default so that slapindex and friends can read it when run as the + openldap user. Fix permissions on upgrade if slapd.conf is owned by + root and mode 600. Closes: #432662. + * Drop slapd patch to read slapd.conf before dropping privileges, since + slapd.conf should now be readable by SLAPD_GROUP. + * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume + the cn=config backend is used and start slapd with the appropriate + options. Based on a patch from Mike Burr. Closes: #411413. + * Rework slapd's README.Debian: + - Document the BerkeleyDB version. Closes: #438127. + - Document how to direct slapd's logs to another file. Closes: #258931. + - Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades. + - Recommend HDB instead of BDB. + - Generally reformat and reorganize. + * Patch cleanup: + - Combine the NTLM patches for Evolution into a single patch. + - Add explanatory comments to every patch. + - Refresh all patches to remove diff garbage and trailing whitespace. + * debian/rules cleanup: + - Fix patch dependencies for parallel build (hopefully). + - Tell configure the system type. + - Rewrite upstream_strip_nondfsg.sh as a get-orig-source target. + - Remove stamp files as the first step of the clean target. + - Add trivial build-arch and build-indep targets. + - Remove dead code and unnecessary comments. + * Remove postrm code to delete /var/lib/slapd/upgrade* flag files. We + haven't used those since the 2.1 upgrade. + * Update Vcs-* headers for new repository layout. + * Remove versioned dependency on an ancient dpkg-dev. + * Wrap and reorder Build-Depends for readability. + + [ Updated debconf translations ] + * Czech, thanks to Miroslav Kure <kurem@debian.cz>. Closes: #458215. + * German, thanks to Helge Kreutzmann <debian@helgefjell.de>. + Closes: #452833. + * Spanish + * Finnish, thanks to Esko Arajärvi <edu@iki.fi>. Closes: #448061. + * French, thanks to Christian Perrier <bubulle@debian.org>. + Closes: #452632. + * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>. + Closes: #451158. + * Italian, thanks to Luca Monducci <luca.mo@tiscali.it>. Closes: #449442. + * Japanese, thanks to Kenshi Muto <kmuto@debian.org>. Closes: #451325. + * Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no>. Closes: #448935. + * Brazilian Portuguese + * Portuguese, thanks to Tiago Fernandes <tjg.fernandes@gmail.com>. + Closes: #453341. + * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>. Closes: #453318. + * Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>. + Closes: #453411. + + -- Steve Langasek <vorlon@debian.org> Mon, 21 Jan 2008 04:58:24 -0800 + +openldap2.3 (2.3.39-1) unstable; urgency=medium + + * Medium severity due to denial of service fix. + * New upstream release. + - CVE-2007-5708: Fix remote denial of service attack in slapo-pcache + (the overlay for proxy caching). (Closes: #448644) + - Multiple additional more minor bug fixes. + * Document in the default slapd.conf that dbconfig options only generate + the DB_CONFIG file on first slapd start and have no effect afterwards + unless DB_CONFIG is removed. (Closes: #442191) + * Inline the checkpoint and BerkeleyDB backend settings in the default + slapd.conf rather than generating them dynamically in postinst. All + the allowable default database choices are now BerekelyDB variants and + will probably continue to be so for the forseeable future, and this is + easier to maintain. + * Drop debconf questions, warnings, and maintainer script functions + dealing with upgrades from OpenLDAP 2.1, which is now too hold for + supported direct upgrades. (Closes: #444806) + * Add a watch file. Thanks, Fernando Ribeiro. (Closes: #435290) + * Add Homepage, Vcs-Svn, and Vcs-Browser control fields. + + -- Russ Allbery <rra@debian.org> Mon, 12 Nov 2007 16:00:47 -0800 + +openldap2.3 (2.3.38-1) unstable; urgency=low + + [ Steve Langasek ] + * Drop debian/patches/use-lpthread, which is no longer needed on mips* + because gcc has been fixed. + * Drop debian/patches/add-autogen-sh, also no longer needed now that + the above patch is gone. + + [ Matthijs Mohlmann ] + * Fix bashism in initscript. (Closes: #428883) + * Drop upstream patches ITS4924, ITS4925 and ITS4966. + * Add patch for objectClasses which causes slapd to crash. (Closes: #440632) + - CVE-2007-5707. + - Upstream bug ITS5119. + * Change default loglevel to none, to log high priority messages. + (Closes: #442000) + * Tighten up the build dependencies, now that autogen patch is removed. + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 17 Sep 2007 22:58:54 +0200 + +openldap2.3 (2.3.35-2) unstable; urgency=low + + * Enable LAN Manager password support in slapd. (Closes: #245341) + * If automatic configuration is selected and slapd.conf doesn't exist + during an upgrade, treat this as a fresh installation rather than + aborting with an error. Also try to provide a better error message if + the user has deleted /etc/ldap/schema but we just generated a new + configuration that references it. These cases can occur if someone + removes (rather than purges) the package, manually deletes /etc/ldap, + and then reinstalls. (Closes: #205010) + * Don't fail in slapd's postrm if /etc/ldap/schema has already been + deleted. + * Remove slapd conflicts with libbind-dev and bind-dev. There no longer + appears to be anything in those packages that would break slapd's + resolver. (Closes: #225896) + * Add libldap-2.3-0-dbg and slapd-dbg packages with detached debugging + information. + * db_recover is no longer required after changing DB_CONFIG; slapd now + detects changes itself and does the right thing. Also note in + README.DB_CONFIG the existence of the dbconfig slapd.conf parameter + and slapd's DB_CONFIG writing support. (Closes: #412575) + * Add options to /etc/default/slapd to let the system administrator tell + the init script to not start slapd on boot. (Closes: #254999) + * Redirect fd 3 to /dev/null in the slapd init script for additional + robustness when debconf is running. (Closes: #227482) + * Add to /etc/default/slapd a commented-out example of how to change the + keytab file used for GSSAPI authentication. (Closes: #412017) + * Use variables in /etc/init.d/slapd for the paths to slapd and slurpd + so that someone who really wants to can override them in + /etc/default/slapd. (Closes: #403948) + * Allow people building packages for outside Debian to skip the checks + for non-DFSG-free material by setting a variable. Thanks, Peter + Marschall. (Closes: #427245) + * Remove duplicate libldap-2.3-0 dependencies. (Closes: #408987) + * Use binary:Version instead of Source-Version for the tight + dependencies between slapd and ldap-utils and libldap-2.3-0. + + -- Russ Allbery <rra@debian.org> Mon, 11 Jun 2007 20:26:26 -0700 + +openldap2.3 (2.3.35-1) unstable; urgency=low + + * New upstream release with many bug fixes. + - Allow syncprov to follow aliases. (Closes: #422087) + * Apply upstream patches: + - ITS#4924: client crash on incorrectly tagged result from server. + - ITS#4925: NOOP modify with BDB backend crashed slapd. + - ITS#4966: Delete of valsort-controlled entries crashed slapd. + * Enable SLAPI support. (Closes: #390954) + * Re-enable use of the epoll system call since Debian no longer supports + 2.4 kernels. This means that the OpenLDAP packages will not work on + pre-2.6 kernels. + * Remove schema files that contain text from IETF RFCs from the upstream + source since that text is not DFSG-free. Instead, install stripped + versions of those schema files containing only the functional + interface specifications, a comment explaining why this is needed, and + a pointer to the relevant RFC. (Closes: #361846) + * Document the repackaging of the upstream source in debian/copyright. + * Update config.guess and config.sub during the build instead of in the + clean target and remove them in the clean target for a clean diff. + Build-depend on autotools-dev so that we can unconditionally copy over + the latest versions. + * Added commentary and upstream ITS numbers for several patches + applicable upstream. + * Use debian/compat rather than the deprecated DH_COMPAT rules setting. + * Update to debhelper compatibility level V5 (no changes required). + + -- Russ Allbery <rra@debian.org> Wed, 30 May 2007 22:42:28 -0700 + +openldap2.3 (2.3.30-5) unstable; urgency=low + + [ Steve Langasek ] + * Add Portuguese debconf translation; thanks to Tiago Fernandes. + Closes: #409632. + * Re-add .la files to the slapd package, for greater compatibility + with upstream documentation. + + [ Russ Allbery ] + * When starting slapd, create a symlink from /var/run/ldapi to + /var/run/slapd/ldapi for compatibility with 2.1 client libraries. + Closes: #385809. + * Apply upstream patch to prevent a race condition in slapd when + shutting down connections. + * Update the Brazilian Portuguese debconf translation; thanks to Felipe + Augusto van de Wiel. + + -- Russ Allbery <rra@debian.org> Thu, 8 Mar 2007 18:21:02 -0800 + +openldap2.3 (2.3.30-4) unstable; urgency=low + + * Ok, argh, it helps to check that the function being re-added to the + preinst hasn't been removed again from the common include. Re-add + break_on_ldbm_to_bdb_migration_disagree, because by all appearances + we /should/ be using this in the preinst. Closes: #411474. + + -- Steve Langasek <vorlon@debian.org> Mon, 19 Feb 2007 03:55:22 -0800 + +openldap2.3 (2.3.30-3) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * Added spanish translation. (Closes: #404250) + * Documentation updates backported from upstream. + * Fix a security bug in kerberos kbind code. (Only used when enabling with + --enable-kbind option) But better safe then sorry. + * Backported a mem leak fix on failed binds. + * Added patch from upstream that fixes a memory leak in ACLs that use sets. + + [ Steve Langasek ] + * *Really* abort in preinst if the user doesn't accept the upgrade + from ldbm to bdb. Closes: #392747. + * Set the name of debian/slapd.NEWS right so that it gets + installed in the binary package. Closes: #409923. + * Add Russian debconf translation; thanks to Yuri Kozlov. + Closes: #405706. + * Add Galician debconf translation; thanks to Jacobo Tarrio. + Closes: #407267. + + -- Steve Langasek <vorlon@debian.org> Sun, 18 Feb 2007 16:47:16 -0800 + +openldap2.3 (2.3.30-2) unstable; urgency=low + + * Make sure that the pidfile directory doesn't exist in the init script. + (Closes: #402705) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Tue, 12 Dec 2006 21:34:44 +0100 + +openldap2.3 (2.3.30-1) unstable; urgency=low + + * New upstream release. + - Fixed authzTo/authzFrom URL matching. + - Fixed syncrepl consumer memory leaks. + - Fixed slapd-hdb livelock. + - Fixed slapo-ppolicy external quality check. + - Fixed ldapsearch(1) man page acknowledgement. + * Added patch to make sure that the pidfile directory exists. + (Closes: #390337) + * Do not ask the question allow ldap v2 logins when user wants manual + configuration. (Closes: #401003) + * Add patch to look also in /etc/ldap/sasl2 for sasl configuration. + (Closes: #398657) + * Removed db4.2-util recommend, the slapd binary includes checking code to + fix DB errors. + * Updated README in schema directory. It doesn't list collective.schema + anymore. (Closes: #287358) + * Updated manpages to point to right paths. (Closes: #398790) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 9 Dec 2006 20:50:58 +0100 + +openldap2.3 (2.3.29-1) unstable; urgency=medium + + [ Matthijs Mohlmann ] + * New upstream release. + - Fixes Denial of Service through a certain combination of LDAP BIND + requests (CVE-2006-5779) (Closes: #397673) + * LSB section added to the init script. + * Updated README.Debian about running as non-root user (Closes: #389369) + * Updated de translation (Closes: #396096) + * Added some documentation / warning when running slapindex as root. + * Remove drafts and rfc from the tarball. (Closes: #393404) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 11 Nov 2006 11:24:42 +0100 + +openldap2.3 (2.3.27-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. + * pidfile location is changed 3 years ago, when people are upgrading from + back then they have a broken slapd because the openldap user is not able + to write to /var/run. (Closes: #380687) + * Patches by Quanah Gibson-Mount <quanah@stanford.edu> + - Fix one time memleak on startup in the accesslog db. + * Changed priority of libldap-2.3-0 to optional as it is only used by slapd. + + [ Torsten Landschoff ] + * Remove RFC documents as they do not meet the DFSG. + + debian/rules: Check that the RFCs are gone to make sure it does not + get included again by accident. + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 2 Sep 2006 00:33:44 +0200 + +openldap2.3 (2.3.25-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release: + - Accepts 'require none' in slapd.conf (closes: #370023). + - Added patch to fix a bold issue in the manpage ldapsearch. Thanks to + Matt Kraai. (Closes: #355670) + * Added commented out rootdn parameter in slapd.conf. (Closes: #303245) + * Make the scripts output a bit more consistent. + * Fix a regression in the slapd packages. Data directory is /var/lib/ldap + and not /var/openldap-data, also adjust the manpages to reflect these + change. Thanks to Peter Marschall. (Closes: #368891) + * Removed script move_files, dh_install is used instead. (Closes: #368896) + * Dutch translation already updated. Closes: #375101) + * Documented that slapd is compiled with TCP wrappers (Closes: #351428) + * dpkg-reconfigure slapd now just reinstalls slapd and moves old databases + to /var/backups. Already done in previous version (Closes: #230366, #208056) + + [ Torsten Landschoff ] + * debian/libldap-2.3-0.install: Ignore version information when installing + libraries. This way it does not need updating for each new upstream + release. + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Wed, 26 Jul 2006 18:05:40 +0200 + +openldap2.3 (2.3.24-2) unstable; urgency=low + + * Switch slapd from running as root to running as user. + (Closes: #292845, #261696) + * Changing configuration in slapd.conf by the postinst will now also follow + includes. (Closes: #304488) + * Patches by Quanah Gibson-Mount <quanah@stanford.edu> + - fix a lock bug with a virtual root entry in the BDB backend. + - fix boolean logic in the overlays. + - fix that slurpd can use ldaps. + - fix initialization of auditdb. + - fix TLS concurrency issues. + - fix exop password change that didn't reset pwdMustChange. + - fix syncrepl that fails when no rootdn is defined. + * Add dependency on adduser. + * Specify the PATH variable in the init script. (Closes: #367981) + * Added patch to read config before dropping privileges. + * epoll(4) system call is missing on kernels <2.6, this causes slapd to + not work on 2.4 kernels. Added patch that remove the #define in + portable.in (Closes: #369352, #372194, #373233) + * In 2.3.24 slapd won't segfault if the moduleload directive appears + somewhere else. (Closes: #349011) + * Removed fileutils dependency, it's superseeded in Sarge already. + (Closes: #370013) + * Use find in combination with mv to move an old directory away. + (Closes: #306435) + * Updated Dutch debconf translation (Closes: #365172) + * Added an example backup script that can be put into cron (Closes: #319477) + * Make the db directories 0700. On new installations this is the default. + (Closes: #354450) + * Get rid of a '.' in front of a domain. (Closes: #318143) + * Added shadowLastChange to the ACL in the default slapd.conf + (Closes: #370550) + * Updated Japanese translation (Closes: #378565) + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 17 Jul 2006 18:22:45 +0200 + +openldap2.3 (2.3.24-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream version. (Closes: #369544) + * Update patch slurpd-in-spool. (Closes: #368586, #368709, #368889) + * Added slapi-errorlog-file to be into /var/log (Closes: #368895) + * Removed patch configure.in-fix, incorporated upstream. + * Move debian/configure.options.new to debian/configure.options. + * Added patch to put ldapi socket in /var/run/slapd. + * Removed bdb recovery from the init.d script. This was introduced to fix + bug #255276. Now that slapd has the ability to check and recover from bdb + failures, this function is not needed anymore. (Closes: #369484, #369093) + * Updated the lintian overrides. + + [ Torsten Landschoff ] + * Include man pages for accesslog and auditlog overlays, patch by + Peter Marschall (closes: #368888). + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Thu, 1 Jun 2006 08:16:02 +0200 + +openldap2.3 (2.3.23-1) unstable; urgency=low + + [ Matthijs Mohlmann ] + * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158) + (Closes: #310282, #319155) + * OpenLDAP checks database before starting up. + (Closes: #190165, #195079, #294701, #308416) + * move_old_database_away isn't called in a while loop anymore (which would + kill debconf interaction) (Closes: #299100) + * BDB_CONFIG file will be installed on new installations (Closes: #301292) + * Move to dh_install. + * Move to quilt patch system. + * Fix manpage. + * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings) + * Wipe passwords after we created the initial configuration. + * The config scripts is runned twice, this causes the password in + slapd/internal/adminpw to be empty. This fixes the issue with having an + empty password in the ldap database. (Closes: #343113, #347725) + * Added #DEBHELPER# token to fix a lintian warning. + * bdb has changed between major versions, so dump the database and import it + again for versions before 2.3.19. + * Remove comments from debian/control (The out commented control information + is actually in debian/control.dev) + * Enable all backends and overlays with: --enable-backends=mod and + --enable-overlays=mod + * Add | debconf-2.0 to unblock cdebconf transition (Closes: #332053) + * Added Danish debconf translation (Closes: #353897) + * Updated French debconf translation (Closes: #320739) + * Updated Vietnamese debconf translation (Closes: #319706) + * Updated Czech debconf translation (Closes: #356554) + * Encode the organization to utf8 (Closes: #236097) + * Disabled the LDBM backend. Break in preinstallation if user doesn't want + to migrate to BDB backend. + * Removed choice for LDBM backend from slapd templates. And some explanation + in that question about the LDBM backend. + * Add sizelimit and tool-threads and some documentation to slapd.conf + (Closes: #327808) + * slapd.scripts-common had two functions with the same name. + * Don't return a error message if hostname fails. + * Backup the config only once on upgrade. + * For new installations do not install a DB_CONFIG file but use the + slapd.conf as file for BDB/HDB configuration parameters. See: slapd-bdb(5) + * Added various "exit 0" to the installation scripts. + * Add configure.in patch to fix C comparison what should be bash (ITS#4416) + * Raise debconf configuration level from low to medium for + slapd/no_configuration. + * Updated Standards-Version to 3.7.2.0 + * Added build-dependency on perl which is used in the debian/rules file. + Considered by lintian. + * Added lintian override for too-long-extended-description-in-templates, it + is an explanation about the backends. + + [ Steve Langasek ] + * debian/slapd.templates: Fix typo durin -> during; re-run + debconf-updatepo, fixing up the fuzzies (closes: #319596). + + [ Torsten Landschoff ] + * debian/slapd.scripts-common: Rename backend_supported to + upgrade_supported_from_backend for more clarity. + + -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 13 May 2006 00:28:11 +0200 + +openldap2.2 (2.2.26-4) unstable; urgency=low + + * [l10n] Vietnamese translations by Clytie Siddall (closes: #316623). + * debian/slapd.templates: Fix typos occured -> occurred (closes: #316624). + * libraries/libldap/url.c: Apply patch from upstream CVS to fix URI + parsing (closes: #317100). + + -- Torsten Landschoff <torsten@debian.org> Tue, 19 Jul 2005 20:52:17 +0200 + +openldap2.2 (2.2.26-3) unstable; urgency=low + + * [SECURITY] Applied the patch available at + http://bugzilla.padl.com/show_bug.cgi?id=210 + to force libldap to really use TLS when requested in /etc/ldap/ldap.conf + (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2 + source package so this is only to prepare unleashing the libraries of + OpenLDAP 2.2 for unstable... + + -- Torsten Landschoff <torsten@debian.org> Sun, 3 Jul 2005 10:41:37 +0200 + +openldap2.2 (2.2.26-2) unstable; urgency=low + + * Assembled changes from patches supplied by Peter Marschall (thanks, + Peter): + | debian/move_files: Move slapd and slurpd to /usr/sbin and adjust symlinks + (closes: #316354). + + debian/slapd.links: Remove symlinks from /usr/sbin to /usr/lib. + | debian/rules: Don't install cron jobs needed for GnuTLS as long as we are + using OpenSSL. + | debian/control: Remove build-dependencies needed for GnuTLS + (closes: #316355). + + Require libsasl >= 2.1.18 as recommended by OpenLDAP project. + | Update quicktool patch from Quanah Gibson-Mount (closes: #316361). + | debian/slapd.init: Use /bin/sh as shell when running db_recover + (closes: #316350). + | debian/configure.options: Enabled dynlist and proxycache overlays + (closes: #316351). + + * debian/po/de.po: Apply typo correction patch (closes: #313809). + * debian/po/fr.po: Apply updates by Christian Perrier (closes: #315122). + + -- Torsten Landschoff <torsten@debian.org> Fri, 1 Jul 2005 12:53:18 +0200 + +openldap2.2 (2.2.26-1) unstable; urgency=low + + * New upstream release. + * debian/slapd.init: Run db_recover as the user configured for slapd + (closes: #311331). + * debian/po/cs.po: Add Czech translation by Miroslav Kure (closes: #312064). + * Run debconf-updatepo, oh my :( + * Update configure via libtoolize -cf; aclocal-1.4; autoconf2.50. + * configure.in: Try to fix memcmp check (probably does not work anymore, but + we should have a working memcmp on all Debian systems anyway). + * debian/rules: Remove config.{sub,guess} before installing new versions + (just in case there were symlinks for them...). + + -- Torsten Landschoff <torsten@debian.org> Tue, 21 Jun 2005 12:06:40 +0200 + +openldap2.2 (2.2.23-8) unstable; urgency=low + + * debian/DB_CONFIG: Fixed the log cache configuration (used the wrong + command so there was about no effect). + + -- Torsten Landschoff <torsten@debian.org> Mon, 30 May 2005 08:48:10 +0200 + +openldap2.2 (2.2.23-7) unstable; urgency=low + + * debian/slapd.scripts-common: Install the default DB_CONFIG for each + database loaded from LDIF which didn't have a DB_CONFIG before. + * (automatic) Updated config.sub and config.guess from autotools-dev. + + -- Torsten Landschoff <torsten@debian.org> Mon, 30 May 2005 08:08:37 +0200 + +openldap2.2 (2.2.23-6) unstable; urgency=low + + Torsten Landschoff <torsten@debian.org>: + * debian/po/ja.po: Merge updates from Kenshi Muto (closes: #303505). + * debian/po/fr.po: Merge updates from Christian Perrier (closes: #306229). + * debian/slapd.scripts-common: If the user enters the empty value for + the database dumping directory use the default value. Seems like the + readline interface does not care about the default value + (closes: #308234). + * debian/slapd.postinst: Make sure the debhelper commands are executed + in all cases (closes: #310422). + * Merged suggested changes by Eugene Konev to automatically run + db_recover before starting slapd (closes: #255276). + + debian/slapd.init: Run db_recover if enabled and available and no + slapd process running. + + debian/slapd.default: Add configuration option to disable it. + * Applied and improved patch by Matthijs Mohlmann to support migration + from ldbm to bdb backend. + + debian/slapd.config: Ask if migration is wanted. + + debian/slapd.postinst: Update configuration from ldbm to bdb if yes. + + debian/slapd.scripts-common: Implemented some parts in their own + functions. + * Add a README.DB_CONFIG.gz and reference it where referring to BDB + configuration. + * Update default DB_CONFIG with some senseful values. + + Steve Langasek <vorlon@debian.org>: + * libraries/libldap_r/Makefile.in: make sure the ximian-connector ntlm + patch is applied to libldap_r, not just to libldap + * debian/move_files: make libldap a symlink to libldap_r, as carrying + two versions of this library around is more trouble than it's worth, + and can cause glorious segfaults down the line + + -- Torsten Landschoff <torsten@debian.org> Mon, 30 May 2005 08:07:49 +0200 + +openldap2.2 (2.2.23-5) unstable; urgency=low + + Torsten Landschoff <torsten@debian.org>: + * debian/lintian-overrides: Add. Contains lintian warnings/errors to + override for each package (plus comments). + + debian/move_files: Automatically install applying overrides into + each package. + + Steve Langasek <vorlon@debian.org>: + * configure.in: reinstate the remainder of the fix for 195990 from + 2.1.22-2: give preference to -lpthread over -pthread in configure.in, + because some archs (mipsel, at least) don't like -pthread. + + -- Steve Langasek <vorlon@debian.org> Sun, 24 Apr 2005 05:01:02 -0700 + +openldap2.2 (2.2.23-4) unstable; urgency=low + + Torsten Landschoff <torsten@debian.org>: + * debian/control: Make the requirement for debconf a pre-dependency as + we are using it from the maintainer scripts. + * debian/slapd.preinst: Always use debconf (don't check for availability). + * debian/slapd.scripts-common: Remove the alert_user function which + was there to output an error message in case debconf is not available. + + Steve Langasek <vorlon@debian.org>: + * debian/fix_ldif: Add code to fix up oddly formatted integer attribs; + limited use because it only fixes those attributes that we have + prior knowledge of (i.e., those in the default schemas we ship), but + it's something at least. Closes: #302629. + * debian/fix_ldif: Also change fix_ldif to not chew up everything that + has a # in the line: treat lines beginning with # as comments, but # + is a valid character in an attribute value. + * debian/rules: Fix the check for missing lib symbols to use + LD_LIBRARY_PATH, so the package builds on systems that don't already + have libldap-2.2-7 installed. Closes: #305785. + * debian/po/ja.po: Use the partial translation provided by Kenshi Muto. + + Stephen Frost <sfrost@debian.org>: + * debian/slapd.scripts-common: Make sure - ends up at the end of the + bracket expression given to grep so it's not treated as a range + (closes: #302743). + + -- Steve Langasek <vorlon@debian.org> Sat, 23 Apr 2005 22:01:20 -0700 + +openldap2.2 (2.2.23-3) unstable; urgency=low + + Steve Langasek <vorlon@debian.org> + * libraries/libldap_r/Makefile.in: Code that uses pthreads *must* be + linked with -pthread, even if it's a library; without this, the + libldap_r library ends up with dangling unversioned reference to + pthread_create() which gets resolved to a wrong version that causes + segfaults on 64-bit platforms. Closes: #304549. + * debian/rules: error out on build if an installed library has + undefined symbols; future-proofing against a repeat of #304549. + * debian/slapd.postinst: don't dump and reload directories unless we + know we're upgrading from an incompatible version! Closes: #304840. + * debian/slapd.scripts-common: don't use merge_logical_lines for + functions that will be writing back to the config; the code is not + as pretty now, but the output is much less ugly. Closes: #303243. + * debian/slapd.examples, debian/slapd.scripts-common, + debian/slapd.links, debian/move_files: install DB_CONFIG in + /usr/share/slapd/ instead of /usr/share/doc/slapd/examples/; this + simplifies the code, and ensures users who don't install + /usr/share/doc aren't penalized. Create links for the DB_CONFIG and + slapd.confg templates to /usr/share/doc/slapd/examples, since these + are worthwhile examples as well. + * Updated maintainer scripts to keep DB_CONFIG for LDAP databases over + upgrades (closes: #265860). + * Move slappasswd to the slapd package, since it's now a symlink and + isn't actually useful without the slapd binary (closes: #304339). + + -- Torsten Landschoff <torsten@debian.org> Thu, 21 Apr 2005 01:29:57 +0200 + +openldap2.2 (2.2.23-2) unstable; urgency=low + + * debian/configure.options: Change localstatedir to /var from /var/run + as the current upstream version adds /run to that during runtime for + slapi sockets etc. Problem: The database location is specified relative + to localstatedir/openldap-data. Another thing to fix... + (closes: #298271, #304491). + * debian/slapd.scripts-common (load_databases): Reimplement automatic + fixing of LDIF data via the fix_ldif script. Only tried if an + initial slapadd using the original LDIF data fails. With this change + upgrading from woody for some simple cases does work again. + * Disabled the version check for Berkeley DB in upstream code. Any + libdb4.2 package should work but of course using the latest will give + you the best results (closes: #300851). + * debian/slapd.scripts-common (import_database): Removed, no longer used. + * debian/slapd.scripts-common: Store the diagnostic output from + slapadd and output it before aborting if the command failed. + * debian/po/fr.po: Use the translations provided by Christian Perrier + (closes: #304141). + * debian/slapd.scripts-common: Use the -q option during slapadd to + improve performance. + * debian/slapd.templates (slapd/dump_database_destdir): Apply rewording + changes from Thomas Prokosch. Gives the user more information about + the usage of that directory. + + Run debconf-updatepo to update the translation templates. + * debian/slapd.templates: Clean up the debconf templates of the slapd + packages by merging the changes suggested by Christian Perrier + (closes: #302829). Thanks, Christian! + + Changed the wording of some of the templates. + + Adapt to the DTSG (Debconf Templates Style Guide). + + Removed item slapd/admin which is not used anymore. + + Run debconf-updatepo and send new fr.po to Christian Perrier. + * debian/slapd.postinst: Make a backup copy of slapd.conf before changing + anything (closes: #304485). + * Trivial improvements: + + Don't ask to move contents of /var/lib/ldap if it does not even + exist (but also is not an empty directory...) in initial config. + + Move check for current installation status out of configure_dumping. + + -- Torsten Landschoff <torsten@debian.org> Thu, 14 Apr 2005 19:57:11 +0200 + +openldap2.2 (2.2.23-1) unstable; urgency=low + + * debian/slapd.scripts-common: Move all shell functions of the maintainer + scripts here to have it all in one place. + * Another pass over the maintainer scripts to remove cruft and tidy up + the code a bit. Fixed some bugs on the way. + * Test upgrade and installation revealed some bugs, mostly typos: + + return in shell actually is "return $?", not "return 0" as I though + + Referenced $src where $srcdir was meant. + + Only load old directories on upgrade and not during initial + installation. + + -- Torsten Landschoff <torsten@debian.org> Fri, 1 Apr 2005 18:50:21 +0200 + +openldap2.2 (2.2.23-0.pre6) experimental; urgency=low + + Torsten Landschoff <torsten@debian.org>: + * debian/slapd.postinst: Add a testing interface to test the helper + functions. + * debian/slapd.postinst: Make sure that debconf actually displays the + error message even if the user has already seen it before. + * debian/slapd.postinst (compute_backup_path): Make function more robust + in case we don't know the old version or the suffix of the database. + Converted the backup dir to a more simple scheme which should be save + against accidental overwriting. + * Rewrote part of the maintainer scripts for correct handling of + directory dumps in preinst. New debconf questions etc. + * Move the manpage of slappasswd to ldap-utils where slappasswd itself + is included (closes: #300212). + + debian/control: Add Replaces: slapd << 2.2.23-0.pre6 to ldap-utils. + + debian/move_files: Move slappasswd manpage into ldap-utils. + * debian/slapd.config: Don't fail if hostname is unset (pulled from + Ubuntu, thanks to Jeff Bailey). + * Applied patch by Quanah Gibson-Mount (directory administrator of Stanford) + to add -q option to some tools for quick operation without updating + logs. This is mostly for importing directories from LDIF backups. + * Go back to libdb4.2 as OpenLDAP is known to have problems with BDB 4.3. + + debian/control: Update dependencies for BDB 4.2. + + debian/slapd.scripts-common: Mark all databases before this version + as incompatible. + * Fix some bashisms in maintainer scripts. + * debian/slapd.postinst: Include the version of the backup in the + backup of a database directory. + + Carlo Contavalli <ccontavalli@debian.org>: + * debian/slapd.init: Print command line if starting a daemon failed. + * debian/slapd.postinst: Handle hdb backend just as if it was bdb. + * debian/README.Debian: Add some notes about DB_CONFIG and how to run + slapd under a different uid/gid. + * Install an example DB_CONFIG file during initial configuration + + slapd.postinst: Add a function to implement this and hook it into + create_new_configuration. + + debian/DB_CONFIG: Example DB_CONFIG that is installed. + + debian/slapd.examples: Mark DB_CONFIG as an example. + * servers/slapd/daemon.c: Actually change the permissions of the + unix socket if requested using an ldapi url with x-mod. + * debian/slapd.scripts-common: change privileges of upgraded databases + as indicated by SLAPD_USER and SLAPD_GROUP variables. + * debian/slapd.scripts-common,slapd.postinst: corrected some minor + typos. + + -- Torsten Landschoff <torsten@debian.org> Fri, 1 Apr 2005 12:26:35 +0200 + +openldap2.2 (2.2.23-0.pre5) experimental; urgency=low + + * Apply NTLM patch from ximian-connector source package. + * debian/slapd.postinst: Fix small typo leading to upgrade failures. + Added some notes while wading through maintainer scripts. + * debian/slapd.postinst: Make slapadd more noisy, writing the new + directory to stderr if something goes wrong (should help for + bug #236097). + * Make slapd.init idempotent by adding --oknodo to start-stop-daemon + invocations (closes: #298741). Kudos to Bill Allombert for this + patch. + * slapd.postinst: Try to fix slapd.conf for syntactic and semantic changes + introduced upstream into 2.2.x. + * slapd.scripts-common: Make sure directories before 2.2.23 are dumped + and reloaded on upgrade. + + -- Torsten Landschoff <torsten@debian.org> Fri, 11 Mar 2005 18:54:57 +0100 + +openldap2.2 (2.2.23-0.pre4) experimental; urgency=low + + * Rename libldap2.2 to libldap-2.2-7 to match soname. Updated + debian/{control,rules,...}. + * Checked the usage of the ucdata files shipped with libldap2 before. + Actually they stem from liblunicode which is only linked to slapd. + Therefore those files are shipped with slapd now. This change is + relevant so that multiple libldap-2.2-x packages can coexist later. + * debian/control: Updated for slapd replacing files from libldap2. + * debian/control: Recommend db4.3-util instead of db4.2-util as we are + using the former version now for slapd. + * debian/control: Add Build-Depends for libperl-dev, this time for + real. I wonder what went wrong last time as it built correctly with + pdebuild (closes: #297123). + + -- Torsten Landschoff <torsten@debian.org> Mon, 28 Feb 2005 15:17:52 +0100 + +openldap2.2 (2.2.23-0.pre3) experimental; urgency=low + + * debian/slapd.prerm: Reformat and fix double stopping of slapd. Find + out which bug we are working around and document it. + * debian/configure.options: Enable ACI support (closes: #101602). + Looked through the source code and it seems to be properly + insulated to not make a difference when not used. + * .../Makefile.in: Remove -s option from install invocations and let + dh_strip handle stripping binaries (closes: #264448). + * debian/slapd.postinst: Code cleanup and reading, unused and duplicate + code removed. Main body still needs fixing. + * debian/slapd.postinst: Fixed chmod --reference calls to keep the + permissions of slapd.conf. Putting data into the file using shell + redirection recreates the file with default umask and owner, killing + the permissions we applied using chod --reference after creating the + file. Instead we change the permissions directly before renaming the + file now. Wrapped it into a function and update the owner as well. + How do we do this correctly for ACLs etc.!? Thanks to Carlo Contavalli + for pointing this out. + * servers/slapd/main.c: Log a warning if writing the pidfile or writing + the arguments file fails (closes: #261696). + * debian/control: Add missing build dependency for perl development + library (closes: #297123). + + -- Torsten Landschoff <torsten@debian.org> Sun, 27 Feb 2005 17:44:03 +0100 + +openldap2.2 (2.2.23-0.pre2) experimental; urgency=low + + * servers/slurpd/slurp.h: Relocate the default spool directory to + /var/spool/slurpd again. + * Merged some changes done by Fabio M. Di Nitto for the ubuntu + distribution (thanks, Fabio!): + + debian/slapd.{postinst,conf}: Checkpoint BDB databases every 512kb + or 30 minutes by default. + + debian/slapd.scripts-common: Make is_empty_dir less noisy on first + install (cosmetic). + * Applied some changes suggested by Ondrej Sury: + + debian/rules: Add MAKEVARS variable and set datadir = + /usr/share/libldap2.2/ucdata instead of changing build/top.mk as + suggested. + + debian/move_files: Install /usr/share/libldap2.2 into libldap2.2 + and remove duplicate ldap.conf manpage. + + debian/control: Let libldap2.2 dependon libldap2 for config files. + * Also in Ondrej's patch: + + doc/man/man8/slapd.8: Refer to slapd.conf instead of ldap.h for + loglevel documentation. Changed by ubuntu? I don't know... + * debian/slapd.README.Debian: Update TLS/SSL information. + + -- Torsten Landschoff <torsten@debian.org> Fri, 25 Feb 2005 14:44:59 +0100 + +openldap2.2 (2.2.23-0.pre1) experimental; urgency=low + + * Merge new upstream release 2.2.23. + * Change name of source package to openldap2.2. + * configure.in: Fix AC_LIBOBJ for configure2.50. + * Run libtoolize, aclocal-1.4 and autoconf2.50 to get a working + configure script. + * debian/slapd.init: Output failure reasons using "$failure" so that + no glob substitution is done. Had a hard time grokking why slapd + would mention the contents of the current directory in its error + message... + * debian/rules: Disable building -dev packages as we don't want + other packages to link against the new libraries before sarge. + Remove the binary-indep target from the binary dependends list. + * debian/control: Move packages that are no longer build into control-dev. + * debian/configure.options: Build against OpenSSL with --with-tls + (this can only be done for slapd itself, we need GnuTLS support + before enabling this for libldap2.2-dev). + * debian/control: Update build dependencies for libdb4.3 and OpenSSL. + + -- Torsten Landschoff <torsten@debian.org> Wed, 23 Feb 2005 19:29:38 +0100 + +openldap2 (2.2.18-0.pre2) experimental; urgency=low + + * debian/check_config: Make sasl2 check more robust against file + format changes in config.status. + * debian/libldap2.shlibs: Remove. + * Update configure script using libtoolize, aclocal-1.4 and autoconf2.50 + to fix wrong shared library dependency in libldap2.2 (depended on + libldap2 by linking against the system's liblber). + * debian/libldap2.README.Debian: Move to libldap2.2.README.Debian. + * Lintian cleanup: + + Run debconf-updatepo for debian/rules clean and manually as + requested. + + Update config.guess and config.sub in debian/rules clean as well. + First update done. + + debian/rules (install): Fix the manpage section of the admin commands + from 8C to 8. + + debian/rules (binary-arch): Run dh_fixperms to fix the permissions + on shared libraries. + + -- Torsten Landschoff <torsten@debian.org> Thu, 13 Jan 2005 11:53:28 +0100 + +openldap2 (2.2.18-0.pre1) experimental; urgency=low + + * New upstream release. + * Disable TLS for now. + * debian/rules: Don't run autoheader and autoconf. + * debian/configure.options: Recreated and updated for new setup. + * debian/rules: Move slapd, slurpd from /usr/lib to /usr/sbin. + * Rename library packages to include the OpenLDAP version. + * Remove /etc/ldap/ldap*.conf from libldap2.2 to avoid clash with + libldap2. Also add Replaces entry for libldap2 to allow overwriting + for now. Needs fixing... + * Instead of moving slapd from /usr/lib to /usr/sbin create a symlink. + Seems like slapadd etc. are now all included in the slapd binary + and all link to its binary. + * debian/rules: Run dh_link for arch dependend packages. + * configure: Fix broken libdb checking which forced static building of + back-bdb. + * debian/slapd.conf: Fix access directive to use "attrs=" instead of + "attribute=" which wasn't officially supported anyway. + + -- Torsten Landschoff <torsten@debian.org> Wed, 3 Nov 2004 09:57:14 +0100 + +openldap2 (2.1.30-3) unstable; urgency=high + + * Urgeny high since previous releases were hardly usable (at least + with TLS). + * Roland Bauerschmidt <rb@debian.org> + + libraries/libldap/gnutls.c, libraries/libldap/tls.c, + include/ldap_pvt_gnutls.h: Use callback with + gnutls_certificate_set_params_function to generate dh_params and + rsa_params (this is also the way, it's done with OpenSSL). We need + GNUTLS 1.0.9 for this. With the new version of libgcrypt, we also + need to initialize threading explicitly. The previous + segmentation faults resulted from the *global* param structure + being recreated and freed for every session. Many thanks to + Matthias Urlichs who helped debugging a lot and also packaged + GNUTLS 1.0.16 very quickly... Closes: #244827. + + debian/control: Add build dependency to libgcrypt11-dev (we're + initializing it directly now) and change libgnutls10-dev to + libgnutls11-dev. + + libraries/libldap/gnutls.c: in tls_gnutls_need_{dh,rsa}_params + (formerly ldap_gnutls_need_...), create temp files more securely, + doing unlink before opening and opening them with O_EXCL. This is + necessary because under Linux 2.6 all threads have the same PID. + Thanks to Andrew Suffield for pointing this out. + + debian/slapd.cron.daily: cron job to remove GNUTLS rsa_export and + dh param cache files every day. + + debian/slapd.README.Debian: add note that we use GNUTLS rather + than OpenSSL. + + -- Roland Bauerschmidt <rb@debian.org> Mon, 26 Jul 2004 18:41:23 +0200 + +openldap2 (2.1.30-2) unstable; urgency=low + + * Roland Bauerschmidt <rb@debian.org> + + debian/slapd.scripts-common: add missing space before ! + Closes: #251036, #253633, #257513. + * Torsten Landschoff <torsten@debian.org> + + Applied patch by Ralf Hack to support non-standard config file + location in /etc/default/slapd (closes: #229195). + + Applied patch to fix handling of abandoned commands + (closes: #254183). Thanks to Peter Marschall for submitting it. + + Applied patch to fix memory leak after search (closes: #254184). + Thanks again, Peter! + + Applied trivial patch to support logging to DAEMON facility + as well as LOCAL* (closes: #254186). Here you are, Peter ;) + + -- Roland Bauerschmidt <rb@debian.org> Fri, 09 Jul 2004 15:56:06 +0200 + +openldap2 (2.1.30-1) unstable; urgency=low + + * Torsten Landschoff <torsten@debian.org>: + + debian/control: Have slapd conflict with libltdl3 version 1.5.4-1 + as with that version loading of .so files is broken which breaks + slapd (closes: #249152). + + Applied patch to fix Perl backend (closes: #245347). Kudos + to Peter Marschall. + + debian/configure.options: Enable building of Perl backend. + + * Roland Bauerschmidt <rb@debian.org> + + debian/slapd.templates: replace 'domain' with 'DNS domain name' + which is little more specific + + debian/slapd.config: check if the domain has a valid syntax to + prevent slapadd from failing. Closes: #235749. + + New upstream version with fix for NS-MTA-MD5 hash length + checking. Closes: #226583. + + -- Torsten Landschoff <torsten@debian.org> Mon, 24 May 2004 23:33:21 +0200 + +openldap2 (2.1.29-2) unstable; urgency=low + + * Roland Bauerschmidt <rb@debian.org> + + debian/rules: Revert change to install ldapadd as symlink. + Somehow, with that change, ldapadd didn't get installed at all. + Closes: #243537. + + -- Roland Bauerschmidt <rb@debian.org> Tue, 13 Apr 2004 19:49:55 +0200 + +openldap2 (2.1.29-1) unstable; urgency=low + + * Stephen Frost <sfrost@debian.org> + + libraries/gnutls.c: Generate and store RSA/DH parameters, + based off a patch by Petr Vandrovec (though changed alot). + Closes: #234639, #234593 + + * Roland Bauerschmidt <rb@debian.org> + + Merged new upstream release. + + debian/slapd.prerm: add #DEBHELPER# token. + + debian/control: have slapd depend on debconf (>= 0.5) to ensure + it supports the seen flag. + + debian/rules: ldapadd is installed as a hardlink to ldapmodify; + use a symlink instead. + + debian/slapd.{scripts-common,postinst,preinst,config}: Add new + function read_slapd_conf that evaluates include statements. + + -- Torsten Landschoff <torsten@debian.org> Mon, 12 Apr 2004 15:27:55 +0200 + +openldap2 (2.1.26-1) unstable; urgency=low + + * Torsten Landschoff <torsten@debian.org>: + + Merged new upstream release. + + debian/slapd.templates (slapd/purge_database): Set default value to + false. + + debian/slapd.config (manual_configuration_wanted): Don't exit + from the script directly if the user wants to configure + slapd manually (exit 0 -> return 0). + + Build-depend on libgnutls10-dev instead of libgnutls7-dev and + rebuild (closes: #233833). + + Move previous content of /var/lib/ldap away during creation of + an initial directory (closes: #228886, #233512). + + debian/slapd.postrm: Remove flag files in /var/lib/slapd on purge. + + Removed functionality (verbose error messages) from gnutls.c until + it compiled with libgnutls10-dev :-(( + + debian/slapd.postinst: Overwrite existing /etc/ldap/slapd.conf (only + reached during initial installation/dpkg-reconfigure). + + -- Torsten Landschoff <torsten@debian.org> Mon, 23 Feb 2004 09:36:32 +0100 + +openldap2 (2.1.25-1) unstable; urgency=low + + * Roland Bauerschmidt <rb@debian.org>: + + New upstream version. + - Build against libdb4.2. Hopefully, this resolves the BDB + lock ups when configured improperly. + + debian/control: Have ldap-utils depend on the same version of + libldap2, and libldap2 conflict with ldap-utils (<= 2.1.23-1). + Closes: #216661. + + debian/slapd.{templates,config}: Check if there are slave + databases in slapd.conf lacking an updateref option, and warn + about it. Closes: #216797. + + debian/slapd.{templates,config,postinst,conf}: Ask which + database backend to use (BDB or LDBM). + + debian/slapd.README.Debian: cleanup + + servers/slapd/back-bdb/dbcache.c: Turn off subdatabases. This + is an incompatible database format change, but according to + Howard Chu "using them (subdatabases) is known to cause deadlocks + on multiprocessor machines, among other issues." + + debian/control: add Recommends: db4.2-util to slapd + + debian/control: add Recommends: libsasl2-modules to slapd and + ldap-utils. Closes: #224058. + + debian/slapd.{scripts-common,preinst,postinst}: Extended dump + and restore code to deal with different versions for different + backends. + + debian/control: Geez, centipede seems to have vanished a long + time ago. So don't claim it's included in the slapd package. + + debian/slapd.docs: created with servers/slapd/back-sql/ + rdbms_depends. Closes: #225807. + + * Torsten Landschoff <torsten@debian.org>: + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd as it's useful without slapd as well (closes: #228705). + + debian/control: Make ldap-utils Replaces: slapd < 2.1.25 because + of that change. + + debian/control: Use libdb4.2-dev instead of libdb4.1-dev as a + number of problems seem to be related to DB 4.1. + + -- Torsten Landschoff <torsten@debian.org> Fri, 6 Feb 2004 20:48:22 +0100 + +openldap2 (2.1.23-1) unstable; urgency=low + + * Roland Bauerschmidt <rb@debian.org>: + + New upstream version. + + Applied fix for admin password breakage from Michael Beattie + <mjb@debian.org>. Closes: #214270. + + Added Dutch Debconf template translation by cobaco@linux.be. + Closes: #215373. + + Bumped Standards-Version (no changes needed). + + * Torsten Landschoff <torsten@debian.org>: + + debian/move_files: Install slappasswd into ldap-utils instead + of slapd (closes: #228705). + + -- Roland Bauerschmidt <rb@debian.org> Sat, 18 Oct 2003 19:56:54 +0200 + +openldap2 (2.1.22-3) unstable; urgency=low + + * Call perl -w to run debian/dh_installscripts-common. Closes: #214054. + + -- Roland Bauerschmidt <rb@debian.org> Sat, 4 Oct 2003 14:22:11 +0200 + +openldap2 (2.1.22-2) unstable; urgency=high + + * Stephen Frost <sfrost@debian.org> + + servers/slapd/daemon.c: Apply patch from head for select handling. + + debian/rules: Fix build options to optimize correctly and to use + DEB_BUILD_OPTIONS (Policy, 10.1). Closes: #202306 + + debian/slapd.conf: Add in ACL for root DSE explicitly. + + debian/slapd.init: Add --oknodo in stop_slurpd. Closes: #202592 + + debian/rules: Need quotes around $(CFLAGS) on configure line. + + debian/slapd.init: Remove \'s before quotes around pidfile. + + debian/slapd.init: Add support for -h slapd flag. Closes: #201991 + + debian/slapd.default: Add variable $SLAPD_SERVICES for slapd -h. + + libraries/libldap/tls.c: Apply patch from asuffield in #202741 to + fix subjectAltName usage. Closes: #202741 + + * Torsten Landschoff <torsten@debian.org>: + + Fix invocation of "head" in maintainer scripts and replace usage of + [ foo -a bar ] by [ foo ] && [ bar ] (closes: #203292). + + debian/slapd.postrm: Small cleanup, only remove the directory, not + the backups, on purge. + + debian/rules: Don't run the upstream install target if we did not + rebuild the whole tree. Makes debugging maintainer script much more + tolerable. + + debian/slapd.config: Cleaned up and restructured for readability. + + debian/slapd.templates: Replaced the invalid_suffix template with + invalid_config which is more general and can be used for any + inconsistency in the initial configuration. + + debian/slapd.postinst: Rewritten to eliminate all that spaghetti. + Did not yet implement all old features again... + - Now the #DEBHELPER# part is always reached so that the daemon + will be restarted even if no automatic configuration is wanted + (closes: #204008). + + Fixed the undefined symbols in libldap_r.so.2 (closes: #195990). + | configure.in: Try -lpthread before -pthread to link the thread + library. libtool does not pass -pthread through, -lpthread seems + to work though. + | libraries/libldap_r/Makefile.in: Add $(LTHREAD_LIBS) to + UNIX_LINK_LIBS so that pthread is linked when creating a shared library + as well. + + * Roland Bauerschmidt <rb@debian.org>: + + debian/configure.options: change --localstatedir=/var/lib to + --localstatedir=/var/run. Since localstatedir isn't used anywhere + in the code, except for the ldapi socket (and examples in the + manpages which are correct at the moment anyway), all this change + does should be changing the default location of the ldapi socket + from /var/lib/ldapi to /var/run/ldapi. Closes: #160965. + + libraries/libldap/tls.c: In get_ca_list, walk through CACERTDIR + manually if building against GNUTLS (since there is no equivalent + to SSL_add_dir_cert_subjects_to_stack). Closes: #205609. + + debian/slapd.preinst: create /var/backups/ldap/$oldver with + permissions 0700. Also change permissions for /var/backups/ldap + to 0700 if it already exists. Closes: #209019. + + Added Japanese translation of Debconf templates by Kenshi Muto + <kmuto@debian.org>. Closes: #210731. + + debian/slapd.{postinst,preinst,config}: Replaced duplicate + implementations of the same functions with one version and moved + those into debian/slapd.scripts-common which will be included by + debian/dh_installscripts-common. + + debian/slapd.preinst: before dumping the database, check if the + backend is supported + + debian/slapd.postinst: + - add -q to grep call for allow bind_v2 + - readded pre-2.1 (woody) upgrade path (that is, dumping, fixing + and reimporting the database) + + -- Roland Bauerschmidt <rb@debian.org> Fri, 3 Oct 2003 15:35:29 +0200 + +openldap2 (2.1.22-1) unstable; urgency=low + + * Stephen Frost <sfrost@debian.org>: + + New upstream version (minor changes). + + debian/control: Change build-deps to autoconf2.13, Closes: #201482 + + debian/rules: Add dh_compress -i for binary-indep. + + debian/slapd.postinst: Give variable for read (avoids bashism). + + configure/.in: Use upstream's version of back-meta/back-ldap fix. + + -- Stephen Frost <sfrost@debian.org> Wed, 16 Jul 2003 08:42:23 -0400 + +openldap2 (2.1.21-2) unstable; urgency=low + + * Stephen Frost <sfrost@debian.org>: + + debian/slapd.preinst: slapcat here if possible, if slapcat not + available then slapcat in postinst. Also remove old unused + function. + + debian/slapd.postinst: Check if slapcat in preinst worked and use + those results in preference. Also moved to using /var/backups/ldap. + + servers/slapd/daemon.c: Provide more information on socket/bind + failures. Patch submitted upstream. Closes: #94967. + + ./configure, ./configure.in: Fix check for back_ldap in back_meta. + back_ldap now included as module. back_ldap and back_meta appear + to load fine, though order may matter. Closes: #196995. + + debian/control: Add versioned Depends on perl, need recent version + for migration script. + + debian/slapd.{pre,post}inst: Allow for whitespace in postinst + before database definitions + + debian/control: Drop the libldap2-dev Depends that aren't actually + necessary. + + debian/slapd.preinst: Add create_sed_script to create the script to + deal with multi-line commands in slapd.conf. Modify things to use + sed script to preprocess slapd.conf before using it. Remove + support for whitespace preceeding commands. + + debian/slapd.postinst: Add create_sed_script here too and modify + everything to use it as necessary. Also change everything to + reference $SLAPD_CONF instead of /etc/ldap/slapd.conf everywhere. + Remove support for whitespace preceeding commands. + + debian/slapd.postinst: Removed all tabs. Changed all sed scripts + to used [:space:] instead of [space tab]. + + debian/slapd.postinst: Removed debugging statements from ldap_v2 + support handling code. + + debian/slapd.preinst: Changed to use mktemp for sed script. + + debian/slapd.postinst: Changed to use mktemp for sed script. + + debian/slapd.config: If no hostname set just use debian.org. + + contrib/ldapc++/config.{sub,guess}: Resync back to upstream, no + reason not to, we don't even build this stuff... + + debian/control: Change build-depends to libgnutls7-dev instead of + libssl-dev. + + debian/rules: Now run autoconf && autoheader to pick up on the + configure.in changes needed for GNU TLS. + + debian/copyright: Added Steve Langasek (SL) copyright statement. + + Patch from Steve Langasek for GNU TLS support, Closes: #198553 + | include/ldap_pvt_gnutls.h: Added for GNU TLS + | configure.in: Now uses GNU TLS where available. + | servers/slapd/schema_init.c: Modified for GNU TLS- some functions + removed because GNU TLS layer does not support them yet. + | build/install-sh: Added for new autoconf. + | libraries/libldap/Makefile.in: Changed to compile GNU TLS portions. + | libraries/libldap/getdn.c: Stub function added, GNU TLS layer does + not support TLS certificates for authentication yet. + | libraries/libldap/tls.c: Now calls GNU TLS functions instead of + OpenSSL. + | libraries/libldap/gnutls.c: Added to support GNU TLS in place of + OpenSSL for TLS connections. + | libraries/libldap_r/Makefile.in: Changed to compile GNU TLS portions. + + debian/slapd.postinst: remove temp file if upgrading or doing a + reconfigure but the OLDSUFFIX and basedn match so that we do not + move an empty file overtop of slapd.conf. Closes: #190797. + + debian/slapd.init: Inform user when not starting slapd due to + no configuration file found. Deals with users who select to not + configure slapd during installation. + + debian/slapd.init: Removed cat <<-EOF and got rid of associated + tabs; best to not depend on tab vs. space distinction. + + debian/slapd.config: Change debconf question names to be fully + qualified in the $var from the for loop- organization is under + shared/ and domain is under slapd/, not both under slapd/. + + debian/slapd.postrm: Can not depend on debconf being around in + postrm so check before attempting to source it. Also protect + against failure from db_get. + + debian/slapd.postinst: Check for old directory and move it out + of the way if it exists on new configure or reconfigure. + + debian/slapd.postinst: Fix db_input's for error messages, + should be high priority and need to || true them. + + debian/slapd.postinst: Do not error exit once we've told the + user about the problem, if there was one, with slapcat/slapadd. + + debian/slapd.postinst: Make sure we get the organization before + we attempt to fix_ldif on old slapcat output. Default to unknown + if the organization is not set. + + debian/slapd.postinst: Be sure that slapd has been stopped before + attempting to fix and slapadd old slapcat. + + debian/slapd.postinst: Do not use --exec with s-s-d in postinst. + + debian/slapd.postinst: grep calls need to be || true'd when no + matching lines found is possible (this case is handled). + + debian/slapd.postinst: Be very sure slapd has stopped before + attempting to upgrade database. + + debian/slapd.preinst: Use either the pidfile or exec if pidfile + is not available when stopping. Do not put \"\" around pidfile. + Use $oldver instead of $2. + + debian/slapd.config: Reask questions on a reconfigure. Use the + same logic as slapd.postinst for when to ask questions regarding + the db. Be sure to db_go after db_input's. + + debian/slapd.templates: Fix allow_bind_v2 short description to + make more sense since the default is off. + + debian/slapd.preinst: Use perl instead of sed for handling conf. + + debian/slapd.postinst: Use perl instead of sed for handling conf, + use old sed method to insert \n's, user invoke-rc.d when slapd + needs to be stopped. Assume preinst shuts slapd down for upgrade. + + debian/slapd.postinst: Only stop slapd on reconfigure. + + * Torsten Landschoff <torsten@debian.org>: + + doc/man/man8/slapd.8: Refer to slapd.conf(5) for a description of + the debugging level (closes: #176980). + + debian/move_files: Kill of the static archives of our backend + modules as they are of absolutely no use. + + * Steve Langasek <vorlon@debian.org>: + + debian/slapd.postinst: Add a new function, get_database_list, that + prints out the list of configured databases from slapd.conf + one row at a time. Move all of the upgrade handling into a + loop, and iterate through the configured databases. Since the + while loop is in fact a subshell, be sure to handle errors + correctly. We also have to look at the configured directory + for each database, instead of assuming /var/lib/ldap. + Closes: #190155, #190156. + + debian/slapd.preinst: Simplify the handling of error status: if + the slapcat fails, just remove the ldif file. Also, add the + suffix to the name of the output file, and add the + get_database_list function here as well. + + * Roland Bauerschmidt <rb@debian.org>: + + debian/rules: call dh_makeshlibs with -plibldap2 rather than just + with libldap2 + + debian/slapd.postinst: Add question about no configuration. + + debian/slapd.templates: Add template for no config question. + + debian/slapd.templates: Add template for invalid suffix. + + debian/slapd.config: Add no configuration option. Closes: #87986 + + debian/slapd.config: Complain to the user on invalid domain/org. + + -- Stephen Frost <sfrost@debian.org> Tue, 15 Jul 2003 12:37:05 -0400 + +openldap2 (2.1.21-1) unstable; urgency=low + + * Torsten Landschoff <torsten@debian.org>: + + Merged new upstream release. + + * Stephen Frost <sfrost@debian.org>: + + debian/control: Add libbind-dev and bind-dev to the conflicts for + slapd, the libs in them can end up being used even when not + compiled against causing getaddrinfo() to fail. Closes: #166777 + + debian/copyright: Flush out the copyright file to include all found + copyrights and updates to those. + + debian/copyright: Add clarification of MA license + + debian/copyright: Add clarification of JC license + + debian/slapd.templates: More clearly inform users of important + config change. Closes: #194192. + + debian/control: Remove patch from build-depends (dpkg-dev depends on it) + + debian/fix_ldif: Correctly handle base64-encoded DNs. Closes: #197014. + + debian/slapd.templates: Added templates for asking about LDAPv2 support + and telling the user of slapcat/slapadd failures during upgrade. + + debian/slapd.postinst: Added support for adding LDAPv2 support + + debian/slapd.postinst: Modified to handle slapcat/slapadd failure. + In the event of an upgrade failure the database will be left untouched + and the user notified. Closes: #192431 + + debian/slapd.postinst: Use ldif_dump_location in more places... + + debian/slapd.prerm: Check if upgrade failed and assume bad old init.d + script was used and attempt to shut down slapd with --oknodo in case + slapd isn't running. Closes: #193854. (Again) + + debian/slapd.conf: Add commented out allow line + + debian/rules: Tell dh_installinit to not touch slapd.prerm now. + + debian/slapd.postinst: Do a dry-run with slapadd first and check if + that worked or not. If it did not work then tell the user, otherwise + do a real slapadd which should work. + + debian/slapd.postinst: Make sure slapd is stopped before doing + slapadd/slapcat's and the like. (Note: The woody version does not + stop slapd). Closes: #189777. + + debian/slapd.postinst: Check if directories exist before attempting + to mkdir them. Closes: #189947 + + debian/slapd.README.debian: Add note about runlevel issue. + Closes: #175736 + + debian/move_files: Copy ldiftopasswd into /usr/share/slapd for users + to use, if they find it useful. Closes: #94963. + + debian/slapd.README.Debian: Added note about ldiftopasswd. + + * Roland Bauerschmidt <rb@debian.org>: + + debian/slapd.postinst: fixed typos and check for the existence of + slapd.conf before reading it. + + -- Torsten Landschoff <torsten@debian.org> Thu, 19 Jun 2003 17:35:32 +0200 + +openldap2 (2.1.17-3) unstable; urgency=low + + * Stephen Frost <sfrost@debian.org>: + + debian/slapd.init: Add --oknodo for stopping slapd. Closes: #192423, #193854. + + debian/slapd.init: Change START_SLURPD to SLURPD_START. Closes: #190724. + + debian/libldap2.shlibs: Bump to 2.1.17- 2.1.12 never hit the archive. + These should only be bumped when new symbols are added so we should + figure out a way to handle checking that. + + debian/slapd.dirs: Added /var/run/slapd for pidfile + + debian/slapd.conf: Moved pidfile to /var/run/slapd; Needed if running + non-root. + + debian/slapd.conf: Clean up config file, be more explicit about what + directives are 'general', 'backend', and 'database'. Moved and + commented out 'replogfile' since it is database specific, wasn't doing + anything where it was and use of it depends on slurpd usage. + I consider this solving #151511 since we don't ask if you want to use + replication anymore anyway. Closes: #151511 + + debian/copy_slapd_dev_files: Added to copy the include files for + building slapd back-ends. + + debian/control: Add warning about libslapd2-dev + + debian/control: Add build-depend on po-debconf for dh_installdebconf + + debian/slapd.default: Add option for settings SLAPD_CONF file + + debian/slapd.init: Changed to use SLAPD_CONF, setting it to + /etc/ldap/slapd.conf if it is not specified. Closes: #91318 + + debian/control: Added libslapd2-dev to control file. Closes: #192163. + + debian/rules: Added binary-indep to the binary: build line and flushed + it out to build the libslapd2-dev deb. Added -k to dh_clean since we're + building arch and indep debs now. + + Maintainer upload, acknowledge NMU. Closes: #98039. + + Add debian/po/fr.po from 194740. Closes: #194740 + + Add space before ']' on line 113 of postinst. Closes: #194192, #194943 + + * Torsten Landschoff <torsten@debian.org>: + + debian/control: Enforce libldap2 to be the same version as slapd + as slapd (legitimately) uses internal functions of that library + (closes: #190164). + + debian/slapd.postinst: Fix the regexp for finding the database + definitions. + + * Steve Langasek <vorlon@debian.org>: + + debian/slapd.preinst: don't use debconf or ldapsearch in the + preinst, as this is a policy violation (even if a previous + version was installed, it could've been removed-but-not-purged). + Closes: #189811, #195029. + + debian/slapd.{pre,post}inst: dump & fix up the directory in the + postinst, not in the preinst -- using slapcat/slapadd, not + ldapmodify. This ensures that the dump will succeed whenever the + database is present, rather than depending on access to an admin + dn. Closes: #190085. + + debian/fix_ldif, debian/move_files, debian/copyright: add Dave + Horsfall's dn-fixing script, to handle objectClass upgrading + + debian/slapd.postinst: Skip the duplicate prompting for the + organization name; we're guaranteed to always have one. + + -- Torsten Landschoff <torsten@debian.org> Fri, 6 Jun 2003 16:56:16 +0200 + +openldap2 (2.1.17-2) unstable; urgency=low + + * The who-says-slavery-is-dead upload. + * Steve Langasek <vorlon@debian.org>: + + debian/slapd.postinst: Fix the database regexp. + + debian/slapd.postinst: Only add moduleload lines *once* on upgrade + from 2.0. Wrap the backup code with a check for + /var/lib/slapd/upgrade_2.0, to guarantee idempotency. + Closes: #190401. + + debian/slapd.{config,templates,postinst}: On dpkg-reconfigure, + don't wipe out an existing config; only merge in any requested + changes. Also, prompt before wiping out the existing db. + Closes: #190799. + + debian/slapd.{postinst,examples},debian/rules: Move slapd.conf + from doc/slapd/examples to /usr/share/slapd, per policy. + + debian/slapd.postinst: make sure slapd.conf is always created + atomically. + + debian/slapd.postrm: If removing databases on package purge, + remove any database backups as well. + + * Torsten Landschoff <torsten@debian.org>: + + debian/configure.options: Disable ACIs because they are still + experimental. + + debian/control: Change section and priority of libldap2-dev to + libdevel and extra respectively (dinstall message). + + debian/slapd.preinst: Only query the object classes of the root + dn if there was no error parsing the config. + + Update templates for po-debconf using the patch submitted by + Andre Luis Lopes (closes: #189933). + + Use [[:space:]] instead of [\t ] in sed invocations since the + latter does not seem to work (reported by Daniel Lutz). + + debian/control: Add Replaces: entry for openldapd since ldif.5.gz + was included in the potato package of that name (closes: #190660). + + debian/control: Tighten the build dependency on libtldl3-dev as + versions before 1.4.3 required the .la file for dynamic binding + (thanks to Josip Rodin for pointing this out). + + -- Torsten Landschoff <torsten@debian.org> Sat, 19 Apr 2003 02:28:32 +0200 + +openldap2 (2.1.17-1) unstable; urgency=low + + * New upstream release. + * Torsten Landschoff <torsten@debian.org>: + + debian/slapd.init: Improve the error reporting. If nothing is output + by the failing command don't leave the user alone but print a hint + to look into the logfile etc. + + debian/control: Require at least version 2.1.3 of libsasl2-dev + as this is what the configure script checks for. Pointed out by + Norbert Tretkowski. + + debian/slapd.{pre,post}inst: Small cleanups, added some comments, + adapted for the removal of the .la files in slapd package. + + -- Torsten Landschoff <torsten@debian.org> Sat, 19 Apr 2003 01:59:26 +0200 + +openldap2.1 (2.1.16-1) unstable; urgency=low + + * New upstream release. + + build/top.mk: Remove patch to omit "-static" at linking time. Upstream + now respects the --enable-shared flag used at configuration time. + + debian/slapd.postinst: Automagically add the module load directives + after upgrade as needed. + + debian/slapd.config: + - Only ask questions to create a new directory on fresh install. + - Ask wether the right modules should automatically be loaded in + slapd.conf. + + debian/slapd.templates: Add the templates for autoloading modules + and fixing the directory. + + debian/slapd.preinst: New script to support upgrading from 2.0. + The old prerm did not stop the daemon so we have to do it here. + Also a first attempt to fix broken LDAP directories not acceptable + to 2.1. + - Conditionally load debconf when upgrading as it only has to + be available in that case. + + debian/slapd.preinst: Dump database before upgrade. + + debian/slapd.postinst: Recreate database from dump after upgrade. + Move old database out of the way. + + * Roland Bauerschmidt <rb@debian.org> + + debian/slapd.README.Debian: mention that backend database modules are + now compiled as shared objects + + * Stephen Frost <sfrost@debian.org> + + debian/slapd.conf: Drop the '.la' file extension + + debian/move_files: Drop and rm the .la files, they aren't necessary. + + debian/slapd.README.Debian: Dropped the .la from the module_load line. + + servers/slapd/daemon.c: check slapd_srvurls is not NULL before + deref; included in upstream CVS. + + servers/slapd/back-*/init.c: Change the munged symbol names to + init_module, they do not need to be munged, and cause problems when + they are and not using .la files (which cause other problems) + + servers/slapd/module.c: Change to use lt_dlopenext() so we don't + need the .la files + + -- Torsten Landschoff <torsten@debian.org> Wed, 26 Mar 2003 20:34:35 +0100 + +openldap2.1 (2.1.12-1) experimental; urgency=low + + * Initial release of OpenLDAP 2.1 packages. Closes: #167566, #178014. + - this includes support for the >= and <= operators. Closes: #159078. + - fixes various upstream bugs. Closes: #171008. + + * Torsten Landschoff <torsten@debian.org> + - debian/check_config: Added script to check if OpenLDAP was configured + the way we want it. + - Don't build special TLS packages anymore - SSL is enabled in the + stock ldap library. Everything else will just give me more headaches. + - Build against libsasl2 instead of libsasl1. Closes: #176462. + - debian/control: + - Build-depend on debhelper 4.0 as debian/rules uses DH_COMPAT=4. + - Depend on coreutils | fileutils. Closes: #175704, #185676. + - Make libldap2 conflict with libldap2-tls which is obsolete now. + - debian/rules: Move the long list of configure options to a new + file debian/configure.options and read $(CONFIG) from that file. + - configure with --enable-aci. Closes: #101602. + - debian/slapd.init: Rewrite and add comments. + - Add support for running as non-root (closes: #111765, #157037). + - servers/slapd/main.c (main): Remove pid file on exit (closes: #162284). + - servers/slurpd/slurp.h: Change the default spool directory to + /var/spool/slurpd (avoids passing it via -t in init.d). + - servers/{slapd,slurpd}/Makefile.in: Install binaries into sbindir + instead of libexecdir. + - debian/control: Add Stephen Frost to the Uploaders field. Thanks + for your help, Stephen! + - contrib/ldapc++/config.{guess,sub}: Replaced with current files from + autotools-dev (lintian). Not actually neccessary since this part of + the package is not currently built but I think this is the best way + to shut up lintian :) + - build/mod.mk: Use -m 644 instead of -m 755 in installing shared + libraries. Shared libraries should not be marked as executable + (lintian). + - debian/libldap2.conffiles: Remove, since we are using version 4 + of debhelper which tags everything in /etc as conffile by default. + - debian/rules: Change the mode of everything upstream installed into + /etc to 0644 as required by policy (lintian). + - debian/rules: Call dh_installdeb later in the binary target so that + the conffiles are already there for listing. Without this nothing in + /etc gets tagged as conffile... (lintian). + - debian/rules: Pass the start and stop priority of slapd to + dh_installinit in preparation for a postinst supported by debhelper. + - debian/rules: Call dh_installdirs again. + - Rewrite slapd.config, slapd.postinst, slapd.templates - a first try + in getting slapd to configure itself. Way to go. + + * Roland Bauerschmidt <rb@debian.org> + - debian/control: + - build-depend on libdb4.1-dev instead of libdb4.0-dev + - conflict, replace, and provide libldap2-tls (libldap2) + - removed ldap-gateways binary package + - drop suggestion to obsolete openldap-guide. Closes: #171894, #146968. + - debian/rules: + - build with BDB backend + - run dh_installdeb + - only run dh_makeshlibs for libldap2 + - debian/slapd.dirs: added to create /var/lib/ldap and /var/spool/slurpd + - debian/slapd.postinst: + - properly remove temporary files on errors. Closes: #160412. + - install init.d link if slapd.conf already exists. Closes: #159542. + - run db_stop even if package isn't configured for the first time. This + prevents hanging during upgrades. + - added debian/slapd.default and use it from debian/slapd.init. + Closes: #160964, #176832. + - added debian/slapd.README.Debian + - added versioned dependency on coreutils to make lintian quiet. + - added debian/slapd.postrm + - remove slapd.conf when package is purged + - remove /var/lib/ldap when slapd/purge_database is true + - remove /etc/ldap/schema if empty. Closes: #185173. + - debian/templates: added slapd/purge_database template + - build/top.mk: link against libcrypt before other SECURITY_LIBS + - debian/libldap2.shlibs: tighten dependencies. Closes: #181168. + + * Stephen Frost <sfrost@debian.org> + - debian/control: added libltdl2-dev and libslp-dev to the build-depends + - Correct typo for back-sql init routine; already in OpenLDAP upstream + CVS + - Correct free of SASL interact results; already in OpenLDAP upstream CVS + - Duplicate the DN from SASL to ensure '\0' termination; already in + OpenLDAP upstream CVS + - debian/control: added Replaces: slapd (<< 2.1) for ldap-utils due to + ldif.5 move. + - Add modulepath /usr/lib/ldap to default slapd config + - Add moduleload back_bdb to default slapd config + - Changed libexecdir to ${prefix}/lib + - Add usr/lib/ldap to slapd portion of move_files + - Modified backend types to be built as modules for dynamic loading + - Fixed pt_BR translation + + -- Roland Bauerschmidt <rb@debian.org> Sat, 15 Mar 2003 21:35:24 +0100 + +openldap2 (2.0.27-3) unstable; urgency=high + + * [SECURITY]: Apply the patch used by SuSE in SuSE-SA:2002:047 + (or rather the parts of it not yet included upstream). + + -- Torsten Landschoff <torsten@debian.org> Fri, 20 Dec 2002 04:47:15 +0100 + +openldap2 (2.0.27-2) unstable; urgency=low + + * debian/control: Make libldap2-dev depend on libssl-dev and + libsasl-dev, since those libs are pulled via the libldap.la file + (closes: #164791). + * debian/control: Add shlibs:Depends to libldap2-tls as well. Most + of those depends are pulled via libldap2 but of course libssl + is not among those. (closes: #169950). + * debian/libldap2-tls: Remove old divertions on "configure" and not + on "upgrade" - the latter is not really called. + + -- Torsten Landschoff <torsten@debian.org> Fri, 22 Nov 2002 00:35:29 +0100 + +openldap2 (2.0.27-1) unstable; urgency=low + + * New upstream release. + + -- Torsten Landschoff <torsten@debian.org> Wed, 6 Nov 2002 01:12:06 +0100 + +openldap2 (2.0.23-14) unstable; urgency=low + + * debian/rules: Remove search paths from .la files using some perl + trickery (closes: #110479). + * debian/libldap2.README.debian: Document the NSS problem which stops /usr + from being unmounted cleanly when using libnss-ldap (for more info + see bug#159771). + + * Started cleaning up the maintainer scripts: + - Remove creation of the /usr/doc symlinks (lintian). + - Don't run ldconfig in prerm scripts (lintian). + + -- Torsten Landschoff <torsten@debian.org> Mon, 30 Sep 2002 12:10:05 +0200 + +openldap2 (2.0.23-13) unstable; urgency=low + + * As Ashley Clark found out the preinst of libldap-tls fails for a new + install. My fault - I did not check that (removing ldap is cumbersome + if you are using it... :) and the scripts were only checked without + "set -e" in effect. + + debian/libldap2-tls.preinst: Apply Ashley's patch (thanks a lot, + Ashley. closes: #162123). + + Coincidently the other installation scripts seem to be okay, the + failing command is in the middle of a pipe and therefore ignored. + + -- Torsten Landschoff <torsten@debian.org> Tue, 24 Sep 2002 12:56:18 +0200 + +openldap2 (2.0.23-12) unstable; urgency=low + + * Apply the patch from upstream ITS#2012 to support MD5 hashes. Problem + is that OpenSSL comes with its own version of the crypt() function + which is linked in instead of the system's version from libcrypt. + The patch changes the link order so that slapd takes the system's + implementation. + * debian/rules: Pass --enable-crypt-first to configure to enable the + patch (closes: #160763). + * Fix the diversion handling of libldap2-tls: + - preinst: Only install diversions that are not there. + - postrm: Remove this package's diversions. + - postinst: Remove obsolete diversions after upgrade. + - Removal of diversions is done in reverted order of the installation. + + * Enable DNSSRV support as requested by Turbo. No Kerberos for now, sorry. + * debian/control: Updates Standards-Version to 3.5.7 and fix running + of ldconfig in maintainer scripts. + + -- Torsten Landschoff <torsten@debian.org> Mon, 23 Sep 2002 12:18:40 +0200 + +openldap2 (2.0.23-11) unstable; urgency=low + + * debian/rules: Build with --with-tls (closes: #80591, #155937). + * debian/control: + + Add build dependency on libssl-dev. + + Specify Roland Bauerschmidt as co maintainer. + * Added the trickery to have libldap2 without TLS and libldap2-tls + with the TLS stuff. Otherwise we have to change the base system, + and god knows how long that would take. + + Most of the changes done by Roland Bauerschmidt. We now build the + source two times - with and without ssl. We mostly use the ssl enabled + stuff with the exception of a libldap2 package which does not have + support for that. If you need TLS support you have to install + libldap2-tls, which diverts the libraries from libldap2 out of the + way and replaces them with the TLS enabled version. + + -- Torsten Landschoff <torsten@debian.org> Thu, 29 Aug 2002 13:35:39 +0200 + +openldap2 (2.0.23-10) unstable; urgency=low + + * debian/control: Build depend on libdb4.0-dev instead of libdb3-dev. + This should fix the index corruption problems (closes: #152959). + + -- Torsten Landschoff <torsten@debian.org> Sun, 18 Aug 2002 19:47:02 +0200 + +openldap2 (2.0.23-9) unstable; urgency=low + + * debian/slapd.init: Wait for the daemons to actually terminate for + the stop action (which is used for restart) and trap all errors + (closes: #148033). + * debian/rules: Build with -D_FILE_OFFSET_BITS=64 to support files + bigger than 2GB on all architectures (closes: #155197). As off_t is + about never used in the source that should not create any problems. + * debian/control: Make libldap2-dev depend on libsasl-dev + (closes: #135223, #96957). + * doc/man/man1/ldapmodify.1: Fix typo (closes: #105905). + * debian/rules: Create symlinks for some manpages (closes: #99547). + * Fix spelling error in description of ldap-gateways (closes: #124859). + * debian/copyright: Include the full content of the LICENSE file + (closes: #151222). + + -- Torsten Landschoff <torsten@debian.org> Thu, 8 Aug 2002 15:54:46 +0200 + +openldap2 (2.0.23-8) unstable; urgency=low + + * New maintainer. + * debian/control: Build-Conflict with libbind-dev to use the right + resolver library everywhere (closes: #112459). Of course, the + real solution must be to fix the configure script to not detect + libbind-dev and use the right resolver all the time. But a work around + is better than nothing I would say... + + -- Torsten Landschoff <torsten@debian.org> Wed, 7 Aug 2002 14:53:39 +0200 + +openldap2 (2.0.23-7) unstable; urgency=low + + * Add Brazilian translation for debconf templates. Closes: Bug#114021 + * Fix hostless LDAP URLs, patch from Lamont Jones. Closes: Bug#140387 + + -- Wichert Akkerman <wakkerma@debian.org> Sat, 4 May 2002 20:05:32 +0200 + +openldap2 (2.0.23-6) unstable; urgency=high + + * Make slapd.config idempotent, so that calling it once (during + preconfiguration) and again (during postinst) doesn't break things. + Patch from Anthony Towns. Closes: Bug#137552). + + -- Wichert Akkerman <wakkerma@debian.org> Sun, 14 Apr 2002 19:10:50 +0200 + +openldap2 (2.0.23-5) unstable; urgency=high + + * Fix slurpd invocation in slapd.init. Closes: Bug#141959 + * Ask for admin DN when using LDIF initialization as well. + Lets hope this finally Closes: Bug#137552 + * Merge German translation for debconf templates. Closes: Bug#141712 + * Add Build-Depends on debconf-utils since we use debconf-mergetemplate + * Remove bogus error from slapd.init. Closes: Bug#137718 + + -- Wichert Akkerman <wakkerma@debian.org> Tue, 9 Apr 2002 14:49:27 +0200 + +openldap2 (2.0.23-4) unstable; urgency=high + + * Only show already-configured note on initial installs. Closes: Bug#137100 + * Supply -t option to slurpd when starting it, not when stopping it. + Closes: Bug#136240 + * Use db_input instead of db_get for notes in the slapd postinst. + * Only fetch password from debconf when not using ldif initialization. + Closes: Bug#138558,#137552 + * Check if slapd.conf exists in slapd postinst. Closes: Bug#138136 + + -- Wichert Akkerman <wakkerma@debian.org> Sat, 6 Apr 2002 23:02:42 +0200 + +openldap2 (2.0.23-3) unstable; urgency=high + + * If can not get a password for the admin entry when installing slapd + generate one randomly. Closes: Bug#134774 + * Bump shlibs dependency to 2.0.23 + + -- Wichert Akkerman <wakkerma@debian.org> Thu, 21 Feb 2002 23:23:57 +0100 + +openldap2 (2.0.23-2) unstable; urgency=high + + * Create /var/spool/slurpd and tell slurpd to use that as temporary + directory. Closes: Bug#134564 + * Improve debconf prompts a bit. Closes: Bug#134945 + * Properly set default value for domain + * Clear crypted password from debconf after creating the LDAP directory + + -- Wichert Akkerman <wakkerma@debian.org> Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.23-1) unstable; urgency=high + + * Upstream updated config.{guess,sub} so we are back to zero patches + again. + * Apply fix from Klaus Duscher for the missing password problem: the + config script did not check if it was run twice without slapd.conf + being generated in between and would abort with a missing password + error. Closes: Bug#132566 + * Change slapd priority for boot sequence to start earlier and stop + later so people can use LDAP for NSS purposes. Closes: Bug#130277 + + -- Wichert Akkerman <wakkerma@debian.org> Sun, 17 Feb 2002 16:07:18 +0100 + +openldap2 (2.0.22-2) unstable; urgency=low + + * Update config.{guess,sub} again. Closes: Bug#131469 + + -- Wichert Akkerman <wakkerma@debian.org> Thu, 7 Feb 2002 22:33:01 +0100 + +openldap2 (2.0.22-1) unstable; urgency=low + + * New upstream version + * Build properly as non-native package + + -- Wichert Akkerman <wakkerma@debian.org> Wed, 6 Feb 2002 00:17:20 +0100 + +openldap2 (2.0.21-3) unstable; urgency=high + + * Add logic to config and postinst to configure replication as well + * Don't fail in slapd postinst if we can't stop slapd. Closes: Bug#131617 + * Change localstatedir to /var/lib + * Remove /var/lib/ldap when purging slapd + * Don't remove user-supplied ldif file after creating the directory + * Set default replogfile + * Fix typo in severity for no_password note + * Encrypt admin password and remove it from the debconf database + + -- Wichert Akkerman <wakkerma@debian.org> Thu, 31 Jan 2002 17:03:36 +0100 + +openldap2 (2.0.21-2) unstable; urgency=medium + + * Update config.{guess,sub} and forwarded upstream (ITS#1567). + Closes: Bug#131469 + * Remove -x from slapd postinst. Closes: Bug#131502 + + -- Wichert Akkerman <wakkerma@debian.org> Wed, 30 Jan 2002 10:53:45 +0100 + +openldap2 (2.0.21-1) unstable; urgency=high + + * New upstream version, + * Update copyright + * Update config.guess and config.sub + * Redone packaging, no more dbs or debhelper + * Drop all patches, they are either unnecessary or alternatives have + been made upstream + + -- Wichert Akkerman <wakkerma@debian.org> Tue, 29 Jan 2002 17:04:10 +0100 + +openldap2 (2.0.14-1) unstable; urgency=high + + * New upstream version, which includes a billion second bug. + Closes: Bug#111833 + * Drop 005_libldbm_dbopen, upgrading the database in place no longer works + with the new db-env code. + * Redo 008_porting_maxpathlen + + -- Wichert Akkerman <wakkerma@debian.org> Sat, 15 Sep 2001 13:39:46 +0200 + +openldap2 (2.0.11-2) unstable; urgency=low + + * Test if /etc/init.d/slapd is executable when purging slapd. + Closes: Bug#100938 + * Update 008_porting_maxpathlen. Closes: Bug#100584 + * Don't use four11 as referral example anymore. Closes: Bug#99998 + * Fix synopsis of slapindex manpage. Added to 002_man_fixes. + Closes: Bug#98805 + * Removed stray backup file from 002_man_fixes + + -- Wichert Akkerman <wakkerma@debian.org> Tue, 19 Jun 2001 01:01:17 +0200 + +openldap2 (2.0.11-1) unstable; urgency=low + + * New upstream version + * Add autoconf to Build-Depends. Closes: Bug#99440 + * Fix new db upgrade patch. Closes: Bug#98853 + + -- Wichert Akkerman <wakkerma@debian.org> Sun, 3 Jun 2001 00:25:47 +0200 + +openldap2 (2.0.10-2) unstable; urgency=low + + * Tighten shlibs dependency to >= 2.0.1-1. Closes: Bug#98683 + + -- Wichert Akkerman <wakkerma@debian.org> Fri, 25 May 2001 16:32:35 +0200 + +openldap2 (2.0.10-1) unstable; urgency=low + + * New upstream version + * New maintainer + * Remove useless LINE_WIDTH bit from patch 000_clients + * Patch 004_ssl_fix has been merged upstream, removed + * Redo 005_db3_upgrade + * Rediff all other patches + + -- Wichert Akkerman <wakkerma@debian.org> Thu, 24 May 2001 14:56:02 +0200 + +openldap2 (2.0.7-6) unstable; urgency=low + + * Make sure autoconf is run if configure.in is changed (for Hurd patch), + closes: #96145 + * Fix slapd.postinst in the case of using an ldif file, closes: #95600 + * Use a var for slapd.conf in slapd init script. Partially fixes bug + 91318. + * Fixed hurd patch for strrchr in replog.c, closes: #93605 + + -- Ben Collins <bcollins@debian.org> Mon, 7 May 2001 23:00:27 -0400 + +openldap2 (2.0.7-5) unstable; urgency=low + + * Fixed db3 upgrade code, closes: #92331, #92916 + * m68k should compile fine with db3 now, closes: #90165 + * Included provided patch for Hurd compilation, closes: #88079 + + -- Ben Collins <bcollins@debian.org> Wed, 4 Apr 2001 17:46:47 -0400 + +openldap2 (2.0.7-4) unstable; urgency=low + + * slapd.conf is no longer a conffile, and not provided by the package. + Instead, it is only generated. closes: #81359 + * Fixed by previous upload, closes: #71852, #78950, #82491 + * Actually install the netscape schema, closes: #90323 + * Add comment to README.Debian about being compiled with libwrap, + closes: #84954 + * Provide example sasl config file, closes: #90855 + * Conflict replace openldap-utils (ldap-utils), and libopenldap-dev + (libldap2-dev), closes: #71471 + * Revert to using some code to upgrade previous db's. Remove slapd's dep + on db3-util, and remove postinst code that upgrades the db's. + + -- Ben Collins <bcollins@debian.org> Sat, 24 Mar 2001 21:59:20 -0500 + +openldap2 (2.0.7-3) unstable; urgency=low + + * netscape-profile.schema: new schema for old roaming support + * 004_ssl_fix.diff: Fix for SSL support (not compiled in, but some + people use it). + * slapd.config: FINALLY fix the "dc=" base bug. + * Build-Depend on libdb3-dev now that it is available. + * Now that we use db3, make sure we upgrade existing databases to the + db3 format with db3_upgrade. + + -- Ben Collins <bcollins@debian.org> Sun, 11 Mar 2001 23:36:34 -0500 + +openldap2 (2.0.7-2) unstable; urgency=low + + * slapd.postinst: fix debhelper wraper so it gets the right @argv, + closes: #71854 + * sendmail appears to be compiled against glibc2.2/libdb2 now, + closes: #71602 + * %strace ldapsearch cn=admin | & grep /etc | grep ldap + open("/etc/ldap/ldap.conf", O_RDONLY) = 3 + closes: #71716 + * ldap_first_attribute.3: s/ber_free(3)/ber_free/. closes: #76719 + * init.d/slapd: fix reference to pidfile, and also remove the pidfile + after killing the daemon, closes: #77633, #77635 + * Fix fgets buffer size thinko in slurpd. closes: #78003 + * slapd.8: s/ldap.h/slapd.conf(5)/. closes: #80457 + + -- Ben Collins <bcollins@debian.org> Sun, 31 Dec 2000 00:02:46 -0500 + +openldap2 (2.0.7-1) unstable; urgency=low + + * New upstream + * Removed hack for shlibs now that dpkg 1.7 is available, added dpkg-dev + 1.7.1 to build-depends. + * start using DH_COMPAT=2 + + -- Ben Collins <bcollins@debian.org> Fri, 10 Nov 2000 18:53:25 -0500 + +openldap2 (2.0.2-2) unstable; urgency=low + + * Recompile against libdb2/glibc 2.1.94/sasl + + -- Ben Collins <bcollins@debian.org> Wed, 27 Sep 2000 11:31:59 -0400 + +openldap2 (2.0.2-1) unstable; urgency=low + + * New upstream version, includes some patches from me that fix some + stability issues + * debian/control:Build-Depends: change libwrap-dev to libwrap0-dev for + clarity, closes: #71366 + * debian/rules: make sure mail500 docs do not get installed under bogus + subdirs, closes: #71473 + * debian/README.build,debian/scripts/dbs-build.mk: Fix and document + build system better, closes: #71584 + * debian/local/slapd.conf: Setup default ACL's to work with openldap2 + correctly, closes: #71127, #71131 + * debian/README: document how to access OpenLDAP 1 servers via + ldap-utils, closes: #71469 + * debian/rules:CFLAGS: add -I/usr/include/db2 to make sure we get the + right <db.h> header, closes: #71470 + * I cannot reproduce this. In debian/rules I have done exactly what is + needed to keep it from happening, and sparc, i386 and powerpc builds + do not show it, closes: #71472 + + -- Ben Collins <bcollins@debian.org> Wed, 13 Sep 2000 22:32:35 -0400 + +openldap2 (2.0.1-2) unstable; urgency=low + + * Fixed up depend for libldap2 on itself + + -- Ben Collins <bcollins@debian.org> Wed, 6 Sep 2000 13:24:06 -0400 + +openldap2 (2.0.1-1) unstable; urgency=low + + * New upstream version + * Added libsasl-dev to build-deps, closes: #70923 + + -- Ben Collins <bcollins@debian.org> Tue, 5 Sep 2000 06:49:05 -0400 + +openldap2 (2.0-1) unstable; urgency=low + + * Initial release of OpenLDAP 2 test code + + -- Ben Collins <bcollins@debian.org> Tue, 29 Aug 2000 14:28:39 -0400 |