lp://staging/~mathiaz/ubuntu/lucid/openldap/fix-root-olcaccess-upgrade

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #563829: olcAccess are options broken on upgrade in {-1}frontend.ldif

Medium

Fix Released

Link a bug report

Related blueprints

25. By Mathias Gug on 2010-04-23

Fix local root connection access: replace olcAuthzRegexp mapping to
cn=localroot,cn=config with using the SASL dn directly in olcAccess.
Makes upgrades much simpler and robust (LP: #563829).

24. By Scott Moser on 2010-04-12

[ Simon Olofsson ]
* debian/slapd.postinst:
  - Show a message after successful migration (LP: #538848)

[ Jorgen Rosink ]
* debian/slapd.init: add simple status checking with LSB compatible exit
  codes (LP: #562377)
* debian/slapd.init.ldif:
  - remove admin user in default config database (LP: #556176)
  - in default config, add olcAccess entries giving access to controls
    available and cn=subschema (LP: #427842)

[ Scott Moser ]
* debian/slapd.scripts-common: Do not create /nonexistent directory
   for openldap user's home (LP: #556176)
* debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)

23. By Thierry Carrez on 2010-03-29

* debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases
  before trying to convert to slapd.d, to avoid upgrade failure from hardy
  (LP: #536958)
* debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in
  olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230)

22. By Chuck Short on 2010-03-09

debian/apparmor-profile: Update apparmor profile. (LP: #508190)

21. By Mathias Gug on 2010-02-18

* New upstream release.
* debian/rules, debian/schema/extra/:
  Fix get-orig-source rule to supports extra schemas shipped as part of the
  debian/schema/ directory.

20. By Thierry Carrez on 2009-12-11

* debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
  - Add --with-gssapi support
  - Make guess_service_principal() more robust when determining principal
* Enable GSSAPI support (LP: #495418):
  - debian/configure.options: Configure with --with-gssapi
  - debian/control: Added libkrb5-dev as a build depend

19. By Mathias Gug on 2009-09-07

* New upstream release: (LP: #419515):
  + pcache overlay supports disconnected mode.
* Fix nss overlay load (LP: #417163).

18. By Mathias Gug on 2009-08-11

 * Install a minimal slapd configuration instead of creating a default
   database with a default DIT:
   + Move openldap user home from /var/lib/ldap to /nonexistent.
   + Remove all code and templates dealing with the default database and DIT
     creation.
   + Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
     grant all access to the latter in the cn=config database as well as the
     default backend configuration.
 * Add cn=localroot,cn=config authz mapping on upgrades.

17. By Mathias Gug on 2009-07-31

[ Thierry Carrez ]
* debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
  in the openldap library, as required by Likewise-Open (LP: #390579)

[ Mathias Gug ]
* debian/patches/its6077-uniqueness-overlay: fixes some issues with the
  uniqueness overlay.
* debian/patches/its6220-writetimeout-directive: fixes a problem with the
  writetimeout directive being in effect even if it wasn't set,
  closing connections incorrectly.
* debian/patches/its6222-dncachesize-parameter: fixes the behavior of the
  dncachesize parameter that was added in RE24, so that if it is set to
  "0" (now the default), it has an unlimited DN cache (RE23 always
  had an unlimited DN cache).

16. By Mathias Gug on 2009-07-30

[ Steve Langasek ]
* Fix up the lintian warnings:
  - add missing misc-depends on all packages
  - slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
    overrides
  - bump Standards-Version to 3.8.2, no changes required.

[ Mathias Gug ]
* Resynchronise with Debian. Remaining changes:
  - AppArmor support:
    - debian/apparmor-profile: add AppArmor profile
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/rules: install apparmor profile.
  - Don't use local statement in config script as it fails if /bin/sh
    points to bash.
  - debian/slapd.postinst, debian/slapd.script-common: set correct
    ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
    readable) and /var/run/slapd (world readable).
  - Enable nssoverlay:
    - debian/patches/nssov-build, debian/rules: Build and package the nss
      overlay.
    - debian/schema/misc.ldif: add ldif file for the misc schema which
      defines rfc822MailMember (required by the nss overlay).
  - debian/{control,rules}: enable PIE hardening
  - Use cn=config as the default configuration backend instead of
    slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
    asking the end user to enter a new password to control the access to
    the cn=config tree.
  - debian/slapd.postinst: create /var/run/slapd before updating its
    permissions.
  - debian/slapd.init: Correctly set slapd config backend option even if
    the pidfile is configured in slapd default file.
* Dropped:
  - Merged in Debian:
    - Update priority of libldap-2.4-2 to match the archive override.
    - Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
      the ldapurl(1) manpage.
    - Bump build-dependency on debhelper to 6 instead of 5, since that's
      what we're using.
    - Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
      the built-in default of ldap:/// only.
  - Fixed in upstream release:
    - debian/patches/fix-ldap_back_entry_get_rwa.patch: fix test-0034
      failure when built with PIE.
    - debian/patches/gnutls-enable-v1-ca-certs: Enable V1 CA certs to be
      trusted.
  - Update Apparmor profile support: don't support upgrade from pre-hardy
    systems:
    - debian/slapd.postinst: Reload AA profile on configuration
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles <<
      2.1+1075-0ubuntu4 to make sure that if earlier version of
      apparmor-profiles gets installed it won't overwrite our profile.
    - follow ApparmorProfileMigration and force apparmor complain mode on
      some upgrades
    - debian/slapd.preinst: create symlink for force-complain on
      pre-feisty upgrades, upgrades where apparmor-profiles profile is
      unchanged (ie non-enforcing) and upgrades where apparmor profile
      does not exist.
  - debian/patches/autogen.sh: no longer needed with karmic libtool.
    - Call libtoolize with the --install option to install
      config.{guess,sub} files.