openldap (2.6.10+dfsg-1) unstable; urgency=medium
* New upstream release.
-- Ryan Tandy <ryan@nardis.ca> Thu, 29 May 2025 16:41:48 -0700
openldap (2.6.9+dfsg-2) unstable; urgency=medium
[ Adriano Rafael Gomes ]
* Update Brazilian Portuguese debconf templates translation
(Closes: #1093449)
[ Ryan Tandy ]
* d/salsa-ci.yml: Switch to including just recipes/debian.yml.
* Fix FTCBFS: use AC_CHECK_TOOLS to detect host-prefixed tools. Thanks to
Helmut Grohne for the patch. (Closes: #1094386)
* d/rules: Add answers for native-only configure checks when cross-building.
Thanks to Helmut Grohne for his input.
* d/salsa-ci.yml: Enable cross-build test job.
* d/control: Annotate slapd's test dependencies with <!pkg.openldap.noslapd>
in addition to <!nocheck>.
* Delete obsolete manual testing scripts:
d/tests/{check_upgradepath,create_account,hammer_slapd}.
* d/rules: Stop including /usr/share/dpkg/buildtools.mk; no longer needed.
* d/control: Update Standards-Version to 4.7.2. No changes needed.
-- Ryan Tandy <ryan@nardis.ca> Tue, 11 Mar 2025 16:27:52 -0700
openldap (2.6.9+dfsg-1) unstable; urgency=medium
* Upload to unstable.
* d/slapd.preinst: Back up config as LDIF before transitioning to OpenSSL.
* d/NEWS, d/slapd.README.Debian:
- Announce the switch to OpenSSL.
- Document behaviour and config settings affected by the change.
* d/control: Declare Standards-Version: 4.7.0.
* d/slapd.service: Delete After=syslog.target. Fixes a Lintian warning
(systemd-service-file-refers-to-obsolete-target).
* Disable flaky tests test063-delta-multiprovider and
test069-delta-multiprovider-starttls. Mitigates #1010608.
* d/rules: Delete override_dh_auto_build target, so that -indep/-arch are
actually used. See #1014334.
* d/slapd.init:
- Fix status_of_proc pidfile argument.
- Fix olcPidFile regexp.
* d/control: Remove inactive team members from Uploaders. Thanks to Torsten
and Steve for their many past contributions.
* d/gbp.conf: Return to master branch.
-- Ryan Tandy <ryan@nardis.ca> Tue, 14 Jan 2025 18:30:51 -0800
openldap (2.6.9+dfsg-1~exp2) experimental; urgency=medium
[ Ryan Tandy ]
* Change TLS library from GnuTLS to OpenSSL.
- d/control: Replace Build-Depends: libgnutls28-dev, nettle-dev with
libssl-dev.
- d/configure.options: Configure --with-tls=openssl.
- d/p/contrib-makefiles: Drop changes to pbkdf2 and smbk5pwd to use
nettle.
- d/p/add-tlscacert-option-to-ldap-conf: Drop patch since the OpenSSL
backend activates the default CAs automatically.
- d/p/ldap-conf-tls-cacertdir: Drop patch since GnuTLS caveats are no
longer applicable.
- d/slapd.README.Debian: Drop GnuTLS caveat.
[ Michael Tokarev ]
* d/control: remove very old (before buster) versioned depends/conflicts
* d/libldap2.README.Debian: remove: umounting /usr is not very interesting
in 2025 (see also #182536)
* remove ldiftopasswd script (it is a rather dangerous example to carry on)
* d/slapd.scripts-common,d/debian/slapd.postinst: do not create
/var/run/slapd (created in the startup script)
* d/slapd.init: stop providing /var/run/slapd/ldapi symlink for compatibility
with openldap 2.1
* d/slapd.init: simplify it significantly
* d/configure-options: enable systemd support (Closes: #1039299 #877512)
* d/slapd.default, d/slapd.init: do not use "export" keyword in the default
file (so it is processed by systemd), but export KRB5_KTNAME in init if set
* d/rules: fix $? usage in clean target
* d/rules: stop overriding dh_missing --fail-missing: it is the default
in dh-compat 13+
* d/rules: only do actual work in arch-dependent build
* d/control: add myself to Uploaders
* d/rules: add -Wno-unused-const-variable to CFLAGS
* d/rules: add LC_ALL=C for the build rule
* d/rules: add slapdS.c to blhc ignore-line
* d/libldap-dev.links: stop generating it, dh is capable to expand variables
* d/rules: fix override_dh_makeshlibs & override_dh_installdeb conditionals
* d/slapd.preinst: remove stopping of slapd
(#989155 in debhelper has been fixed)
* d/rules: build flags & build tools
* d/rules: simplify noslapd build-profile expressions by using noslapd var
* d/rules: export DEB_MAINTAINER only once
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 08 Jan 2025 21:02:34 +0300
openldap (2.6.9+dfsg-1~exp1) experimental; urgency=medium
[ Carles Pina i Estany ]
* Update po-debconf Catalan translation
[ Ryan Tandy ]
* New upstream release.
- Update patch 64-bit-time-t-compat.patch.
- Drop ITS#10253 patch, applied upstream.
* Apply patch from Helmut Grohne to fix cross-building ppm.
(Closes: #1079533)
-- Ryan Tandy <ryan@nardis.ca> Mon, 23 Dec 2024 12:07:55 -0800
openldap (2.6.8+dfsg-1~exp4) experimental; urgency=medium
* Add a superficial autopkgtest to ensure back_perl can be loaded.
* Fix FTBFS on 32-bit architectures. (ITS#10253) (Closes: #1078822)
-- Ryan Tandy <ryan@nardis.ca> Fri, 23 Aug 2024 12:15:12 -0700
openldap (2.6.8+dfsg-1~exp3) experimental; urgency=medium
[ Helmut Grohne ]
* Move systemd drop-in to /usr (DEP17). (Closes: #1073059)
-- Ryan Tandy <ryan@nardis.ca> Wed, 12 Jun 2024 20:12:08 -0700
openldap (2.6.8+dfsg-1~exp2) experimental; urgency=medium
* Ship slapo-nestgroup files in the main slapd binary package.
- d/slapd-contrib.{install,manpages}: Move slapo-nestgroup files to...
- d/slapd.{install,manpages}: ...here.
Thanks to Ryan Tandy for letting me know about this mistake.
-- Sergio Durigan Junior <sergiodj@debian.org> Fri, 31 May 2024 13:30:18 -0400
openldap (2.6.8+dfsg-1~exp1) experimental; urgency=medium
[ Sergio Durigan Junior ]
* d/rules: Anchor DEB_MAINTAINER regexp.
This is needed in Ubuntu because of XSBC-Original-Maintainer.
* New upstream version 2.6.8+dfsg
* d/p/smbk5pwd-implicit-declaration: Remove; fixed upstream.
* d/control: B-D on pkgconf instead of pkg-config.
* d/p/slapd-contrib.{install,manpages}: Install new slapo-nestgroup overlay.
[ Steve Langasek ]
* debian/patches/64-bit-time-t-compat:
handle sizeof(time_t) > sizeof(long) in format strings.
[ Ryan Tandy ]
* Drop transitional package slapd-smbk5pwd. (Closes: #1032742)
* Drop dbgsym migration for slapd-dbg.
The dbgsym transition was done in buster.
* Build and install the ppm module in slapd-contrib. (Closes: #1039740)
* Fix implicit declaration of kadm5_s_init_with_password_ctx.
(Closes: #1065633)
* debian/patches/64-bit-time-t-compat.patch: Refresh patch.
* debian/copyright: Exclude doc/guide/admin/guide.html from
the upstream source.
The tool required to build it from source is not packaged in Debian.
Fixes a Lintian error (source-is-missing).
* Update Swedish debconf translation.
Thanks to Martin Bagge and Anders Jonsson (Closes: #1056955)
* debian/salsa-ci.yml: Enable Salsa CI pipeline.
* debian/copyright: Remove build/missing.
Fixes a Lintian warning (superfluous-file-pattern).
-- Sergio Durigan Junior <sergiodj@debian.org> Thu, 30 May 2024 23:18:02 -0400
openldap (2.6.7+dfsg-1~exp1) experimental; urgency=medium
* New upstream version 2.6.7+dfsg
* d/p/contrib-makefiles: Refresh patch.
-- Sergio Durigan Junior <sergiodj@debian.org> Thu, 01 Feb 2024 16:24:20 -0500
openldap (2.6.6+dfsg-1~exp2) experimental; urgency=medium
* Update debconf translations:
- German, thanks to Helge Kreutzmann. (Closes: #1007728)
- Spanish, thanks to Camaleón. (Closes: #1008529)
- Dutch, thanks to Frans Spiesschaert. (Closes: #1010034)
- Turkish, thanks to Atila KOÇ. (Closes: #1029758)
- Romanian, thanks to Remus-Gabriel Chelu. (Closes: #1033177)
* Create an autopkgtest covering basic TLS functionality.
Thanks to John Scott.
-- Ryan Tandy <ryan@nardis.ca> Wed, 09 Aug 2023 10:10:54 -0700
openldap (2.6.6+dfsg-1~exp1) experimental; urgency=medium
* New upstream version 2.6.6+dfsg
-- Sergio Durigan Junior <sergiodj@debian.org> Mon, 31 Jul 2023 18:24:38 -0400
openldap (2.6.5+dfsg-1~exp1) experimental; urgency=medium
[ Sergio Durigan Junior ]
* New upstream version 2.6.5+dfsg
* d/control: Bump Standards-Version to 4.6.2; no changes needed.
* d/control: Bump debhelper-compat to 13.
* d/control: Drop lsb-base from slapd's Depends.
[ Ryan Tandy ]
* d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the
autopkgtest failure due to heimdal setting mode 700 on this directory.
(Closes: #1020442)
* d/source/lintian-overrides: Add wildcards to make overrides compatible
with both older and newer versions of lintian.
* d/slapd-contrib.lintian-overrides: Remove unused
custom-library-search-path override now that krb5-config no longer sets
-rpath.
* Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path.
(Closes: #1030814)
[ Gioele Barabucci ]
* slapd.scripts-common: Avoid double-UTF8-encoding org name.
(Closes: #1016185)
* d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style`
* d/slapd.postinst: Remove test for ancient version.
* slapd.scripts-common: Remove unused `normalize_ldif`
* d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics`
[ Andreas Hasenack ]
* d/rules: Fix passwd/sha2 build.
Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid
computing an incorrect SHA256 hash with some versions of the compiler
(Closes: #1030716, LP: #2000817)
* d/t/sha2-contrib: add test for sha2 module.
DEP8 test to verify the SHA256 hash produced by passwd/sha2
-- Sergio Durigan Junior <sergiodj@debian.org> Mon, 24 Jul 2023 19:26:16 -0400
openldap (2.6.4+dfsg-1~exp1) experimental; urgency=medium
* New upstream version 2.6.4+dfsg.
-- Sergio Durigan Junior <sergiodj@debian.org> Sat, 04 Mar 2023 16:35:10 -0500
openldap (2.6.3+dfsg-1~exp1) experimental; urgency=medium
* d/rules: Remove get-orig-source, now unnecessary.
* Check PGP signature when running uscan.
* d/watch: Modernize watch file; use repacksuffix.
* d/copyright: Expand Files-Excluded to account for other schemas/ldifs.
* New upstream release.
-- Sergio Durigan Junior <sergiodj@debian.org> Mon, 19 Sep 2022 14:07:32 -0400
openldap (2.6.2+dfsg-1~exp2) experimental; urgency=medium
* Enable SASL/GSSAPI tests
- d/control: Update B-D to include required dependencies needed to run
SASL/GSSAPI tests during build time, and mark them "!nocheck".
Thanks to Andreas Hasenack <andreas.hasenack@canonical.com>
-- Sergio Durigan Junior <sergiodj@debian.org> Thu, 25 Aug 2022 15:16:24 -0400
openldap (2.6.2+dfsg-1~exp1) experimental; urgency=medium
* d/gbp.conf: Prepare to import 2.6.x.
* New upstream version 2.6.2+dfsg
* d/patches/*.patch: Refresh patches.
* Adjust package to ship renamed libldap.
- d/clean: Adjust to remove d/libldap2.links.
- d/control: New binary package libldap2. Remove binary package
libldap-2.5-0. Adjust package relationships (Depends, Replaces) due
to new package. Remove old Conflicts with old ldap-utils.
- d/libldap-2.5-0.install: Delete file.
- d/libldap-2.5-0.symbols: Likewise.
- d/libldap-2.5-0.README.Debian: Rename to...
- d/libldap2.README.Debian: ... this.
- d/libldap2.install: New file, based on d/libldap-2.5-0.install
- d/libldap2.symbols: New file, based on d/libldap-2.5-0.symbols.
- d/slapd.install: Install libslapi.so.2*.
- d/slapd.lintian-overrides: Remove
lacks-unversioned-link-to-shared-library override. Adjust
package-name-doesnt-match-sonames to reflect libslapd2 name change.
* Remove ndb references, given the plugin has been removed upstream.
- d/configure.options: Remove "--disable-ndb".
- d/slapd.manpages: Don't install slapd-ndb.5.
* d/control: Add myself to Uploaders.
* d/README.source: New file with instructions on how to import a new
release.
* d/copyright: Write new copyright file from scratch.
-- Sergio Durigan Junior <sergiodj@debian.org> Fri, 20 May 2022 17:41:04 -0400
openldap (2.5.19+dfsg-1) unstable; urgency=medium
[ Carles Pina i Estany ]
* Update po-debconf Catalan translation
[ Ryan Tandy ]
* New upstream release.
- Drop ITS#10221 and ITS#10253 patches, applied upstream.
* Apply patch from Helmut Grohne to fix cross-building ppm.
(Closes: #1079533)
-- Ryan Tandy <ryan@nardis.ca> Mon, 23 Dec 2024 12:05:58 -0800
openldap (2.5.18+dfsg-3) unstable; urgency=medium
* Fix FTBFS on 32-bit architectures. (ITS#10253) (Closes: #1078822)
-- Ryan Tandy <ryan@nardis.ca> Wed, 21 Aug 2024 20:38:08 -0700
openldap (2.5.18+dfsg-2) unstable; urgency=medium
* Apply upstream patch to fix back-perl linking with libperl.
(ITS#10221, LP: #2072976)
* Add a superficial autopkgtest to ensure back_perl can be loaded.
-- Ryan Tandy <ryan@nardis.ca> Sun, 14 Jul 2024 14:37:43 -0700
openldap (2.5.18+dfsg-1) unstable; urgency=medium
[ Ryan Tandy ]
* New upstream release.
* Drop patch smbk5pwd-implicit-declaration, applied upstream.
[ Sergio Durigan Junior ]
* d/control: B-D on pkgconf instead of pkg-config.
[ Helmut Grohne ]
* Move systemd drop-in to /usr (DEP17). (Closes: #1073059)
-- Ryan Tandy <ryan@nardis.ca> Wed, 12 Jun 2024 19:23:12 -0700
openldap (2.5.17+dfsg-1) unstable; urgency=medium
* New upstream release.
- fixed slapo-dynlist so it can't be global (ITS#10091) (Closes: #1040382)
* debian/copyright: Exclude doc/guide/admin/guide.html from the upstream
source, because the tool required to build it from source is not packaged
in Debian. Fixes a Lintian error (source-is-missing).
* Update Swedish debconf translation. (Closes: #1056955)
Thanks to Martin Bagge and Anders Jonsson.
* debian/salsa-ci.yml: Enable Salsa CI pipeline.
-- Ryan Tandy <ryan@nardis.ca> Fri, 26 Apr 2024 16:09:29 -0700
openldap (2.5.16+dfsg-2) unstable; urgency=medium
* debian/patches/64-bit-time-t-compat: handle sizeof(time_t) >
sizeof(long) in format strings.
-- Steve Langasek <vorlon@debian.org> Tue, 12 Mar 2024 06:26:07 +0000
openldap (2.5.16+dfsg-1) unstable; urgency=medium
[ Ryan Tandy ]
* New upstream release.
- fixed possible null pointer dereferences if strdup fails
(ITS#9904) (Closes: #1036995, CVE-2023-2953)
- fixed unaligned accesses in LMDB on sparc64
(ITS#9916) (Closes: #1020319)
* Update Turkish debconf translation. (Closes: #1029758)
Thanks to Atila KOÇ.
* Add Romanian debconf translation. (Closes: #1033177)
Thanks to Remus-Gabriel Chelu.
* Create an autopkgtest covering basic TLS functionality.
Thanks to John Scott.
* Drop transitional package slapd-smbk5pwd. (Closes: #1032742)
* Drop dbgsym migration for slapd-dbg.
* Build and install the ppm module in slapd-contrib. (Closes: #1039740)
* Fix implicit declaration of kadm5_s_init_with_password_ctx.
(Closes: #1065633)
[ Sergio Durigan Junior ]
* d/control: Bump Standards-Version to 4.6.2; no changes needed.
* d/control: Bump debhelper-compat to 13.
* d/control: Drop lsb-base from slapd's Depends.
* Enable SASL/GSSAPI tests.
Thanks to Andreas Hasenack <andreas.hasenack@canonical.com>
-- Ryan Tandy <ryan@nardis.ca> Fri, 08 Mar 2024 21:46:26 -0800
openldap (2.5.13+dfsg-5) unstable; urgency=medium
* Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path.
(Closes: #1030814)
* Disable flaky test test069-delta-multiprovider-starttls.
-- Ryan Tandy <ryan@nardis.ca> Tue, 07 Feb 2023 17:56:12 -0800
openldap (2.5.13+dfsg-4) unstable; urgency=medium
[ Andreas Hasenack ]
* d/rules: Fix passwd/sha2 build (Closes: #1030716, LP: #2000817)
* d/t/sha2-contrib: add test for sha2 module
-- Ryan Tandy <ryan@nardis.ca> Mon, 06 Feb 2023 19:21:05 -0800
openldap (2.5.13+dfsg-3) unstable; urgency=medium
[ Ryan Tandy ]
* Disable flaky test test063-delta-multiprovider. Mitigates #1010608.
[ Gioele Barabucci ]
* slapd.scripts-common: Avoid double-UTF8-encoding org name (Closes: #1016185)
* d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style`
* d/slapd.postinst: Remove test for ancient version
* slapd.scripts-common: Remove unused `normalize_ldif`
* d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics`
-- Ryan Tandy <ryan@nardis.ca> Fri, 13 Jan 2023 16:29:59 -0800
openldap (2.5.13+dfsg-2) unstable; urgency=medium
* d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the
autopkgtest failure due to heimdal setting mode 700 on this directory.
(Closes: #1020442)
* d/source/lintian-overrides: Add wildcards to make overrides compatible
with both older and newer versions of lintian.
* d/slapd-contrib.lintian-overrides: Remove unused
custom-library-search-path override now that krb5-config no longer sets
-rpath.
-- Ryan Tandy <ryan@nardis.ca> Sat, 24 Sep 2022 12:40:21 -0700
openldap (2.5.13+dfsg-1) unstable; urgency=medium
* d/rules: Remove get-orig-source, now unnecessary.
* Check PGP signature when running uscan.
* d/watch: Modernize watch file; use repacksuffix.
* d/copyright: Update according to DEP-5.
* d/control: Add myself to Uploaders.
* New upstream release.
-- Sergio Durigan Junior <sergiodj@debian.org> Sun, 18 Sep 2022 18:29:46 -0400
openldap (2.5.12+dfsg-2) unstable; urgency=medium
* Stop slapd explicitly in prerm as a workaround for #1006147, which caused
dpkg-reconfigure to not restart the service, so the new configuration was
not applied. See also #994204. (Closes: #1010971)
-- Ryan Tandy <ryan@nardis.ca> Mon, 23 May 2022 10:14:53 -0700
openldap (2.5.12+dfsg-1) unstable; urgency=medium
* New upstream release.
- Fixed SQL injection in back-sql (ITS#9815) (CVE-2022-29155)
* Update debconf translations:
- German, thanks to Helge Kreutzmann. (Closes: #1007728)
- Spanish, thanks to Camaleón. (Closes: #1008529)
- Dutch, thanks to Frans Spiesschaert. (Closes: #1010034)
-- Ryan Tandy <ryan@nardis.ca> Wed, 04 May 2022 18:00:16 -0700
openldap (2.5.11+dfsg-1) unstable; urgency=medium
* Upload to unstable.
-- Ryan Tandy <ryan@nardis.ca> Fri, 11 Mar 2022 19:38:02 -0800
openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium
* New upstream release.
* Add openssl to Build-Depends to enable more checks in test067-tls.
* Update slapd-contrib's custom-library-search-path override to work with
current Lintian.
-- Ryan Tandy <ryan@nardis.ca> Sun, 23 Jan 2022 17:16:05 -0800
openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium
* New upstream release.
* Update slapd-contrib's custom-library-search-path override to work with
Lintian 2.108.0.
-- Ryan Tandy <ryan@nardis.ca> Wed, 13 Oct 2021 18:42:55 -0700
openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium
* New upstream release.
* Don't run autoreconf in contrib/ldapc++. We don't build it, and it is not
yet compatible with autoconf 2.71. (Closes: #993032)
* Stop disabling automake in debian/rules now that upstream removed the
AM_INIT_AUTOMAKE invocation.
* Drop custom config.{guess,sub} handling. dh_update_autotools_config does
the right thing for us.
* Update Standards-Version to 4.6.0; no changes required.
* debian/not-installed: Add the ldapvc.1 man page.
-- Ryan Tandy <ryan@nardis.ca> Mon, 30 Aug 2021 18:54:25 -0700
openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium
[ Ryan Tandy ]
* New upstream release.
* Export the cn=config database to LDIF format before upgrading from 2.4.
* slapd.README.Debian:
- Remove text about the dropped evolution-ntlm patch.
- Add guidance for recovering from upgrade failures.
* Remove the debconf warning and README text about the unsafe ACL configured
by default in versions before jessie.
* Remove upgrade code for adding the pwdMaxRecordedFailure attribute to the
ppolicy schema. It's obsolete since the schema has been internalized.
[ Sergio Durigan Junior ]
* Implement the "escape hatch" mechanism.
- d/po/*.po: Update PO files given the new template note.
- d/po/templates.pot: Update file.
- d/slapd.templates: Add note warning user about a postinst failure,
its possible cause and what to do.
- d/slapd.postinst: Make certain upgrade functions return failure
instead of exiting, which allows the postinst script to gracefully
fail when applicable. Also, when the general configuration upgrade
fails, display a critical warning to the user. Implement
ignore_init_failure function.
- d/slapd.prerm: Implement ignore_init_failure function.
- d/slapd.scripts-common: Make certain functions return failure
instead of exiting.
- d/rules: Use dh_installinit's --error-handler to instruct it on how
to handle possible errors with the init script.
- d/slapd.NEWS: Add excerpt mentioning that the postinst script might
error out if it can't migrate the existing (old) database backend.
-- Ryan Tandy <ryan@nardis.ca> Mon, 16 Aug 2021 18:32:29 -0700
openldap (2.5.5+dfsg-1~exp1) experimental; urgency=medium
* New upstream release.
- Drop patches applied upstream: ITS#9544, ITS#9548.
* Mark slapd-contrib as breaking the old version of slapd to reduce the
chance of upgrade failure due to slapd-contrib being unpacked first.
-- Ryan Tandy <ryan@nardis.ca> Fri, 11 Jun 2021 11:43:15 -0700
openldap (2.5.4+dfsg-1~exp1) experimental; urgency=medium
* New upstream release.
- Changing olcAuthzRegexp dynamically is supported. (Closes: #761407)
- Support for LANMAN password hashes has been removed. (Closes: #988033)
- Added pkg-config files for liblber and libldap. (Closes: #670824)
- libldap_r has been merged into libldap. The Debian package will continue
to install a libldap_r.so symlink for backwards compatibility with
applications that still link with -lldap_r.
- The Berkeley DB backends, slapd-bdb(5) and slapd-hdb(5), have been
removed.
- The shell backend, slapd-shell(5), has been removed.
- New backend: slapd-asyncmeta(5).
- New core overlays: slapd-homedir(5), slapd-otp(5), and
slapd-remoteauth(5).
- The ppolicy schema has been merged into the slapo-ppolicy(5) module.
- The argon2 password module has been promoted from contrib to core.
* Add a superficial autopkgtest for smbk5pwd.
* Update Standards-Version to 4.5.1; no changes needed.
* Upgrade to debhelper compat level 12.
- Remove debian/compat, add Build-Depends: debhelper-compat.
* Run dh_missing --fail-missing during build.
- Add debian/not-installed.
* Drop debian/tmp/ prefix from paths in *.install and *.manpages.
* Override Lintian false positives:
* slapd: lacks-unversioned-link-to-shared-library. See #687022.
* libldap-2.4-2: shared-library-not-shipped.
* Follow renamed Lintian tags:
- dev-pkg-without-shlib-symlink => lacks-unversioned-link-to-shared-library
- binary-or-shlib-defines-rpath => custom-library-search-path
* Rename libldap2-dev to libldap-dev (Policy 8.4). Keep libldap2-dev as a
transitional package for now.
- Drop ancient Conflicts/Replaces: libopenldap-dev.
* Prune implied or unneeded directories from debian/*.dirs.
- Stop installing empty /var/lib/slapd directory. (Closes: #714174)
* Stop disabling test060-mt-hot on ppc64el. The underlying kernel bug
(#866122) is fixed in all relevant suites by now.
* Drop evolution-ntlm patch. (Closes: #457374)
* Drop patches applied or superseded upstream.
* Update or refresh remaining patches as needed.
* debian/configure.options:
- Refresh with new `./configure --help' output.
- Drop directory options set automatically by debhelper: --prefix,
--sysconfdir, --localstatedir, and --mandir.
- Enable the perl and sql backends explicitly. They are deprecated and
--enable-backends= no longer includes them.
- Disable the experimental wiredtiger backend.
- Disable the autoca overlay. It does not support GnuTLS yet.
- Enable the argon2 password hashing module.
- Disable the new load balancer daemon (lloadd) for now.
- Disable systemd service notification support for now.
* debian/rules:
- Enable all current and future hardening flags.
- Use the new STRIP_OPTS variable to disable stripping.
- Drop -Wno-format-extra-args from DEB_CFLAGS_MAINT_APPEND.
The Debug macro has been changed upstream to use variadic args.
- Override OPT variable to empty for contrib modules.
* debian/schema: Sync with upstream.
- core.{schema,ldif}: Update description of deltaCRL.
- cosine.schema, pmi.schema: spelling fixes.
- namedobject.schema: Added.
- ppolicy.schema: Removed upstream, dropped.
* Add Build-Depends: pkg-config, required for autoreconf.
* Add upstream patch to fix SLAPI compilation. (ITS#9544)
* Move the argon2 password module from slapd-contrib to slapd.
- Add upstream patch to fix argon2 installation.
* Transition libldap-2.4-2 to libldap-2.5-0.
- Install the real libldap instead of a symlink to libldap_r.
- Symlink libldap_r.{a,so} to libldap for backwards compatibility.
- Drop the shlibs file, no longer needed.
* Remove references to removed BDB backends.
- Drop Build-Depends: libdb5.3-dev.
- Drop arch-specific configure options to disable those backends on Hurd.
- Delete example DB_CONFIG file and README.DB_CONFIG.
- Remove information about Berkeley DB from slapd README.
* Install new slapmodify(8) tool as a hard link to slapd(8).
* Install new man pages: slapo-deref(5), slapo-pw-pbkdf2(5), and
slapo-pw-sha2(5).
- Drop debian/slapo-pw-pbkdf2.5, included upstream.
* Add unpackaged files to debian/not-installed:
- ldapvc(1): undocumented tool supporting the vc overlay (contrib)
- lloadd(8) and lloadd.conf(5) man pages
- slapd-wt(5) and slapo-autoca(5) man pages
* Delete obsolete ppolicy.schema and ppolicy.ldif conffiles on upgrade.
* Dump and reload slapd-mdb(5) databases on upgrade from 2.4.
- Call dh_installinit with --no-restart-after-upgrade to ensure slapd is
stopped before dumping the old database.
-- Ryan Tandy <ryan@nardis.ca> Sun, 30 May 2021 08:41:25 -0700
openldap (2.4.59+dfsg-1) unstable; urgency=medium
* New upstream release.
* Fix FTBFS with autoconf 2.71 (Closes: #993032):
- Backport upstream changes to support Autoconf 2.69 instead of simply
disabling automake in debian/rules. Fixes FTBFS due to autoreconf
thinking files required by Automake are missing, even though Automake is
not actually used.
- Stop running autoreconf in contrib/ldapc++ since we don't build it.
- Drop custom config.{guess,sub} handling. dh_update_autotools_config does
the right thing for us.
* Update Standards-Version to 4.6.0; no changes required.
* Add a superficial autopkgtest for smbk5pwd.
* Stop disabling test060-mt-hot on ppc64el. The underlying kernel bug
(#866122) is fixed in all relevant suites by now.
-- Ryan Tandy <ryan@nardis.ca> Fri, 27 Aug 2021 09:42:31 -0700
openldap (2.4.57+dfsg-3) unstable; urgency=medium
* Link smbk5pwd with -lkrb5. (Closes: #988565)
-- Ryan Tandy <ryan@nardis.ca> Sat, 15 May 2021 16:03:34 -0700
openldap (2.4.57+dfsg-2) unstable; urgency=medium
* Fix slapd assertion failure in Certificate List Exact Assertion validation
(ITS#9454) (CVE-2021-27212)
-- Ryan Tandy <ryan@nardis.ca> Sun, 14 Feb 2021 09:26:41 -0800
openldap (2.4.57+dfsg-1) unstable; urgency=medium
* New upstream release.
- Fixed slapd crashes in Certificate Exact Assertion processing
(ITS#9404, ITS#9424) (CVE-2020-36221)
- Fixed slapd assertion failures in saslAuthzTo validation
(ITS#9406, ITS#9407) (CVE-2020-36222)
- Fixed slapd crash in Values Return Filter control handling
(ITS#9408) (CVE-2020-36223)
- Fixed slapd crashes in saslAuthzTo processing
(ITS#9409, ITS#9412, ITS#9413)
(CVE-2020-36224, CVE-2020-36225, CVE-2020-36226)
- Fixed slapd assertion failure in X.509 DN parsing
(ITS#9423) (CVE-2020-36230)
- Fixed slapd crash in X.509 DN parsing (ITS#9425) (CVE-2020-36229)
- Fixed slapd crash in Certificate List Exact Assertion processing
(ITS#9427) (CVE-2020-36228)
- Fixed slapd infinite loop with Cancel operation
(ITS#9428) (CVE-2020-36227)
-- Ryan Tandy <ryan@nardis.ca> Sat, 23 Jan 2021 08:57:07 -0800
openldap (2.4.56+dfsg-1) unstable; urgency=medium
* New upstream release.
- Fixed slapd abort due to assertion failure in Certificate List syntax
validation (ITS#9383) (CVE-2020-25709)
- Fixed slapd abort due to assertion failure in CSN normalization with
invalid input (ITS#9384) (CVE-2020-25710)
-- Ryan Tandy <ryan@nardis.ca> Wed, 11 Nov 2020 09:13:56 -0800
openldap (2.4.55+dfsg-1) unstable; urgency=medium
* New upstream release.
- Fixed slapd normalization handling with modrdn
(ITS#9370) (CVE-2020-25692)
-- Ryan Tandy <ryan@nardis.ca> Tue, 27 Oct 2020 21:07:29 -0700
openldap (2.4.54+dfsg-1) unstable; urgency=medium
* New upstream release.
* Change upstream Homepage and get-orig-source URLs to HTTPS.
* Create debian/gbp.conf.
-- Ryan Tandy <ryan@nardis.ca> Sun, 18 Oct 2020 16:03:46 +0000
openldap (2.4.53+dfsg-1) unstable; urgency=medium
* New upstream release.
-- Ryan Tandy <ryan@nardis.ca> Mon, 07 Sep 2020 09:47:28 -0700
openldap (2.4.51+dfsg-1) unstable; urgency=medium
* New upstream release.
- Add ldap_parse_password_expiring_control to libldap-2.4-2.symbols.
* Merge some changes from Ubuntu:
- slapd.default, slapd.README.Debian: update to refer to slapd.d instead
of slapd.conf.
- debian/slapd.scripts-common: dump_databases: make slapcat_opts a local
variable.
* Drop paragraph about patch gnutls-altname-nulterminated (#465197) from
slapd.README.Debian. The patch referred to was dropped in 2.4.7-6.
* debian/patches/set-maintainer-name: Extract maintainer address dynamically
from debian/control. (Closes: #960448)
* Fix Torsten's email address in a historic debian/changelog entry to
resolve a Lintian error (bogus-mail-host-in-debian-changelog).
* Rename debian/source.lintian-overrides to debian/source/lintian-overrides.
Fixes a Lintian pedantic tag (old-source-override-location).
* Override Lintian pedantic tag maintainer-manual-page for
slapo-pw-pbkdf2.5, which will be included upstream in a future release.
* Remove the trailing whitespaces from debian/changelog, debian/control, and
debian/rules. Fixes a Lintian pedantic tag (trailing-whitespace).
* Convert debian/po/de.po to UTF-8. Fixes a Lintian warning
(national-encoding).
* Relax libldap's dependency on libldap-common to Recommends.
This is intended to mitigate the impact of bug #915948 in the case where
the arch:all build is delayed for so long that the old libldap-common
disappears. Previously, a delayed arch:all build could become
BD-Uninstallable if new amd64 binaries were published before the arch:all
build starts, due to the transitive build-dependency on libldap.
Although libldap works fine without libldap-common, in normal
installations it is still recommended to install libldap-common.
* Append a timestamp to the backup directory created by dpkg-reconfigure.
(Closes: #599585, #960449)
* Remove the redundant cn=admin,<suffix> entry from the default DIT for new
installs. For new installs going forward, the root credentials will be
stored in olcRootDN/olcRootPW only. (Closes: #821331)
* Change slapd's Suggests: ldap-utils to Recommends. While any LDAP client
suffices, ldap-utils contains the standard tools recommended by upstream
for basic administration and management.
* Relax Recommends: libsasl2-modules to Suggests on slapd and ldap-utils.
Many deployments do not use SASL at all, and therefore SASL mechanisms are
not needed "in all but unusual installations".
-- Ryan Tandy <ryan@nardis.ca> Sun, 23 Aug 2020 11:09:57 -0700
openldap (2.4.50+dfsg-1) unstable; urgency=medium
* New upstream release.
- Fixed slapd to limit depth of nested filters
(ITS#9202) (CVE-2020-12243)
- Drop patches included upstream: argon2.patch, ITS#9171, ITS#8650.
* Update Spanish debconf translation.
Thanks to Camaleón. (Closes: #958869)
-- Ryan Tandy <ryan@nardis.ca> Tue, 28 Apr 2020 10:18:12 -0700
openldap (2.4.49+dfsg-4) unstable; urgency=medium
* Annotate libsodium-dev dependency with <!pkg.openldap.noslapd>.
Thanks to Helmut Grohne. (Closes: #955993)
* Add the man page for the Argon2 password module.
Thanks to Peter Marschall. (Closes: #955977)
* Build the Argon2 password module with libargon2-dev instead of
libsodium-dev. Rationale:
- libargon2 contains the specific functionality needed; libsodium is a
larger library and contains many features not used here
- libsodium does not support configuring the p= (parallelism) parameter
* Import upstream patch to properly retry gnutls_handshake() after it
returns GNUTLS_E_AGAIN. (ITS#8650) (Closes: #861838)
* Update the Argon2 password module to upstream commit feb6f21d2e.
-- Ryan Tandy <ryan@nardis.ca> Tue, 14 Apr 2020 21:33:16 -0700
openldap (2.4.49+dfsg-3) unstable; urgency=medium
* Drop patch no-AM_INIT_AUTOMAKE. Instead, configure dh_autoreconf to skip
automake by setting AUTOMAKE=/bin/true. (Closes: #864637)
* debian/patches/debian-version: Show Debian version, instead of upstream
version, in version strings.
* Add ${perl:Depends} to slapd Depends to silence a dpkg-gencontrol warning.
This is practically a no-op since slapd explicitly Depends on perl because
of the maintainer scripts.
* Import the Argon2 password module from upstream git and install it in
slapd-contrib. New Build-Depends: libsodium-dev. (Closes: #920283)
-- Ryan Tandy <ryan@nardis.ca> Sat, 04 Apr 2020 10:43:56 -0700
openldap (2.4.49+dfsg-2) unstable; urgency=medium
* slapd.README.Debian: Document the initial setup performed by slapd's
maintainer scripts in more detail. Thanks to Karl O. Pinc.
(Closes: #952501)
* Import upstream patch to fix slapd crashing in certain configurations when
a client attempts a login to a locked account.
(ITS#9171) (Closes: #953150)
-- Ryan Tandy <ryan@nardis.ca> Thu, 05 Mar 2020 12:59:46 -0800
openldap (2.4.49+dfsg-1) unstable; urgency=medium
* New upstream release.
- Drop patch no-gnutls_global_set_mutex, applied upstream.
* When validating the DNS domain chosen for slapd's default suffix, set
LC_COLLATE explicitly for grep to ensure character ranges behave as
expected. Thanks to Fredrik Roubert. (Closes: #940908)
* Backport proposed upstream patch to emit detailed messages about errors in
the TLS configuration. (ITS#9086) (Closes: #837341)
* slapd.scripts-common: Delete unused copy_example_DB_CONFIG function.
* Remove debconf support for choosing a database backend. Always use the
LMDB backend for new installs, as recommended by upstream.
* Remove the empty olcBackend section from the default configuration.
* Remove the unused slapd.conf template from /usr/share/slapd. Continue
shipping it as an example in /usr/share/doc/slapd.
* Fix a typo in index-files-created-as-root patch.
Thanks to Quanah Gibson-Mount.
* Annotate slapd's Depends on perl with :any. Fixes installation of
foreign-arch slapd. Thanks to Andreas Hasenack.
* Rename 'stage1' build profile to 'pkg.openldap.noslapd'.
Thanks to Helmut Grohne. (Closes: #949722)
* Drop Build-Conflicts: libicu-dev as upstream's configure no longer tests
for or links with libicu.
* Note ITS#9126 recommendation in slapd.NEWS.
* Update Standards-Version to 4.5.0; no changes required.
-- Ryan Tandy <ryan@nardis.ca> Thu, 06 Feb 2020 10:08:12 -0800
openldap (2.4.48+dfsg-1) unstable; urgency=medium
* New upstream release.
- fixed slapd to restrict rootDN proxyauthz to its own databases
(CVE-2019-13057) (ITS#9038) (Closes: #932997)
- fixed slapd to enforce sasl_ssf ACL statement on every connection
(CVE-2019-13565) (ITS#9052) (Closes: #932998)
- added new openldap.h header with OpenLDAP specific libldap interfaces
(ITS#8671)
- updated lastbind overlay to support forwarding authTimestamp updates
(ITS#7721) (Closes: #880656)
* Update Standards-Version to 4.4.0.
* Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so
that systemd marks the service as dead after it crashes or is killed.
Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343)
* Use more entropy for generating a random admin password, if none was set
during initial configuration. Thanks to Judicael Courant.
(Closes: #932270)
* Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog
with variables provided by dpkg-dev includes.
* Declare R³: no.
* Create a simple autopkgtest that tests installing slapd and connecting to
it with an ldap tool.
* Install the new openldap.h header in libldap2-dev.
-- Ryan Tandy <ryan@nardis.ca> Thu, 25 Jul 2019 08:32:00 -0700
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libldap2`.
Generated by dwww version 1.16 on Tue Dec 16 07:03:38 CET 2025.