summaryrefslogtreecommitdiffstats
path: root/debian/changelog
blob: 50e401a9f397cc430ea0dd51fe3d07422dbd52a2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
openldap (2.4.57+dfsg-3+deb11u1) bullseye-security; urgency=high

  * Fix SQL injection in back-sql (ITS#9815) (CVE-2022-29155)

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 14 May 2022 11:32:57 -0700

openldap (2.4.57+dfsg-3) unstable; urgency=medium

  * Link smbk5pwd with -lkrb5. (Closes: #988565)

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 15 May 2021 16:03:34 -0700

openldap (2.4.57+dfsg-2) unstable; urgency=medium

  * Fix slapd assertion failure in Certificate List Exact Assertion validation
    (ITS#9454) (CVE-2021-27212)

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 14 Feb 2021 09:26:41 -0800

openldap (2.4.57+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Fixed slapd crashes in Certificate Exact Assertion processing
      (ITS#9404, ITS#9424) (CVE-2020-36221)
    - Fixed slapd assertion failures in saslAuthzTo validation
      (ITS#9406, ITS#9407) (CVE-2020-36222)
    - Fixed slapd crash in Values Return Filter control handling
      (ITS#9408) (CVE-2020-36223)
    - Fixed slapd crashes in saslAuthzTo processing
      (ITS#9409, ITS#9412, ITS#9413)
      (CVE-2020-36224, CVE-2020-36225, CVE-2020-36226)
    - Fixed slapd assertion failure in X.509 DN parsing
      (ITS#9423) (CVE-2020-36230)
    - Fixed slapd crash in X.509 DN parsing (ITS#9425) (CVE-2020-36229)
    - Fixed slapd crash in Certificate List Exact Assertion processing
      (ITS#9427) (CVE-2020-36228)
    - Fixed slapd infinite loop with Cancel operation
      (ITS#9428) (CVE-2020-36227)

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 23 Jan 2021 08:57:07 -0800

openldap (2.4.56+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Fixed slapd abort due to assertion failure in Certificate List syntax
      validation (ITS#9383) (CVE-2020-25709)
    - Fixed slapd abort due to assertion failure in CSN normalization with
      invalid input (ITS#9384) (CVE-2020-25710)

 -- Ryan Tandy <ryan@nardis.ca>  Wed, 11 Nov 2020 09:13:56 -0800

openldap (2.4.55+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Fixed slapd normalization handling with modrdn
      (ITS#9370) (CVE-2020-25692)

 -- Ryan Tandy <ryan@nardis.ca>  Tue, 27 Oct 2020 21:07:29 -0700

openldap (2.4.54+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Change upstream Homepage and get-orig-source URLs to HTTPS.
  * Create debian/gbp.conf.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 18 Oct 2020 16:03:46 +0000

openldap (2.4.53+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Ryan Tandy <ryan@nardis.ca>  Mon, 07 Sep 2020 09:47:28 -0700

openldap (2.4.51+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Add ldap_parse_password_expiring_control to libldap-2.4-2.symbols.
  * Merge some changes from Ubuntu:
    - slapd.default, slapd.README.Debian: update to refer to slapd.d instead
      of slapd.conf.
    - debian/slapd.scripts-common: dump_databases: make slapcat_opts a local
      variable.
  * Drop paragraph about patch gnutls-altname-nulterminated (#465197) from
    slapd.README.Debian. The patch referred to was dropped in 2.4.7-6.
  * debian/patches/set-maintainer-name: Extract maintainer address dynamically
    from debian/control. (Closes: #960448)
  * Fix Torsten's email address in a historic debian/changelog entry to
    resolve a Lintian error (bogus-mail-host-in-debian-changelog).
  * Rename debian/source.lintian-overrides to debian/source/lintian-overrides.
    Fixes a Lintian pedantic tag (old-source-override-location).
  * Override Lintian pedantic tag maintainer-manual-page for
    slapo-pw-pbkdf2.5, which will be included upstream in a future release.
  * Remove the trailing whitespaces from debian/changelog, debian/control, and
    debian/rules. Fixes a Lintian pedantic tag (trailing-whitespace).
  * Convert debian/po/de.po to UTF-8. Fixes a Lintian warning
    (national-encoding).
  * Relax libldap's dependency on libldap-common to Recommends.
    This is intended to mitigate the impact of bug #915948 in the case where
    the arch:all build is delayed for so long that the old libldap-common
    disappears. Previously, a delayed arch:all build could become
    BD-Uninstallable if new amd64 binaries were published before the arch:all
    build starts, due to the transitive build-dependency on libldap.
    Although libldap works fine without libldap-common, in normal
    installations it is still recommended to install libldap-common.
  * Append a timestamp to the backup directory created by dpkg-reconfigure.
    (Closes: #599585, #960449)
  * Remove the redundant cn=admin,<suffix> entry from the default DIT for new
    installs. For new installs going forward, the root credentials will be
    stored in olcRootDN/olcRootPW only. (Closes: #821331)
  * Change slapd's Suggests: ldap-utils to Recommends. While any LDAP client
    suffices, ldap-utils contains the standard tools recommended by upstream
    for basic administration and management.
  * Relax Recommends: libsasl2-modules to Suggests on slapd and ldap-utils.
    Many deployments do not use SASL at all, and therefore SASL mechanisms are
    not needed "in all but unusual installations".

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Aug 2020 11:09:57 -0700

openldap (2.4.50+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Fixed slapd to limit depth of nested filters
      (ITS#9202) (CVE-2020-12243)
    - Drop patches included upstream: argon2.patch, ITS#9171, ITS#8650.
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #958869)

 -- Ryan Tandy <ryan@nardis.ca>  Tue, 28 Apr 2020 10:18:12 -0700

openldap (2.4.49+dfsg-4) unstable; urgency=medium

  * Annotate libsodium-dev dependency with <!pkg.openldap.noslapd>.
    Thanks to Helmut Grohne. (Closes: #955993)
  * Add the man page for the Argon2 password module.
    Thanks to Peter Marschall. (Closes: #955977)
  * Build the Argon2 password module with libargon2-dev instead of
    libsodium-dev. Rationale:
    - libargon2 contains the specific functionality needed; libsodium is a
      larger library and contains many features not used here
    - libsodium does not support configuring the p= (parallelism) parameter
  * Import upstream patch to properly retry gnutls_handshake() after it
    returns GNUTLS_E_AGAIN. (ITS#8650) (Closes: #861838)
  * Update the Argon2 password module to upstream commit feb6f21d2e.

 -- Ryan Tandy <ryan@nardis.ca>  Tue, 14 Apr 2020 21:33:16 -0700

openldap (2.4.49+dfsg-3) unstable; urgency=medium

  * Drop patch no-AM_INIT_AUTOMAKE. Instead, configure dh_autoreconf to skip
    automake by setting AUTOMAKE=/bin/true. (Closes: #864637)
  * debian/patches/debian-version: Show Debian version, instead of upstream
    version, in version strings.
  * Add ${perl:Depends} to slapd Depends to silence a dpkg-gencontrol warning.
    This is practically a no-op since slapd explicitly Depends on perl because
    of the maintainer scripts.
  * Import the Argon2 password module from upstream git and install it in
    slapd-contrib. New Build-Depends: libsodium-dev. (Closes: #920283)

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 04 Apr 2020 10:43:56 -0700

openldap (2.4.49+dfsg-2) unstable; urgency=medium

  * slapd.README.Debian: Document the initial setup performed by slapd's
    maintainer scripts in more detail. Thanks to Karl O. Pinc.
    (Closes: #952501)
  * Import upstream patch to fix slapd crashing in certain configurations when
    a client attempts a login to a locked account.
    (ITS#9171) (Closes: #953150)

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 05 Mar 2020 12:59:46 -0800

openldap (2.4.49+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Drop patch no-gnutls_global_set_mutex, applied upstream.
  * When validating the DNS domain chosen for slapd's default suffix, set
    LC_COLLATE explicitly for grep to ensure character ranges behave as
    expected. Thanks to Fredrik Roubert. (Closes: #940908)
  * Backport proposed upstream patch to emit detailed messages about errors in
    the TLS configuration. (ITS#9086) (Closes: #837341)
  * slapd.scripts-common: Delete unused copy_example_DB_CONFIG function.
  * Remove debconf support for choosing a database backend. Always use the
    LMDB backend for new installs, as recommended by upstream.
  * Remove the empty olcBackend section from the default configuration.
  * Remove the unused slapd.conf template from /usr/share/slapd. Continue
    shipping it as an example in /usr/share/doc/slapd.
  * Fix a typo in index-files-created-as-root patch.
    Thanks to Quanah Gibson-Mount.
  * Annotate slapd's Depends on perl with :any. Fixes installation of
    foreign-arch slapd. Thanks to Andreas Hasenack.
  * Rename 'stage1' build profile to 'pkg.openldap.noslapd'.
    Thanks to Helmut Grohne. (Closes: #949722)
  * Drop Build-Conflicts: libicu-dev as upstream's configure no longer tests
    for or links with libicu.
  * Note ITS#9126 recommendation in slapd.NEWS.
  * Update Standards-Version to 4.5.0; no changes required.

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 06 Feb 2020 10:08:12 -0800

openldap (2.4.48+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - fixed slapd to restrict rootDN proxyauthz to its own databases
      (CVE-2019-13057) (ITS#9038) (Closes: #932997)
    - fixed slapd to enforce sasl_ssf ACL statement on every connection
      (CVE-2019-13565) (ITS#9052) (Closes: #932998)
    - added new openldap.h header with OpenLDAP specific libldap interfaces
      (ITS#8671)
    - updated lastbind overlay to support forwarding authTimestamp updates
      (ITS#7721) (Closes: #880656)
  * Update Standards-Version to 4.4.0.
  * Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so
    that systemd marks the service as dead after it crashes or is killed.
    Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343)
  * Use more entropy for generating a random admin password, if none was set
    during initial configuration. Thanks to Judicael Courant.
    (Closes: #932270)
  * Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog
    with variables provided by dpkg-dev includes.
  * Declare R³: no.
  * Create a simple autopkgtest that tests installing slapd and connecting to
    it with an ldap tool.
  * Install the new openldap.h header in libldap2-dev.

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 25 Jul 2019 08:32:00 -0700

openldap (2.4.47+dfsg-3) unstable; urgency=medium

  * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
    individually in the relevant command lines instead of overriding OPT. The
    change to use OPT caused FTBFS on some ports arches where PIE enablement
    uses spec files, by mixing compile-time and link-time flags.
    (Closes: #919136)
  * Fix architecture-specific path in smbk5pwd's binary-or-shlib-defines-rpath
    Lintian override.
  * Skip exporting cn=config to LDIF in preinst for upgrades where nothing
    needs to be checked in it.
  * Update Standards-Version to 4.3.0.

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 02 Feb 2019 10:30:10 -0800

openldap (2.4.47+dfsg-2) unstable; urgency=medium

  * Reintroduce slapi-dev binary package. (Closes: #711469)
    Thanks to Florian Schlichting.
  * Do not call gnutls_global_set_mutex(). (Closes: #803197)
  * Use dh_auto_* to build and install contrib modules.
    - Stop patching the clean rule in smbk5pwd's Makefile.
  * Explicitly list overlays and man pages installed by slapd package in
    slapd.install and slapd.manpages files.
  * Set common variables for contrib Makefiles by make(1) command line instead
    of patching every Makefile.
  * Build and install more contrib plugins in a new slapd-contrib package:
    - pw-apr1 and pw-netscape (Closes: #592362)
    - pw-pbkdf2 (Closes: #794999)
  * Import the slapo-pw-pbkdf2 man page from upstream git master and install
    it with the slapd-contrib package.
  * Add smbk5pwd to slapd-contrib and turn slapd-smbk5pwd into a transitional
    package. Drop smbk5pwd README since it now has a man page which is a
    better resource for users.
    - Use Breaks to ensure that slapd is not upgraded in between removing the
      old smbk5pwd module and installing the new one.
  * Include the apr1-atol.pl and apr1-lota.pl helper scripts in the
    slapd-contrib package as examples.
  * Merge remaining contrib Makefile patches into a single contrib-makefiles
    patch.

 -- Ryan Tandy <ryan@nardis.ca>  Sat, 12 Jan 2019 11:18:03 -0800

openldap (2.4.47+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - reverted GnuTLS handshake change in libldap as it regressed slapd
      (Reopens: #861838)
  * Update Standards-Version to 4.2.1.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Dec 2018 12:50:40 -0800

openldap (2.4.46+dfsg-5) unstable; urgency=medium

  * Restore slapd-smbk5pwd now that libldap is installable in unstable.
    This reverts the changes from -3 and -4.

 -- Ryan Tandy <ryan@nardis.ca>  Fri, 04 May 2018 16:12:27 -0700

openldap (2.4.46+dfsg-4) unstable; urgency=medium

  * Disable building the smbk5pwd plugin temporarily.

 -- Ryan Tandy <ryan@nardis.ca>  Fri, 04 May 2018 08:06:58 -0700

openldap (2.4.46+dfsg-3) unstable; urgency=medium

  * Build without heimdal temporarily to resolve BD-Uninstallable loop.

 -- Ryan Tandy <ryan@nardis.ca>  Fri, 04 May 2018 07:36:58 -0700

openldap (2.4.46+dfsg-2) unstable; urgency=medium

  * Remove version constraint from libldap-2.4-2 dependency on libldap-common.

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 03 May 2018 14:16:49 -0700

openldap (2.4.46+dfsg-1) unstable; urgency=medium

  * Move the repository to Salsa.
    Update debian/control Vcs-* fields.
  * Remove Matthijs Möhlmann from Uploaders. (Closes: #891308)
    Thank you Matthijs for your past contributions.
  * New upstream release.
    - fixed slapd out-of-sync issue with delta-MMR and memberof overlay
      (ITS#8444) (Closes: #877166)
  * Rebase patch no-AM_INIT_AUTOMAKE to apply cleanly.
  * Drop patch ITS8650-retry-gnutls_handshake-after-GNUTLS_E_AGAIN, applied
    upstream.
  * Really fix upgrades when the config contains backslash-escaped special
    characters. The previous fix was incomplete and didn't fully fix upgrades
    involving a database reload. (Closes: #864719)
  * Update Standards-Version to 4.1.4.
    - Change the Priority of libldap-2.4-2 and libldap-common to optional.
  * Change download URL in debian/watch to https. Fixes a Lintian info.
  * Override the binary-or-shlib-defines-rpath Lintian tag for slapd-smbk5pwd.
    The rpath is set by krb5-config.heimdal; see bug #868840.

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 03 May 2018 07:03:30 -0700

openldap (2.4.45+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - fixed a use-after-free in GnuTLS options handling
      (ITS#8385) (Closes: #820244) (LP: #1557248)
    - fixed unsafe concurrent SASL calls causing memory corruption
      (ITS#8648) (Closes: #860947) (LP: #1688575)
    - fixed syncrepl infinite looping with multi-master delta-syncrepl
      (ITS#8432) (Closes: #868753)
  * Rebase patches to apply cleanly:
    - do-not-second-guess-sonames
    - no-AM_INIT_AUTOMAKE
  * Drop patches applied upstream:
    - ITS-8554-kFreeBSD-is-like-BSD.patch
    - ITS-8644-wait-for-slapd-to-start-in-test064.patch
    - ITS-8655-paged-results-double-free.patch
  * Upgrade to debhelper compat level 10.
    - Depend on debhelper 10.
    - Stop enabling parallel and autoreconf explicitly. They are now enabled
      by default.
    - Drop dh-autoreconf from build-depends since debhelper requires it.
  * Add -Wno-format-extra-args to CFLAGS to reduce the noise in the build
    logs, as this warning is emitted on each use of the Debug() macro.
  * Drop libldap-2.4-4-dbg and slapd-dbg binary packages in favour of
    automatic dbgsym packages.
  * Update Standards-Version to 4.0.0; no changes required.
  * Drop Priority and Section from binary package stanzas when they only
    duplicate information from the source stanza.
  * Update Priority of slapd-smbk5pwd and libldap2-dev to optional to match
    the archive.
  * Remove retired developer, Roland Bauerschmidt, from Uploaders.
    (Closes: #856422)
  * Remove Timo Aaltonen from Uploaders, with his agreement.
  * debian/patches/ITS8650-retry-gnutls_handshake-after-GNUTLS_E_AGAIN.patch:
    If gnutls_handshake() returns EAGAIN, call it again. Fixes TLS handshake
    failures when the ServerHello message exceeds 16K.
    (ITS#8650) (Closes: #861838)
  * Drop time from Build-Depends. The upstream testsuite no longer calls it.

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 27 Jul 2017 18:04:41 -0700

openldap (2.4.44+dfsg-8) unstable; urgency=medium

  * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
    the underlying kernel bug #866122 is fixed.
  * Fix FTBFS with Heimdal 7.2.0: Drop patch heimdal-fix as the
    hdb_generate_key_set_password change was reverted in heimdal. Depend on an
    appropriate minimum version of heimdal.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Jul 2017 12:57:41 -0700

openldap (2.4.44+dfsg-7) unstable; urgency=medium

  * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
    later versions. (Closes: #860774)

 -- Ryan Tandy <ryan@nardis.ca>  Tue, 27 Jun 2017 18:53:12 -0700

openldap (2.4.44+dfsg-6) unstable; urgency=medium

  * Update the list of non-translatable strings for the
    slapd/ppolicy_schema_needs_update template. Thanks Ferenc Wágner.
  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

 -- Ryan Tandy <ryan@nardis.ca>  Mon, 26 Jun 2017 19:42:02 -0700

openldap (2.4.44+dfsg-5) unstable; urgency=medium

  * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an
    intermittently failing test by waiting for slapd to start before running
    tests. (ITS#8644) (Closes: #770890)
  * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
    in the MDB backend on a search including the Paged Results control with a
    page size of 0. (ITS#8655) (CVE-2017-9287) (Closes: #863563)

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 May 2017 09:59:46 -0700

openldap (2.4.44+dfsg-4) unstable; urgency=medium

  * Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to
    Justin B Rye for the review.
  * Update Catalan debconf translation. (Closes: #851905)
    Thanks to Innocent De Marchi.
  * Update Czech debconf translation. (Closes: #852190)
    Thanks to Miroslav Kure.
  * Update Danish debconf translation. (Closes: #850859)
    Thanks to Joe Dalton.
  * Update German debconf translation. (Closes: #851480)
    Thanks to Helge Kreutzmann.
  * Update Basque debconf translation. (Closes: #850812)
    Thanks to Iñaki Larrañaga Murgoitio.
  * Update French debconf translation. (Closes: #852459)
    Thanks to Jean-Pierre Giraud.
  * Update Italian debconf translation. (Closes: #852074)
    Thanks to Luca Monducci.
  * Update Japanese debconf translation. (Closes: #851457)
    Thanks to Kenshi Muto.
  * Update Dutch debconf translation. (Closes: #852405)
    Thanks to Frans Spiesschaert.
  * Update Brazilian Portuguese debconf translation. (Closes: #852443)
    Thanks to Adriano Rafael Gomes.
  * Update Russian debconf translation. (Closes: #850833)
    Thanks to Yuri Kozlov.
  * Update Slovak debconf translation. (Closes: #850796)
    Thanks to Ivan Masár.
  * Update Swedish debconf translation. (Closes: #851168)
    Thanks to Martin Bagge.
  * Update Turkish debconf translation. (Closes: #851470)
    Thanks to Atila KOÇ.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Build-Depends on debhelper to ensure shlibs files are installed at
    the expected time during build. (Closes: #854158)
  * Update Portuguese debconf translation. (Closes: #859943)
    Thanks to Rui Branco and DebianPT.
  * Dump the configuration and databases to LDIF before removing slapd, so
    that they are available if a newer version requiring migration is
    installed later. (Closes: #665199)
  * When creating a new configuration with dpkg-reconfigure, back up the old
    configuration before overwriting it.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 16 Apr 2017 20:10:43 -0700

openldap (2.4.44+dfsg-3) unstable; urgency=medium

  * Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394)
  * Restore heimdal support to the smbk5pwd overlay.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 01 Jan 2017 19:47:36 -0800

openldap (2.4.44+dfsg-2) unstable; urgency=medium

  [ Ryan Tandy ]
  * Update Standards-Version to 3.9.8; no changes required.
  * Enable dh_makeshlibs for libldap-2.4-2. Remove libldap-2.4-2.postinst, now
    replaced by the automatic ldconfig trigger.
  * Don't execute slapd's override_dh_install when building only
    arch-independent packages. (Closes: #845506)
  * Override lintian false positives on slapd.README.Debian,
    slapd-smbk5pwd.postinst, and slapd-smbk5pwd triggering ldconfig.
  * Perform permissions changes in override_dh_fixperms instead of in
    override_dh_install.
  * Remove manual chmod of schema files since dh_fixperms sets correct
    permissions automatically.
  * Fix slapd-smbk5pwd failing to upgrade when there are no instances of the
    overlay configured.

  [ Helmut Grohne ]
  * Fix FTCBFS: Pass CC to make explicitly. (Closes: #839251)

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 01 Dec 2016 19:40:20 -0800

openldap (2.4.44+dfsg-1) unstable; urgency=medium

  [ Ryan Tandy ]
  * New upstream release.
    - Fixed ppolicy not unlocking policy entry after initialization failure
      (ITS#7537) (Closes: #702414)
  * Drop ITS8240-remove-obsolete-assert.patch, included upstream.
  * Update debian/schema/ppolicy.schema to add the pwdMaxRecordedFailure
    attribute.
  * Update libldap-2.4-2.symbols with new ldap_build_*_req symbols.
  * Mark the build target in debian/rules as phony, since the upstream source
    includes a build/ directory.
  * Correct the list of files to be cleaned for the pw-sha2 contrib module.
  * Fix a typo (slpad -> slapd) in the Catalan debconf translation.
  * Disable OpenSLP support and remove libslp-dev from Build-Depends.
    (Closes: #815364)
  * Ensure /var/run/slapd exists when starting slapd, even if the pid file is
    somewhere else. Thanks to Dave Beach for the report. (Closes: #815571)
  * Create the pidfile directory when starting slapd, but not when running the
    init script in other modes.
  * Remove support for enabling the obsolete LDAPv2 protocol via debconf.
  * debian/copyright: Update the OpenLDAP copyright and license.
  * debian/control: Update VCS URIs to the modern canonical form.
  * Override Lintian errors about schema files derived from RFC documents.
    Copyrightable content has been removed from these files; however, the
    copyright notices have been retained to preserve attribution.
  * On upgrade, if the cn=config database contains the ppolicy schema, add the
    new pwdMaxRecordedFailure attribute to it.
  * Add debian/patches/set-maintainer-name to omit the builder's username and
    working directory from version strings and thereby make the build
    reproducible. Thanks to Daniel Shahaf for the patch. (Closes: #833179)
  * Build smbk5pwd without Kerberos support and drop the build-dependency on
    heimdal. (Closes: #836885)
  * On upgrade, comment the krb5 setting on any instances of the smbk5pwd
    overlay in slapd.conf. Require cn=config users to disable krb5 manually
    before upgrading.

  [ Helmut Grohne ]
  * Fix policy 8.2 violation (Closes: #330695)
    + Move /etc/ldap/ldap.conf and manpage to new package libldap-common.

 -- Ryan Tandy <ryan@nardis.ca>  Mon, 14 Nov 2016 18:59:30 -0800

openldap (2.4.42+dfsg-2) unstable; urgency=medium

  [ Ryan Tandy ]
  * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as
    recommended by lintian.
  * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile.
    This allows the dependency loop with heimdal to be broken for
    bootstrapping, and the dependency on libperl-dev to be avoided for
    cross-building. Thanks Daniel Schepler and Helmut Grohne.
    (Closes: #724518)
  * Apply wrap-and-sort to the Build-Depends field.
  * Drop libncurses5-dev from Build-Depends, no longer needed since the ud
    tool was removed in OpenLDAP 2.1.4.
  * Drop libltdl3-dev as an alternate Build-Depends, since that package was
    removed after lenny.
  * Annotate Build-Depends on perl with :any to allow running the system perl
    interpreter during cross builds.
  * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne.
  * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for
    restriction formula support.
  * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is
    actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a
    false positive; see #687022.
  * Include the smbk5pwd man page in the slapd-smbk5pwd package.
  * Allow anonymous read access to the shadowLastChange attribute by default,
    allowing nss-ldap/nss-ldapd to handle password expiry correctly even when
    bound anonymously. This was the only restricted shadow attribute, the
    others were already world-readable. (Closes: #669235)
  * Drop the redundant default ACL for dn.base="" from the database entry.
    It's already covered by the fallback case below.
  * Copy more comments from the slapd.conf template to slapd.init.ldif. Also
    comment the shadowLastChange access rule.
  * Import upstream patch to remove an unnecessary assert(0) that could be
    triggered remotely by an unauthenticated user by sending a malformed BER
    element. (ITS#8240) (CVE-2015-6908) (Closes: #798622)

  [ Peter Marschall ]
  * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
    install the new manual page. (Closes: #794998)

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 10 Sep 2015 20:13:17 -0700

openldap (2.4.42+dfsg-1) unstable; urgency=medium

  [ Peter Marschall ]
  * slapd.scripts-common:
    - Use update_permissions instead of direct calls to chown and chgrp.
    - Make variables only used within a function local to that function.
    - Restore databases ordered by increasing suffix path length.
      This should help configurations with databases glued together using the
      'subordinate' keyword / 'olcSubordinate' attribute in slapd's
      configuration.
    (Closes: #794996)
  * Install slapo-lastbind.5 man page. (Closes: #794997)

  [ Ryan Tandy ]
  * slapd.scripts-common: Delete an outdated comment.
  * New upstream release.
  * Enable the MDB backend again on GNU/kFreeBSD. The new pthread library
    provides all the required interfaces, and the test suite now passes.
    Leave it disabled on the Hurd. LMDB requires POSIX semaphores, which have
    not yet been implemented.
  * Disable the BDB/HDB backends on the Hurd. BDB requires record locks
    (F_SETLK), which have not yet been implemented; see #693971.

 -- Ryan Tandy <ryan@nardis.ca>  Fri, 21 Aug 2015 13:07:51 -0700

openldap (2.4.41+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Update patches for upstream changes, drop patches included upstream.
  * debian/rules: Adjust get-orig-source target to add +dfsg to version.
  * Convert to source format 3.0 (quilt).
  * debian/slapd.scripts-common: Fix nesting of fold markers.

 -- Ryan Tandy <ryan@nardis.ca>  Wed, 08 Jul 2015 21:07:24 -0700

openldap (2.4.40+dfsg-2) unstable; urgency=medium

  * Actually install libldap-2.4-2.symbols.
  * Update Standards-Version to 3.9.6.
  * Build-Depend on debhelper (>= 9) to fix a Lintian warning.
  * Import upstream patch to fix FTBFS with gcc-5. (Addresses #778045)

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 28 Jun 2015 20:40:37 -0700

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

 -- Ryan Tandy <ryan@nardis.ca>  Thu, 09 Apr 2015 08:38:38 -0700

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by certain search queries using the
    Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 08 Feb 2015 20:19:11 +0000

openldap (2.4.40-3) unstable; urgency=medium

  * Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation.
    Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation.
    Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation.
    Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation.
    Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation.
    Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation.
    Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation.
    Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation.
    Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation.
    Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation.
    Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation.
    Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation.
    Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation.
    Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation.
    Thanks to Jorge Barreiro.
  * Update Swedish debconf translation.
    Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the templates
    file.
  * Run debconf-updatepo to refresh PO files.

 -- Ryan Tandy <ryan@nardis.ca>  Sun, 23 Nov 2014 10:33:10 -0800

openldap (2.4.40-2) unstable; urgency=medium

  * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
    dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
    rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
    for example if the active backend doesn't use it. Thanks Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a
    debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

 -- Ryan Tandy <ryan@nardis.ca>  Mon, 20 Oct 2014 22:19:24 -0700

openldap (2.4.40-1) unstable; urgency=low

  [ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
      (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files
      under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
      symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they might
      contain other databases. Patch from Kenny Millington. (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same suffix,
      thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
      #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades and
    the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by
    po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration. (Closes:
    #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific
      attributes. (Closes: #761406)
    - Index some more common search attributes by default. (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification. There does not
    appear to be any copyrighted text in this file, only ASN.1 assignments and
    LDAP schema definitions. Fixes a Lintian error on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from
    duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in
    draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
    slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
    after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

  [ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
    #706123)

  [ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <akoc@artielektronik.com.tr>.
    (Closes: #661641)

 -- Ryan Tandy <ryan@nardis.ca>  Fri, 17 Oct 2014 08:19:28 -0700

openldap (2.4.39-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

 -- Michael Gilbert <mgilbert@debian.org>  Sat, 09 Aug 2014 09:26:51 +0000

openldap (2.4.39-1) unstable; urgency=low

  [ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in
    doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

  [ Russ Allbery ]
  * Remove myself from Uploaders.

  [ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him.  Thanks for
    your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess
    instances in the source, so that we can be forwards-compatible with new
    ports.  Thanks to Colin Watson <cjwatson@ubuntu.com> for the patch.
    Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for
    driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the database
    on upgrade.  Closes: #738641.

  [ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile,
    smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for
    get-orig-source.
  * source: Add lintian overrides for non-transatable internal
    templates.

 -- Steve Langasek <vorlon@debian.org>  Mon, 17 Mar 2014 15:27:31 -0700

openldap (2.4.31-1) unstable; urgency=low

  * New upstream release.
    - Fixes a denial of service attack, CVE-2012-1164, when using the rwm
      overlay.  Closes: #663644.
    - Fixes a bug with ldap_result always returning -1 when called from
      sssd.  Closes: #666230.
    - Fix a build failure on armel due to unaligned memory access.
      Closes: #677158.
  * Incorporate NMU (thanks, Julien Cristau, Mattias Ellert):
    - Disable the mdb backend on non-Linux, it looks like it doesn't work
      with linuxthreads (closes: #654824).
    - Backport fix for shell backend configuration.  Closes: #662940.

  [ Peter Marschall ]
  * debian/slapd.scripts-common: avoid grep warnings
  * debian/patches/heimdal-fix: fix arguments of
    hdb_generate_key_set_password().  Closes: #664930

  [ Steve Langasek ]
  * debian/patches/contrib-modules-use-dpkg-buildflags: pass CFLAGS to
    contrib builds.  Thanks to Simon Ruderich <simon@ruderich.org>.
    Closes: #663724.

 -- Steve Langasek <vorlon@debian.org>  Wed, 27 Jun 2012 03:27:34 +0000

openldap (2.4.28-1) unstable; urgency=low

  * New upstream release.
    - Fixes CVE-2011-4079.  Closes: #647610.
    - Fixes support for proxy authorization with SASL-GSSAPI.
      Closes: #608815.
    - Drop patch service-operational-before-detach, which came from upstream.
    - Drop patch fix-its6898-locking-issue, included upstream.
    - Refresh other patches as needed.
  * debian/slapd.scripts-common: quote the argument to slappasswd, to cope
    with shell characters in the string.  Thanks to Nicolai Ehemann
    <en@englightened.de> for the patch.  Closes: #635931.
  * Install ldif.h in libldap2-dev, now that it's been blessed upstream.
    Closes: #644985.
  * debian/patches/no-bdb-ABI-second-guessing: don't force an exact match on
    the upstream version of libdb; this is redundant with our packaging
    system, and causes spurious errors when there's a non-ABI-breaking
    BDB upstream release.  Closes: #651333.
  * Build-conflict with the ancient autoconf2.13, which is incompatible with
    dh-autoreconf.  (Maybe dh-autoreconf itself should conflict with it?)
    Closes: #651598.

  [ Updated debconf translations ]
  * Dutch, thanks to Jeroen Schot <schot@A-Eskwadraat.nl>.  Closes: #651400.

 -- Steve Langasek <vorlon@debian.org>  Thu, 05 Jan 2012 06:07:11 +0000

openldap (2.4.25-4) unstable; urgency=low

  * Drop explicit depends on libdb4.8, since we're now linking against
    libdb5.1.  Thanks to Peter Marschall for catching.  Closes: #621403
    again.
  * Rebuild against cyrus-sasl2 2.1.25.  Closes: #628237.
  * Use dh_autoreconf instead of a locally-patched autogen.sh.
  * debian/patches/no-AM_INIT_AUTOMAKE: don't use AM_INIT_AUTOMAKE macro
    when we aren't using automake.
  * Convert debian/rules to dh(1).
  * use DEB_CFLAGS_MAINT_APPEND with appropriate versioned dependency on
    debhelper and dpkg-dev, so we can pick up dpkg-buildflags for our
    policy-mandated flags - as well as our security-enhancing ones!
    Closes: #644427.
  * Also set hardening=+pie,+bindnow buildflags options for maximum
    security, since this is a security-sensitive daemon dealing with
    untrusted input.  Ubuntu has been building with these flags for a
    while via hardening-wrappers, so the change is presumed safe.
  * Drop debian/check_config.  The upstream configure script now enforces
    --with-cyrus-sasl, so there's no need for a second check.
  * debian/po/es.po: tweak an ambiguous string in the Spanish debconf
    translation, noticed in response to a submitted Catalan translation
  * debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff:
    Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
    Thanks to Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de> for the
    patch.  Closes: #327585.

  [ Updated debconf translations ]
  * Catalan, thanks to Innocent De Marchi <tangram.peces@gmail.com>.
    Closes: #644274.

 -- Steve Langasek <vorlon@debian.org>  Tue, 18 Oct 2011 01:08:34 +0000

openldap (2.4.25-3) unstable; urgency=low

  * Brown paper bag: really fix the .links.in handling, so we don't generate
    broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.

 -- Steve Langasek <vorlon@debian.org>  Mon, 15 Aug 2011 09:50:37 +0000

openldap (2.4.25-2) unstable; urgency=low

  [ Matthijs Möhlmann ]
  * Change to bdb 5.1 (Closes: #621403)
  * Add note to ldap-utils package how to unfold lines. (Closes: #530519)
    (Thanks to Peter Marschall and Javier Barroso)

  [ Steve Langasek ]
  * Acknowledge NMU for bug #596343; thanks to Thijs Kinkhorst for the fix!
  * Bump to compat level 7, so we don't have to spell out debian/tmp in
    every single .install file
  * Build for multiarch.

 -- Steve Langasek <vorlon@debian.org>  Sun, 14 Aug 2011 23:17:09 -0700

openldap (2.4.25-1.1) unstable; urgency=low

  * Non-maintainer upload to fix RC bug.
  * Fix "dpkg-reconfigure slapd". Closes: #596343

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 31 May 2011 11:57:29 +0200

openldap (2.4.25-1) unstable; urgency=low

  * New upstream version (Closes: #617606, #618904, #606815, #608813)
    - Fixes CVE-2011-1024, CVE-2011-1025, CVE-2011-1081
    - slapd server process frequently hangs during everyday usage is fixed in
      newer versions of openldap according to the bug submitter
  * Refresh all patches
  * Remove manpage-tlscyphersuite-additions, applied upstream
  * Remove issue-6534-patch, applied upstream
  * Add Slovak translation, thanks Slavko <linux@slavino.sk> (Closes: #608699)
  * Add debian specific patch for ldap.conf. Add TLS_CACERT option and set it
    by default to /etc/ssl/certs/ca-certificates.crt (Closes: #555409, #616703)
  * Add patch to fix a FTBFS with binutils-gold (Closes: #555867)
  * Add slapschema, just hardlink it (Closes: #601569)
  * Update patch service-operational-before-detach (Closes: #616164, #598361)
  * Add ldif_* symbols to libldap-2.4-2
  * Add upstream patch for a locking issue in libldap_r
  * Fix build failure, use @SHELL@ instead of hardcoded /bin/sh (build/top.mk)
    (Closes: #621925)

 -- Matthijs Möhlmann <matthijs@cacholong.nl>  Mon, 11 Apr 2011 22:10:14 +0200

openldap (2.4.23-7) unstable; urgency=low

  * Updated vietnamese translation, thanks Clytie Siddall
    (Closes: #601537, #598575)
  * Updated portuguese translation, thanks Traduz (Closes: #599760)
  * Updated danish translation, thanks Joe Dalton (Closes: #599835)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat, 06 Nov 2010 12:13:01 +0100

openldap (2.4.23-6) unstable; urgency=high

  * Check for an empty directory to prevent an rm -f /*. (Closes: #597704)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu, 23 Sep 2010 10:17:50 +0200

openldap (2.4.23-5) unstable; urgency=high

  [ Steve Langasek ]
  * High-urgency upload for RC bugfix.
  * debian/slapd.scripts-common: fix gratuitous (and wrong) use of grep in
    get_suffix(), which causes us to incorrectly parse any slapd.conf that
    uses tabs instead of spaces.  Closes: #595672.
  * debian/slapd.init, debian/slapd.scripts-common: when $SLAPD_CONF is not
    set in /etc/default/slapd, we should always set a default value, giving
    precedence to slapd.d and falling back to slapd.conf.  Users who don't
    want to use an existing slapd.d should point at slapd.conf explicitly.
    Closes: #594714, #596343.
  * debian/slapd.init: 'invoke-rc.d slapd stop' should not fail due to the
    absence of a slapd configuration; we should still exit 0 so that the
    package can be removed gracefully.  Closes: #596100.
  * drop build-conflicts with libssl-dev; we explicitly pass
    --with-tls=gnutls to configure, so there's no risk of a misbuild here.
  * debian/slapd.default: now that we have a sensible default behavior in
    both slapd.init and the maintainer scripts, leave SLAPD_CONF empty to
    save pain later.
  * debian/slapd.scripts-common: ... and do the same in
    migrate_to_slapd_d_style, we just need to comment out the user's
    previous entry instead of blowing it away.
  * debian/slapd.scripts-common: call get_suffix in a way that lets us
    separate responses by newlines, to properly handle the case when a
    DN has embedded spaces.  Introduces a few more stupid fd tricks to work
    around possible problems with debconf.  Closes: #595466.
  * debian/slapd.scripts-common: when parsing the names of includes, handle
    double-quotes and escape characters as described in slapd.conf(5).
    Closes: #595784.
  * debian/slapd.scripts-common, debian/slapd.postinst: on upgrade from
    versions <= 2.4.23-4, explicitly grant access to cn=Subschema, which
    otherwise is blocked by our added olcAccess settings.  Closes: #596326.
  * debian/slapd.init.ldif: set the acl in the default LDIF for new installs,
    too.
  * Likewise, grant access to dn.exact="" so that base dn autodiscovery
    works as intended.  Closes: #596049.
  * debian/slapd.init.ldif: synchronize our behavior on new installs with
    that on upgrades, avoiding the non-standard cn=localroot,cn=config.
  * debian/slapd.scripts-common: don't run the migration code if slapd.d
    already exists.  Closes: #593965.

  [ Matthijs Mohlmann ]
  * Remove upgrade_supported_from_backend, implemented patch from
    Peter Marschall <peter@adpm.de> to automatically detect if an upgrade is
    supported. (Closes: #594712)

  [ Peter Marschall ]
  * debian/slapd.init: correctly set the slapd.conf argument even when
    SLAPD_PIDFILE is non-empty in /etc/default/slapd.  Closes: #593880.
  * debian/slapd.scripts-common: pass -g to slapadd/slapcat, so that
    subordinate databases aren't incorrectly included in the dump/restore of
    the parent database.  Closes: #594821.

 -- Steve Langasek <vorlon@debian.org>  Mon, 13 Sep 2010 06:59:11 +0000

openldap (2.4.23-4) unstable; urgency=low

  [ Steve Langasek ]
  * Bump the database upgrade version check to 2.4.23-4; should have been
    set to 2.4.23-1 when we switched to db4.8, but was missed so we need to
    clean up.  Closes: #593550.

  [ Matthijs Mohlmann ]
  * Fix root access to cn=config on upgrades from configuration style slapd.conf
    Thanks to Mathias Gug (Closes: #593566, #593878)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu, 26 Aug 2010 20:30:51 +0200

openldap (2.4.23-3) unstable; urgency=low

  * Configure the newly installed openldap package using slapd.d instead of
    slapd.conf, merged from ubuntu. (Closes: #562723, #494155, #333428)
  * Update the debconf templates by running debconf-updatepo.
  * We do not support upgrades from older releases then lenny, so removed some
    upgrade functions from slapd.scripts-common.
  * Updated japanese translation, thanks Kenshi Muto (Closes: #589508)
  * Updated czech translation, thanks Miroslav Kure (Closes: #589569)
  * Update slapd.README.Debian and slapd.NEWS and note the new configuration
    style.
  * Fixes CVE-2010-0211 and CVE-2010-0212 (Closes: #589852)
  * Update italian translation, thanks Luca Monducci (Closes: #590154)
  * Update spanish translation, thanks Francisco Javier Cuadrado
    (Closes: #590829)
  * Update basque translation, thanks Iñaki Larrañaga Murgoitio
  * Bump Standards-Version to 3.9.1
  * Added debian specific patch to wait until slapd is operational before
    detaching to the terminal (Closes: #589915)
  * Add a lintian overrides for libldap.
  * Empty dependency_libs line in .la files. (Closes: #591550)
  * Update galician translation, thanks Jorge Barreiro (Closes: #592815)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Tue, 17 Aug 2010 22:00:16 +0200

openldap (2.4.23-2) unstable; urgency=medium

  * Depend on libdb4.8 >= 4.8.30 (Closes: #588969)
  * Urgency previous as previous version fixes a RC bug.

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Wed, 14 Jul 2010 10:17:27 +0200

openldap (2.4.23-1) unstable; urgency=low

  * New upstream version
  * Change to build dependency libdb4.8-dev instead of libdb4.7-dev
  * Updated french translation thanks Christian Perrier (Closes: #579192)
  * Updated swedish translation thanks Martin Bagge (Closes: #580145)
  * Updated german translation thanks Helge Kreutzmann (Closes: #579582)
  * Updated russian translation thanks Yuri Kozlov (Closes: #585688)
  * Fix bashisms in debian/rules (Closes: #581454)
  * Add documentation patch (Closes: #513270)
  * Refreshed all quilt patches.
  * Bump Standards-Version to 3.9.0

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 12 Jul 2010 13:25:00 +0200

openldap (2.4.21-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream version
    (Closes: #561144, #465024, #502769, #528695, #564686, #504728)
  * Add upstream manpage for ldapexop; thanks to Peter Marschall
    <peter@adpm.de>.  Closes: #549291.

  [ Matthijs Mohlmann ]
  * Ack NMU (Closes: #553432)
  * Update Standards-Version to 3.8.4
  * Fix NEWS entry to have the correct version number
  * Improve the wording for the slapd/invalid_config question (Closes: #452834)
  * Make lintian a bit more happy (Closes: #518660)
  * Fix bashism (Closes: #518657)
  * Refresh all patches
  * Add patch from upstream (Closes: #549642)
  * Reworked the configure.options a bit to include some more options
  * Enable dynamic acls
  * Use slappasswd to create a secure password (Closes: #490930)
  * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950)
  * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113)
  * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346)
  * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073)
  * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900)
  * Add lsb logging, used patch from David Härdeman (Closes: #385898)
  * Use dh_lintian to install the lintian-overrides
  * Added critical error report when slapcat fails (Closes: #226090)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu, 22 Apr 2010 23:40:30 +0200

openldap (2.4.17-2.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
    character in subject Common Name (Closes: #553432)

 -- Giuseppe Iuculano <iuculano@debian.org>  Tue, 10 Nov 2009 19:09:45 +0100

openldap (2.4.17-2) unstable; urgency=low

  * Fix up the lintian warnings:
    - add missing misc-depends on all packages
    - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
      overrides
    - bump Standards-Version to 3.8.2, no changes required.
  * slapd.scripts-common: fix upgrade to correctly handle multiple database
    declarations; thanks, Peter Marschall <peter@adpm.de>!  Closes: #517556
  * Add 'status' argument to init script; thanks to Peter Eisentraut
    <petere@debian.org>.  Closes: #545898.
  * New patch, do-not-second-guess-sonames, to remove an incorrect check for
    the Cyrus SASL version number at runtime.  If there's any reason this is
    needed, it needs to be addressed in the cyrus-sasl soname and Debian
    shlibs, not here.  Closes: #546885.

 -- Steve Langasek <vorlon@debian.org>  Tue, 22 Sep 2009 20:06:34 -0700

openldap (2.4.17-1) unstable; urgency=low

  * New upstream version.
    - Fixes FTBFS on ia64 with -fPIE. Closes: #524770.
    - Fixes some TLS issues with GnuTLS.  Closes: #505191.
  * Update priority of libldap-2.4-2 to match the archive override.
  * Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
    ldapurl(1) manpage.  Thanks to Peter Marschall for the patch.
    Closes: #496749.
  * Bump build-dependency on debhelper to 6 instead of 5, since that's
    what we're using.  Closes: #498116.
  * Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
    the built-in default of ldap:/// only.
  * Build-depend on libltdl-dev | libltdl3-dev (>= 1.4.3), for the package
    name change.  Closes: #522965.

  [ Updated debconf translations ]
  * Spanish, thanks to Francisco Javier Cuadrado <fcocuadrado@gmail.com>.
    Closes: #521804.

 -- Steve Langasek <vorlon@debian.org>  Tue, 28 Jul 2009 10:17:15 -0700

openldap (2.4.15-1) unstable; urgency=low

  * New upstream version
    - Fixes a bug with the pcache overlay not returning cached entries
      (closes: #497697)
    - Update evolution-ntlm patch to apply to current Makefiles.
    - (tentatively) drop gnutls-ciphers, since this bug was reported to be
      fixed upstream in 2.4.8.  The fix applied in 2.4.8 didn't match the
      patch from the bug report, so this should be watched for regressions.
  * Build against db4.7 instead of db4.2 at last!  Closes: #421946.
  * Build with --disable-ndb, to avoid a misbuild when libmysqlclient is
    installed in the build environment.
  * Add -D_GNU_SOURCE to CFLAGS, apparently required for building with
    current headers in unstable

 -- Steve Langasek <vorlon@debian.org>  Tue, 24 Feb 2009 14:27:35 -0800

openldap (2.4.11-1) unstable; urgency=low

  * New upstream version (closes: #499560).
    - Fixes a crash with syncrepl and delcsn (closes: #491066).
    - Fix CRL handling with GnuTLS (closes: #498410).
    - Drop patches no_backend_inter-linking,
      CVE-2008-2952_BER-decoding-assertion, and gnutls-ssf, applied
      upstream.

  [ Russ Allbery ]
  * New patch, back-perl-init, which updates the calling conventions
    around initialization and shutdown of the Perl interpreter to match
    the current perlembed recommendations.  Fixes probable hangs on HPPA
    in back-perl.  Thanks, Niko Tyni.  (Closes: #495069)

  [ Steve Langasek ]
  * Drop the conflict with libldap2, which is not the standard means of
    handling symbol conflicts in Debian and which causes serious upgrade
    problems from etch.  Closes: #487211.

 -- Steve Langasek <vorlon@debian.org>  Sat, 11 Oct 2008 01:53:55 -0700

openldap (2.4.10-3) unstable; urgency=low

  [ Steve Langasek ]
  * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
    vulnerability in the BER decoder.  Addresses CVE-2008-2952,
    closes: #488710.
  * debian/slapd.scripts-common, debian/slapd.postinst: drop
    update_path_argsfile_pidfile function, not needed for updates from etch
    or newer.
  * Drop the code to check for and upgrade ldbm databases.  The etch
    release of slapd had already dropped support for them and direct
    upgrades from sarge are not supported.

  [ Russ Allbery ]
  * Apply upstream patch to convert GnuTLS cipher strength from bytes to
    bits, as expected by OpenLDAP.  (Closes: #473796)
  * Add Build-Depends on time, used by the test suite and only a shell
    built-in with bash.  Thanks, Daniel Schepler.  (Closes: #490754)
  * Refresh all patches, convert all patches to -p1, and remove extraneous
    Index: lines.  (Closes: #485263)
  * Unless DFSG_NONFREE is set, also check whether the upstream schemas
    with RFC comments are included.
  * Update standards version to 3.8.0.
    - Include debian/README.source pointing to the quilt README.source.
    - Wrap Uploaders for readability.
  * Wrap slapd's Depends for readability.

  [ Updated debconf translations ]
  * Swedish, thanks to Martin Ågren <martin.agren@gmail.com>.
    Closes: #492748.

 -- Steve Langasek <vorlon@debian.org>  Mon, 28 Jul 2008 15:26:06 -0700

openldap (2.4.10-2) unstable; urgency=low

  * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at
    build time
  * Hack around glibc behavior when resolving localhost, by exporting
    RESOLV_MULTI=off when invoking the test suite
  * Reclaim the 'openldap' source package name; openldap2.3 has been a
    misnomer for some time, causing undue confusion, so switch to a
    permanent source package name that we won't need to change again later.
    - Along the way, kill off non-DFSG-compliant schema files that snuck
      back into the archive due to my bad merge of 2.4.10.

 -- Steve Langasek <vorlon@debian.org>  Sun, 06 Jul 2008 22:03:32 -0700

openldap2.3 (2.4.10-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream release.
    - Clean up ld_defconn if it was freed, fixing an assertion failure in
      various clients.  Closes: #469232.
    - Fixes slapd syncrepl hang on back-config.  Closes: #471253.
    - Drop patch hurd-path-max, integrated upstream.
  * Drop spurious build-dependency on heimdal-dev, introduced accidentally
    as part of an aborted attempt to build the smbk5pwd overlay.
  * Use hardlinks instead of symlinks for the various slap* commands; this
    is functionally equivalent for us, and reduces divergence from
    derivatives such as Ubuntu that use apparmor.  Closes: #488409.
  * New patch, no_backend_inter-linking, to fix the meta backend to not
    try to look up symbols in external objects (back_ldap) that it
    doesn't link against.
  * Turn on 'make test' during builds, now that back_meta is fixed.

  [ Matthijs Mohlmann ]
  * All manpages in category 5 were missing, wrong directory.
    (Closes: #474976, #483631, #483633)

 -- Steve Langasek <vorlon@debian.org>  Mon, 30 Jun 2008 04:28:34 -0700

openldap2.3 (2.4.9-1) unstable; urgency=low

  [ Updated debconf translations ]
  * French, thanks to Christian Perrier <bubulle@debian.org>.
    Closes: #471792.
  * Finnish, thanks to Esko Arajärvi <edu@iki.fi>.  Closes: #475238.
  * Czech, thanks to Miroslav Kure <kurem@upcase.info.upol.cz>.
    Closes: #480138.
  * Basque, thanks to Piarres Beobide <pi+debian@beobide.net>.
    Closes: #480177.
  * Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>.
    Closes: #480181.
  * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>.  Closes: #480218.
  * Japanese, thanks to Kenshi Muto <kmuto@debian.org>.  Closes: #480247.
  * Italian, thanks to Luca Monducci <luca.mo@tiscali.it>. (Closes: #477718)
  * Brazilian Portuguese, thanks to Eder L. Marques <eder@edermarques.net>
    (Closes: #480172)
  * Portuguese, thanks to Tiago Fernandes <tjg.fernandes@gmail.com>
    (Closes: #481126)
  * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com> (Closes: #481214)
  * Dutch, thanks to "cobaco (aka Bart Cornelis)" <cobaco@skolelinux.no>.
    Closes: #483014.

  [ Matthijs Mohlmann ]
  * New upstream release.
    - Bad entryUUID no longer crashes slapd.  (Closes: #471867)
    - Fix assertion failure in some modify operations.  (Closes: #474161)
    - Mention index in slapd.conf's man page.  (Closes: #414650)
    - Fixes to slapd include handling.  (Closes: #457261)
    - Fix syncrepl cookie truncation.  (Closes: #464024)
    - Fix memory allocation in ldap_parse_page_control.  (Closes: #464877)
    - Fix slapd crash when accessed by multiple threads.  (Closes: #479237)
  * Acknowledge NMU.
    (Closes: #474976, #471225, #475856, #474652, #465875)
  * Bump Standards-Version to 3.7.3
  * Add versioned build dependency on libgnutls-dev (Closes: #466558)
  * Bump debhelper compat level to 6.

  [ Russ Allbery ]
  * Use MAXPATHLEN rather than PATH_MAX, since OpenLDAP defines the
    former and the latter isn't defined on GNU Hurd.  Thanks, Samuel
    Thibault.  (Closes: #475744)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 26 May 2008 22:34:16 +0200

openldap2.3 (2.4.7-6.3) unstable; urgency=low

  * Non-maintainer upload.
  * Install all slapd relevant manpages into slapd package.
    (closes: #474976)
  * Make libldap-2.4-2 conflict against libldap2. (closes: #475856)

 -- Bastian Blank <waldi@debian.org>  Tue, 29 Apr 2008 18:00:23 +0200

openldap2.3 (2.4.7-6.2) unstable; urgency=low

   * Non-maintainer upload to solve release goal issues.
   * Add LSB dependency header to init.d scripts (Closes: #474652)

 -- Petter Reinholdtsen <pere@debian.org>  Wed, 16 Apr 2008 08:04:49 +0200

openldap2.3 (2.4.7-6.1) unstable; urgency=high

  * Non-maintainer upload by security team.
  * Fix possible remote denial of service vulnerability in the BDB backend
    via a modrdn operation with a NOOP control
    (CVE-2008-0658; Closes: #465875).

 -- Nico Golde <nion@debian.org>  Tue, 04 Mar 2008 14:34:44 +0100

openldap2.3 (2.4.7-6) unstable; urgency=low

  [ Updated debconf translations ]
  * Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no>.  Closes: #452950.
  * Brazilian Portuguese, thanks to Eder L. Marques <frolic@debian-ce.org>.
    Closes: #463460.
  * German, thanks to Helge Kreutzmann <debian@helgefjell.de>.
    Closes: #465784.

  [ Steve Langasek ]
  * Relax build-dependency on libsasl2-dev now that the versioned dependency
    is satisfied by all extant versions (including in oldstable), fixing a
    lintian warning about versioned build-deps on Debian revisions.
  * Avoid using a mutex around getaddrinfo() and getnameinfo() calls, which
    are guaranteed by glibc to be threadsafe; this fixes a deadlock when
    using nss_ldap for host lookups.  Closes: #340601.
  * debian/libldap2-dev.manpages: install all of man3/* instead of
    enumerating specific manpages to install.  Closes: #320073.
  * Add new patch, sasl-cleartext-strncasecmp, to correct a regression that
    prevented the use of the {CLEARTEXT} password scheme with SASL.
    Closes LP: #191563.
  * drop LGPL from debian/copyright; there is no longer any code under this
    license in the package.
  * Drop patch gnutls-altname-nulterminated; it's been determined that the
    "length" discrepancy was a bug in gnutls, and fixed in that package.
  * debian/configure.options: explicitly pass --with-odbc=unixodbc, so
    that we depend on the right ODBC implementation when both happen to
    be installed at build time.

  [ Russ Allbery ]
  * Add a stamp file for the configure rule to avoid rerunning configure
    needlessly.  Closes: #465588.
  * Don't create the openldap user if slapd has been configured to run as
    a different user.  If slapd has been configured to run as openldap, do
    create the user on reconfigure.  Closes: #452438.
  * Reformat, reorganize, and update slapd's README.Debian.
    - Include SASL configuration information.
    - Remove LDBM information, since upstream no longer even ships LDBM
      and the debconf prompting and maintainer scripts already take care
      of any lingering databases.
    - Document the differences between the Debian OpenLDAP packages and
      upstream.

 -- Steve Langasek <vorlon@debian.org>  Thu, 28 Feb 2008 22:15:17 -0800

openldap2.3 (2.4.7-5) unstable; urgency=low

  [ Updated debconf translations ]
  * Finnish, thanks to Esko Arajärvi <edu@iki.fi>.  Closes: #462688.
  * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>.  Closes: #462987.
  * French, thanks to Christian Perrier <bubulle@debian.org>.
    Closes: #463149.
  * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>.  Closes: #463442.
  * Czech, thanks to Miroslav Kure <kurem@debian.cz>.  Closes: #463472.
  * German, thanks to Helge Kreutzmann <debian@helgefjell.de>.
    Closes: #464718.

  [ Steve Langasek ]
  * Fix various regressions related to the introduction of GnuTLS:
    - Add new patch, gnutls-ciphers, to fix support for specifying multiple
      ciphers with TLSCipherSuite option in slapd.conf.  Thanks to Kyle
      Moffett <kyle@moffetthome.net> for the patch.  Closes LP: #188200.
    - Add new patch, slapd-tlsverifyclient-default, to set the intended
      default value of "TLSVerifyClient never" in the right place.
    - Add new patch, gnutls-altname-nulterminated, to account for differences
      in how the "length" is returned for commonName vs. subjectAltName.
    - Comment out TLSCipherSuite settings on upgrade from all versions prior
      to 2.4.7-5, and throw a debconf error to the user notifying them of
      this, since all OpenSSL cipher suite values are incompatible with
      GnuTLS.
    Closes: #462588.
  * Add new patch from upstream, entryCSN-backwards-compatibility, to support
    auto-converting entryCSN attributes in a previously supported old format,
    fixing an upgrade failure.  Closes: #462099.
  * Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the
    latter resorts to a SIGKILL and may corrupt backend data; whereas the
    former will exit non-zero if slapd is still running but won't directly
    cause data-loss.  Thanks to Mark McDonald for the patch.  LP: #92139.
  * Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for
    reporting.  Closes: #463971.
  * Fix a superfluous space in the debconf templates, due to a trailing space
    in the templates.  Closes: #464719.

 -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2008 14:25:55 -0800

openldap2.3 (2.4.7-4) unstable; urgency=high

  [ Steve Langasek ]
  * Build-conflict with libicu-dev, for consistent dependencies in all
    build environments.
  * Fix an oversight in the checkpoint migration, which caused the checkpoint
    option to not be moved far enough down.  Closes: #462304, LP: #185257.
  * Build-depend on unixodbc instead of iODBC.

  [ Updated debconf translations ]
  * Japanese, thanks to Kenshi Muto <kmuto@debian.org>.  Closes: #462191.

 -- Steve Langasek <vorlon@debian.org>  Fri, 25 Jan 2008 02:17:23 -0800

openldap2.3 (2.4.7-3) unstable; urgency=low

  * Add missing build-dependency on groff-base, to allow use of soelim during
    build.

 -- Steve Langasek <vorlon@debian.org>  Mon, 21 Jan 2008 15:18:27 -0800

openldap2.3 (2.4.7-2) unstable; urgency=low

  * Temporarily drop slapi-dev from the package to get through NEW; this
    functionality should be readded later, either by restoring the slapi-dev
    package or by moving it to libldap2-dev, depending on the outcome of
    discussion with the ftp-masters.

 -- Steve Langasek <vorlon@debian.org>  Mon, 21 Jan 2008 06:13:21 -0800

openldap2.3 (2.4.7-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream version; closes: #449354.
    - remove another schema from upstream source, collective.schema,
      that contains text from the IETF RFCs and include a stripped copy
      in debian/schema.
    - drop patches slurpd-in-spool and man-slurpd, since slurpd is no
      longer provided upstream.
    - libldap2.3-0 is now libldap2.4-2
    - build libldap2-dev from this source package now, superseding
      openldap2; closes: #428385, #260118, #262539, #391899, #393215.
    - lastmod and denyop have been moved to contrib upstream and are no
      longer shipped as supported overlays
    - drop dependency on libldap2 and take ownership of the
      /etc/ldap/ldap.conf conffile, since libldap2 is now obsolete
    - need to dump and reload databases again for the upgrade from 2.3.39.
    - ldap_init(3) no longer attempts to document the internals of the
      LDAP opaque type.  Closes: #320072.
    - ldap-utils utilities find LDAP servers via SRV records when given a
      URL with -H and no host in the URL. Closes: #221173.
    - if the old slapd.conf included any replica commands, automatically
      enable syncprov for the corresponding database and print an error
      with debconf.
  * slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be
    shipped under doc/examples because /usr/share/doc can't be depended
    on per policy; ship the files under /usr/share/slapd and symlink the
    /other/ way, which also spares us from dh_compress trying to gzip
    slapd.conf.  Closes: #452749.
  * Drop libldap.so as was done for libldap2, making it a link to
    libldap_r.so to avoid unfortunate symbol collisions.
  * Add new patch, libldap-symbol-versions, to build libldap and liblber
    with symbol versions; needed to avoid segfaults when applications
    manage to pull both libldap2 and the new libldap-2.4-2 into the same
    process (as during a partial upgrade or the initial soname
    transition), and also when the library soname changes again in the
    future (as it's likely to do).
  * Reintroduce add-autogen-sh patch, with build deps on libtool, automake,
    and autoconf, required due to the previous patch; this time around, take
    care to clean up the autogenerated files in the clean target as well
  * Build-depend on libgnutls-dev instead of on libssl-dev, so that at long
    last we can build the server and lib from the same source package again
    without licensing problems.  Closes: #457182, #407334, #428468, #381788.
    Closes: #412706.
  * slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for
    openldap < 2.1.22
  * Ask about ldbm to bdb migration in the preinst, since there is no
    guarantee that the debconf config script will be run before the unpack
    phase.
  * Don't stop slapd in the preinst by hand, the prerm already stops the
    old slapd using the standard interfaces.
  * Don't build with LAN Manager password support; these passwords are more
    insecure than traditional Unix crypt, and only relevant when talking to
    Windows 98.
  * Move libslapi into the slapd package and provide a virtual package for
    library dependencies, since this is expected to stay lockstep with the
    server.
  * Split slapi dev support into a new libslapi-dev package, as this is
    unrelated to libldap; and drop libslapi.a since it would be insane to try
    to statically link a dynamically-loaded slapi plugin.
  * "checkpoint" directives are no longer supported as part of the backend
    config, only as part of the database config; move the lines around in
    slapd.conf on upgrade.
  * "schemacheck" directives are no longer supported; comment them out
    on upgrade since this option was set by default in sarge.
  * Package description updates; thanks to Christian Perrier
    <bubulle@debian.org> and the Smith review project for these
    improvements.
  * Incorporate debconf template changes suggested by the debian-l10n-english
    team as part of the Smith review project.  Closes: #447224.

  [ Russ Allbery ]
  * Removed fix_ldif and all remaining code to try running it on LDIF
    dumps. Schema checking has been imposed since 2.1 and it's highly
    unlikely that anyone still needs this.
  * Move the checkpoint directive in the default slapd.conf below the
    database and suffix directives for the primary database. This is now
    required for OpenLDAP 2.4.
  * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640
    by default so that slapindex and friends can read it when run as the
    openldap user. Fix permissions on upgrade if slapd.conf is owned by
    root and mode 600. Closes: #432662.
  * Drop slapd patch to read slapd.conf before dropping privileges, since
    slapd.conf should now be readable by SLAPD_GROUP.
  * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume
    the cn=config backend is used and start slapd with the appropriate
    options.  Based on a patch from Mike Burr.  Closes: #411413.
  * Rework slapd's README.Debian:
    - Document the BerkeleyDB version.  Closes: #438127.
    - Document how to direct slapd's logs to another file. Closes: #258931.
    - Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades.
    - Recommend HDB instead of BDB.
    - Generally reformat and reorganize.
  * Patch cleanup:
    - Combine the NTLM patches for Evolution into a single patch.
    - Add explanatory comments to every patch.
    - Refresh all patches to remove diff garbage and trailing whitespace.
  * debian/rules cleanup:
    - Fix patch dependencies for parallel build (hopefully).
    - Tell configure the system type.
    - Rewrite upstream_strip_nondfsg.sh as a get-orig-source target.
    - Remove stamp files as the first step of the clean target.
    - Add trivial build-arch and build-indep targets.
    - Remove dead code and unnecessary comments.
  * Remove postrm code to delete /var/lib/slapd/upgrade* flag files.  We
    haven't used those since the 2.1 upgrade.
  * Update Vcs-* headers for new repository layout.
  * Remove versioned dependency on an ancient dpkg-dev.
  * Wrap and reorder Build-Depends for readability.

  [ Updated debconf translations ]
  * Czech, thanks to Miroslav Kure <kurem@debian.cz>.  Closes: #458215.
  * German, thanks to Helge Kreutzmann <debian@helgefjell.de>.
    Closes: #452833.
  * Spanish
  * Finnish, thanks to Esko Arajärvi <edu@iki.fi>.  Closes: #448061.
  * French, thanks to Christian Perrier <bubulle@debian.org>.
    Closes: #452632.
  * Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net>.
    Closes: #451158.
  * Italian, thanks to Luca Monducci <luca.mo@tiscali.it>.  Closes: #449442.
  * Japanese, thanks to Kenshi Muto <kmuto@debian.org>.  Closes: #451325.
  * Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no>.  Closes: #448935.
  * Brazilian Portuguese
  * Portuguese, thanks to Tiago Fernandes <tjg.fernandes@gmail.com>.
    Closes: #453341.
  * Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com>.  Closes: #453318.
  * Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>.
    Closes: #453411.

 -- Steve Langasek <vorlon@debian.org>  Mon, 21 Jan 2008 04:58:24 -0800

openldap2.3 (2.3.39-1) unstable; urgency=medium

  * Medium severity due to denial of service fix.
  * New upstream release.
    - CVE-2007-5708: Fix remote denial of service attack in slapo-pcache
      (the overlay for proxy caching).  (Closes: #448644)
    - Multiple additional more minor bug fixes.
  * Document in the default slapd.conf that dbconfig options only generate
    the DB_CONFIG file on first slapd start and have no effect afterwards
    unless DB_CONFIG is removed.  (Closes: #442191)
  * Inline the checkpoint and BerkeleyDB backend settings in the default
    slapd.conf rather than generating them dynamically in postinst.  All
    the allowable default database choices are now BerekelyDB variants and
    will probably continue to be so for the forseeable future, and this is
    easier to maintain.
  * Drop debconf questions, warnings, and maintainer script functions
    dealing with upgrades from OpenLDAP 2.1, which is now too hold for
    supported direct upgrades.  (Closes: #444806)
  * Add a watch file.  Thanks, Fernando Ribeiro.  (Closes: #435290)
  * Add Homepage, Vcs-Svn, and Vcs-Browser control fields.

 -- Russ Allbery <rra@debian.org>  Mon, 12 Nov 2007 16:00:47 -0800

openldap2.3 (2.3.38-1) unstable; urgency=low

  [ Steve Langasek ]
  * Drop debian/patches/use-lpthread, which is no longer needed on mips*
    because gcc has been fixed.
  * Drop debian/patches/add-autogen-sh, also no longer needed now that
    the above patch is gone.

  [ Matthijs Mohlmann ]
  * Fix bashism in initscript. (Closes: #428883)
  * Drop upstream patches ITS4924, ITS4925 and ITS4966.
  * Add patch for objectClasses which causes slapd to crash. (Closes: #440632)
    - CVE-2007-5707.
    - Upstream bug ITS5119.
  * Change default loglevel to none, to log high priority messages.
    (Closes: #442000)
  * Tighten up the build dependencies, now that autogen patch is removed.

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 17 Sep 2007 22:58:54 +0200

openldap2.3 (2.3.35-2) unstable; urgency=low

  * Enable LAN Manager password support in slapd.  (Closes: #245341)
  * If automatic configuration is selected and slapd.conf doesn't exist
    during an upgrade, treat this as a fresh installation rather than
    aborting with an error.  Also try to provide a better error message if
    the user has deleted /etc/ldap/schema but we just generated a new
    configuration that references it.  These cases can occur if someone
    removes (rather than purges) the package, manually deletes /etc/ldap,
    and then reinstalls.  (Closes: #205010)
  * Don't fail in slapd's postrm if /etc/ldap/schema has already been
    deleted.
  * Remove slapd conflicts with libbind-dev and bind-dev.  There no longer
    appears to be anything in those packages that would break slapd's
    resolver.  (Closes: #225896)
  * Add libldap-2.3-0-dbg and slapd-dbg packages with detached debugging
    information.
  * db_recover is no longer required after changing DB_CONFIG; slapd now
    detects changes itself and does the right thing.  Also note in
    README.DB_CONFIG the existence of the dbconfig slapd.conf parameter
    and slapd's DB_CONFIG writing support.  (Closes: #412575)
  * Add options to /etc/default/slapd to let the system administrator tell
    the init script to not start slapd on boot.  (Closes: #254999)
  * Redirect fd 3 to /dev/null in the slapd init script for additional
    robustness when debconf is running.  (Closes: #227482)
  * Add to /etc/default/slapd a commented-out example of how to change the
    keytab file used for GSSAPI authentication.  (Closes: #412017)
  * Use variables in /etc/init.d/slapd for the paths to slapd and slurpd
    so that someone who really wants to can override them in
    /etc/default/slapd.  (Closes: #403948)
  * Allow people building packages for outside Debian to skip the checks
    for non-DFSG-free material by setting a variable. Thanks, Peter
    Marschall.  (Closes: #427245)
  * Remove duplicate libldap-2.3-0 dependencies.  (Closes: #408987)
  * Use binary:Version instead of Source-Version for the tight
    dependencies between slapd and ldap-utils and libldap-2.3-0.

 -- Russ Allbery <rra@debian.org>  Mon, 11 Jun 2007 20:26:26 -0700

openldap2.3 (2.3.35-1) unstable; urgency=low

  * New upstream release with many bug fixes.
    - Allow syncprov to follow aliases.  (Closes: #422087)
  * Apply upstream patches:
    - ITS#4924: client crash on incorrectly tagged result from server.
    - ITS#4925: NOOP modify with BDB backend crashed slapd.
    - ITS#4966: Delete of valsort-controlled entries crashed slapd.
  * Enable SLAPI support.  (Closes: #390954)
  * Re-enable use of the epoll system call since Debian no longer supports
    2.4 kernels.  This means that the OpenLDAP packages will not work on
    pre-2.6 kernels.
  * Remove schema files that contain text from IETF RFCs from the upstream
    source since that text is not DFSG-free.  Instead, install stripped
    versions of those schema files containing only the functional
    interface specifications, a comment explaining why this is needed, and
    a pointer to the relevant RFC.  (Closes: #361846)
  * Document the repackaging of the upstream source in debian/copyright.
  * Update config.guess and config.sub during the build instead of in the
    clean target and remove them in the clean target for a clean diff.
    Build-depend on autotools-dev so that we can unconditionally copy over
    the latest versions.
  * Added commentary and upstream ITS numbers for several patches
    applicable upstream.
  * Use debian/compat rather than the deprecated DH_COMPAT rules setting.
  * Update to debhelper compatibility level V5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 30 May 2007 22:42:28 -0700

openldap2.3 (2.3.30-5) unstable; urgency=low

  [ Steve Langasek ]
  * Add Portuguese debconf translation; thanks to Tiago Fernandes.
    Closes: #409632.
  * Re-add .la files to the slapd package, for greater compatibility
    with upstream documentation.

  [ Russ Allbery ]
  * When starting slapd, create a symlink from /var/run/ldapi to
    /var/run/slapd/ldapi for compatibility with 2.1 client libraries.
    Closes: #385809.
  * Apply upstream patch to prevent a race condition in slapd when
    shutting down connections.
  * Update the Brazilian Portuguese debconf translation; thanks to Felipe
    Augusto van de Wiel.

 -- Russ Allbery <rra@debian.org>  Thu,  8 Mar 2007 18:21:02 -0800

openldap2.3 (2.3.30-4) unstable; urgency=low

  * Ok, argh, it helps to check that the function being re-added to the
    preinst hasn't been removed again from the common include.  Re-add
    break_on_ldbm_to_bdb_migration_disagree, because by all appearances
    we /should/ be using this in the preinst.  Closes: #411474.

 -- Steve Langasek <vorlon@debian.org>  Mon, 19 Feb 2007 03:55:22 -0800

openldap2.3 (2.3.30-3) unstable; urgency=medium

  [ Matthijs Mohlmann ]
  * Added spanish translation. (Closes: #404250)
  * Documentation updates backported from upstream.
  * Fix a security bug in kerberos kbind code. (Only used when enabling with
    --enable-kbind option) But better safe then sorry.
  * Backported a mem leak fix on failed binds.
  * Added patch from upstream that fixes a memory leak in ACLs that use sets.

  [ Steve Langasek ]
  * *Really* abort in preinst if the user doesn't accept the upgrade
    from ldbm to bdb.  Closes: #392747.
  * Set the name of debian/slapd.NEWS right so that it gets
    installed in the binary package.  Closes: #409923.
  * Add Russian debconf translation; thanks to Yuri Kozlov.
    Closes: #405706.
  * Add Galician debconf translation; thanks to Jacobo Tarrio.
    Closes: #407267.

 -- Steve Langasek <vorlon@debian.org>  Sun, 18 Feb 2007 16:47:16 -0800

openldap2.3 (2.3.30-2) unstable; urgency=low

  * Make sure that the pidfile directory doesn't exist in the init script.
    (Closes: #402705)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Tue, 12 Dec 2006 21:34:44 +0100

openldap2.3 (2.3.30-1) unstable; urgency=low

  * New upstream release.
    - Fixed authzTo/authzFrom URL matching.
    - Fixed syncrepl consumer memory leaks.
    - Fixed slapd-hdb livelock.
    - Fixed slapo-ppolicy external quality check.
    - Fixed ldapsearch(1) man page acknowledgement.
  * Added patch to make sure that the pidfile directory exists.
    (Closes: #390337)
  * Do not ask the question allow ldap v2 logins when user wants manual
    configuration. (Closes: #401003)
  * Add patch to look also in /etc/ldap/sasl2 for sasl configuration.
    (Closes: #398657)
  * Removed db4.2-util recommend, the slapd binary includes checking code to
    fix DB errors.
  * Updated README in schema directory. It doesn't list collective.schema
    anymore. (Closes: #287358)
  * Updated manpages to point to right paths. (Closes: #398790)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat,  9 Dec 2006 20:50:58 +0100

openldap2.3 (2.3.29-1) unstable; urgency=medium

  [ Matthijs Mohlmann ]
  * New upstream release.
    - Fixes Denial of Service through a certain combination of LDAP BIND
      requests (CVE-2006-5779) (Closes: #397673)
  * LSB section added to the init script.
  * Updated README.Debian about running as non-root user (Closes: #389369)
  * Updated de translation (Closes: #396096)
  * Added some documentation / warning when running slapindex as root.
  * Remove drafts and rfc from the tarball. (Closes: #393404)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat, 11 Nov 2006 11:24:42 +0100

openldap2.3 (2.3.27-1) unstable; urgency=low

  [ Matthijs Mohlmann ]
  * New upstream release.
  * pidfile location is changed 3 years ago, when people are upgrading from
    back then they have a broken slapd because the openldap user is not able
    to write to /var/run. (Closes: #380687)
  * Patches by Quanah Gibson-Mount <quanah@stanford.edu>
    - Fix one time memleak on startup in the accesslog db.
  * Changed priority of libldap-2.3-0 to optional as it is only used by slapd.

  [ Torsten Landschoff ]
  * Remove RFC documents as they do not meet the DFSG.
    + debian/rules: Check that the RFCs are gone to make sure it does not
      get included again by accident.

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat,  2 Sep 2006 00:33:44 +0200

openldap2.3 (2.3.25-1) unstable; urgency=low

  [ Matthijs Mohlmann ]
  * New upstream release:
    - Accepts 'require none' in slapd.conf (closes: #370023).
    - Added patch to fix a bold issue in the manpage ldapsearch. Thanks to
      Matt Kraai. (Closes: #355670)
  * Added commented out rootdn parameter in slapd.conf. (Closes: #303245)
  * Make the scripts output a bit more consistent.
  * Fix a regression in the slapd packages. Data directory is /var/lib/ldap
    and not /var/openldap-data, also adjust the manpages to reflect these
    change. Thanks to Peter Marschall. (Closes: #368891)
  * Removed script move_files, dh_install is used instead. (Closes: #368896)
  * Dutch translation already updated. Closes: #375101)
  * Documented that slapd is compiled with TCP wrappers (Closes: #351428)
  * dpkg-reconfigure slapd now just reinstalls slapd and moves old databases
    to /var/backups. Already done in previous version (Closes: #230366, #208056)

  [ Torsten Landschoff ]
  * debian/libldap-2.3-0.install: Ignore version information when installing
    libraries. This way it does not need updating for each new upstream
    release.

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Wed, 26 Jul 2006 18:05:40 +0200

openldap2.3 (2.3.24-2) unstable; urgency=low

  * Switch slapd from running as root to running as user.
   (Closes: #292845, #261696)
  * Changing configuration in slapd.conf by the postinst will now also follow
    includes. (Closes: #304488)
  * Patches by Quanah Gibson-Mount <quanah@stanford.edu>
    - fix a lock bug with a virtual root entry in the BDB backend.
    - fix boolean logic in the overlays.
    - fix that slurpd can use ldaps.
    - fix initialization of auditdb.
    - fix TLS concurrency issues.
    - fix exop password change that didn't reset pwdMustChange.
    - fix syncrepl that fails when no rootdn is defined.
  * Add dependency on adduser.
  * Specify the PATH variable in the init script. (Closes: #367981)
  * Added patch to read config before dropping privileges.
  * epoll(4) system call is missing on kernels <2.6, this causes slapd to
    not work on 2.4 kernels. Added patch that remove the #define in
    portable.in (Closes: #369352, #372194, #373233)
  * In 2.3.24 slapd won't segfault if the moduleload directive appears
    somewhere else. (Closes: #349011)
  * Removed fileutils dependency, it's superseeded in Sarge already.
    (Closes: #370013)
  * Use find in combination with mv to move an old directory away.
    (Closes: #306435)
  * Updated Dutch debconf translation (Closes: #365172)
  * Added an example backup script that can be put into cron (Closes: #319477)
  * Make the db directories 0700. On new installations this is the default.
    (Closes: #354450)
  * Get rid of a '.' in front of a domain. (Closes: #318143)
  * Added shadowLastChange to the ACL in the default slapd.conf
    (Closes: #370550)
  * Updated Japanese translation (Closes: #378565)

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Mon, 17 Jul 2006 18:22:45 +0200

openldap2.3 (2.3.24-1) unstable; urgency=low

  [ Matthijs Mohlmann ]
  * New upstream version. (Closes: #369544)
  * Update patch slurpd-in-spool. (Closes: #368586, #368709, #368889)
  * Added slapi-errorlog-file to be into /var/log (Closes: #368895)
  * Removed patch configure.in-fix, incorporated upstream.
  * Move debian/configure.options.new to debian/configure.options.
  * Added patch to put ldapi socket in /var/run/slapd.
  * Removed bdb recovery from the init.d script. This was introduced to fix
    bug #255276. Now that slapd has the ability to check and recover from bdb
    failures, this function is not needed anymore. (Closes: #369484, #369093)
  * Updated the lintian overrides.

  [ Torsten Landschoff ]
  * Include man pages for accesslog and auditlog overlays, patch by
    Peter Marschall (closes: #368888).

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Thu,  1 Jun 2006 08:16:02 +0200

openldap2.3 (2.3.23-1) unstable; urgency=low

  [ Matthijs Mohlmann ]
  * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158)
    (Closes: #310282, #319155)
  * OpenLDAP checks database before starting up.
    (Closes: #190165, #195079, #294701, #308416)
  * move_old_database_away isn't called in a while loop anymore (which would
    kill debconf interaction) (Closes: #299100)
  * BDB_CONFIG file will be installed on new installations (Closes: #301292)
  * Move to dh_install.
  * Move to quilt patch system.
  * Fix manpage.
  * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings)
  * Wipe passwords after we created the initial configuration.
  * The config scripts is runned twice, this causes the password in
    slapd/internal/adminpw to be empty. This fixes the issue with having an
    empty password in the ldap database. (Closes: #343113, #347725)
  * Added #DEBHELPER# token to fix a lintian warning.
  * bdb has changed between major versions, so dump the database and import it
    again for versions before 2.3.19.
  * Remove comments from debian/control (The out commented control information
    is actually in debian/control.dev)
  * Enable all backends and overlays with: --enable-backends=mod and
    --enable-overlays=mod
  * Add | debconf-2.0 to unblock cdebconf transition (Closes: #332053)
  * Added Danish debconf translation (Closes: #353897)
  * Updated French debconf translation (Closes: #320739)
  * Updated Vietnamese debconf translation (Closes: #319706)
  * Updated Czech debconf translation (Closes: #356554)
  * Encode the organization to utf8 (Closes: #236097)
  * Disabled the LDBM backend. Break in preinstallation if user doesn't want
    to migrate to BDB backend.
  * Removed choice for LDBM backend from slapd templates. And some explanation
    in that question about the LDBM backend.
  * Add sizelimit and tool-threads and some documentation to slapd.conf
    (Closes: #327808)
  * slapd.scripts-common had two functions with the same name.
  * Don't return a error message if hostname fails.
  * Backup the config only once on upgrade.
  * For new installations do not install a DB_CONFIG file but use the
    slapd.conf as file for BDB/HDB configuration parameters. See: slapd-bdb(5)
  * Added various "exit 0" to the installation scripts.
  * Add configure.in patch to fix C comparison what should be bash (ITS#4416)
  * Raise debconf configuration level from low to medium for
    slapd/no_configuration.
  * Updated Standards-Version to 3.7.2.0
  * Added build-dependency on perl which is used in the debian/rules file.
    Considered by lintian.
  * Added lintian override for too-long-extended-description-in-templates, it
    is an explanation about the backends.

  [ Steve Langasek ]
  * debian/slapd.templates: Fix typo durin -> during; re-run
    debconf-updatepo, fixing up the fuzzies (closes: #319596).

  [ Torsten Landschoff ]
  * debian/slapd.scripts-common: Rename backend_supported to
    upgrade_supported_from_backend for more clarity.

 -- Matthijs Mohlmann <matthijs@cacholong.nl>  Sat, 13 May 2006 00:28:11 +0200

openldap2.2 (2.2.26-4) unstable; urgency=low

  * [l10n] Vietnamese translations by Clytie Siddall (closes: #316623).
  * debian/slapd.templates: Fix typos occured -> occurred (closes: #316624).
  * libraries/libldap/url.c: Apply patch from upstream CVS to fix URI
    parsing (closes: #317100).

 -- Torsten Landschoff <torsten@debian.org>  Tue, 19 Jul 2005 20:52:17 +0200

openldap2.2 (2.2.26-3) unstable; urgency=low

  * [SECURITY] Applied the patch available at
      http://bugzilla.padl.com/show_bug.cgi?id=210
    to force libldap to really use TLS when requested in /etc/ldap/ldap.conf
    (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2
    source package so this is only to prepare unleashing the libraries of
    OpenLDAP 2.2 for unstable...

 -- Torsten Landschoff <torsten@debian.org>  Sun,  3 Jul 2005 10:41:37 +0200

openldap2.2 (2.2.26-2) unstable; urgency=low

  * Assembled changes from patches supplied by Peter Marschall (thanks,
    Peter):
  | debian/move_files: Move slapd and slurpd to /usr/sbin and adjust symlinks
    (closes: #316354).
    + debian/slapd.links: Remove symlinks from /usr/sbin to /usr/lib.
  | debian/rules: Don't install cron jobs needed for GnuTLS as long as we are
    using OpenSSL.
  | debian/control: Remove build-dependencies needed for GnuTLS
    (closes: #316355).
    + Require libsasl >= 2.1.18 as recommended by OpenLDAP project.
  | Update quicktool patch from Quanah Gibson-Mount (closes: #316361).
  | debian/slapd.init: Use /bin/sh as shell when running db_recover
    (closes: #316350).
  | debian/configure.options: Enabled dynlist and proxycache overlays
    (closes: #316351).

  * debian/po/de.po: Apply typo correction patch (closes: #313809).
  * debian/po/fr.po: Apply updates by Christian Perrier (closes: #315122).

 -- Torsten Landschoff <torsten@debian.org>  Fri,  1 Jul 2005 12:53:18 +0200

openldap2.2 (2.2.26-1) unstable; urgency=low

  * New upstream release.
  * debian/slapd.init: Run db_recover as the user configured for slapd
    (closes: #311331).
  * debian/po/cs.po: Add Czech translation by Miroslav Kure (closes: #312064).
  * Run debconf-updatepo, oh my :(
  * Update configure via libtoolize -cf; aclocal-1.4; autoconf2.50.
  * configure.in: Try to fix memcmp check (probably does not work anymore, but
    we should have a working memcmp on all Debian systems anyway).
  * debian/rules: Remove config.{sub,guess} before installing new versions
    (just in case there were symlinks for them...).

 -- Torsten Landschoff <torsten@debian.org>  Tue, 21 Jun 2005 12:06:40 +0200

openldap2.2 (2.2.23-8) unstable; urgency=low

  * debian/DB_CONFIG: Fixed the log cache configuration (used the wrong
    command so there was about no effect).

 -- Torsten Landschoff <torsten@debian.org>  Mon, 30 May 2005 08:48:10 +0200

openldap2.2 (2.2.23-7) unstable; urgency=low

  * debian/slapd.scripts-common: Install the default DB_CONFIG for each
    database loaded from LDIF which didn't have a DB_CONFIG before.
  * (automatic) Updated config.sub and config.guess from autotools-dev.

 -- Torsten Landschoff <torsten@debian.org>  Mon, 30 May 2005 08:08:37 +0200

openldap2.2 (2.2.23-6) unstable; urgency=low

  Torsten Landschoff <torsten@debian.org>:
  * debian/po/ja.po: Merge updates from Kenshi Muto (closes: #303505).
  * debian/po/fr.po: Merge updates from Christian Perrier (closes: #306229).
  * debian/slapd.scripts-common: If the user enters the empty value for
    the database dumping directory use the default value. Seems like the
    readline interface does not care about the default value
    (closes: #308234).
  * debian/slapd.postinst: Make sure the debhelper commands are executed
    in all cases (closes: #310422).
  * Merged suggested changes by Eugene Konev to automatically run
    db_recover before starting slapd (closes: #255276).
    + debian/slapd.init: Run db_recover if enabled and available and no
      slapd process running.
    + debian/slapd.default: Add configuration option to disable it.
  * Applied and improved patch by Matthijs Mohlmann to support migration
    from ldbm to bdb backend.
    + debian/slapd.config: Ask if migration is wanted.
    + debian/slapd.postinst: Update configuration from ldbm to bdb if yes.
    + debian/slapd.scripts-common: Implemented some parts in their own
      functions.
  * Add a README.DB_CONFIG.gz and reference it where referring to BDB
    configuration.
  * Update default DB_CONFIG with some senseful values.

  Steve Langasek <vorlon@debian.org>:
  * libraries/libldap_r/Makefile.in: make sure the ximian-connector ntlm
    patch is applied to libldap_r, not just to libldap
  * debian/move_files: make libldap a symlink to libldap_r, as carrying
    two versions of this library around is more trouble than it's worth,
    and can cause glorious segfaults down the line

 -- Torsten Landschoff <torsten@debian.org>  Mon, 30 May 2005 08:07:49 +0200

openldap2.2 (2.2.23-5) unstable; urgency=low

  Torsten Landschoff <torsten@debian.org>:
  * debian/lintian-overrides: Add. Contains lintian warnings/errors to
    override for each package (plus comments).
    + debian/move_files: Automatically install applying overrides into
      each package.

  Steve Langasek <vorlon@debian.org>:
  * configure.in: reinstate the remainder of the fix for 195990 from
    2.1.22-2: give preference to -lpthread over -pthread in configure.in,
    because some archs (mipsel, at least) don't like -pthread.

 -- Steve Langasek <vorlon@debian.org>  Sun, 24 Apr 2005 05:01:02 -0700

openldap2.2 (2.2.23-4) unstable; urgency=low

  Torsten Landschoff <torsten@debian.org>:
  * debian/control: Make the requirement for debconf a pre-dependency as
    we are using it from the maintainer scripts.
  * debian/slapd.preinst: Always use debconf (don't check for availability).
  * debian/slapd.scripts-common: Remove the alert_user function which
    was there to output an error message in case debconf is not available.

  Steve Langasek <vorlon@debian.org>:
  * debian/fix_ldif: Add code to fix up oddly formatted integer attribs;
    limited use because it only fixes those attributes that we have
    prior knowledge of (i.e., those in the default schemas we ship), but
    it's something at least.  Closes: #302629.
  * debian/fix_ldif: Also change fix_ldif to not chew up everything that
    has a # in the line: treat lines beginning with # as comments, but #
    is a valid character in an attribute value.
  * debian/rules: Fix the check for missing lib symbols to use
    LD_LIBRARY_PATH, so the package builds on systems that don't already
    have libldap-2.2-7 installed.  Closes: #305785.
  * debian/po/ja.po: Use the partial translation provided by Kenshi Muto.

  Stephen Frost <sfrost@debian.org>:
  * debian/slapd.scripts-common: Make sure - ends up at the end of the
    bracket expression given to grep so it's not treated as a range
    (closes: #302743).

 -- Steve Langasek <vorlon@debian.org>  Sat, 23 Apr 2005 22:01:20 -0700

openldap2.2 (2.2.23-3) unstable; urgency=low

  Steve Langasek <vorlon@debian.org>
  * libraries/libldap_r/Makefile.in: Code that uses pthreads *must* be
    linked with -pthread, even if it's a library; without this, the
    libldap_r library ends up with dangling unversioned reference to
    pthread_create() which gets resolved to a wrong version that causes
    segfaults on 64-bit platforms.  Closes: #304549.
  * debian/rules: error out on build if an installed library has
    undefined symbols; future-proofing against a repeat of #304549.
  * debian/slapd.postinst: don't dump and reload directories unless we
    know we're upgrading from an incompatible version!  Closes: #304840.
  * debian/slapd.scripts-common: don't use merge_logical_lines for
    functions that will be writing back to the config; the code is not
    as pretty now, but the output is much less ugly. Closes: #303243.
  * debian/slapd.examples, debian/slapd.scripts-common,
    debian/slapd.links, debian/move_files: install DB_CONFIG in
    /usr/share/slapd/ instead of /usr/share/doc/slapd/examples/; this
    simplifies the code, and ensures users who don't install
    /usr/share/doc aren't penalized.  Create links for the DB_CONFIG and
    slapd.confg templates to /usr/share/doc/slapd/examples, since these
    are worthwhile examples as well.
  * Updated maintainer scripts to keep DB_CONFIG for LDAP databases over
    upgrades (closes: #265860).
  * Move slappasswd to the slapd package, since it's now a symlink and
    isn't actually useful without the slapd binary (closes: #304339).

 -- Torsten Landschoff <torsten@debian.org>  Thu, 21 Apr 2005 01:29:57 +0200

openldap2.2 (2.2.23-2) unstable; urgency=low

  * debian/configure.options: Change localstatedir to /var from /var/run
    as the current upstream version adds /run to that during runtime for
    slapi sockets etc. Problem: The database location is specified relative
    to localstatedir/openldap-data. Another thing to fix...
    (closes: #298271, #304491).
  * debian/slapd.scripts-common (load_databases): Reimplement automatic
    fixing of LDIF data via the fix_ldif script. Only tried if an
    initial slapadd using the original LDIF data fails. With this change
    upgrading from woody for some simple cases does work again.
  * Disabled the version check for Berkeley DB in upstream code. Any
    libdb4.2 package should work but of course using the latest will give
    you the best results (closes: #300851).
  * debian/slapd.scripts-common (import_database): Removed, no longer used.
  * debian/slapd.scripts-common: Store the diagnostic output from
    slapadd and output it before aborting if the command failed.
  * debian/po/fr.po: Use the translations provided by Christian Perrier
    (closes: #304141).
  * debian/slapd.scripts-common: Use the -q option during slapadd to
    improve performance.
  * debian/slapd.templates (slapd/dump_database_destdir): Apply rewording
    changes from Thomas Prokosch. Gives the user more information about
    the usage of that directory.
    + Run debconf-updatepo to update the translation templates.
  * debian/slapd.templates: Clean up the debconf templates of the slapd
    packages by merging the changes suggested by Christian Perrier
    (closes: #302829). Thanks, Christian!
    + Changed the wording of some of the templates.
    + Adapt to the DTSG (Debconf Templates Style Guide).
    + Removed item slapd/admin which is not used anymore.
    + Run debconf-updatepo and send new fr.po to Christian Perrier.
  * debian/slapd.postinst: Make a backup copy of slapd.conf before changing
    anything (closes: #304485).
  * Trivial improvements:
    + Don't ask to move contents of /var/lib/ldap if it does not even
      exist (but also is not an empty directory...) in initial config.
    + Move check for current installation status out of configure_dumping.

 -- Torsten Landschoff <torsten@debian.org>  Thu, 14 Apr 2005 19:57:11 +0200

openldap2.2 (2.2.23-1) unstable; urgency=low

  * debian/slapd.scripts-common: Move all shell functions of the maintainer
    scripts here to have it all in one place.
  * Another pass over the maintainer scripts to remove cruft and tidy up
    the code a bit. Fixed some bugs on the way.
  * Test upgrade and installation revealed some bugs, mostly typos:
    + return in shell actually is "return $?", not "return 0" as I though
    + Referenced $src where $srcdir was meant.
    + Only load old directories on upgrade and not during initial
      installation.

 -- Torsten Landschoff <torsten@debian.org>  Fri,  1 Apr 2005 18:50:21 +0200

openldap2.2 (2.2.23-0.pre6) experimental; urgency=low

  Torsten Landschoff <torsten@debian.org>:
  * debian/slapd.postinst: Add a testing interface to test the helper
    functions.
  * debian/slapd.postinst: Make sure that debconf actually displays the
    error message even if the user has already seen it before.
  * debian/slapd.postinst (compute_backup_path): Make function more robust
    in case we don't know the old version or the suffix of the database.
    Converted the backup dir to a more simple scheme which should be save
    against accidental overwriting.
  * Rewrote part of the maintainer scripts for correct handling of
    directory dumps in preinst. New debconf questions etc.
  * Move the manpage of slappasswd to ldap-utils where slappasswd itself
    is included (closes: #300212).
    + debian/control: Add Replaces: slapd << 2.2.23-0.pre6 to ldap-utils.
    + debian/move_files: Move slappasswd manpage into ldap-utils.
  * debian/slapd.config: Don't fail if hostname is unset (pulled from
    Ubuntu, thanks to Jeff Bailey).
  * Applied patch by Quanah Gibson-Mount (directory administrator of Stanford)
    to add -q option to some tools for quick operation without updating
    logs. This is mostly for importing directories from LDIF backups.
  * Go back to libdb4.2 as OpenLDAP is known to have problems with BDB 4.3.
    + debian/control: Update dependencies for BDB 4.2.
    + debian/slapd.scripts-common: Mark all databases before this version
      as incompatible.
  * Fix some bashisms in maintainer scripts.
  * debian/slapd.postinst: Include the version of the backup in the
    backup of a database directory.

  Carlo Contavalli <ccontavalli@debian.org>:
  * debian/slapd.init: Print command line if starting a daemon failed.
  * debian/slapd.postinst: Handle hdb backend just as if it was bdb.
  * debian/README.Debian: Add some notes about DB_CONFIG and how to run
    slapd under a different uid/gid.
  * Install an example DB_CONFIG file during initial configuration
    + slapd.postinst: Add a function to implement this and hook it into
      create_new_configuration.
    + debian/DB_CONFIG: Example DB_CONFIG that is installed.
    + debian/slapd.examples: Mark DB_CONFIG as an example.
  * servers/slapd/daemon.c: Actually change the permissions of the
    unix socket if requested using an ldapi url with x-mod.
  * debian/slapd.scripts-common: change privileges of upgraded databases
    as indicated by SLAPD_USER and SLAPD_GROUP variables.
  * debian/slapd.scripts-common,slapd.postinst: corrected some minor
    typos.

 -- Torsten Landschoff <torsten@debian.org>  Fri,  1 Apr 2005 12:26:35 +0200

openldap2.2 (2.2.23-0.pre5) experimental; urgency=low

  * Apply NTLM patch from ximian-connector source package.
  * debian/slapd.postinst: Fix small typo leading to upgrade failures.
    Added some notes while wading through maintainer scripts.
  * debian/slapd.postinst: Make slapadd more noisy, writing the new
    directory to stderr if something goes wrong (should help for
    bug #236097).
  * Make slapd.init idempotent by adding --oknodo to start-stop-daemon
    invocations (closes: #298741). Kudos to Bill Allombert for this
    patch.
  * slapd.postinst: Try to fix slapd.conf for syntactic and semantic changes
    introduced upstream into 2.2.x.
  * slapd.scripts-common: Make sure directories before 2.2.23 are dumped
    and reloaded on upgrade.

 -- Torsten Landschoff <torsten@debian.org>  Fri, 11 Mar 2005 18:54:57 +0100

openldap2.2 (2.2.23-0.pre4) experimental; urgency=low

  * Rename libldap2.2 to libldap-2.2-7 to match soname. Updated
    debian/{control,rules,...}.
  * Checked the usage of the ucdata files shipped with libldap2 before.
    Actually they stem from liblunicode which is only linked to slapd.
    Therefore those files are shipped with slapd now. This change is
    relevant so that multiple libldap-2.2-x packages can coexist later.
  * debian/control: Updated for slapd replacing files from libldap2.
  * debian/control: Recommend db4.3-util instead of db4.2-util as we are
    using the former version now for slapd.
  * debian/control: Add Build-Depends for libperl-dev, this time for
    real. I wonder what went wrong last time as it built correctly with
    pdebuild (closes: #297123).

 -- Torsten Landschoff <torsten@debian.org>  Mon, 28 Feb 2005 15:17:52 +0100

openldap2.2 (2.2.23-0.pre3) experimental; urgency=low

  * debian/slapd.prerm: Reformat and fix double stopping of slapd. Find
    out which bug we are working around and document it.
  * debian/configure.options: Enable ACI support (closes: #101602).
    Looked through the source code and it seems to be properly
    insulated to not make a difference when not used.
  * .../Makefile.in: Remove -s option from install invocations and let
    dh_strip handle stripping binaries (closes: #264448).
  * debian/slapd.postinst: Code cleanup and reading, unused and duplicate
    code removed. Main body still needs fixing.
  * debian/slapd.postinst: Fixed chmod --reference calls to keep the
    permissions of slapd.conf. Putting data into the file using shell
    redirection recreates the file with default umask and owner, killing
    the permissions we applied using chod --reference after creating the
    file. Instead we change the permissions directly before renaming the
    file now. Wrapped it into a function and update the owner as well.
    How do we do this correctly for ACLs etc.!? Thanks to Carlo Contavalli
    for pointing this out.
  * servers/slapd/main.c: Log a warning if writing the pidfile or writing
    the arguments file fails (closes: #261696).
  * debian/control: Add missing build dependency for perl development
    library (closes: #297123).

 -- Torsten Landschoff <torsten@debian.org>  Sun, 27 Feb 2005 17:44:03 +0100

openldap2.2 (2.2.23-0.pre2) experimental; urgency=low

  * servers/slurpd/slurp.h: Relocate the default spool directory to
    /var/spool/slurpd again.
  * Merged some changes done by Fabio M. Di Nitto for the ubuntu
    distribution (thanks, Fabio!):
    + debian/slapd.{postinst,conf}: Checkpoint BDB databases every 512kb
      or 30 minutes by default.
    + debian/slapd.scripts-common: Make is_empty_dir less noisy on first
      install (cosmetic).
  * Applied some changes suggested by Ondrej Sury:
    + debian/rules: Add MAKEVARS variable and set datadir =
      /usr/share/libldap2.2/ucdata instead of changing build/top.mk as
      suggested.
    + debian/move_files: Install /usr/share/libldap2.2 into libldap2.2
      and remove duplicate ldap.conf manpage.
    + debian/control: Let libldap2.2 dependon libldap2 for config files.
  * Also in Ondrej's patch:
    + doc/man/man8/slapd.8: Refer to slapd.conf instead of ldap.h for
      loglevel documentation. Changed by ubuntu? I don't know...
  * debian/slapd.README.Debian: Update TLS/SSL information.

 -- Torsten Landschoff <torsten@debian.org>  Fri, 25 Feb 2005 14:44:59 +0100

openldap2.2 (2.2.23-0.pre1) experimental; urgency=low

  * Merge new upstream release 2.2.23.
  * Change name of source package to openldap2.2.
  * configure.in: Fix AC_LIBOBJ for configure2.50.
  * Run libtoolize, aclocal-1.4 and autoconf2.50 to get a working
    configure script.
  * debian/slapd.init: Output failure reasons using "$failure" so that
    no glob substitution is done. Had a hard time grokking why slapd
    would mention the contents of the current directory in its error
    message...
  * debian/rules: Disable building -dev packages as we don't want
    other packages to link against the new libraries before sarge.
    Remove the binary-indep target from the binary dependends list.
  * debian/control: Move packages that are no longer build into control-dev.
  * debian/configure.options: Build against OpenSSL with --with-tls
    (this can only be done for slapd itself, we need GnuTLS support
    before enabling this for libldap2.2-dev).
  * debian/control: Update build dependencies for libdb4.3 and OpenSSL.

 -- Torsten Landschoff <torsten@debian.org>  Wed, 23 Feb 2005 19:29:38 +0100

openldap2 (2.2.18-0.pre2) experimental; urgency=low

  * debian/check_config: Make sasl2 check more robust against file
    format changes in config.status.
  * debian/libldap2.shlibs: Remove.
  * Update configure script using libtoolize, aclocal-1.4 and autoconf2.50
    to fix wrong shared library dependency in libldap2.2 (depended on
    libldap2 by linking against the system's liblber).
  * debian/libldap2.README.Debian: Move to libldap2.2.README.Debian.
  * Lintian cleanup:
    + Run debconf-updatepo for debian/rules clean and manually as
      requested.
    + Update config.guess and config.sub in debian/rules clean as well.
      First update done.
    + debian/rules (install): Fix the manpage section of the admin commands
      from 8C to 8.
    + debian/rules (binary-arch): Run dh_fixperms to fix the permissions
      on shared libraries.

 -- Torsten Landschoff <torsten@debian.org>  Thu, 13 Jan 2005 11:53:28 +0100

openldap2 (2.2.18-0.pre1) experimental; urgency=low

  * New upstream release.
  * Disable TLS for now.
  * debian/rules: Don't run autoheader and autoconf.
  * debian/configure.options: Recreated and updated for new setup.
  * debian/rules: Move slapd, slurpd from /usr/lib to /usr/sbin.
  * Rename library packages to include the OpenLDAP version.
  * Remove /etc/ldap/ldap*.conf from libldap2.2 to avoid clash with
    libldap2. Also add Replaces entry for libldap2 to allow overwriting
    for now. Needs fixing...
  * Instead of moving slapd from /usr/lib to /usr/sbin create a symlink.
    Seems like slapadd etc. are now all included in the slapd binary
    and all link to its binary.
  * debian/rules: Run dh_link for arch dependend packages.
  * configure: Fix broken libdb checking which forced static building of
    back-bdb.
  * debian/slapd.conf: Fix access directive to use "attrs=" instead of
    "attribute=" which wasn't officially supported anyway.

 -- Torsten Landschoff <torsten@debian.org>  Wed,  3 Nov 2004 09:57:14 +0100

openldap2 (2.1.30-3) unstable; urgency=high

  * Urgeny high since previous releases were hardly usable (at least
    with TLS).
  * Roland Bauerschmidt <rb@debian.org>
    + libraries/libldap/gnutls.c, libraries/libldap/tls.c,
      include/ldap_pvt_gnutls.h: Use callback with
      gnutls_certificate_set_params_function to generate dh_params and
      rsa_params (this is also the way, it's done with OpenSSL). We need
      GNUTLS 1.0.9 for this. With the new version of libgcrypt, we also
      need to initialize threading explicitly. The previous
      segmentation faults resulted from the *global* param structure
      being recreated and freed for every session. Many thanks to
      Matthias Urlichs who helped debugging a lot and also packaged
      GNUTLS 1.0.16 very quickly... Closes: #244827.
    + debian/control: Add build dependency to libgcrypt11-dev (we're
      initializing it directly now) and change libgnutls10-dev to
      libgnutls11-dev.
    + libraries/libldap/gnutls.c: in tls_gnutls_need_{dh,rsa}_params
      (formerly ldap_gnutls_need_...), create temp files more securely,
      doing unlink before opening and opening them with O_EXCL. This is
      necessary because under Linux 2.6 all threads have the same PID.
      Thanks to Andrew Suffield for pointing this out.
    + debian/slapd.cron.daily: cron job to remove GNUTLS rsa_export and
      dh param cache files every day.
    + debian/slapd.README.Debian: add note that we use GNUTLS rather
      than OpenSSL.

 -- Roland Bauerschmidt <rb@debian.org>  Mon, 26 Jul 2004 18:41:23 +0200

openldap2 (2.1.30-2) unstable; urgency=low

  * Roland Bauerschmidt <rb@debian.org>
    + debian/slapd.scripts-common: add missing space before !
      Closes: #251036, #253633, #257513.
  * Torsten Landschoff <torsten@debian.org>
    + Applied patch by Ralf Hack to support non-standard config file
      location in /etc/default/slapd (closes: #229195).
    + Applied patch to fix handling of abandoned commands
      (closes: #254183). Thanks to Peter Marschall for submitting it.
    + Applied patch to fix memory leak after search (closes: #254184).
      Thanks again, Peter!
    + Applied trivial patch to support logging to DAEMON facility
      as well as LOCAL* (closes: #254186). Here you are, Peter ;)

 -- Roland Bauerschmidt <rb@debian.org>  Fri, 09 Jul 2004 15:56:06 +0200

openldap2 (2.1.30-1) unstable; urgency=low

  * Torsten Landschoff <torsten@debian.org>:
    + debian/control: Have slapd conflict with libltdl3 version 1.5.4-1
      as with that version loading of .so files is broken which breaks
      slapd (closes: #249152).
    + Applied patch to fix Perl backend (closes: #245347). Kudos
      to Peter Marschall.
    + debian/configure.options: Enable building of Perl backend.

  * Roland Bauerschmidt <rb@debian.org>
    + debian/slapd.templates: replace 'domain' with 'DNS domain name'
      which is little more specific
    + debian/slapd.config: check if the domain has a valid syntax to
      prevent slapadd from failing. Closes: #235749.
    + New upstream version with fix for NS-MTA-MD5 hash length
      checking. Closes: #226583.

 -- Torsten Landschoff <torsten@debian.org>  Mon, 24 May 2004 23:33:21 +0200

openldap2 (2.1.29-2) unstable; urgency=low

  * Roland Bauerschmidt <rb@debian.org>
    + debian/rules: Revert change to install ldapadd as symlink.
      Somehow, with that change, ldapadd didn't get installed at all.
      Closes: #243537.

 -- Roland Bauerschmidt <rb@debian.org>  Tue, 13 Apr 2004 19:49:55 +0200

openldap2 (2.1.29-1) unstable; urgency=low

  * Stephen Frost <sfrost@debian.org>
    + libraries/gnutls.c: Generate and store RSA/DH parameters,
      based off a patch by Petr Vandrovec (though changed alot).
      Closes: #234639, #234593

  * Roland Bauerschmidt <rb@debian.org>
    + Merged new upstream release.
    + debian/slapd.prerm: add #DEBHELPER# token.
    + debian/control: have slapd depend on debconf (>= 0.5) to ensure
      it supports the seen flag.
    + debian/rules: ldapadd is installed as a hardlink to ldapmodify;
      use a symlink instead.
    + debian/slapd.{scripts-common,postinst,preinst,config}: Add new
      function read_slapd_conf that evaluates include statements.

 -- Torsten Landschoff <torsten@debian.org>  Mon, 12 Apr 2004 15:27:55 +0200

openldap2 (2.1.26-1) unstable; urgency=low

  * Torsten Landschoff <torsten@debian.org>:
    + Merged new upstream release.
    + debian/slapd.templates (slapd/purge_database): Set default value to
      false.
    + debian/slapd.config (manual_configuration_wanted): Don't exit
      from the script directly if the user wants to configure
      slapd manually (exit 0 -> return 0).
    + Build-depend on libgnutls10-dev instead of libgnutls7-dev and
      rebuild (closes: #233833).
    + Move previous content of /var/lib/ldap away during creation of
      an initial directory (closes: #228886, #233512).
    + debian/slapd.postrm: Remove flag files in /var/lib/slapd on purge.
    + Removed functionality (verbose error messages) from gnutls.c until
      it compiled with libgnutls10-dev :-((
    + debian/slapd.postinst: Overwrite existing /etc/ldap/slapd.conf (only
      reached during initial installation/dpkg-reconfigure).

 -- Torsten Landschoff <torsten@debian.org>  Mon, 23 Feb 2004 09:36:32 +0100

openldap2 (2.1.25-1) unstable; urgency=low

  * Roland Bauerschmidt <rb@debian.org>:
    + New upstream version.
      - Build against libdb4.2. Hopefully, this resolves the BDB
        lock ups when configured improperly.
    + debian/control: Have ldap-utils depend on the same version of
      libldap2, and libldap2 conflict with ldap-utils (<= 2.1.23-1).
      Closes: #216661.
    + debian/slapd.{templates,config}: Check if there are slave
      databases in slapd.conf lacking an updateref option, and warn
      about it. Closes: #216797.
    + debian/slapd.{templates,config,postinst,conf}: Ask which
      database backend to use (BDB or LDBM).
    + debian/slapd.README.Debian: cleanup
    + servers/slapd/back-bdb/dbcache.c: Turn off subdatabases. This
      is an incompatible database format change, but according to
      Howard Chu "using them (subdatabases) is known to cause deadlocks
      on multiprocessor machines, among other issues."
    + debian/control: add Recommends: db4.2-util to slapd
    + debian/control: add Recommends: libsasl2-modules to slapd and
      ldap-utils. Closes: #224058.
    + debian/slapd.{scripts-common,preinst,postinst}: Extended dump
      and restore code to deal with different versions for different
      backends.
    + debian/control: Geez, centipede seems to have vanished a long
      time ago. So don't claim it's included in the slapd package.
    + debian/slapd.docs: created with servers/slapd/back-sql/
      rdbms_depends. Closes: #225807.

  * Torsten Landschoff <torsten@debian.org>:
    + debian/move_files: Install slappasswd into ldap-utils instead
      of slapd as it's useful without slapd as well (closes: #228705).
    + debian/control: Make ldap-utils Replaces: slapd < 2.1.25 because
      of that change.
    + debian/control: Use libdb4.2-dev instead of libdb4.1-dev as a
      number of problems seem to be related to DB 4.1.

 -- Torsten Landschoff <torsten@debian.org>  Fri,  6 Feb 2004 20:48:22 +0100

openldap2 (2.1.23-1) unstable; urgency=low

  * Roland Bauerschmidt <rb@debian.org>:
    + New upstream version.
    + Applied fix for admin password breakage from Michael Beattie
      <mjb@debian.org>. Closes: #214270.
    + Added Dutch Debconf template translation by cobaco@linux.be.
      Closes: #215373.
    + Bumped Standards-Version (no changes needed).

  * Torsten Landschoff <torsten@debian.org>:
    + debian/move_files: Install slappasswd into ldap-utils instead
      of slapd (closes: #228705).

 -- Roland Bauerschmidt <rb@debian.org>  Sat, 18 Oct 2003 19:56:54 +0200

openldap2 (2.1.22-3) unstable; urgency=low

  * Call perl -w to run debian/dh_installscripts-common. Closes: #214054.

 -- Roland Bauerschmidt <rb@debian.org>  Sat,  4 Oct 2003 14:22:11 +0200

openldap2 (2.1.22-2) unstable; urgency=high

  * Stephen Frost <sfrost@debian.org>
    + servers/slapd/daemon.c: Apply patch from head for select handling.
    + debian/rules: Fix build options to optimize correctly and to use
      DEB_BUILD_OPTIONS (Policy, 10.1). Closes: #202306
    + debian/slapd.conf: Add in ACL for root DSE explicitly.
    + debian/slapd.init: Add --oknodo in stop_slurpd. Closes: #202592
    + debian/rules: Need quotes around $(CFLAGS) on configure line.
    + debian/slapd.init: Remove \'s before quotes around pidfile.
    + debian/slapd.init: Add support for -h slapd flag. Closes: #201991
    + debian/slapd.default: Add variable $SLAPD_SERVICES for slapd -h.
    + libraries/libldap/tls.c: Apply patch from asuffield in #202741 to
      fix subjectAltName usage.  Closes: #202741

  * Torsten Landschoff <torsten@debian.org>:
    + Fix invocation of "head" in maintainer scripts and replace usage of
      [ foo -a bar ] by [ foo ] && [ bar ] (closes: #203292).
    + debian/slapd.postrm: Small cleanup, only remove the directory, not
      the backups, on purge.
    + debian/rules: Don't run the upstream install target if we did not
      rebuild the whole tree. Makes debugging maintainer script much more
      tolerable.
    + debian/slapd.config: Cleaned up and restructured for readability.
    + debian/slapd.templates: Replaced the invalid_suffix template with
      invalid_config which is more general and can be used for any
      inconsistency in the initial configuration.
    + debian/slapd.postinst: Rewritten to eliminate all that spaghetti.
      Did not yet implement all old features again...
      - Now the #DEBHELPER# part is always reached so that the daemon
        will be restarted even if no automatic configuration is wanted
        (closes: #204008).
    + Fixed the undefined symbols in libldap_r.so.2 (closes: #195990).
    | configure.in: Try -lpthread before -pthread to link the thread
      library. libtool does not pass -pthread through, -lpthread seems
      to work though.
    | libraries/libldap_r/Makefile.in: Add $(LTHREAD_LIBS) to
      UNIX_LINK_LIBS so that pthread is linked when creating a shared library
      as well.

  * Roland Bauerschmidt <rb@debian.org>:
    + debian/configure.options: change --localstatedir=/var/lib to
      --localstatedir=/var/run. Since localstatedir isn't used anywhere
      in the code, except for the ldapi socket (and examples in the
      manpages which are correct at the moment anyway), all this change
      does should be changing the default location of the ldapi socket
      from /var/lib/ldapi to /var/run/ldapi. Closes: #160965.
    + libraries/libldap/tls.c: In get_ca_list, walk through CACERTDIR
      manually if building against GNUTLS (since there is no equivalent
      to SSL_add_dir_cert_subjects_to_stack). Closes: #205609.
    + debian/slapd.preinst: create /var/backups/ldap/$oldver with
      permissions 0700. Also change permissions for /var/backups/ldap
      to 0700 if it already exists. Closes: #209019.
    + Added Japanese translation of Debconf templates by Kenshi Muto
      <kmuto@debian.org>. Closes: #210731.
    + debian/slapd.{postinst,preinst,config}: Replaced duplicate
      implementations of the same functions with one version and moved
      those into debian/slapd.scripts-common which will be included by
      debian/dh_installscripts-common.
    + debian/slapd.preinst: before dumping the database, check if the
      backend is supported
    + debian/slapd.postinst:
      - add -q to grep call for allow bind_v2
      - readded pre-2.1 (woody) upgrade path (that is, dumping, fixing
        and reimporting the database)

 -- Roland Bauerschmidt <rb@debian.org>  Fri,  3 Oct 2003 15:35:29 +0200

openldap2 (2.1.22-1) unstable; urgency=low

  * Stephen Frost <sfrost@debian.org>:
    + New upstream version (minor changes).
    + debian/control: Change build-deps to autoconf2.13, Closes: #201482
    + debian/rules: Add dh_compress -i for binary-indep.
    + debian/slapd.postinst: Give variable for read (avoids bashism).
    + configure/.in: Use upstream's version of back-meta/back-ldap fix.

 -- Stephen Frost <sfrost@debian.org>  Wed, 16 Jul 2003 08:42:23 -0400

openldap2 (2.1.21-2) unstable; urgency=low

  * Stephen Frost <sfrost@debian.org>:
    + debian/slapd.preinst: slapcat here if possible, if slapcat not
      available then slapcat in postinst.  Also remove old unused
      function.
    + debian/slapd.postinst: Check if slapcat in preinst worked and use
      those results in preference.  Also moved to using /var/backups/ldap.
    + servers/slapd/daemon.c: Provide more information on socket/bind
      failures. Patch submitted upstream. Closes: #94967.
    + ./configure, ./configure.in: Fix check for back_ldap in back_meta.
      back_ldap now included as module.  back_ldap and back_meta appear
      to load fine, though order may matter.  Closes: #196995.
    + debian/control: Add versioned Depends on perl, need recent version
      for migration script.
    + debian/slapd.{pre,post}inst: Allow for whitespace in postinst
      before database definitions
    + debian/control: Drop the libldap2-dev Depends that aren't actually
      necessary.
    + debian/slapd.preinst: Add create_sed_script to create the script to
      deal with multi-line commands in slapd.conf.  Modify things to use
      sed script to preprocess slapd.conf before using it.  Remove
      support for whitespace preceeding commands.
    + debian/slapd.postinst: Add create_sed_script here too and modify
      everything to use it as necessary.  Also change everything to
      reference $SLAPD_CONF instead of /etc/ldap/slapd.conf everywhere.
      Remove support for whitespace preceeding commands.
    + debian/slapd.postinst: Removed all tabs.  Changed all sed scripts
      to used [:space:] instead of [space tab].
    + debian/slapd.postinst: Removed debugging statements from ldap_v2
      support handling code.
    + debian/slapd.preinst: Changed to use mktemp for sed script.
    + debian/slapd.postinst: Changed to use mktemp for sed script.
    + debian/slapd.config: If no hostname set just use debian.org.
    + contrib/ldapc++/config.{sub,guess}: Resync back to upstream, no
      reason not to, we don't even build this stuff...
    + debian/control: Change build-depends to libgnutls7-dev instead of
      libssl-dev.
    + debian/rules: Now run autoconf && autoheader to pick up on the
      configure.in changes needed for GNU TLS.
    + debian/copyright: Added Steve Langasek (SL) copyright statement.
    + Patch from Steve Langasek for GNU TLS support, Closes: #198553
    | include/ldap_pvt_gnutls.h: Added for GNU TLS
    | configure.in: Now uses GNU TLS where available.
    | servers/slapd/schema_init.c: Modified for GNU TLS- some functions
      removed because GNU TLS layer does not support them yet.
    | build/install-sh: Added for new autoconf.
    | libraries/libldap/Makefile.in: Changed to compile GNU TLS portions.
    | libraries/libldap/getdn.c: Stub function added, GNU TLS layer does
      not support TLS certificates for authentication yet.
    | libraries/libldap/tls.c: Now calls GNU TLS functions instead of
      OpenSSL.
    | libraries/libldap/gnutls.c: Added to support GNU TLS in place of
      OpenSSL for TLS connections.
    | libraries/libldap_r/Makefile.in: Changed to compile GNU TLS portions.
    + debian/slapd.postinst: remove temp file if upgrading or doing a
      reconfigure but the OLDSUFFIX and basedn match so that we do not
      move an empty file overtop of slapd.conf.  Closes: #190797.
    + debian/slapd.init: Inform user when not starting slapd due to
      no configuration file found.  Deals with users who select to not
      configure slapd during installation.
    + debian/slapd.init: Removed cat <<-EOF and got rid of associated
      tabs; best to not depend on tab vs. space distinction.
    + debian/slapd.config: Change debconf question names to be fully
      qualified in the $var from the for loop- organization is under
      shared/ and domain is under slapd/, not both under slapd/.
    + debian/slapd.postrm: Can not depend on debconf being around in
      postrm so check before attempting to source it.  Also protect
      against failure from db_get.
    + debian/slapd.postinst: Check for old directory and move it out
      of the way if it exists on new configure or reconfigure.
    + debian/slapd.postinst: Fix db_input's for error messages,
      should be high priority and need to || true them.
    + debian/slapd.postinst: Do not error exit once we've told the
      user about the problem, if there was one, with slapcat/slapadd.
    + debian/slapd.postinst: Make sure we get the organization before
      we attempt to fix_ldif on old slapcat output.  Default to unknown
      if the organization is not set.
    + debian/slapd.postinst: Be sure that slapd has been stopped before
      attempting to fix and slapadd old slapcat.
    + debian/slapd.postinst: Do not use --exec with s-s-d in postinst.
    + debian/slapd.postinst: grep calls need to be || true'd when no
      matching lines found is possible (this case is handled).
    + debian/slapd.postinst: Be very sure slapd has stopped before
      attempting to upgrade database.
    + debian/slapd.preinst: Use either the pidfile or exec if pidfile
      is not available when stopping.  Do not put \"\" around pidfile.
      Use $oldver instead of $2.
    + debian/slapd.config: Reask questions on a reconfigure.  Use the
      same logic as slapd.postinst for when to ask questions regarding
      the db.  Be sure to db_go after db_input's.
    + debian/slapd.templates: Fix allow_bind_v2 short description to
      make more sense since the default is off.
    + debian/slapd.preinst: Use perl instead of sed for handling conf.
    + debian/slapd.postinst: Use perl instead of sed for handling conf,
      use old sed method to insert \n's, user invoke-rc.d when slapd
      needs to be stopped.  Assume preinst shuts slapd down for upgrade.
    + debian/slapd.postinst: Only stop slapd on reconfigure.

  * Torsten Landschoff <torsten@debian.org>:
    + doc/man/man8/slapd.8: Refer to slapd.conf(5) for a description of
      the debugging level (closes: #176980).
    + debian/move_files: Kill of the static archives of our backend
      modules as they are of absolutely no use.

  * Steve Langasek <vorlon@debian.org>:
    + debian/slapd.postinst: Add a new function, get_database_list, that
      prints out the list of configured databases from slapd.conf
      one row at a time. Move all of the upgrade handling into a
      loop, and iterate through the configured databases.  Since the
      while loop is in fact a subshell, be sure to handle errors
      correctly.  We also have to look at the configured directory
      for each database, instead of assuming /var/lib/ldap.
      Closes: #190155, #190156.
    + debian/slapd.preinst: Simplify the handling of error status: if
      the slapcat fails, just remove the ldif file.  Also, add the
      suffix to the name of the output file, and add the
      get_database_list function here as well.

  * Roland Bauerschmidt <rb@debian.org>:
    + debian/rules: call dh_makeshlibs with -plibldap2 rather than just
      with libldap2
    + debian/slapd.postinst: Add question about no configuration.
    + debian/slapd.templates: Add template for no config question.
    + debian/slapd.templates: Add template for invalid suffix.
    + debian/slapd.config: Add no configuration option.  Closes: #87986
    + debian/slapd.config: Complain to the user on invalid domain/org.

 -- Stephen Frost <sfrost@debian.org>  Tue, 15 Jul 2003 12:37:05 -0400

openldap2 (2.1.21-1) unstable; urgency=low

  * Torsten Landschoff <torsten@debian.org>:
    + Merged new upstream release.

  * Stephen Frost <sfrost@debian.org>:
    + debian/control: Add libbind-dev and bind-dev to the conflicts for
      slapd, the libs in them can end up being used even when not
      compiled against causing getaddrinfo() to fail. Closes: #166777
    + debian/copyright: Flush out the copyright file to include all found
      copyrights and updates to those.
    + debian/copyright: Add clarification of MA license
    + debian/copyright: Add clarification of JC license
    + debian/slapd.templates: More clearly inform users of important
      config change.  Closes: #194192.
    + debian/control: Remove patch from build-depends (dpkg-dev depends on it)
    + debian/fix_ldif: Correctly handle base64-encoded DNs.  Closes: #197014.
    + debian/slapd.templates: Added templates for asking about LDAPv2 support
      and telling the user of slapcat/slapadd failures during upgrade.
    + debian/slapd.postinst: Added support for adding LDAPv2 support
    + debian/slapd.postinst: Modified to handle slapcat/slapadd failure.
      In the event of an upgrade failure the database will be left untouched
      and the user notified.  Closes: #192431
    + debian/slapd.postinst: Use ldif_dump_location in more places...
    + debian/slapd.prerm: Check if upgrade failed and assume bad old init.d
      script was used and attempt to shut down slapd with --oknodo in case
      slapd isn't running.  Closes: #193854. (Again)
    + debian/slapd.conf: Add commented out allow line
    + debian/rules: Tell dh_installinit to not touch slapd.prerm now.
    + debian/slapd.postinst: Do a dry-run with slapadd first and check if
      that worked or not.  If it did not work then tell the user, otherwise
      do a real slapadd which should work.
    + debian/slapd.postinst: Make sure slapd is stopped before doing
      slapadd/slapcat's and the like. (Note: The woody version does not
      stop slapd).  Closes: #189777.
    + debian/slapd.postinst: Check if directories exist before attempting
      to mkdir them.  Closes: #189947
    + debian/slapd.README.debian: Add note about runlevel issue.
      Closes: #175736
    + debian/move_files: Copy ldiftopasswd into /usr/share/slapd for users
      to use, if they find it useful.  Closes: #94963.
    + debian/slapd.README.Debian: Added note about ldiftopasswd.

  * Roland Bauerschmidt <rb@debian.org>:
    + debian/slapd.postinst: fixed typos and check for the existence of
      slapd.conf before reading it.

 -- Torsten Landschoff <torsten@debian.org>  Thu, 19 Jun 2003 17:35:32 +0200

openldap2 (2.1.17-3) unstable; urgency=low

  * Stephen Frost <sfrost@debian.org>:
    + debian/slapd.init: Add --oknodo for stopping slapd. Closes: #192423, #193854.
    + debian/slapd.init: Change START_SLURPD to SLURPD_START. Closes: #190724.
    + debian/libldap2.shlibs: Bump to 2.1.17- 2.1.12 never hit the archive.
      These should only be bumped when new symbols are added so we should
      figure out a way to handle checking that.
    + debian/slapd.dirs: Added /var/run/slapd for pidfile
    + debian/slapd.conf: Moved pidfile to /var/run/slapd; Needed if running
      non-root.
    + debian/slapd.conf: Clean up config file, be more explicit about what
      directives are 'general', 'backend', and 'database'.  Moved and
      commented out 'replogfile' since it is database specific, wasn't doing
      anything where it was and use of it depends on slurpd usage.
      I consider this solving #151511 since we don't ask if you want to use
      replication anymore anyway. Closes: #151511
    + debian/copy_slapd_dev_files: Added to copy the include files for
      building slapd back-ends.
    + debian/control: Add warning about libslapd2-dev
    + debian/control: Add build-depend on po-debconf for dh_installdebconf
    + debian/slapd.default: Add option for settings SLAPD_CONF file
    + debian/slapd.init: Changed to use SLAPD_CONF, setting it to
      /etc/ldap/slapd.conf if it is not specified. Closes: #91318
    + debian/control: Added libslapd2-dev to control file. Closes: #192163.
    + debian/rules: Added binary-indep to the binary: build line and flushed
      it out to build the libslapd2-dev deb.  Added -k to dh_clean since we're
      building arch and indep debs now.
    + Maintainer upload, acknowledge NMU. Closes: #98039.
    + Add debian/po/fr.po from 194740.  Closes: #194740
    + Add space before ']' on line 113 of postinst. Closes: #194192, #194943

  * Torsten Landschoff <torsten@debian.org>:
    + debian/control: Enforce libldap2 to be the same version as slapd
      as slapd (legitimately) uses internal functions of that library
      (closes: #190164).
    + debian/slapd.postinst: Fix the regexp for finding the database
      definitions.

  * Steve Langasek <vorlon@debian.org>:
    + debian/slapd.preinst: don't use debconf or ldapsearch in the
      preinst, as this is a policy violation (even if a previous
      version was installed, it could've been removed-but-not-purged).
      Closes: #189811, #195029.
    + debian/slapd.{pre,post}inst: dump & fix up the directory in the
      postinst, not in the preinst -- using slapcat/slapadd, not
      ldapmodify.  This ensures that the dump will succeed whenever the
      database is present, rather than depending on access to an admin
      dn.  Closes: #190085.
    + debian/fix_ldif, debian/move_files, debian/copyright: add Dave
      Horsfall's dn-fixing script, to handle objectClass upgrading
    + debian/slapd.postinst: Skip the duplicate prompting for the
      organization name; we're guaranteed to always have one.

 -- Torsten Landschoff <torsten@debian.org>  Fri,  6 Jun 2003 16:56:16 +0200

openldap2 (2.1.17-2) unstable; urgency=low

  * The who-says-slavery-is-dead upload.
  * Steve Langasek <vorlon@debian.org>:
    + debian/slapd.postinst: Fix the database regexp.
    + debian/slapd.postinst: Only add moduleload lines *once* on upgrade
      from 2.0.  Wrap the backup code with a check for
      /var/lib/slapd/upgrade_2.0, to guarantee idempotency.
      Closes: #190401.
    + debian/slapd.{config,templates,postinst}: On dpkg-reconfigure,
      don't wipe out an existing config; only merge in any requested
      changes.  Also, prompt before wiping out the existing db.
      Closes: #190799.
    + debian/slapd.{postinst,examples},debian/rules: Move slapd.conf
      from doc/slapd/examples to /usr/share/slapd, per policy.
    + debian/slapd.postinst: make sure slapd.conf is always created
      atomically.
    + debian/slapd.postrm: If removing databases on package purge,
      remove any database backups as well.

  * Torsten Landschoff <torsten@debian.org>:
    + debian/configure.options: Disable ACIs because they are still
      experimental.
    + debian/control: Change section and priority of libldap2-dev to
      libdevel and extra respectively (dinstall message).
    + debian/slapd.preinst: Only query the object classes of the root
      dn if there was no error parsing the config.
    + Update templates for po-debconf using the patch submitted by
      Andre Luis Lopes (closes: #189933).
    + Use [[:space:]] instead of [\t ] in sed invocations since the
      latter does not seem to work (reported by Daniel Lutz).
    + debian/control: Add Replaces: entry for openldapd since ldif.5.gz
      was included in the potato package of that name (closes: #190660).
    + debian/control: Tighten the build dependency on libtldl3-dev as
      versions before 1.4.3 required the .la file for dynamic binding
      (thanks to Josip Rodin for pointing this out).

 -- Torsten Landschoff <torsten@debian.org>  Sat, 19 Apr 2003 02:28:32 +0200

openldap2 (2.1.17-1) unstable; urgency=low

  * New upstream release.
  * Torsten Landschoff <torsten@debian.org>:
    + debian/slapd.init: Improve the error reporting. If nothing is output
      by the failing command don't leave the user alone but print a hint
      to look into the logfile etc.
    + debian/control: Require at least version 2.1.3 of libsasl2-dev
      as this is what the configure script checks for. Pointed out by
      Norbert Tretkowski.
    + debian/slapd.{pre,post}inst: Small cleanups, added some comments,
      adapted for the removal of the .la files in slapd package.

 -- Torsten Landschoff <torsten@debian.org>  Sat, 19 Apr 2003 01:59:26 +0200

openldap2.1 (2.1.16-1) unstable; urgency=low

  * New upstream release.
    + build/top.mk: Remove patch to omit "-static" at linking time. Upstream
      now respects the --enable-shared flag used at configuration time.
    + debian/slapd.postinst: Automagically add the module load directives
      after upgrade as needed.
    + debian/slapd.config:
      - Only ask questions to create a new directory on fresh install.
      - Ask wether the right modules should automatically be loaded in
        slapd.conf.
    + debian/slapd.templates: Add the templates for autoloading modules
      and fixing the directory.
    + debian/slapd.preinst: New script to support upgrading from 2.0.
      The old prerm did not stop the daemon so we have to do it here.
      Also a first attempt to fix broken LDAP directories not acceptable
      to 2.1.
      - Conditionally load debconf when upgrading as it only has to
        be available in that case.
    + debian/slapd.preinst: Dump database before upgrade.
    + debian/slapd.postinst: Recreate database from dump after upgrade.
      Move old database out of the way.

  * Roland Bauerschmidt <rb@debian.org>
    + debian/slapd.README.Debian: mention that backend database modules are
      now compiled as shared objects

  * Stephen Frost <sfrost@debian.org>
    + debian/slapd.conf: Drop the '.la' file extension
    + debian/move_files: Drop and rm the .la files, they aren't necessary.
    + debian/slapd.README.Debian: Dropped the .la from the module_load line.
    + servers/slapd/daemon.c: check slapd_srvurls is not NULL before
      deref; included in upstream CVS.
    + servers/slapd/back-*/init.c: Change the munged symbol names to
      init_module, they do not need to be munged, and cause problems when
      they are and not using .la files (which cause other problems)
    + servers/slapd/module.c: Change to use lt_dlopenext() so we don't
      need the .la files

 -- Torsten Landschoff <torsten@debian.org>  Wed, 26 Mar 2003 20:34:35 +0100

openldap2.1 (2.1.12-1) experimental; urgency=low

  * Initial release of OpenLDAP 2.1 packages. Closes: #167566, #178014.
    - this includes support for the >= and <= operators. Closes: #159078.
    - fixes various upstream bugs. Closes: #171008.

  * Torsten Landschoff <torsten@debian.org>
    - debian/check_config: Added script to check if OpenLDAP was configured
      the way we want it.
    - Don't build special TLS packages anymore - SSL is enabled in the
      stock ldap library. Everything else will just give me more headaches.
    - Build against libsasl2 instead of libsasl1. Closes: #176462.
    - debian/control:
      - Build-depend on debhelper 4.0 as debian/rules uses DH_COMPAT=4.
      - Depend on coreutils | fileutils. Closes: #175704, #185676.
      - Make libldap2 conflict with libldap2-tls which is obsolete now.
    - debian/rules: Move the long list of configure options to a new
      file debian/configure.options and read $(CONFIG) from that file.
    - configure with --enable-aci. Closes: #101602.
    - debian/slapd.init: Rewrite and add comments.
      - Add support for running as non-root (closes: #111765, #157037).
    - servers/slapd/main.c (main): Remove pid file on exit (closes: #162284).
    - servers/slurpd/slurp.h: Change the default spool directory to
      /var/spool/slurpd (avoids passing it via -t in init.d).
    - servers/{slapd,slurpd}/Makefile.in: Install binaries into sbindir
      instead of libexecdir.
    - debian/control: Add Stephen Frost to the Uploaders field. Thanks
      for your help, Stephen!
    - contrib/ldapc++/config.{guess,sub}: Replaced with current files from
      autotools-dev (lintian). Not actually neccessary since this part of
      the package is not currently built but I think this is the best way
      to shut up lintian :)
    - build/mod.mk: Use -m 644 instead of -m 755 in installing shared
      libraries. Shared libraries should not be marked as executable
      (lintian).
    - debian/libldap2.conffiles: Remove, since we are using version 4
      of debhelper which tags everything in /etc as conffile by default.
    - debian/rules: Change the mode of everything upstream installed into
      /etc to 0644 as required by policy (lintian).
    - debian/rules: Call dh_installdeb later in the binary target so that
      the conffiles are already there for listing. Without this nothing in
      /etc gets tagged as conffile... (lintian).
    - debian/rules: Pass the start and stop priority of slapd to
      dh_installinit in preparation for a postinst supported by debhelper.
    - debian/rules: Call dh_installdirs again.
    - Rewrite slapd.config, slapd.postinst, slapd.templates - a first try
      in getting slapd to configure itself. Way to go.

  * Roland Bauerschmidt <rb@debian.org>
    - debian/control:
      - build-depend on libdb4.1-dev instead of libdb4.0-dev
      - conflict, replace, and provide libldap2-tls (libldap2)
      - removed ldap-gateways binary package
      - drop suggestion to obsolete openldap-guide. Closes: #171894, #146968.
    - debian/rules:
      - build with BDB backend
      - run dh_installdeb
      - only run dh_makeshlibs for libldap2
    - debian/slapd.dirs: added to create /var/lib/ldap and /var/spool/slurpd
    - debian/slapd.postinst:
      - properly remove temporary files on errors. Closes: #160412.
      - install init.d link if slapd.conf already exists. Closes: #159542.
      - run db_stop even if package isn't configured for the first time. This
        prevents hanging during upgrades.
    - added debian/slapd.default and use it from debian/slapd.init.
      Closes: #160964, #176832.
    - added debian/slapd.README.Debian
    - added versioned dependency on coreutils to make lintian quiet.
    - added debian/slapd.postrm
      - remove slapd.conf when package is purged
      - remove /var/lib/ldap when slapd/purge_database is true
      - remove /etc/ldap/schema if empty. Closes: #185173.
    - debian/templates: added slapd/purge_database template
    - build/top.mk: link against libcrypt before other SECURITY_LIBS
    - debian/libldap2.shlibs: tighten dependencies. Closes: #181168.

  * Stephen Frost <sfrost@debian.org>
    - debian/control: added libltdl2-dev and libslp-dev to the build-depends
    - Correct typo for back-sql init routine; already in OpenLDAP upstream
      CVS
    - Correct free of SASL interact results; already in OpenLDAP upstream CVS
    - Duplicate the DN from SASL to ensure '\0' termination; already in
      OpenLDAP upstream CVS
    - debian/control: added Replaces: slapd (<< 2.1) for ldap-utils due to
      ldif.5 move.
    - Add modulepath /usr/lib/ldap to default slapd config
    - Add moduleload back_bdb to default slapd config
    - Changed libexecdir to ${prefix}/lib
    - Add usr/lib/ldap to slapd portion of move_files
    - Modified backend types to be built as modules for dynamic loading
    - Fixed pt_BR translation

 -- Roland Bauerschmidt <rb@debian.org>  Sat, 15 Mar 2003 21:35:24 +0100

openldap2 (2.0.27-3) unstable; urgency=high

  * [SECURITY]: Apply the patch used by SuSE in SuSE-SA:2002:047
    (or rather the parts of it not yet included upstream).

 -- Torsten Landschoff <torsten@debian.org>  Fri, 20 Dec 2002 04:47:15 +0100

openldap2 (2.0.27-2) unstable; urgency=low

  * debian/control: Make libldap2-dev depend on libssl-dev and
    libsasl-dev, since those libs are pulled via the libldap.la file
    (closes: #164791).
  * debian/control: Add shlibs:Depends to libldap2-tls as well. Most
    of those depends are pulled via libldap2 but of course libssl
    is not among those. (closes: #169950).
  * debian/libldap2-tls: Remove old divertions on "configure" and not
    on "upgrade" - the latter is not really called.

 -- Torsten Landschoff <torsten@debian.org>  Fri, 22 Nov 2002 00:35:29 +0100

openldap2 (2.0.27-1) unstable; urgency=low

  * New upstream release.

 -- Torsten Landschoff <torsten@debian.org>  Wed,  6 Nov 2002 01:12:06 +0100

openldap2 (2.0.23-14) unstable; urgency=low

  * debian/rules: Remove search paths from .la files using some perl
    trickery (closes: #110479).
  * debian/libldap2.README.debian: Document the NSS problem which stops /usr
    from being unmounted cleanly when using libnss-ldap (for more info
    see bug#159771).

  * Started cleaning up the maintainer scripts:
    - Remove creation of the /usr/doc symlinks (lintian).
    - Don't run ldconfig in prerm scripts (lintian).

 -- Torsten Landschoff <torsten@debian.org>  Mon, 30 Sep 2002 12:10:05 +0200

openldap2 (2.0.23-13) unstable; urgency=low

  * As Ashley Clark found out the preinst of libldap-tls fails for a new
    install. My fault - I did not check that (removing ldap is cumbersome
    if you are using it... :) and the scripts were only checked without
    "set -e" in effect.
    + debian/libldap2-tls.preinst: Apply Ashley's patch (thanks a lot,
      Ashley. closes: #162123).
    + Coincidently the other installation scripts seem to be okay, the
      failing command is in the middle of a pipe and therefore ignored.

 -- Torsten Landschoff <torsten@debian.org>  Tue, 24 Sep 2002 12:56:18 +0200

openldap2 (2.0.23-12) unstable; urgency=low

  * Apply the patch from upstream ITS#2012 to support MD5 hashes. Problem
    is that OpenSSL comes with its own version of the crypt() function
    which is linked in instead of the system's version from libcrypt.
    The patch changes the link order so that slapd takes the system's
    implementation.
  * debian/rules: Pass --enable-crypt-first to configure to enable the
    patch (closes: #160763).
  * Fix the diversion handling of libldap2-tls:
    - preinst:  Only install diversions that are not there.
    - postrm:   Remove this package's diversions.
    - postinst: Remove obsolete diversions after upgrade.
    - Removal of diversions is done in reverted order of the installation.

  * Enable DNSSRV support as requested by Turbo. No Kerberos for now, sorry.
  * debian/control: Updates Standards-Version to 3.5.7 and fix running
    of ldconfig in maintainer scripts.

 -- Torsten Landschoff <torsten@debian.org>  Mon, 23 Sep 2002 12:18:40 +0200

openldap2 (2.0.23-11) unstable; urgency=low

  * debian/rules: Build with --with-tls (closes: #80591, #155937).
  * debian/control:
    + Add build dependency on libssl-dev.
    + Specify Roland Bauerschmidt as co maintainer.
  * Added the trickery to have libldap2 without TLS and libldap2-tls
    with the TLS stuff. Otherwise we have to change the base system,
    and god knows how long that would take.

    Most of the changes done by Roland Bauerschmidt. We now build the
    source two times - with and without ssl. We mostly use the ssl enabled
    stuff with the exception of a libldap2 package which does not have
    support for that. If you need TLS support you have to install
    libldap2-tls, which diverts the libraries from libldap2 out of the
    way and replaces them with the TLS enabled version.

 -- Torsten Landschoff <torsten@debian.org>  Thu, 29 Aug 2002 13:35:39 +0200

openldap2 (2.0.23-10) unstable; urgency=low

  * debian/control: Build depend on libdb4.0-dev instead of libdb3-dev.
    This should fix the index corruption problems (closes: #152959).

 -- Torsten Landschoff <torsten@debian.org>  Sun, 18 Aug 2002 19:47:02 +0200

openldap2 (2.0.23-9) unstable; urgency=low

  * debian/slapd.init: Wait for the daemons to actually terminate for
    the stop action (which is used for restart) and trap all errors
    (closes: #148033).
  * debian/rules: Build with -D_FILE_OFFSET_BITS=64 to support files
    bigger than 2GB on all architectures (closes: #155197). As off_t is
    about never used in the source that should not create any problems.
  * debian/control: Make libldap2-dev depend on libsasl-dev
    (closes: #135223, #96957).
  * doc/man/man1/ldapmodify.1: Fix typo (closes: #105905).
  * debian/rules: Create symlinks for some manpages (closes: #99547).
  * Fix spelling error in description of ldap-gateways (closes: #124859).
  * debian/copyright: Include the full content of the LICENSE file
    (closes: #151222).

 -- Torsten Landschoff <torsten@debian.org>  Thu,  8 Aug 2002 15:54:46 +0200

openldap2 (2.0.23-8) unstable; urgency=low

  * New maintainer.
  * debian/control: Build-Conflict with libbind-dev to use the right
    resolver library everywhere (closes: #112459). Of course, the
    real solution must be to fix the configure script to not detect
    libbind-dev and use the right resolver all the time. But a work around
    is better than nothing I would say...

 -- Torsten Landschoff <torsten@debian.org>  Wed,  7 Aug 2002 14:53:39 +0200

openldap2 (2.0.23-7) unstable; urgency=low

  * Add Brazilian translation for debconf templates. Closes: Bug#114021
  * Fix hostless LDAP URLs, patch from Lamont Jones. Closes: Bug#140387

 -- Wichert Akkerman <wakkerma@debian.org>  Sat,  4 May 2002 20:05:32 +0200

openldap2 (2.0.23-6) unstable; urgency=high

  * Make slapd.config idempotent, so that calling it once (during
    preconfiguration) and again (during postinst) doesn't break things.
    Patch from Anthony Towns. Closes: Bug#137552).

 -- Wichert Akkerman <wakkerma@debian.org>  Sun, 14 Apr 2002 19:10:50 +0200

openldap2 (2.0.23-5) unstable; urgency=high

  * Fix slurpd invocation in slapd.init. Closes: Bug#141959
  * Ask for admin DN when using LDIF initialization as well.
    Lets hope this finally Closes: Bug#137552
  * Merge German translation for debconf templates. Closes: Bug#141712
  * Add Build-Depends on debconf-utils since we use debconf-mergetemplate
  * Remove bogus error from slapd.init. Closes: Bug#137718

 -- Wichert Akkerman <wakkerma@debian.org>  Tue,  9 Apr 2002 14:49:27 +0200

openldap2 (2.0.23-4) unstable; urgency=high

  * Only show already-configured note on initial installs. Closes: Bug#137100
  * Supply -t option to slurpd when starting it, not when stopping it.
    Closes: Bug#136240
  * Use db_input instead of db_get for notes in the slapd postinst.
  * Only fetch password from debconf when not using ldif initialization.
    Closes: Bug#138558,#137552
  * Check if slapd.conf exists in slapd postinst. Closes: Bug#138136

 -- Wichert Akkerman <wakkerma@debian.org>  Sat,  6 Apr 2002 23:02:42 +0200

openldap2 (2.0.23-3) unstable; urgency=high

  * If can not get a password for the admin entry when installing slapd
    generate one randomly. Closes: Bug#134774
  * Bump shlibs dependency to 2.0.23

 -- Wichert Akkerman <wakkerma@debian.org>  Thu, 21 Feb 2002 23:23:57 +0100

openldap2 (2.0.23-2) unstable; urgency=high

  * Create /var/spool/slurpd and tell slurpd to use that as temporary
    directory. Closes: Bug#134564
  * Improve debconf prompts a bit. Closes: Bug#134945
  * Properly set default value for domain
  * Clear crypted password from debconf after creating the LDAP directory

 -- Wichert Akkerman <wakkerma@debian.org>  Sun, 17 Feb 2002 16:07:18 +0100

openldap2 (2.0.23-1) unstable; urgency=high

  * Upstream updated config.{guess,sub} so we are back to zero patches
    again.
  * Apply fix from Klaus Duscher for the missing password problem: the
    config script did not check if it was run twice without slapd.conf
    being generated in between and would abort with a missing password
    error. Closes: Bug#132566
  * Change slapd priority for boot sequence to start earlier and stop
    later so people can use LDAP for NSS purposes. Closes: Bug#130277

 -- Wichert Akkerman <wakkerma@debian.org>  Sun, 17 Feb 2002 16:07:18 +0100

openldap2 (2.0.22-2) unstable; urgency=low

  * Update config.{guess,sub} again. Closes: Bug#131469

 -- Wichert Akkerman <wakkerma@debian.org>  Thu,  7 Feb 2002 22:33:01 +0100

openldap2 (2.0.22-1) unstable; urgency=low

  * New upstream version
  * Build properly as non-native package

 -- Wichert Akkerman <wakkerma@debian.org>  Wed,  6 Feb 2002 00:17:20 +0100

openldap2 (2.0.21-3) unstable; urgency=high

  * Add logic to config and postinst to configure replication as well
  * Don't fail in slapd postinst if we can't stop slapd. Closes: Bug#131617
  * Change localstatedir to /var/lib
  * Remove /var/lib/ldap when purging slapd
  * Don't remove user-supplied ldif file after creating the directory
  * Set default replogfile
  * Fix typo in severity for no_password note
  * Encrypt admin password and remove it from the debconf database

 -- Wichert Akkerman <wakkerma@debian.org>  Thu, 31 Jan 2002 17:03:36 +0100

openldap2 (2.0.21-2) unstable; urgency=medium

  * Update config.{guess,sub} and forwarded upstream (ITS#1567).
    Closes: Bug#131469
  * Remove -x from slapd postinst. Closes: Bug#131502

 -- Wichert Akkerman <wakkerma@debian.org>  Wed, 30 Jan 2002 10:53:45 +0100

openldap2 (2.0.21-1) unstable; urgency=high

  * New upstream version,
  * Update copyright
  * Update config.guess and config.sub
  * Redone packaging, no more dbs or debhelper
  * Drop all patches, they are either unnecessary or alternatives have
    been made upstream

 -- Wichert Akkerman <wakkerma@debian.org>  Tue, 29 Jan 2002 17:04:10 +0100

openldap2 (2.0.14-1) unstable; urgency=high

  * New upstream version, which includes a billion second bug.
    Closes: Bug#111833
  * Drop 005_libldbm_dbopen, upgrading the database in place no longer works
    with the new db-env code.
  * Redo 008_porting_maxpathlen

 -- Wichert Akkerman <wakkerma@debian.org>  Sat, 15 Sep 2001 13:39:46 +0200

openldap2 (2.0.11-2) unstable; urgency=low

  * Test if /etc/init.d/slapd is executable when purging slapd.
    Closes: Bug#100938
  * Update 008_porting_maxpathlen. Closes: Bug#100584
  * Don't use four11 as referral example anymore. Closes: Bug#99998
  * Fix synopsis of slapindex manpage. Added to 002_man_fixes.
    Closes: Bug#98805
  * Removed stray backup file from 002_man_fixes

 -- Wichert Akkerman <wakkerma@debian.org>  Tue, 19 Jun 2001 01:01:17 +0200

openldap2 (2.0.11-1) unstable; urgency=low

  * New upstream version
  * Add autoconf to Build-Depends. Closes: Bug#99440
  * Fix new db upgrade patch. Closes: Bug#98853

 -- Wichert Akkerman <wakkerma@debian.org>  Sun,  3 Jun 2001 00:25:47 +0200

openldap2 (2.0.10-2) unstable; urgency=low

  * Tighten shlibs dependency to >= 2.0.1-1. Closes: Bug#98683

 -- Wichert Akkerman <wakkerma@debian.org>  Fri, 25 May 2001 16:32:35 +0200

openldap2 (2.0.10-1) unstable; urgency=low

  * New upstream version
  * New maintainer
  * Remove useless LINE_WIDTH bit from patch 000_clients
  * Patch 004_ssl_fix has been merged upstream, removed
  * Redo 005_db3_upgrade
  * Rediff all other patches

 -- Wichert Akkerman <wakkerma@debian.org>  Thu, 24 May 2001 14:56:02 +0200

openldap2 (2.0.7-6) unstable; urgency=low

  * Make sure autoconf is run if configure.in is changed (for Hurd patch),
    closes: #96145
  * Fix slapd.postinst in the case of using an ldif file, closes: #95600
  * Use a var for slapd.conf in slapd init script. Partially fixes bug
    91318.
  * Fixed hurd patch for strrchr in replog.c, closes: #93605

 -- Ben Collins <bcollins@debian.org>  Mon,  7 May 2001 23:00:27 -0400

openldap2 (2.0.7-5) unstable; urgency=low

  * Fixed db3 upgrade code, closes: #92331, #92916
  * m68k should compile fine with db3 now, closes: #90165
  * Included provided patch for Hurd compilation, closes: #88079

 -- Ben Collins <bcollins@debian.org>  Wed,  4 Apr 2001 17:46:47 -0400

openldap2 (2.0.7-4) unstable; urgency=low

  * slapd.conf is no longer a conffile, and not provided by the package.
    Instead, it is only generated. closes: #81359
  * Fixed by previous upload, closes: #71852, #78950, #82491
  * Actually install the netscape schema, closes: #90323
  * Add comment to README.Debian about being compiled with libwrap,
    closes: #84954
  * Provide example sasl config file, closes: #90855
  * Conflict replace openldap-utils (ldap-utils), and libopenldap-dev
    (libldap2-dev), closes: #71471
  * Revert to using some code to upgrade previous db's. Remove slapd's dep
    on db3-util, and remove postinst code that upgrades the db's.

 -- Ben Collins <bcollins@debian.org>  Sat, 24 Mar 2001 21:59:20 -0500

openldap2 (2.0.7-3) unstable; urgency=low

  * netscape-profile.schema: new schema for old roaming support
  * 004_ssl_fix.diff: Fix for SSL support (not compiled in, but some
    people use it).
  * slapd.config: FINALLY fix the "dc=" base bug.
  * Build-Depend on libdb3-dev now that it is available.
  * Now that we use db3, make sure we upgrade existing databases to the
    db3 format with db3_upgrade.

 -- Ben Collins <bcollins@debian.org>  Sun, 11 Mar 2001 23:36:34 -0500

openldap2 (2.0.7-2) unstable; urgency=low

  * slapd.postinst: fix debhelper wraper so it gets the right @argv,
    closes: #71854
  * sendmail appears to be compiled against glibc2.2/libdb2 now,
    closes: #71602
  * %strace ldapsearch cn=admin | & grep /etc | grep ldap
    open("/etc/ldap/ldap.conf", O_RDONLY)   = 3
    closes: #71716
  * ldap_first_attribute.3: s/ber_free(3)/ber_free/. closes: #76719
  * init.d/slapd: fix reference to pidfile, and also remove the pidfile
    after killing the daemon, closes: #77633, #77635
  * Fix fgets buffer size thinko in slurpd. closes: #78003
  * slapd.8: s/ldap.h/slapd.conf(5)/. closes: #80457

 -- Ben Collins <bcollins@debian.org>  Sun, 31 Dec 2000 00:02:46 -0500

openldap2 (2.0.7-1) unstable; urgency=low

  * New upstream
  * Removed hack for shlibs now that dpkg 1.7 is available, added dpkg-dev
    1.7.1 to build-depends.
  * start using DH_COMPAT=2

 -- Ben Collins <bcollins@debian.org>  Fri, 10 Nov 2000 18:53:25 -0500

openldap2 (2.0.2-2) unstable; urgency=low

  * Recompile against libdb2/glibc 2.1.94/sasl

 -- Ben Collins <bcollins@debian.org>  Wed, 27 Sep 2000 11:31:59 -0400

openldap2 (2.0.2-1) unstable; urgency=low

  * New upstream version, includes some patches from me that fix some
    stability issues
  * debian/control:Build-Depends: change libwrap-dev to libwrap0-dev for
    clarity, closes: #71366
  * debian/rules: make sure mail500 docs do not get installed under bogus
    subdirs, closes: #71473
  * debian/README.build,debian/scripts/dbs-build.mk: Fix and document
    build system better, closes: #71584
  * debian/local/slapd.conf: Setup default ACL's to work with openldap2
    correctly, closes: #71127, #71131
  * debian/README: document how to access OpenLDAP 1 servers via
    ldap-utils, closes: #71469
  * debian/rules:CFLAGS: add -I/usr/include/db2 to make sure we get the
    right <db.h> header, closes: #71470
  * I cannot reproduce this. In debian/rules I have done exactly what is
    needed to keep it from happening, and sparc, i386 and powerpc builds
    do not show it, closes: #71472

 -- Ben Collins <bcollins@debian.org>  Wed, 13 Sep 2000 22:32:35 -0400

openldap2 (2.0.1-2) unstable; urgency=low

  * Fixed up depend for libldap2 on itself

 -- Ben Collins <bcollins@debian.org>  Wed,  6 Sep 2000 13:24:06 -0400

openldap2 (2.0.1-1) unstable; urgency=low

  * New upstream version
  * Added libsasl-dev to build-deps, closes: #70923

 -- Ben Collins <bcollins@debian.org>  Tue,  5 Sep 2000 06:49:05 -0400

openldap2 (2.0-1) unstable; urgency=low

  * Initial release of OpenLDAP 2 test code

 -- Ben Collins <bcollins@debian.org>  Tue, 29 Aug 2000 14:28:39 -0400