* Revert a commit that makes dscreate to fail.
[dgit import unpatched 389-ds-base 2.0.11-2]
--- /dev/null
--- /dev/null
++usr/include/dirsrv/*
++usr/include/svrcore.h
++usr/lib/*/dirsrv/libldaputil.so
++usr/lib/*/dirsrv/libns-dshttpd.so
++usr/lib/*/dirsrv/librewriters.so
++usr/lib/*/dirsrv/libslapd.so
++usr/lib/*/libsvrcore.so
++usr/lib/*/pkgconfig/*
--- /dev/null
--- /dev/null
++usr/lib/*/dirsrv/lib/libjemalloc.so.*
++usr/lib/*/dirsrv/libldaputil.so.*
++usr/lib/*/dirsrv/libns-dshttpd.so.*
++usr/lib/*/dirsrv/librewriters.so.*
++usr/lib/*/dirsrv/libslapd.so.*
++usr/lib/*/libsvrcore.so.*
--- /dev/null
--- /dev/null
++custom-library-search-path
--- /dev/null
--- /dev/null
++# Defaults for dirsrv
++#
++# This is a POSIX shell fragment
++
++# Enable bindnow hardening
++LD_BIND_NOW=1
--- /dev/null
--- /dev/null
++var/log/dirsrv
++var/lib/dirsrv
--- /dev/null
--- /dev/null
++etc/dirsrv/config/
++etc/dirsrv/schema/*.ldif
++etc/systemd/
++lib/systemd/system/dirsrv-snmp.service
++lib/systemd/system/dirsrv.target
++lib/systemd/system/dirsrv@.service
++lib/systemd/system/dirsrv@.service.d/custom.conf
++usr/bin/dbscan
++usr/bin/ds-logpipe
++usr/bin/ds-replcheck
++usr/bin/ldclt
++usr/bin/logconv
++usr/bin/pwdhash
++usr/lib/*/dirsrv/plugins/*.so
++usr/lib/*/dirsrv/python/
++usr/libexec/dirsrv/dscontainer
++usr/libexec/ds_systemd_ask_password_acl
++usr/lib/sysctl.d/70-dirsrv.conf
++usr/sbin/ldap-agent
++usr/sbin/ns-slapd
++usr/sbin/openldap_to_ds
++usr/share/dirsrv/data
++usr/share/dirsrv/inf
++usr/share/dirsrv/mibs
++usr/share/dirsrv/schema
++usr/share/gdb/auto-load/usr/sbin/ns-slapd-gdb.py
++usr/share/man/man1/dbscan.1
++usr/share/man/man1/ds-logpipe.1
++usr/share/man/man1/ds-replcheck.1
++usr/share/man/man1/ldap-agent.1
++usr/share/man/man1/ldclt.1
++usr/share/man/man1/logconv.1
++usr/share/man/man1/pwdhash.1
++usr/share/man/man5/*.5
++usr/share/man/man8/ns-slapd.8
++usr/share/man/man8/openldap_to_ds.8
--- /dev/null
--- /dev/null
++/dev/null lib/systemd/system/dirsrv.service
--- /dev/null
--- /dev/null
++# these are bogus warnings, no libs shipped in a public libdir
++unused-shlib-entry-in-control-file
++
++# plugins
++custom-library-search-path
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++. /usr/share/debconf/confmodule
++
++CONFIG_DIR=/etc/dirsrv
++OUT=/dev/null
++INSTANCES=`ls -d /etc/dirsrv/slapd-* 2>/dev/null | grep -v removed | sed 's/.*slapd-//'`
++
++if [ "$1" = configure ]; then
++ # lets give them a user/group in all cases.
++ if ! getent passwd dirsrv > $OUT; then
++ adduser --quiet --system --home /var/lib/dirsrv \
++ --disabled-password --group \
++ --gecos "389 Directory Server user" \
++ --no-create-home \
++ dirsrv > $OUT
++ fi
++
++ chown -R dirsrv:dirsrv /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
++ chmod 750 /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
++fi
++
++invoke_failure() {
++ # invoke-rc.d failed, likely because no instance has been configured yet
++ # but exit with an error if an instance is configured and the invoke failed
++ if [ -z $INSTANCES ]; then
++ echo "... because no instance has been configured yet."
++ else
++ exit 1
++ fi
++}
++
++
++#DEBHELPER#
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++. /usr/share/debconf/confmodule
++
++if [ "$1" = "purge" ]; then
++ if getent group dirsrv > /dev/null; then
++ deluser --system dirsrv || true
++ fi
++ rm -f /etc/systemd/system/dirsrv.target.wants/dirsrv@*.service
++ rm -rf /etc/dirsrv
++ rm -rf /var/lib/dirsrv
++ rm -rf /var/log/dirsrv
++fi
++
++#DEBHELPER#
--- /dev/null
--- /dev/null
++#!/bin/sh -e
++set -e
++
++#DEBHELPER#
++
++if [ "$1" = "purge" ]; then
++ # remove all installed instances
++ for FILE in `ls -d /etc/dirsrv/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
++ do
++ if [ -d "$FILE" ] ; then
++ dsctl $FILE remove --do-it
++ fi
++ done
++fi
--- /dev/null
--- /dev/null
++To complete the 389 Directory Server installation just run /usr/sbin/setup-ds.
++
++If you experience problems accessing the Directory Server, check with
++"netstat -tapen |grep 389" and verify that the server is not listening only
++to ipv6 (check for ^tcp6). In such case you will need to tweak the cn=config
++DIT with something like the following:
++
++dn: cn=config
++changetype: modify
++add: nsslapd-listenhost
++nsslapd-listenhost: <youripv4>
++
--- /dev/null
--- /dev/null
++389-ds-base (2.0.11-2) unstable; urgency=medium
++
++ * Revert a commit that makes dscreate to fail.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 15 Dec 2021 23:23:15 +0200
++
++389-ds-base (2.0.11-1) unstable; urgency=medium
++
++ * New upstream release.
++ * missing-sources: Removed, all the minified javascript files were
++ removed upstream some time ago.
++ * install: Updated.
++ * control: Bump debhelper to 13.
++ * Override some lintian errors.
++ * watch: Update the url.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 15 Dec 2021 21:03:20 +0200
++
++389-ds-base (1.4.4.17-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2021-3652 (Closes: #991405)
++ * tests: Add isolation-container to restrictions.
++ * Add a dependency to libjemalloc2, and add a symlink to it so the
++ preload works. (Closes: #992696)
++ * CVE-2017-15135.patch: Dropped, fixed by upstream issue #4817.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 18 Oct 2021 18:36:30 +0300
++
++389-ds-base (1.4.4.16-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-s390x-failure.diff: Dropped, upstream.
++ * watch: Updated to use github.
++ * copyright: Fix 'globbing-patterns-out-of-order'.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 16 Aug 2021 09:54:52 +0300
++
++389-ds-base (1.4.4.11-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-s390x-failure.diff: Fix a crash on big-endian architectures like
++ s390x.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 28 Jan 2021 13:03:32 +0200
++
++389-ds-base (1.4.4.10-1) unstable; urgency=medium
++
++ * New upstream release.
++ * CVE-2017-15135.patch: Refreshed.
++ * source: Update diff-ignore.
++ * install: Drop libsds which got removed.
++ * control: Add libnss3-tools to cockpit-389-ds Depends. (Closes:
++ #965004)
++ * control: Drop python3-six from depends.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Jan 2021 22:16:28 +0200
++
++389-ds-base (1.4.4.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-prlog-include.diff: Dropped, upstream.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 18 Dec 2020 15:29:20 +0200
++
++389-ds-base (1.4.4.8-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-systemctl-path.diff, drop-old-man.diff: Dropped, obsolete.
++ * fix-prlog-include.diff: Fix build by dropping nspr4/ prefix.
++ * install, rules: Clean up perl cruft that got removed upstream.
++ * install: Add openldap_to_ds.
++ * watch: Follow 1.4.4.x.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Nov 2020 15:57:11 +0200
++
++389-ds-base (1.4.4.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ * watch: Update upstream git repo url.
++ * control: Add python3-dateutil to build-depends.
++ * copyright: Drop duplicate globbing patterns.
++ * lintian: Drop obsolete overrides.
++ * postinst: Drop obsolete rule to upgrade the instances.
++ * prerm: Use dsctl instead of remove-ds.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 22 Sep 2020 09:23:30 +0300
++
++389-ds-base (1.4.4.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-db-home-dir.diff: Dropped, upstream.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 02 Jun 2020 11:33:44 +0300
++
++389-ds-base (1.4.3.6-2) unstable; urgency=medium
++
++ * fix-db-home-dir.diff: Set db_home_dir same as db_dir to fix an issue
++ starting a newly created instance.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 21 Apr 2020 20:19:06 +0300
++
++389-ds-base (1.4.3.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * install: Updated.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Apr 2020 15:01:35 +0300
++
++389-ds-base (1.4.3.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Add debian/gitlab-ci.yml.
++ - allow blhc to fail
++ * control: Bump policy to 4.5.0.
++ * control: Use https url for upstream.
++ * control: Use canonical URL in Vcs-Browser.
++ * copyright: Use spaces rather than tabs to start continuation lines.
++ * Add lintian-overrides for the source, cockpit index.js has long lines.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Mar 2020 08:47:32 +0200
++
++389-ds-base (1.4.3.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ * prerm: Fix slapd install path. (Closes: #945583)
++ * install: Updated.
++ * control: Use debhelper-compat.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 12 Feb 2020 19:39:22 +0200
++
++389-ds-base (1.4.2.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2019-14824 deref plugin displays restricted attributes
++ (Closes: #944150)
++ * fix-obsolete-target.diff: Dropped, obsolete
++ drop-old-man.diff: Refreshed
++ * control: Add python3-packaging to build-depends and python3-lib389 depends.
++ * dev,libs.install: Nunc-stans got dropped.
++ * source/local-options: Add some files to diff-ignore.
++ * rules: Refresh list of files to purge.
++ * rules: Update dh_auto_clean override.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 27 Nov 2019 00:00:59 +0200
++
++389-ds-base (1.4.1.6-4) unstable; urgency=medium
++
++ * tests: Redirect stderr to stdout.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 17 Sep 2019 01:37:39 +0300
++
++389-ds-base (1.4.1.6-3) unstable; urgency=medium
++
++ * control: Add openssl to python3-lib389 depends.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Sep 2019 07:32:27 +0300
++
++389-ds-base (1.4.1.6-2) unstable; urgency=medium
++
++ * Restore perl build partly, setup-ds is still needed for upgrades
++ until Ubuntu 20.04 is released (for versions << 1.4.0.9).
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Sep 2019 14:50:36 +0300
++
++389-ds-base (1.4.1.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Drop direct depends on python from 389-ds-base. (Closes:
++ #936102)
++ * Drop -legacy-tools and other obsolete scripts.
++ * use-bash-instead-of-sh.diff, rename-online-scripts.diff, perl-use-
++ move-instead-of-rename.diff: Dropped, obsolete.
++ * rules: Fix dsconf/dscreate/dsctl/dsidm manpage section.
++ * tests/setup: Migrate to dscreate.
++ * control: Add libnss3-tools to python3-lib389 depends. (Closes: #920025)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 11 Sep 2019 17:01:03 +0300
++
++389-ds-base (1.4.1.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * watch: Use https.
++ * control: Bump policy to 4.4.0.
++ * Bump debhelper to 12.
++ * patches: fix-dsctl-remove.diff, fix-nss-path.diff, icu_pkg-config.patch
++ removed, upstream. Others refreshed.
++ * rules: Pass --enable-perl, we still need the perl tools.
++ * *.install: Updated.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Jul 2019 10:05:31 +0300
++
++389-ds-base (1.4.0.22-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ * control: Drop 389-ds-base from -legacy-tools Depends. (Closes:
++ #924265)
++ * fix-dsctl-remove.diff: Don't hardcode sysconfig. (Closes: #925221)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Sat, 06 Apr 2019 00:32:06 +0300
++
++389-ds-base (1.4.0.21-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Run offline upgrade only when upgrading from versions below 1.4.0.9,
++ ns-slapd itself handles upgrades in newer versions.
++ * rules: Actually install the minified javascript files. (Closes:
++ #913820)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 12 Feb 2019 16:28:15 +0200
++
++389-ds-base (1.4.0.20-3) unstable; urgency=medium
++
++ * control: 389-ds-base should depend on the legacy tools for now.
++ (Closes: #919420)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 16 Jan 2019 11:30:51 +0200
++
++389-ds-base (1.4.0.20-2) unstable; urgency=medium
++
++ * Upload to unstable.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 14 Jan 2019 20:03:58 +0200
++
++389-ds-base (1.4.0.20-1) experimental; urgency=medium
++
++ * New upstream release. (Closes: #913821)
++ * fix-nss-path.diff: Fix includes.
++ * Build ds* manpages, add missing build-depends.
++ * Move deprecated tools in a new subpackage.
++ * control: Add python3-lib389 to 389-ds-base depends.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Sun, 13 Jan 2019 21:13:22 +0200
++
++389-ds-base (1.4.0.19-3) unstable; urgency=medium
++
++ [ Jelmer Vernooij ]
++ * Use secure copyright file specification URI.
++ * Trim trailing whitespace.
++ * Use secure URI in Vcs control header.
++
++ [ Hugh McMaster ]
++ * control: Mark 389-ds-base-libs{,-dev} M-A: same, cockpit-389-ds M-A:
++ foreign and arch:all. (Closes: #916118)
++ * Use pkg-config to detect icu. (Closes: #916115)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 02 Jan 2019 12:43:23 +0200
++
++389-ds-base (1.4.0.19-2) unstable; urgency=medium
++
++ * rules: Add -latomic to LDFLAGS on archs failing to build. (Closes:
++ #910982)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 06 Dec 2018 01:06:37 +0200
++
++389-ds-base (1.4.0.19-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Make C/R backports-compatible. (Closes: #910796)
++ * use-packaged-js.diff: Dropped, packaged versions don't work.
++ (Closes: #913820)
++ * Follow upstream, and drop python3-dirsrvtests.
++ * cockpit-389-ds.install: Updated.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 03 Dec 2018 15:56:40 +0200
++
++389-ds-base (1.4.0.18-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2018-14624 (Closes: #907778)
++ - CVE-2018-14638 (Closes: #908859)
++ * control: Build on any arch again.
++ * perl-use-move-instead-of-rename.diff: Use copy instead of move,
++ except when restoring files in case of an error.
++ * Move the new utils (dsconf, dscreate, dsctl, dsidm) to python3-
++ lib389.
++ * control: Add python3-argcomplete to python3-lib389 depends. (Closes:
++ #910761)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 11 Oct 2018 00:56:02 +0300
++
++389-ds-base (1.4.0.16-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: 389-ds-base-dev provides libsvrcore-dev. (Closes: #907140)
++ * perl-use-move-instead-of-rename.diff: Fix upgrade on systems where
++ /var is on a separate partition: (Closes: #905184)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 27 Sep 2018 22:39:34 +0300
++
++389-ds-base (1.4.0.15-2) unstable; urgency=medium
++
++ * control: Build cockpit-389-ds only on 64bit and i386.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 23 Aug 2018 08:54:06 +0300
++
++389-ds-base (1.4.0.15-1) unstable; urgency=medium
++
++ * New upstream release
++ - CVE-2018-10935 (Closes: #906985)
++ * control: Add libcrack2-dev to build-depends.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 23 Aug 2018 00:46:45 +0300
++
++389-ds-base (1.4.0.13-1) experimental; urgency=medium
++
++ * New upstream release.
++ - CVE-2018-10850 (Closes: #903501)
++ * control: Update maintainer address.
++ * control: Upstream dropped support for non-64bit architectures, so
++ build only on supported 64bit archs (amd64, arm64, mips64el,
++ ppc64el, s390x).
++ * control: svrcore got merged here, drop it from build-depends.
++ * ftbs_lsoftotkn3.diff: Dropped, obsolete.
++ * control: Add rsync to build-depends.
++ * libs, dev, control: Add libsvrcore files, replace old package.
++ * base: Add new scripts, add python3-selinux, -semanage, -sepolicy to
++ depends.
++ * Add a package for cockpit-389-ds.
++ * rules: Clean up cruft left after build.
++ * control: Drop dh_systemd from build-depends, bump debhelper to 11.
++ * Add varions libjs packages to cockpit-389-ds Depends, add the rest
++ to d/missing-sources.
++ * copyright: Updated. (Closes: #904760)
++ * control: Modify 389-ds to depend on cockpit-389-ds and drop the old
++ GUI packages which are deprecated upstream.
++ * dont-build-new-manpages.diff: Debian doesn't have argparse-manpage,
++ so in order to not FTBFS don't build new manpages.
++ * base.install: Add man5/*.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 31 Jul 2018 23:46:17 +0300
++
++389-ds-base (1.3.8.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-saslpath.diff: Updated to support ppc64el and s390x. (LP:
++ #1764744)
++ * CVE-2017-15135.patch: Refreshed
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 01 Jun 2018 11:21:19 +0300
++
++389-ds-base (1.3.7.10-1) unstable; urgency=medium
++
++ * New upstream release.
++ - fix CVE-2018-1054 (Closes: #892124)
++ * control: Update maintainer address, freeipa-team handles this from
++ now on. Drop kklimonda from uploaders.
++ * control: Update VCS urls.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 13 Mar 2018 11:32:29 +0200
++
++389-ds-base (1.3.7.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2017-15134 (Closes: #888452)
++ * patches: Fix CVE-2017-15135. (Closes: #888451)
++ * tests: Add some debug output.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 05 Feb 2018 16:25:09 +0200
++
++389-ds-base (1.3.7.8-4) unstable; urgency=medium
++
++ * tests: Drop python3-lib389 from depends, it's not used currently
++ anyway.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Dec 2017 15:42:04 +0200
++
++389-ds-base (1.3.7.8-3) unstable; urgency=medium
++
++ * tests/control: Depend on python3-lib389.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Dec 2017 23:54:43 +0200
++
++389-ds-base (1.3.7.8-2) unstable; urgency=medium
++
++ * Fix autopkgtest to be robust in the face of changed iproute2 output.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Dec 2017 15:57:26 +0200
++
++389-ds-base (1.3.7.8-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Package python3-lib389 and python3-dirsrvtests.
++ * control: Add python3 depends to 389-ds-base, since it ships a few
++ python scripts.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 12 Dec 2017 17:32:27 +0200
++
++389-ds-base (1.3.7.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * patches: ftbfs-fix.diff, reproducible-build.diff dropped (upstream)
++ others refreshed.
++ * *.install: Updated.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 04 Oct 2017 10:33:45 +0300
++
++389-ds-base (1.3.6.7-5) unstable; urgency=medium
++
++ * Move all libs from base to -libs, add B/R. (Closes: #874764)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Sep 2017 16:44:13 +0300
++
++389-ds-base (1.3.6.7-4) unstable; urgency=medium
++
++ * control, install: Fix library/dev-link installs, add Breaks/Replaces
++ to fit, and drop obsolete B/R.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 30 Aug 2017 00:19:41 +0300
++
++389-ds-base (1.3.6.7-3) unstable; urgency=medium
++
++ * ftbfs-fix.diff: Fix build. (Closes: #873120)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 28 Aug 2017 15:09:02 +0300
++
++389-ds-base (1.3.6.7-2) unstable; urgency=medium
++
++ * control: Bump policy to 4.1.0, no changes.
++ * rules: Override dh_missing.
++ * control: Add libltdl-dev to build-depends. (Closes: #872979)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 24 Aug 2017 12:15:03 +0300
++
++389-ds-base (1.3.6.7-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2017-7551 (Closes: #870752)
++ * fix-tests.diff: Dropped, fixed upstream.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 22 Aug 2017 16:30:11 +0300
++
++389-ds-base (1.3.6.5-1) experimental; urgency=medium
++
++ * New upstream release.
++ - fix-bsd.patch, support-kfreebsd.patch, fix-48986-cve-2017-2591.diff:
++ Dropped, upstream.
++ * *.install: Updated.
++ * control: Add doxygen, libcmocka-dev, libevent-dev to build-deps.
++ * rules: Enable cmocka tests.
++ * fix-tests.diff: Fix building the tests.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 May 2017 09:38:30 +0300
++
++389-ds-base (1.3.5.17-2) unstable; urgency=medium
++
++ * fix-upstream-49245.diff: Pull commits from upstream 1.3.5.x, which
++ remove rest of the asm code. (Closes: #862194)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 May 2017 09:25:03 +0300
++
++389-ds-base (1.3.5.17-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ - CVE-2017-2668 (Closes: #860125)
++ * watch: Updated.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 09 May 2017 11:06:14 +0300
++
++389-ds-base (1.3.5.15-2) unstable; urgency=medium
++
++ * fix-48986-cve-2017-2591.diff: Fix upstream ticket 48986,
++ CVE-2017-2591. (Closes: #851769)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 27 Jan 2017 00:01:53 +0200
++
++389-ds-base (1.3.5.15-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2016-5405 (Closes: #842121)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 16 Nov 2016 11:01:00 +0200
++
++389-ds-base (1.3.5.14-1) unstable; urgency=medium
++
++ * New upstream release.
++ * postrm: Remove /etc/dirsrv, /var/lib/dirsrv and /var/log/dirsrv on
++ purge.
++ * control: Bump build-dep on libsvrcore-dev to ensure it has support
++ for systemd password agent.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 28 Oct 2016 01:42:27 +0300
++
++389-ds-base (1.3.5.13-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Bump policy to 3.9.8, no changes.
++ * patches/default_user: Dropped, upstream.
++ * support-non-nss-libldap.diff: Dropped, upstream.
++ * fix-obsolete-target.diff: Updated.
++ * patches: Refreshed.
++ * control: Add libsystemd-dev to build-deps.
++ * control: Add acl to -base depends.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 12 Oct 2016 11:11:20 +0300
++
++389-ds-base (1.3.4.14-2) unstable; urgency=medium
++
++ * tests: Add simple autopkgtests.
++ * postinst: Start instances after offline update.
++ * control, rules: Drop -dbg packages.
++ * control: Drop conflicts on slapd. (Closes: #822532)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 03 Oct 2016 17:53:26 +0300
++
++389-ds-base (1.3.4.14-1) unstable; urgency=medium
++
++ * New upstream release.
++ * support-non-nss-libldap.diff: Refreshed.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 29 Aug 2016 10:17:41 +0300
++
++389-ds-base (1.3.4.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * support-non-nss-libldap.diff: Support libldap built against gnutls.
++ (LP: #1564179)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 18 Apr 2016 18:08:14 +0300
++
++389-ds-base (1.3.4.8-4) unstable; urgency=medium
++
++ * use-perl-move.diff: Dropped, 'rename' is more reliable.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 30 Mar 2016 08:38:24 +0300
++
++389-ds-base (1.3.4.8-3) unstable; urgency=medium
++
++ * use-perl-move.diff: Fix 60upgradeschemafiles.pl to use File::Copy.
++ (Closes: #818578)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 18 Mar 2016 11:15:23 +0200
++
++389-ds-base (1.3.4.8-2) unstable; urgency=medium
++
++ * postinst: Silence ls and adduser.
++ * Drop the init file, we depend on systemd anyway.
++ * rules: Don't enable dirsrv-snmp.service by default.
++ * postrm: Clean up /var/lib/dirsrv/scripts-* on purge.
++ * user-perl-move.diff: Use move instead of rename during upgrade.
++ (Closes: #775550)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 17 Mar 2016 08:13:38 +0200
++
++389-ds-base (1.3.4.8-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 22 Feb 2016 07:58:40 +0200
++
++389-ds-base (1.3.4.5-2) unstable; urgency=medium
++
++ * fix-systemctl-path.diff: Use correct path to /bin/systemctl.
++ (Closes: #779653)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 09 Dec 2015 08:31:20 +0200
++
++389-ds-base (1.3.4.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * patches: Refreshed.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 09 Dec 2015 08:14:56 +0200
++
++389-ds-base (1.3.3.13-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Add systemd to 389-ds-base Depends. (Closes: #794301)
++ * postrm: Clean target.wants in postrm.
++ * reproducible-build.diff: Make builds reproducible. Thanks, Chris
++ Lamb! (Closes: #799010)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 20 Oct 2015 14:25:05 +0300
++
++389-ds-base (1.3.3.12-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2015-3230 (Closes: #789202)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Wed, 24 Jun 2015 11:47:50 +0300
++
++389-ds-base (1.3.3.10-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2015-1854 (Closes: #783923)
++ * postinst: Stop actual instances instead of 'dirsrv' on upgrade, and
++ use service(8) instead of invoke-rc.d.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 07 May 2015 07:58:35 +0300
++
++389-ds-base (1.3.3.9-1) experimental; urgency=medium
++
++ * New upstream bugfix release.
++ - Drop cve-2014-8*.diff, upstream.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Thu, 02 Apr 2015 14:47:20 +0300
++
++389-ds-base (1.3.3.5-4) unstable; urgency=medium
++
++ * Security fixes (Closes: #779909)
++ - cve-2014-8105.diff: Fix for CVE-2014-8105
++ - cve-2014-8112.diff: Fix for CVE-2014-8112
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 09 Mar 2015 10:53:03 +0200
++
++389-ds-base (1.3.3.5-3) unstable; urgency=medium
++
++ * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
++ scripts to use bash instead of trying to fix bashisms. (Closes:
++ #772195)
++
++ -- Timo Aaltonen <tjaalton@debian.org> Fri, 16 Jan 2015 15:40:23 +0200
++
++389-ds-base (1.3.3.5-2) unstable; urgency=medium
++
++ * fix-saslpath.diff: Fix SASL library path.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Sat, 25 Oct 2014 01:48:34 +0300
++
++389-ds-base (1.3.3.5-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ * control: Bump policy, no changes.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Oct 2014 09:57:14 +0300
++
++389-ds-base (1.3.3.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Dropped upstreamed patches, refresh others.
++ * control, rules, 389-ds-base.install: Add support for systemd.
++ * fix-obsolete-target.diff: Drop syslog.target from the service files.
++ * 389-ds-base.links: Mask the initscript so that it's not used with systemd.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 06 Oct 2014 17:13:01 +0300
++
++389-ds-base (1.3.2.23-2) unstable; urgency=medium
++
++ * Team upload.
++ * Add fix-bsd.patch and support-kfreebsd.patch to fix the build failure
++ on kFreeBSD.
++
++ -- Benjamin Drung <benjamin.drung@profitbricks.com> Wed, 03 Sep 2014 15:32:22 +0200
++
++389-ds-base (1.3.2.23-1) unstable; urgency=medium
++
++ * New bugfix release.
++ * watch: Update the url.
++ * control: Update Vcs-Browser url to use cgit.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Mon, 01 Sep 2014 13:32:59 +0300
++
++389-ds-base (1.3.2.21-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2014-3562 (Closes: #757437)
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 08 Aug 2014 10:48:55 +0300
++
++389-ds-base (1.3.2.19-1) unstable; urgency=medium
++
++ * New upstream release.
++ * admin_scripts.diff: Updated to fix more bashisms.
++ * watch: Update the url.
++ * Install failedbinds.py and logregex.py scripts.
++ * init: Use status from init-functions.
++ * control: Update my email.
++
++ -- Timo Aaltonen <tjaalton@debian.org> Tue, 08 Jul 2014 15:50:11 +0300
++
++389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
++
++ * Non-maintainer upload.
++ * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
++ * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
++ (Closes: #745821)
++
++ -- Tobias Frost <tobi@coldtobi.de> Fri, 25 Apr 2014 15:11:16 +0200
++
++389-ds-base (1.3.2.9-1) unstable; urgency=low
++
++ * New upstream release.
++ - fixes CVE-2013-0336 (Closes: #704077)
++ - fixes CVE-2013-1897 (Closes: #704421)
++ - fixes CVE-2013-2219 (Closes: #718325)
++ - fixes CVE-2013-4283 (Closes: #721222)
++ - fixes CVE-2013-4485 (Closes: #730115)
++ * Drop fix-CVE-2013-0312.diff, upstream.
++ * rules: Add new scripts to rename.
++ * fix-sasl-path.diff: Use a triplet path to find libsasl2. (LP:
++ #1088822)
++ * admin_scripts.diff: Add patch from upstream #47511 to fix bashisms.
++ * control: Add ldap-utils to -base depends.
++ * rules, rename-online-scripts.diff: Some scripts with .pl suffix are
++ meant for an online server, so instead of overwriting the offline
++ scripts use -online suffix.
++ * rules: Enable parallel build, but limit the jobs to 1 for
++ dh_auto_install.
++ * control: Bump policy to 3.9.5, no changes.
++ * rules: Add get-orig-source target.
++ * lintian-overrides: Drop obsolete entries, add comments for the rest.
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 03 Feb 2014 11:08:50 +0200
++
++389-ds-base (1.3.0.3-1) unstable; urgency=low
++
++ * New upstream release.
++ * control: Bump the policy to 3.9.4, no changes.
++ * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 11 Mar 2013 14:23:20 +0200
++
++389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low
++
++ * New upstream release.
++ * watch: Add a comment about the upstream git tree.
++ * fix-cve-2012-4450.diff: Remove, upstream.
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Sat, 01 Dec 2012 14:22:13 +0200
++
++389-ds-base (1.2.11.15-1) unstable; urgency=low
++
++ * New upstream release.
++ * Add fix-cve-2012-4450.diff. (Closes: #688942)
++ * dirsrv.init: Fix stop() to remove the pidfile only when the process
++ is finished. (Closes: #689389)
++ * copyright: Update the source url.
++ * control: Drop quilt from build-depends, since using 3.0 (quilt)
++ * lintian-overrides: Add an override for hardening-no-fortify-
++ functions, since it's a false positive in this case.
++ * control: Drop dpkg-dev from build-depends, no need to specify it
++ directly.
++ * copyright: Add myself as a copyright holder for debian/*.
++ * 389-ds-base.prerm: Add 'set -e'.
++ * rules: drop DEB_HOST_MULTIARCH, dh9 handles it.
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 03 Oct 2012 19:33:52 +0300
++
++389-ds-base (1.2.11.7-5) unstable; urgency=low
++
++ * control: Drop debconf-utils and po-debconf from build-depends.
++ * control: Add libnetaddr-ip-perl and libsocket-getaddrinfo-perl to
++ 389-ds-base Depends for ipv6 support. (Closes: #682847)
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 30 Jul 2012 13:12:23 +0200
++
++389-ds-base (1.2.11.7-4) unstable; urgency=low
++
++ * debian/po: Remove, leftover from the template purge. (Closes: #681543)
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Thu, 19 Jul 2012 23:12:01 +0300
++
++389-ds-base (1.2.11.7-3) unstable; urgency=low
++
++ * 389-ds-base.config: Removed, the debconf template is no more.
++ (Closes: #680351)
++ * control: Remove duplicate 'the' from the 389-ds description.
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 11 Jul 2012 11:59:36 +0300
++
++389-ds-base (1.2.11.7-2) unstable; urgency=low
++
++ * control: Stop hardcoding libs to binary depends. (Closes: #679790)
++ * control: Add libnspr4-dev and libldap2-dev to 389-ds-base-dev
++ Depends. (Closes: #679742)
++ * l10n review (Closes: #679870) :
++ - Drop the debconf template, and rewrap README.Debian.
++ - control: Update the descriptions
++
++ -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 03 Jul 2012 17:58:20 +0300
++
++389-ds-base (1.2.11.7-1) unstable; urgency=low
++
++ [ Timo Aaltonen ]
++ * New upstream release.
++ * watch: Fix the url.
++ * patches/remove_license_prompt: Dropped, included upstream.
++ * patches/default_user: Refreshed.
++ * control: Change the VCS header to point to the git repository.
++ * control: Rename last remnants of Fedora to 389.
++ * changelog, control: Be consistent with the naming; renamed the source
++ to just '389-ds-base', which matches upstream tarball naming.
++ * control: Wrap Depends.
++ * compat, control: Bump compat to 9, and debhelper build-dep to (>= 9).
++ * rules: Switch to dh.
++ * Move dirsrv.lintian to dirsrv.lintian-overrides, adjust dirsrv.install.
++ * *.dirs: Clean up.
++ * control: Build-depend on dh-autoreconf, drop duplicate bdeps.
++ * Fold dirsrv-tools into the main package.
++ * Build against libldap2-dev (>= 2.4.28).
++ * Rename binary package to 389-ds-base.
++ * -dev.install: Install the pkgconfig file.
++ * rules: Enable PIE hardening.
++ * Add a default file, currently sets LD_BIND_NOW=1.
++ * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
++ dependency to 389-ds-base.
++ * rules: Add --fail-missing for dh_install, remove files not needed
++ and make sure to install the rest.
++ * rules, control: Fix the installation name of ds-logpipe.py, add
++ python dependency to 389-ds-base..
++ * libns-dshttpd is internal to the server, ship it in 389-ds-base.
++ * Rename libdirsrv{-dev,0} -> 389-ds-base-{dev,libs}, includes only
++ libslapd and headers for external plugin development.
++ * control: Breaks/Replaces old libdirsrv-dev/libdirsrv0/dirsrv.
++ * Drop hyphen_used_as_minus, applied upstream.
++ * copyright: Use DEP5 format.
++ * Cherry-pick upstream commit ee320163c6 to get rid of unnecessary
++ and non-free MIB's from the tree, and build a dfsg compliant tarball.
++ * lintian-overrides: Update, create one for -libs.
++ * Fix the initscript to create the lockdir, and refactor code into separate
++ functions.
++ * Drop obsolete entries from copyright, and make it lintian clean.
++ * debian/po: Refer to the correct file after rename.
++ * control: Bump Standards-Version to 3.9.3, no changes.
++ * postinst: Drop unused 'lastversion'.
++ * patches: Add DEP3 compliant headers.
++ * rules, postinst: Add an error handler function for dh_installinit, so
++ that clean installs don't fail due to missing configuration.
++ * postinst: Run the update tool.
++ * dirsrv.init:
++ - Make the start and stop functions much simpler and LSB compliant
++ - Fix starting multiple instances
++ - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach properly
++ * control: Add 389-ds metapackage.
++ * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
++ supports db5.x.
++ * 389-ds-base.prerm: Add prerm script for removing installed instances on
++ purge.
++
++ [ Krzysztof Klimonda ]
++ * dirsrv.init:
++ - return 0 code if there are no instances configured and tweak message
++ so it doesn't indicate a failure.
++
++ -- Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Tue, 27 Mar 2012 14:26:16 +0200
++
++389-directory-server (1.2.6.1-5) unstable; urgency=low
++
++ * Removed db_stop from dirsrv.postinst
++ * Fix short description in libdirsrv0-dbg
++
++ -- Michele Baldessari <michele@acksyn.org> Wed, 20 Oct 2010 20:24:20 +0200
++
++389-directory-server (1.2.6.1-4) unstable; urgency=low
++
++ * Make libicu dep dependent on dpkg-vendor
++
++ -- Michele Baldessari <michele@acksyn.org> Mon, 18 Oct 2010 21:21:52 +0200
++
++389-directory-server (1.2.6.1-3) unstable; urgency=low
++
++ * Remove dirsrv user and group in postrm
++ * Clean up postrm and postinst
++
++ -- Michele Baldessari <michele@acksyn.org> Sun, 17 Oct 2010 21:54:08 +0200
++
++389-directory-server (1.2.6.1-2) unstable; urgency=low
++
++ * Fix QUILT_STAMPFN
++
++ -- Michele Baldessari <michele@acksyn.org> Sun, 17 Oct 2010 15:03:34 +0200
++
++389-directory-server (1.2.6.1-1) unstable; urgency=low
++
++ * New upstream
++
++ -- Michele Baldessari <michele@acksyn.org> Sat, 16 Oct 2010 23:08:09 +0200
++
++389-directory-server (1.2.6-2) unstable; urgency=low
++
++ * Update my email address
++
++ -- Michele Baldessari <michele@acksyn.org> Sat, 16 Oct 2010 22:34:19 +0200
++
++389-directory-server (1.2.6-1) unstable; urgency=low
++
++ * New upstream
++ * s/Fedora/389/g to clean up the branding
++ * Remove automatic configuration (breaks too often with every update)
++ * Remove dirsrv.config translation, no questions are asked anymore
++ * Fix old changelog versions with proper ~ on rc versions
++ * Update policy to 3.9.1
++ * Improve README.Debian
++ * Depend on libicu44
++ * Remove /var/run/dirsrv from the postinst scripts (managed by init script)
++
++ -- Michele Baldessari <michele@pupazzo.org> Sat, 04 Sep 2010 11:58:21 +0200
++
++389-directory-server (1.2.6~rc7-1) unstable; urgency=low
++
++ * New upstream
++
++ -- Michele Baldessari <michele@pupazzo.org> Fri, 03 Sep 2010 20:06:08 +0200
++
++389-directory-server (1.2.6~a3-1) unstable; urgency=low
++
++ * New upstream
++ * Rename man page remove-ds.pl in remove-ds
++ * Removed Debian.source
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 22:12:13 +0200
++
++389-directory-server (1.2.6~a2-1) unstable; urgency=low
++
++ * New upstream
++ * Removed speling_fixes patch, applied upstream
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 13:36:25 +0200
++
++389-directory-server (1.2.5-1) unstable; urgency=low
++
++ * New upstream
++ * Add libpcre3-dev Build-dep
++ * ldap-agent moved ti /usr/sbin
++ * Fix spelling errors in code and manpages
++ * Fix some lintian warnings
++ * Bump policy to 3.8.3
++ * Ignore lintian warning pkg-has-shlibs-control-file-but-no-actual-shared-libs
++ as the shlibs file is for dirsrv plugins
++ * Upgraded deps to libicu42 and libdb4.8
++ * Do create /var/lib/dirsrv as dirsrv user's home
++ * Added libsasl2-modules-gssapi-mit as a dependency for dirsrv (needed by
++ mandatory LDAP SASL mechs)
++ * Install all files of etc/dirsrv/config
++ * Add some missing start scripts in usr/sbin
++ * Fixed a bug in the dirsrv.init script
++ * Switch to dpkg-source 3.0 (quilt) format
++ * Bump policy to 3.8.4
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 12:31:24 +0200
++
++389-directory-server (1.2.1-0) unstable; urgency=low
++
++ * Rename of source package (note, since this is still staging work no
++ replace or upgrade is in place)
++ * Update watch file
++ * New Upstream
++
++ -- Michele Baldessari <michele@pupazzo.org> Fri, 12 Jun 2009 22:08:42 +0200
++
++fedora-directory-server (1.2.0-1) unstable; urgency=low
++
++ * New upstream release
++ * Add missing libkrb5-dev dependency
++ * Fix section of -dbg packages
++ * Fix all "dpatch-missing-description" lintian warnings
++
++ -- Michele Baldessari <michele@pupazzo.org> Wed, 22 Apr 2009 23:36:22 +0200
++
++fedora-directory-server (1.1.3-1) unstable; urgency=low
++
++ * New upstream
++ * Added watch file
++ * Make setup-ds use dirsrv:dirsrv user/group as defaults
++ * Added VCS-* fields
++ * --enable-autobind
++ * Add ldap/servers/plugins/replication/winsync-plugin.h to libdirsrv-dev
++
++ -- Michele Baldessari <michele@pupazzo.org> Mon, 24 Nov 2008 22:42:26 +0100
++
++fedora-directory-server (1.1.2-2) unstable; urgency=low
++
++ * Fixed build+configure twice issue
++ * Added Conflicts: slapd (thanks Alessandro)
++
++ -- Michele Baldessari <michele@pupazzo.org> Tue, 23 Sep 2008 21:12:44 +0200
++
++fedora-directory-server (1.1.2-1) unstable; urgency=low
++
++ * New upstream
++ * Removed /usr/sbin PATH from postinst script
++
++ -- Michele Baldessari <michele@pupazzo.org> Sat, 20 Sep 2008 20:10:52 +0000
++
++fedora-directory-server (1.1.1-0) unstable; urgency=low
++
++ * New upstream
++ * Don't apply patch for 439829, fixed upstream
++ * Bump to policy 3.8.0
++ * Added README.source
++
++ -- Michele Baldessari <michele@pupazzo.org> Fri, 22 Aug 2008 00:09:40 +0200
++
++fedora-directory-server (1.1.0-4) unstable; urgency=low
++
++ * dirsrv should depend on libmozilla-ldap-perl (thanks Mathias Kaufmann
++ <steiger@mmforces.de>)
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 20 Jul 2008 18:41:58 +0200
++
++fedora-directory-server (1.1.0-3) unstable; urgency=low
++
++ * Fix up some descriptions
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 25 May 2008 21:36:32 +0200
++
++fedora-directory-server (1.1.0-2) unstable; urgency=low
++
++ * Silenced init warning messages when chowning pid directory
++
++ -- Michele Baldessari <michele@pupazzo.org> Wed, 21 May 2008 23:08:32 +0200
++
++fedora-directory-server (1.1.0-1) unstable; urgency=low
++
++ * Removed template lintian warning
++ * Cleaned up manpages
++
++ -- Michele Baldessari <michele@pupazzo.org> Sun, 18 May 2008 13:39:58 +0200
++
++fedora-directory-server (1.1.0-0) unstable; urgency=low
++
++ * Initial release (Closes: #497098).
++ * Fixed postinst after renaming setup-ds.pl to setup-ds
++ * Applied patch from https://bugzilla.redhat.com/show_bug.cgi?id=439829 to
++ fix segfault against late NSS versions
++ * Switched to parseable copyright format
++ * Source package is lintian clean now
++ * Added initial manpage patch
++ * Switched to dh_install
++
++ -- Michele Baldessari <michele@pupazzo.org> Thu, 27 Mar 2008 23:56:17 +0200
--- /dev/null
--- /dev/null
++usr/share/cockpit/389-console/
++usr/share/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
--- /dev/null
--- /dev/null
++Source: 389-ds-base
++Section: net
++Priority: optional
++Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
++Uploaders:
++ Timo Aaltonen <tjaalton@debian.org>,
++Build-Depends:
++ libcmocka-dev,
++ debhelper-compat (= 13),
++ dh-python,
++ doxygen,
++ libbz2-dev,
++ libcrack2-dev,
++ libdb-dev,
++ libevent-dev,
++ libicu-dev,
++ libkrb5-dev,
++ libldap2-dev (>= 2.4.28),
++ libltdl-dev,
++ libnspr4-dev,
++ libnss3-dev,
++ libpam0g-dev,
++ libpci-dev,
++ libpcre3-dev,
++ libperl-dev,
++ libsasl2-dev,
++ libsnmp-dev,
++ libssl-dev,
++ libsystemd-dev,
++ pkg-config,
++ python3-all-dev,
++ python3-argcomplete,
++ python3-argparse-manpage,
++ python3-dateutil,
++ python3-ldap,
++ python3-packaging,
++ python3-selinux,
++ python3-sepolicy,
++ python3-setuptools,
++ rsync,
++ zlib1g-dev,
++Standards-Version: 4.5.0
++Vcs-Git: https://salsa.debian.org/freeipa-team/389-ds-base.git
++Vcs-Browser: https://salsa.debian.org/freeipa-team/389-ds-base
++Homepage: https://directory.fedoraproject.org
++
++Package: 389-ds
++Architecture: all
++Depends:
++ 389-ds-base,
++ cockpit-389-ds,
++ ${misc:Depends},
++Description: 389 Directory Server suite - metapackage
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This is a metapackage depending on the LDAPv3 server and a Cockpit UI plugin
++ for administration.
++
++Package: 389-ds-base-libs
++Section: libs
++Architecture: any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${misc:Depends}, ${shlibs:Depends},
++ libjemalloc2,
++Breaks: 389-ds-base (<< 1.3.6.7-5),
++ 389-ds-base-dev (<< 1.3.6.7-4),
++ libsvrcore0,
++Replaces: 389-ds-base (<< 1.3.6.7-5),
++ 389-ds-base-dev (<< 1.3.6.7-4),
++ libsvrcore0,
++Description: 389 Directory Server suite - libraries
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This package contains core libraries for the 389 Directory Server.
++
++Package: 389-ds-base-dev
++Section: libdevel
++Architecture: any
++Multi-Arch: same
++Depends:
++ 389-ds-base-libs (= ${binary:Version}),
++ libldap2-dev,
++ libnspr4-dev,
++ ${misc:Depends},
++ ${shlibs:Depends},
++Breaks: 389-ds-base (<< 1.3.6.7-4),
++ libsvrcore-dev,
++Replaces: 389-ds-base (<< 1.3.6.7-4),
++ libsvrcore-dev,
++Provides:
++ libsvrcore-dev,
++Description: 389 Directory Server suite - development files
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This package contains development headers for the core libraries
++ of the 389 Directory Server, useful for developing plugins without
++ having to install the server itself.
++
++Package: 389-ds-base
++Architecture: any
++Pre-Depends: debconf (>= 0.5) | debconf-2.0
++Depends:
++ 389-ds-base-libs (= ${binary:Version}),
++ adduser,
++ acl,
++ ldap-utils,
++ libmozilla-ldap-perl,
++ libnetaddr-ip-perl,
++ libsocket-getaddrinfo-perl,
++ libsasl2-modules-gssapi-mit,
++ perl,
++ python3-lib389,
++ python3-selinux,
++ python3-semanage,
++ python3-sepolicy,
++ systemd,
++ ${misc:Depends},
++ ${shlibs:Depends},
++ ${python3:Depends},
++Replaces: 389-ds-base-legacy-tools
++Description: 389 Directory Server suite - server
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ Its key features include:
++ * four-way multi-master replication;
++ * great scalability;
++ * extensive documentation;
++ * Active Directory user and group synchronization;
++ * secure authentication and transport;
++ * support for LDAPv3;
++ * graphical management console;
++ * on-line, zero downtime update of schema, configuration, and
++ in-tree Access Control Information.
++
++Package: python3-lib389
++Architecture: all
++Depends: ${misc:Depends}, ${python3:Depends},
++ libnss3-tools,
++ openssl,
++ python3-argcomplete,
++ python3-dateutil,
++ python3-ldap,
++ python3-packaging,
++ python3-pyasn1,
++ python3-pyasn1-modules,
++ python3-pytest,
++Conflicts: python-lib389 (<< 1.3.7.8),
++ 389-ds-base (<< 1.4.0.18-1~),
++Replaces: python-lib389 (<< 1.3.7.8),
++ 389-ds-base (<< 1.4.0.18-1~),
++Description: Python3 module for accessing and configuring the 389 Directory Server
++ This Python3 module contains tools and libraries for accessing, testing,
++ and configuring the 389 Directory Server.
++
++Package: cockpit-389-ds
++Architecture: all
++Multi-Arch: foreign
++Depends: ${misc:Depends},
++ cockpit,
++ libjs-bootstrap,
++ libjs-c3,
++ libjs-d3,
++ libjs-jquery-datatables,
++ libjs-jquery-datatables-extensions,
++ libjs-jquery-jstree,
++ libjs-moment,
++ libnss3-tools,
++ python3,
++ python3-lib389,
++Description: Cockpit user interface for 389 Directory Server
++ This package includes a Cockpit UI plugin for configuring and administering
++ the 389 Directory Server.
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-name: 389-ds-base
++Source: http://directory.fedoraproject.org/wiki/Source
++
++Files: *
++Copyright: 2001 Sun Microsystems, Inc.
++ 2005 Red Hat, Inc.
++License: GPL-3+ and Other
++
++Files: ldap/libraries/libavl/*.[ch] ldap/servers/slapd/abandon.c
++ ldap/servers/slapd/add.c ldap/servers/slapd/bind.c
++ ldap/servers/slapd/bulk_import.c ldap/servers/slapd/compare.c
++ ldap/servers/slapd/delete.c ldap/servers/slapd/detach.c
++ ldap/servers/slapd/globals.c ldap/servers/slapd/modify.c
++ ldap/servers/slapd/modrdn.c ldap/servers/slapd/monitor.c
++ ldap/servers/slapd/search.c ldap/servers/slapd/unbind.c
++Copyright: 1993 Regents of the University of Michigan
++ 2001 Sun Microsystems, Inc.
++ 2005 Red Hat, Inc.
++License: GPL-3+ and Other
++
++Files: ldap/servers/slapd/tools/ldaptool.h
++Copyright: 1998 Netscape Communication Corporation
++License: GPL-2+ or LGPL-2.1 or MPL-1.1
++
++Files: ldap/servers/slapd/tools/ldaptool-sasl.c
++ ldap/servers/slapd/tools/ldaptool-sasl.h
++Copyright: 2005 Sun Microsystems, Inc.
++License: GPL-2+ or LGPL-2.1 or MPL-1.1
++
++Files: m4/*
++Copyright: 2006-2017 Red Hat, Inc.
++ 2016 William Brown <william at blackhats dot net dot au>
++License: GPL-3+
++
++Files: src/svrcore/*
++Copyright: 2016 Red Hat, Inc.
++License: MPL-2.0
++
++Files: debian/*
++Copyright: 2008 Michele Baldessari <michele@acksyn.org>
++ 2012 Timo Aaltonen <tjaalton@ubuntu.com>
++License: GPL-2+ or LGPL-2.1 or MPL-1.1
++
++License: Other
++ In addition, as a special exception, Red Hat, Inc. gives You the additional
++ right to link the code of this Program with code not covered under the GNU
++ General Public License ("Non-GPL Code") and to distribute linked combinations
++ including the two, subject to the limitations in this paragraph. Non-GPL Code
++ permitted under this exception must only link to the code of this Program
++ through those well defined interfaces identified in the file named EXCEPTION
++ found in the source code files (the "Approved Interfaces"). The files of
++ Non-GPL Code may instantiate templates or use macros or inline functions from
++ the Approved Interfaces without causing the resulting work to be covered by
++ the GNU General Public License. Only Red Hat, Inc. may make changes or
++ additions to the list of Approved Interfaces. You must obey the GNU General
++ Public License in all respects for all of the Program code and other code used
++ in conjunction with the Program except the Non-GPL Code covered by this
++ exception. If you modify this file, you may extend this exception to your
++ version of the file, but you are not obligated to do so. If you do not wish to
++ provide this exception without modification, you must delete this exception
++ statement from your version and license this file solely under the GPL without
++ exception.
++
++License: BSD-3-clause
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are met:
++ .
++ * Redistributions of source code must retain the above copyright notice, this
++ list of conditions and the following disclaimer.
++ * Redistributions in binary form must reproduce the above copyright notice,
++ this list of conditions and the following disclaimer in the documentation
++ and/or other materials provided with the distribution.
++ * Neither the name of the Dojo Foundation nor the names of its contributors
++ may be used to endorse or promote products derived from this software
++ without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
++ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
++ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++
++License: GPL-2 or GPL-2+
++ On Debian machines the full text of the GNU General Public License
++ can be found in the file /usr/share/common-licenses/GPL-2.
++
++License: GPL-3+
++ On Debian machines the full text of the GNU General Public License v3
++ can be found in the file /usr/share/common-licenses/GPL-3.
++
++License: LGPL-2.1
++ On Debian machines the full text of the GNU General Public License
++ can be found in the file /usr/share/common-licenses/LGPL-2.1.
++
++License: MPL-1.1
++ MOZILLA PUBLIC LICENSE
++ Version 1.1
++ .
++ ---------------
++ .
++ 1. Definitions.
++ .
++ 1.0.1. "Commercial Use" means distribution or otherwise making the
++ Covered Code available to a third party.
++ .
++ 1.1. "Contributor" means each entity that creates or contributes to
++ the creation of Modifications.
++ .
++ 1.2. "Contributor Version" means the combination of the Original
++ Code, prior Modifications used by a Contributor, and the Modifications
++ made by that particular Contributor.
++ .
++ 1.3. "Covered Code" means the Original Code or Modifications or the
++ combination of the Original Code and Modifications, in each case
++ including portions thereof.
++ .
++ 1.4. "Electronic Distribution Mechanism" means a mechanism generally
++ accepted in the software development community for the electronic
++ transfer of data.
++ .
++ 1.5. "Executable" means Covered Code in any form other than Source
++ Code.
++ .
++ 1.6. "Initial Developer" means the individual or entity identified
++ as the Initial Developer in the Source Code notice required by Exhibit
++ A.
++ .
++ 1.7. "Larger Work" means a work which combines Covered Code or
++ portions thereof with code not governed by the terms of this License.
++ .
++ 1.8. "License" means this document.
++ .
++ 1.8.1. "Licensable" means having the right to grant, to the maximum
++ extent possible, whether at the time of the initial grant or
++ subsequently acquired, any and all of the rights conveyed herein.
++ .
++ 1.9. "Modifications" means any addition to or deletion from the
++ substance or structure of either the Original Code or any previous
++ Modifications. When Covered Code is released as a series of files, a
++ Modification is:
++ A. Any addition to or deletion from the contents of a file
++ containing Original Code or previous Modifications.
++ .
++ B. Any new file that contains any part of the Original Code or
++ previous Modifications.
++ .
++ 1.10. "Original Code" means Source Code of computer software code
++ which is described in the Source Code notice required by Exhibit A as
++ Original Code, and which, at the time of its release under this
++ License is not already Covered Code governed by this License.
++ .
++ 1.10.1. "Patent Claims" means any patent claim(s), now owned or
++ hereafter acquired, including without limitation, method, process,
++ and apparatus claims, in any patent Licensable by grantor.
++ .
++ 1.11. "Source Code" means the preferred form of the Covered Code for
++ making modifications to it, including all modules it contains, plus
++ any associated interface definition files, scripts used to control
++ compilation and installation of an Executable, or source code
++ differential comparisons against either the Original Code or another
++ well known, available Covered Code of the Contributor's choice. The
++ Source Code can be in a compressed or archival form, provided the
++ appropriate decompression or de-archiving software is widely available
++ for no charge.
++ .
++ 1.12. "You" (or "Your") means an individual or a legal entity
++ exercising rights under, and complying with all of the terms of, this
++ License or a future version of this License issued under Section 6.1.
++ For legal entities, "You" includes any entity which controls, is
++ controlled by, or is under common control with You. For purposes of
++ this definition, "control" means (a) the power, direct or indirect,
++ to cause the direction or management of such entity, whether by
++ contract or otherwise, or (b) ownership of more than fifty percent
++ (50%) of the outstanding shares or beneficial ownership of such
++ entity.
++ .
++ 2. Source Code License.
++ .
++ 2.1. The Initial Developer Grant.
++ The Initial Developer hereby grants You a world-wide, royalty-free,
++ non-exclusive license, subject to third party intellectual property
++ claims:
++ (a) under intellectual property rights (other than patent or
++ trademark) Licensable by Initial Developer to use, reproduce,
++ modify, display, perform, sublicense and distribute the Original
++ Code (or portions thereof) with or without Modifications, and/or
++ as part of a Larger Work; and
++ .
++ (b) under Patents Claims infringed by the making, using or
++ selling of Original Code, to make, have made, use, practice,
++ sell, and offer for sale, and/or otherwise dispose of the
++ Original Code (or portions thereof).
++ .
++ (c) the licenses granted in this Section 2.1(a) and (b) are
++ effective on the date Initial Developer first distributes
++ Original Code under the terms of this License.
++ .
++ (d) Notwithstanding Section 2.1(b) above, no patent license is
++ granted: 1) for code that You delete from the Original Code; 2)
++ separate from the Original Code; or 3) for infringements caused
++ by: i) the modification of the Original Code or ii) the
++ combination of the Original Code with other software or devices.
++ .
++ 2.2. Contributor Grant.
++ Subject to third party intellectual property claims, each Contributor
++ hereby grants You a world-wide, royalty-free, non-exclusive license
++ .
++ (a) under intellectual property rights (other than patent or
++ trademark) Licensable by Contributor, to use, reproduce, modify,
++ display, perform, sublicense and distribute the Modifications
++ created by such Contributor (or portions thereof) either on an
++ unmodified basis, with other Modifications, as Covered Code
++ and/or as part of a Larger Work; and
++ .
++ (b) under Patent Claims infringed by the making, using, or
++ selling of Modifications made by that Contributor either alone
++ and/or in combination with its Contributor Version (or portions
++ of such combination), to make, use, sell, offer for sale, have
++ made, and/or otherwise dispose of: 1) Modifications made by that
++ Contributor (or portions thereof); and 2) the combination of
++ Modifications made by that Contributor with its Contributor
++ Version (or portions of such combination).
++ .
++ (c) the licenses granted in Sections 2.2(a) and 2.2(b) are
++ effective on the date Contributor first makes Commercial Use of
++ the Covered Code.
++ .
++ (d) Notwithstanding Section 2.2(b) above, no patent license is
++ granted: 1) for any code that Contributor has deleted from the
++ Contributor Version; 2) separate from the Contributor Version;
++ 3) for infringements caused by: i) third party modifications of
++ Contributor Version or ii) the combination of Modifications made
++ by that Contributor with other software (except as part of the
++ Contributor Version) or other devices; or 4) under Patent Claims
++ infringed by Covered Code in the absence of Modifications made by
++ that Contributor.
++ .
++ 3. Distribution Obligations.
++ .
++ 3.1. Application of License.
++ The Modifications which You create or to which You contribute are
++ governed by the terms of this License, including without limitation
++ Section 2.2. The Source Code version of Covered Code may be
++ distributed only under the terms of this License or a future version
++ of this License released under Section 6.1, and You must include a
++ copy of this License with every copy of the Source Code You
++ distribute. You may not offer or impose any terms on any Source Code
++ version that alters or restricts the applicable version of this
++ License or the recipients' rights hereunder. However, You may include
++ an additional document offering the additional rights described in
++ Section 3.5.
++ .
++ 3.2. Availability of Source Code.
++ Any Modification which You create or to which You contribute must be
++ made available in Source Code form under the terms of this License
++ either on the same media as an Executable version or via an accepted
++ Electronic Distribution Mechanism to anyone to whom you made an
++ Executable version available; and if made available via Electronic
++ Distribution Mechanism, must remain available for at least twelve (12)
++ months after the date it initially became available, or at least six
++ (6) months after a subsequent version of that particular Modification
++ has been made available to such recipients. You are responsible for
++ ensuring that the Source Code version remains available even if the
++ Electronic Distribution Mechanism is maintained by a third party.
++ .
++ 3.3. Description of Modifications.
++ You must cause all Covered Code to which You contribute to contain a
++ file documenting the changes You made to create that Covered Code and
++ the date of any change. You must include a prominent statement that
++ the Modification is derived, directly or indirectly, from Original
++ Code provided by the Initial Developer and including the name of the
++ Initial Developer in (a) the Source Code, and (b) in any notice in an
++ Executable version or related documentation in which You describe the
++ origin or ownership of the Covered Code.
++ .
++ 3.4. Intellectual Property Matters
++ (a) Third Party Claims.
++ If Contributor has knowledge that a license under a third party's
++ intellectual property rights is required to exercise the rights
++ granted by such Contributor under Sections 2.1 or 2.2,
++ Contributor must include a text file with the Source Code
++ distribution titled "LEGAL" which describes the claim and the
++ party making the claim in sufficient detail that a recipient will
++ know whom to contact. If Contributor obtains such knowledge after
++ the Modification is made available as described in Section 3.2,
++ Contributor shall promptly modify the LEGAL file in all copies
++ Contributor makes available thereafter and shall take other steps
++ (such as notifying appropriate mailing lists or newsgroups)
++ reasonably calculated to inform those who received the Covered
++ Code that new knowledge has been obtained.
++ .
++ (b) Contributor APIs.
++ If Contributor's Modifications include an application programming
++ interface and Contributor has knowledge of patent licenses which
++ are reasonably necessary to implement that API, Contributor must
++ also include this information in the LEGAL file.
++ .
++ (c) Representations.
++ Contributor represents that, except as disclosed pursuant to
++ Section 3.4(a) above, Contributor believes that Contributor's
++ Modifications are Contributor's original creation(s) and/or
++ Contributor has sufficient rights to grant the rights conveyed by
++ this License.
++ .
++ 3.5. Required Notices.
++ You must duplicate the notice in Exhibit A in each file of the Source
++ Code. If it is not possible to put such notice in a particular Source
++ Code file due to its structure, then You must include such notice in a
++ location (such as a relevant directory) where a user would be likely
++ to look for such a notice. If You created one or more Modification(s)
++ You may add your name as a Contributor to the notice described in
++ Exhibit A. You must also duplicate this License in any documentation
++ for the Source Code where You describe recipients' rights or ownership
++ rights relating to Covered Code. You may choose to offer, and to
++ charge a fee for, warranty, support, indemnity or liability
++ obligations to one or more recipients of Covered Code. However, You
++ may do so only on Your own behalf, and not on behalf of the Initial
++ Developer or any Contributor. You must make it absolutely clear than
++ any such warranty, support, indemnity or liability obligation is
++ offered by You alone, and You hereby agree to indemnify the Initial
++ Developer and every Contributor for any liability incurred by the
++ Initial Developer or such Contributor as a result of warranty,
++ support, indemnity or liability terms You offer.
++ .
++ 3.6. Distribution of Executable Versions.
++ You may distribute Covered Code in Executable form only if the
++ requirements of Section 3.1-3.5 have been met for that Covered Code,
++ and if You include a notice stating that the Source Code version of
++ the Covered Code is available under the terms of this License,
++ including a description of how and where You have fulfilled the
++ obligations of Section 3.2. The notice must be conspicuously included
++ in any notice in an Executable version, related documentation or
++ collateral in which You describe recipients' rights relating to the
++ Covered Code. You may distribute the Executable version of Covered
++ Code or ownership rights under a license of Your choice, which may
++ contain terms different from this License, provided that You are in
++ compliance with the terms of this License and that the license for the
++ Executable version does not attempt to limit or alter the recipient's
++ rights in the Source Code version from the rights set forth in this
++ License. If You distribute the Executable version under a different
++ license You must make it absolutely clear that any terms which differ
++ from this License are offered by You alone, not by the Initial
++ Developer or any Contributor. You hereby agree to indemnify the
++ Initial Developer and every Contributor for any liability incurred by
++ the Initial Developer or such Contributor as a result of any such
++ terms You offer.
++ .
++ 3.7. Larger Works.
++ You may create a Larger Work by combining Covered Code with other code
++ not governed by the terms of this License and distribute the Larger
++ Work as a single product. In such a case, You must make sure the
++ requirements of this License are fulfilled for the Covered Code.
++ .
++ 4. Inability to Comply Due to Statute or Regulation.
++ .
++ If it is impossible for You to comply with any of the terms of this
++ License with respect to some or all of the Covered Code due to
++ statute, judicial order, or regulation then You must: (a) comply with
++ the terms of this License to the maximum extent possible; and (b)
++ describe the limitations and the code they affect. Such description
++ must be included in the LEGAL file described in Section 3.4 and must
++ be included with all distributions of the Source Code. Except to the
++ extent prohibited by statute or regulation, such description must be
++ sufficiently detailed for a recipient of ordinary skill to be able to
++ understand it.
++ .
++ 5. Application of this License.
++ .
++ This License applies to code to which the Initial Developer has
++ attached the notice in Exhibit A and to related Covered Code.
++ .
++ 6. Versions of the License.
++ .
++ 6.1. New Versions.
++ Netscape Communications Corporation ("Netscape") may publish revised
++ and/or new versions of the License from time to time. Each version
++ will be given a distinguishing version number.
++ .
++ 6.2. Effect of New Versions.
++ Once Covered Code has been published under a particular version of the
++ License, You may always continue to use it under the terms of that
++ version. You may also choose to use such Covered Code under the terms
++ of any subsequent version of the License published by Netscape. No one
++ other than Netscape has the right to modify the terms applicable to
++ Covered Code created under this License.
++ .
++ 6.3. Derivative Works.
++ If You create or use a modified version of this License (which you may
++ only do in order to apply it to code which is not already Covered Code
++ governed by this License), You must (a) rename Your license so that
++ the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape",
++ "MPL", "NPL" or any confusingly similar phrase do not appear in your
++ license (except to note that your license differs from this License)
++ and (b) otherwise make it clear that Your version of the license
++ contains terms which differ from the Mozilla Public License and
++ Netscape Public License. (Filling in the name of the Initial
++ Developer, Original Code or Contributor in the notice described in
++ Exhibit A shall not of themselves be deemed to be modifications of
++ this License.)
++ .
++ 7. DISCLAIMER OF WARRANTY.
++ .
++ COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS,
++ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
++ WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF
++ DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
++ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE
++ IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT,
++ YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE
++ COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
++ OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF
++ ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
++ .
++ 8. TERMINATION.
++ .
++ 8.1. This License and the rights granted hereunder will terminate
++ automatically if You fail to comply with terms herein and fail to cure
++ such breach within 30 days of becoming aware of the breach. All
++ sublicenses to the Covered Code which are properly granted shall
++ survive any termination of this License. Provisions which, by their
++ nature, must remain in effect beyond the termination of this License
++ shall survive.
++ .
++ 8.2. If You initiate litigation by asserting a patent infringement
++ claim (excluding declatory judgment actions) against Initial Developer
++ or a Contributor (the Initial Developer or Contributor against whom
++ You file such action is referred to as "Participant") alleging that:
++ .
++ (a) such Participant's Contributor Version directly or indirectly
++ infringes any patent, then any and all rights granted by such
++ Participant to You under Sections 2.1 and/or 2.2 of this License
++ shall, upon 60 days notice from Participant terminate prospectively,
++ unless if within 60 days after receipt of notice You either: (i)
++ agree in writing to pay Participant a mutually agreeable reasonable
++ royalty for Your past and future use of Modifications made by such
++ Participant, or (ii) withdraw Your litigation claim with respect to
++ the Contributor Version against such Participant. If within 60 days
++ of notice, a reasonable royalty and payment arrangement are not
++ mutually agreed upon in writing by the parties or the litigation claim
++ is not withdrawn, the rights granted by Participant to You under
++ Sections 2.1 and/or 2.2 automatically terminate at the expiration of
++ the 60 day notice period specified above.
++ .
++ (b) any software, hardware, or device, other than such Participant's
++ Contributor Version, directly or indirectly infringes any patent, then
++ any rights granted to You by such Participant under Sections 2.1(b)
++ and 2.2(b) are revoked effective as of the date You first made, used,
++ sold, distributed, or had made, Modifications made by that
++ Participant.
++ .
++ 8.3. If You assert a patent infringement claim against Participant
++ alleging that such Participant's Contributor Version directly or
++ indirectly infringes any patent where such claim is resolved (such as
++ by license or settlement) prior to the initiation of patent
++ infringement litigation, then the reasonable value of the licenses
++ granted by such Participant under Sections 2.1 or 2.2 shall be taken
++ into account in determining the amount or value of any payment or
++ license.
++ .
++ 8.4. In the event of termination under Sections 8.1 or 8.2 above,
++ all end user license agreements (excluding distributors and resellers)
++ which have been validly granted by You or any distributor hereunder
++ prior to termination shall survive termination.
++ .
++ 9. LIMITATION OF LIABILITY.
++ .
++ UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT
++ (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL
++ DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE,
++ OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR
++ ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY
++ CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL,
++ WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER
++ COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN
++ INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF
++ LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY
++ RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW
++ PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
++ EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
++ THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
++ .
++ 10. U.S. GOVERNMENT END USERS.
++ .
++ The Covered Code is a "commercial item," as that term is defined in
++ 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer
++ software" and "commercial computer software documentation," as such
++ terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48
++ C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995),
++ all U.S. Government End Users acquire Covered Code with only those
++ rights set forth herein.
++ .
++ 11. MISCELLANEOUS.
++ .
++ This License represents the complete agreement concerning subject
++ matter hereof. If any provision of this License is held to be
++ unenforceable, such provision shall be reformed only to the extent
++ necessary to make it enforceable. This License shall be governed by
++ California law provisions (except to the extent applicable law, if
++ any, provides otherwise), excluding its conflict-of-law provisions.
++ With respect to disputes in which at least one party is a citizen of,
++ or an entity chartered or registered to do business in the United
++ States of America, any litigation relating to this License shall be
++ subject to the jurisdiction of the Federal Courts of the Northern
++ District of California, with venue lying in Santa Clara County,
++ California, with the losing party responsible for costs, including
++ without limitation, court costs and reasonable attorneys' fees and
++ expenses. The application of the United Nations Convention on
++ Contracts for the International Sale of Goods is expressly excluded.
++ Any law or regulation which provides that the language of a contract
++ shall be construed against the drafter shall not apply to this
++ License.
++ .
++ 12. RESPONSIBILITY FOR CLAIMS.
++ .
++ As between Initial Developer and the Contributors, each party is
++ responsible for claims and damages arising, directly or indirectly,
++ out of its utilization of rights under this License and You agree to
++ work with Initial Developer and Contributors to distribute such
++ responsibility on an equitable basis. Nothing herein is intended or
++ shall be deemed to constitute any admission of liability.
++ .
++ 13. MULTIPLE-LICENSED CODE.
++ .
++ Initial Developer may designate portions of the Covered Code as
++ "Multiple-Licensed". "Multiple-Licensed" means that the Initial
++ Developer permits you to utilize portions of the Covered Code under
++ Your choice of the NPL or the alternative licenses, if any, specified
++ by the Initial Developer in the file described in Exhibit A.
++ .
++ EXHIBIT A -Mozilla Public License.
++ .
++ ``The contents of this file are subject to the Mozilla Public License
++ Version 1.1 (the "License"); you may not use this file except in
++ compliance with the License. You may obtain a copy of the License at
++ http://www.mozilla.org/MPL/
++ .
++ Software distributed under the License is distributed on an "AS IS"
++ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
++ License for the specific language governing rights and limitations
++ under the License.
++ .
++ The Original Code is ______________________________________.
++ .
++ The Initial Developer of the Original Code is ________________________.
++ Portions created by ______________________ are Copyright (C) ______
++ _______________________. All Rights Reserved.
++ .
++ Contributor(s): ______________________________________.
++ .
++ Alternatively, the contents of this file may be used under the terms
++ of the _____ license (the "[___] License"), in which case the
++ provisions of [______] License are applicable instead of those
++ above. If you wish to allow use of your version of this file only
++ under the terms of the [____] License and not to allow others to use
++ your version of this file under the MPL, indicate your decision by
++ deleting the provisions above and replace them with the notice and
++ other provisions required by the [___] License. If you do not delete
++ the provisions above, a recipient may use your version of this file
++ under either the MPL or the [___] License."
++ .
++ [NOTE: The text of this Exhibit A may differ slightly from the text of
++ the notices in the Source Code files of the Original Code. You should
++ use the text of this Exhibit A rather than the text found in the
++ Original Code Source Code for Your Modifications.]
++
++License: MPL-2.0
++ On Debian machines the full text of the Mozilla Public License version 2.0
++ can be found in the file /usr/share/common-licenses/MPL-2.0.
--- /dev/null
--- /dev/null
++include:
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
++
++blhc:
++ allow_failure: true
--- /dev/null
--- /dev/null
++From 85d06aba6cb874958e9583d84bbd83ffe8bc40f6 Mon Sep 17 00:00:00 2001
++From: Timo Aaltonen <tjaalton@debian.org>
++Date: Wed, 15 Dec 2021 21:40:38 +0200
++Subject: [PATCH] Revert "Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode
++ (#4949)"
++
++This reverts commit b0d06615e1117799ec156d51489cd49c92635cca.
++---
++ .../healthcheck/health_security_test.py | 10 +++
++ ldap/ldif/template-dse-minimal.ldif.in | 52 ----------------
++ ldap/ldif/template-dse.ldif.in | 52 ----------------
++ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 62 +++----------------
++ ldap/servers/slapd/main.c | 12 ----
++ src/lib389/lib389/__init__.py | 4 --
++ src/lib389/lib389/topologies.py | 6 +-
++ src/lib389/lib389/utils.py | 13 ----
++ 8 files changed, 21 insertions(+), 190 deletions(-)
++
++diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++index fa3c28615..a07371e0e 100644
++--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+++++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++@@ -31,6 +31,16 @@ libfaketime.reexec_if_needed()
++ log = logging.getLogger(__name__)
++
++
+++def is_fips():
+++ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+++ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+++ state = f.readline().strip()
+++ if state == '1':
+++ return True
+++ else:
+++ return False
+++
+++
++ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searched_code2=None):
++ args = FakeArgs()
++ args.instance = instance.serverid
++diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
++index a1700a2da..5d424fbf5 100644
++--- a/ldap/ldif/template-dse-minimal.ldif.in
+++++ b/ldap/ldif/template-dse-minimal.ldif.in
++@@ -185,58 +185,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
++ nsslapd-plugintype: pwdstoragescheme
++ nsslapd-pluginenabled: on
++
++-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2
++-
++-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA1
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA1
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA1\
++-
++-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA256
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA256
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA256\
++-
++-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA512
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA512
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA512
++-
++ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
++ objectclass: top
++ objectclass: nsSlapdPlugin
++diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
++index 1456761e5..892f62c6b 100644
++--- a/ldap/ldif/template-dse.ldif.in
+++++ b/ldap/ldif/template-dse.ldif.in
++@@ -232,58 +232,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
++ nsslapd-plugintype: pwdstoragescheme
++ nsslapd-pluginenabled: on
++
++-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2
++-
++-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA1
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA1
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA1\
++-
++-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA256
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA256
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA256\
++-
++-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA512
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA512
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA512
++-
++ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
++ objectclass: top
++ objectclass: nsSlapdPlugin
++diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++index dcac4fcdd..d310dc792 100644
++--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++@@ -91,11 +91,10 @@ pbkdf2_sha256_extract(char *hash_in, SECItem *salt, uint32_t *iterations)
++ SECStatus
++ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, uint32_t iterations)
++ {
+++ SECItem *result = NULL;
++ SECAlgorithmID *algid = NULL;
++ PK11SlotInfo *slot = NULL;
++ PK11SymKey *symkey = NULL;
++- SECItem *wrapKeyData = NULL;
++- SECStatus rv = SECFailure;
++
++ /* We assume that NSS is already started. */
++ algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
++@@ -105,6 +104,7 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
++ slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
++ if (slot != NULL) {
++ symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
+++ PK11_FreeSlot(slot);
++ if (symkey == NULL) {
++ /* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
++ int32_t status = PORT_GetError();
++@@ -123,60 +123,18 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
++ return SECFailure;
++ }
++
++- /*
++- * First, we need to generate a wrapped key for PK11_Decrypt call:
++- * slot is the same slot we used in PK11_PBEKeyGen()
++- * 256 bits / 8 bit per byte
++- */
++- PK11SymKey *wrapKey = PK11_KeyGen(slot, CKM_AES_ECB, NULL, 256/8, NULL);
++- PK11_FreeSlot(slot);
++- if (wrapKey == NULL) {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to generate a wrapped key.\n");
++- return SECFailure;
++- }
++-
++- wrapKeyData = (SECItem *)PORT_Alloc(sizeof(SECItem));
++- /* Align the wrapped key with 32 bytes. */
++- wrapKeyData->len = (PK11_GetKeyLength(symkey) + 31) & ~31;
++- /* Allocate the aligned space for pkc5PBE key plus AESKey block */
++- wrapKeyData->data = (unsigned char *)slapi_ch_calloc(wrapKeyData->len, sizeof(unsigned char));
++-
++- /* Get symkey wrapped with wrapKey - required for PK11_Decrypt call */
++- rv = PK11_WrapSymKey(CKM_AES_ECB, NULL, wrapKey, symkey, wrapKeyData);
++- if (rv != SECSuccess) {
++- PK11_FreeSymKey(symkey);
++- PK11_FreeSymKey(wrapKey);
++- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to wrap the symkey. (%d)\n", rv);
++- return SECFailure;
++- }
++-
++- /* Allocate the space for our result */
++- void *result = (char *)slapi_ch_calloc(wrapKeyData->len, sizeof(char));
++- unsigned int result_len = 0;
++-
++- /* User wrapKey to decrypt the wrapped contents.
++- * result is the hash that we need;
++- * result_len is the actual lengh of the data;
++- * has_out_len is the maximum (the space we allocted for hash_out)
++- */
++- rv = PK11_Decrypt(wrapKey, CKM_AES_ECB, NULL, result, &result_len, hash_out_len, wrapKeyData->data, wrapKeyData->len);
++- PK11_FreeSymKey(symkey);
++- PK11_FreeSymKey(wrapKey);
++- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
++-
++- if (rv == SECSuccess) {
++- if (result != NULL && result_len <= hash_out_len) {
++- memcpy(hash_out, result, result_len);
++- slapi_ch_free((void **)&result);
+++ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
+++ result = PK11_GetKeyData(symkey);
+++ if (result != NULL && result->len <= hash_out_len) {
+++ memcpy(hash_out, result->data, result->len);
+++ PK11_FreeSymKey(symkey);
++ } else {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to retrieve (get) hash output.\n");
++- slapi_ch_free((void **)&result);
+++ PK11_FreeSymKey(symkey);
+++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
++ return SECFailure;
++ }
++ } else {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to extract hash output. (%d)\n", rv);
++- slapi_ch_free((void **)&result);
+++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
++ return SECFailure;
++ }
++
++diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
++index 7b3dc848f..9f99f6154 100644
++--- a/ldap/servers/slapd/main.c
+++++ b/ldap/servers/slapd/main.c
++@@ -2931,21 +2931,9 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt, int s_por
++ * is enabled or not. We use NSS for random number generation and
++ * other things even if we are not going to accept SSL connections.
++ * We also need NSS for attribute encryption/decryption on import and export.
++- *
++- * It's important to remember that while in FIPS mode the administrator should always enable
++- * the security, otherwise we don't call slapd_pk11_authenticate which is a requirement for FIPS mode
++ */
++- PRBool isFIPS = slapd_pk11_isFIPS();
++ int init_ssl = config_get_security();
++
++- if (isFIPS && !init_ssl) {
++- slapi_log_err(SLAPI_LOG_WARNING, "slapd_do_all_nss_ssl_init",
++- "ERROR: TLS is not enabled, and the machine is in FIPS mode. "
++- "Some functionality won't work correctly (for example, "
++- "users with PBKDF2_SHA256 password scheme won't be able to log in). "
++- "It's highly advisable to enable TLS on this instance.\n");
++- }
++-
++ if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
++ init_ssl = init_ssl && (0 != s_port) && (s_port <= LDAP_PORT_MAX);
++ } else {
++diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
++index 15ac50b7d..d4473dfd1 100644
++--- a/src/lib389/lib389/__init__.py
+++++ b/src/lib389/lib389/__init__.py
++@@ -1533,10 +1533,6 @@ class DirSrv(SimpleLDAPObject, object):
++ :param post_open: Open the server connection after restart.
++ :type post_open: bool
++ """
++- if self.config.get_attr_val_utf8_l("nsslapd-security") == 'on':
++- self.restart(post_open=post_open)
++- return
++-
++ # If it doesn't exist, create a cadb.
++ ssca = NssSsl(dbpath=self.get_ssca_dir())
++ if not ssca._db_exists():
++diff --git a/src/lib389/lib389/topologies.py b/src/lib389/lib389/topologies.py
++index 569818fc1..db505535f 100644
++--- a/src/lib389/lib389/topologies.py
+++++ b/src/lib389/lib389/topologies.py
++@@ -11,7 +11,7 @@ import logging
++ import socket # For hostname detection for GSSAPI tests
++ import pytest
++ from lib389 import DirSrv
++-from lib389.utils import generate_ds_params, is_fips
+++from lib389.utils import generate_ds_params
++ from lib389.mit_krb5 import MitKrb5
++ from lib389.saslmap import SaslMappings
++ from lib389.replica import ReplicationManager, Replicas
++@@ -103,10 +103,6 @@ def _create_instances(topo_dict, suffix):
++ if role == ReplicaRole.HUB:
++ hs[instance.serverid] = instance
++ instances.update(hs)
++- # We should always enable TLS while in FIPS mode because otherwise NSS database won't be
++- # configured in a FIPS compliant way
++- if is_fips():
++- instance.enable_tls()
++ if DEBUGGING:
++ instance.config.set('nsslapd-errorlog-level','8192')
++ instance.config.set('nsslapd-accesslog-level','260')
++diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
++index 5445aa7b0..37eeda273 100644
++--- a/src/lib389/lib389/utils.py
+++++ b/src/lib389/lib389/utils.py
++@@ -1434,16 +1434,3 @@ def is_valid_hostname(hostname):
++ hostname = hostname[:-1] # strip exactly one dot from the right, if present
++ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
++ return all(allowed.match(x) for x in hostname.split("."))
++-
++-
++-def is_fips():
++- if os.path.exists('/proc/sys/crypto/fips_enabled'):
++- with open('/proc/sys/crypto/fips_enabled', 'r') as f:
++- state = f.readline().strip()
++- if state == '1':
++- return True
++- else:
++- return False
++- else:
++- return False
++-
++--
++2.32.0
++
--- /dev/null
--- /dev/null
++--- a/ldap/servers/slapd/ldaputil.c
+++++ b/ldap/servers/slapd/ldaputil.c
++@@ -827,10 +827,14 @@ ldaputil_get_saslpath()
++ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
++ #ifdef CPU_arm
++ /* the 64-bit ARMv8 architecture. */
++- saslpath = "/usr/lib/aarch64-linux-gnu";
+++ saslpath = "/usr/lib/aarch64-linux-gnu/sasl2";
+++#elif defined(CPU_powerpc64le)
+++ saslpath = "/usr/lib/powerpc64le-linux-gnu/sasl2";
+++#elif defined(CPU_s390x)
+++ saslpath = "/usr/lib/s390x-linux-gnu/sasl2";
++ #else
++ /* Try x86_64 gnu triplet */
++- saslpath = "/usr/lib/x86_64-linux-gnu";
+++ saslpath = "/usr/lib/x86_64-linux-gnu/sasl2";
++ #endif
++ }
++ #else
++@@ -838,14 +842,14 @@ ldaputil_get_saslpath()
++ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
++ #ifdef CPU_arm
++ /* the latest 32 bit ARM architecture using the hard-float version of EABI. */
++- saslpath = "/usr/lib/arm-linux-gnueabihf";
+++ saslpath = "/usr/lib/arm-linux-gnueabihf/sasl2";
++ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
++ /* the 32 bit ARM architecture of EABI. */
++- saslpath = "/usr/lib/arm-linux-gnueabi";
+++ saslpath = "/usr/lib/arm-linux-gnueabi/sasl2";
++ }
++ #else
++ /* Try i386 gnu triplet */
++- saslpath = "/usr/lib/i386-linux-gnu";
+++ saslpath = "/usr/lib/i386-linux-gnu/sasl2";
++ #endif
++ }
++ #endif
++--- a/configure.ac
+++++ b/configure.ac
++@@ -655,7 +655,8 @@ case $host in
++ arm-*-linux*)
++ AC_DEFINE([CPU_arm], [], [cpu type arm])
++ ;;
++- ppc64le-*-linux*)
+++ powerpc64le-*-linux*)
+++ AC_DEFINE([CPU_powerpc64le], [], [cpu type powerpc64le])
++ ;;
++ ppc64-*-linux*)
++ ;;
++@@ -664,6 +665,7 @@ case $host in
++ s390-*-linux*)
++ ;;
++ s390x-*-linux*)
+++ AC_DEFINE([CPU_s390x], [], [cpu type s390x])
++ ;;
++ esac
++ # some programs use the native thread library directly
--- /dev/null
--- /dev/null
++fix-saslpath.diff
++0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
--- /dev/null
--- /dev/null
++usr/lib/python3/dist-packages/lib389-*
++usr/lib/python3/dist-packages/lib389/
++usr/sbin/dsconf
++usr/sbin/dscreate
++usr/sbin/dsctl
++usr/sbin/dsidm
++usr/share/man/man8/dsconf.8
++usr/share/man/man8/dscreate.8
++usr/share/man/man8/dsctl.8
++usr/share/man/man8/dsidm.8
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++# -*- makefile -*-
++
++export DEB_BUILD_MAINT_OPTIONS = hardening=+pie
++
++
++ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
++ export DEB_LDFLAGS_MAINT_APPEND=-latomic
++endif
++
++REALFILE = \
++ bin/ds-logpipe.py \
++ bin/logconv.pl \
++ share/man/man1/ds-logpipe.py.1 \
++ share/man/man1/logconv.pl.1 \
++
++%:
++ dh $@ --with python3 --builddir build/
++
++override_dh_auto_clean:
++ dh_auto_clean
++ rm -f aclocal.m4 config.* ltmain.sh m4/libtool.m4 m4/lt*.m4
++ rm -f ldap/servers/snmp/ldap-agent.conf
++ rm -rf src/lib389/build src/lib389/lib389.egg-info
++ find src/lib389/ -name '__pycache__' -exec rm -rf '{}' ';'
++ rm -f src/lib389/man/*.8
++
++override_dh_auto_configure:
++ dh_auto_configure -- \
++ --with-openldap \
++ --with-systemd \
++ --with-systemdsystemunitdir=/lib/systemd/system \
++ --with-systemdsystemconfdir=/etc/systemd/system \
++ --with-systemdgroupname=dirsrv.target \
++ --with-tmpfiles-d=/etc/tmpfiles.d \
++ --enable-autobind \
++ --enable-cmocka \
++ --enable-icu \
++ --enable-perl
++
++override_dh_auto_build:
++ (cd src/lib389 && python3 setup.py build)
++ dh_auto_build
++
++override_dh_auto_install:
++ (cd src/lib389 && python3 setup.py install --install-layout=deb --root ../../debian/tmp)
++
++ dh_auto_install --max-parallel=1
++
++override_dh_install:
++ # lets do the renaming here afterall, instead of in 389-ds-base.install
++ for file in $(REALFILE); do mv -f $(CURDIR)/debian/tmp/usr/$$file \
++ $(CURDIR)/debian/tmp/usr/`echo $$file | \
++ sed -s 's/\.pl//;s/\.py//'`; \
++ done
++ # purge .la files
++ find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \;
++
++ mkdir -p $(CURDIR)/debian/tmp/etc/systemd/system/dirsrv.target.wants
++
++ # fix the manpage section, argparse-manpage hardcodes it as 1
++ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsconf.8
++ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dscreate.8
++ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsctl.8
++ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsidm.8
++
++ # link to jemalloc
++ mkdir -p $(CURDIR)/debian/tmp/usr/lib/$(DEB_BUILD_MULTIARCH)/dirsrv/lib/
++ ln -s /usr/lib/$(DEB_BUILD_MULTIARCH)/libjemalloc.so.2 \
++ $(CURDIR)/debian/tmp/usr/lib/$(DEB_BUILD_MULTIARCH)/dirsrv/lib/
++
++ dh_install
++
++override_dh_missing:
++ dh_missing --fail-missing
++
++override_dh_installsystemd:
++ dh_installsystemd -p389-ds-base --no-enable dirsrv-snmp.service
++
++override_dh_shlibdeps:
++ dh_shlibdeps -l"debian/389-ds-base/usr/lib/$(DEB_HOST_MULTIARCH)/dirsrv" -a
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++# it just has long lines
++389-ds-base source: source-is-missing src/cockpit/389-console/cockpit_dist/index.js line length is 312 characters (>256)
--- /dev/null
--- /dev/null
++Tests: setup
++Depends:
++ 389-ds-base,
++Restrictions:
++ isolation-container,
++ needs-root,
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++# hack for lxc
++IP=`ip route get 1.1.1.1 | sed -n -e's/.*src //; s/ .*//; p; q'`
++echo "IP address is $IP"
++
++HOSTNAME=`cat /etc/hosts| grep '127.0.1.1' | awk '{print $NF; exit}'`
++echo "Hostname was: $HOSTNAME"
++
++if [ -z $HOSTNAME ]; then
++ HOSTNAME=autopkgtest
++ hostname $HOSTNAME
++ echo $HOSTNAME > /etc/hostname
++fi
++
++echo "$IP $HOSTNAME.debci $HOSTNAME" >> /etc/hosts
++
++echo "/etc/hosts now has:"
++cat /etc/hosts
++
++cat << EOF > /tmp/debci.inf
++[general]
++full_machine_name = $HOSTNAME.debci
++strict_host_checking = False
++[slapd]
++group = dirsrv
++instance_name = debci
++port = 1389
++root_dn = cn=Directory Manager
++root_password = Secret123
++user = dirsrv
++[backend-userroot]
++suffix = dc=example,dc=com
++EOF
++
++/usr/sbin/dscreate from-file /tmp/debci.inf 2>&1
--- /dev/null
--- /dev/null
++#git=https://github.com/389ds/389-ds-base
++version=3
++https://github.com/389ds/389-ds-base/tags/ (?:.*?/)?389-ds-base-@ANY_VERSION@\.tar\.gz
projects / 389-ds-base.git / commitdiff