--- /dev/null
+usr/include/dirsrv/*
+usr/include/svrcore.h
+usr/lib/*/dirsrv/libldaputil.so
+usr/lib/*/dirsrv/libns-dshttpd.so
+usr/lib/*/dirsrv/librewriters.so
+usr/lib/*/dirsrv/libslapd.so
+usr/lib/*/libsvrcore.so
+usr/lib/*/pkgconfig/*
--- /dev/null
+usr/lib/*/dirsrv/lib/libjemalloc.so.*
+usr/lib/*/dirsrv/libldaputil.so.*
+usr/lib/*/dirsrv/libns-dshttpd.so.*
+usr/lib/*/dirsrv/librewriters.so.*
+usr/lib/*/dirsrv/libslapd.so.*
+usr/lib/*/libsvrcore.so.*
--- /dev/null
+custom-library-search-path
--- /dev/null
+# Defaults for dirsrv
+#
+# This is a POSIX shell fragment
+
+# Enable bindnow hardening
+LD_BIND_NOW=1
--- /dev/null
+var/log/dirsrv
+var/lib/dirsrv
--- /dev/null
+etc/dirsrv/config/
+etc/dirsrv/schema/*.ldif
+etc/systemd/
+lib/systemd/system/dirsrv-snmp.service
+lib/systemd/system/dirsrv.target
+lib/systemd/system/dirsrv@.service
+lib/systemd/system/dirsrv@.service.d/custom.conf
+usr/bin/dbscan
+usr/bin/ds-logpipe
+usr/bin/ds-replcheck
+usr/bin/ldclt
+usr/bin/logconv
+usr/bin/pwdhash
+usr/lib/*/dirsrv/plugins/*.so
+usr/lib/*/dirsrv/python/
+usr/libexec/dirsrv/dscontainer
+usr/libexec/ds_selinux_restorecon.sh
+usr/libexec/ds_systemd_ask_password_acl
+usr/lib/sysctl.d/70-dirsrv.conf
+usr/sbin/ldap-agent
+usr/sbin/ns-slapd
+usr/sbin/openldap_to_ds
+usr/share/dirsrv/data
+usr/share/dirsrv/inf
+usr/share/dirsrv/mibs
+usr/share/dirsrv/schema
+usr/share/gdb/auto-load/usr/sbin/ns-slapd-gdb.py
+usr/share/man/man1/dbscan.1
+usr/share/man/man1/ds-logpipe.1
+usr/share/man/man1/ds-replcheck.1
+usr/share/man/man1/ldap-agent.1
+usr/share/man/man1/ldclt.1
+usr/share/man/man1/logconv.1
+usr/share/man/man1/pwdhash.1
+usr/share/man/man5/*.5
+usr/share/man/man8/ns-slapd.8
+usr/share/man/man8/openldap_to_ds.8
--- /dev/null
+/dev/null lib/systemd/system/dirsrv.service
--- /dev/null
+# these are bogus warnings, no libs shipped in a public libdir
+unused-shlib-entry-in-control-file
+
+# plugins
+custom-library-search-path
--- /dev/null
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+CONFIG_DIR=/etc/dirsrv
+OUT=/dev/null
+INSTANCES=`ls -d /etc/dirsrv/slapd-* 2>/dev/null | grep -v removed | sed 's/.*slapd-//'`
+
+if [ "$1" = configure ]; then
+ # lets give them a user/group in all cases.
+ if ! getent passwd dirsrv > $OUT; then
+ adduser --quiet --system --home /var/lib/dirsrv \
+ --disabled-password --group \
+ --gecos "389 Directory Server user" \
+ --no-create-home \
+ dirsrv > $OUT
+ fi
+
+ chown -R dirsrv:dirsrv /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
+ chmod 750 /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
+fi
+
+invoke_failure() {
+ # invoke-rc.d failed, likely because no instance has been configured yet
+ # but exit with an error if an instance is configured and the invoke failed
+ if [ -z $INSTANCES ]; then
+ echo "... because no instance has been configured yet."
+ else
+ exit 1
+ fi
+}
+
+
+#DEBHELPER#
--- /dev/null
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+if [ "$1" = "purge" ]; then
+ if getent group dirsrv > /dev/null; then
+ deluser --system dirsrv || true
+ fi
+ rm -f /etc/systemd/system/dirsrv.target.wants/dirsrv@*.service
+ rm -rf /etc/dirsrv
+ rm -rf /var/lib/dirsrv
+ rm -rf /var/log/dirsrv
+fi
+
+#DEBHELPER#
--- /dev/null
+#!/bin/sh -e
+set -e
+
+#DEBHELPER#
+
+if [ "$1" = "purge" ]; then
+ # remove all installed instances
+ for FILE in `ls -d /etc/dirsrv/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
+ do
+ if [ -d "$FILE" ] ; then
+ dsctl $FILE remove --do-it
+ fi
+ done
+fi
--- /dev/null
+To complete the 389 Directory Server installation just run /usr/sbin/setup-ds.
+
+If you experience problems accessing the Directory Server, check with
+"netstat -tapen |grep 389" and verify that the server is not listening only
+to ipv6 (check for ^tcp6). In such case you will need to tweak the cn=config
+DIT with something like the following:
+
+dn: cn=config
+changetype: modify
+add: nsslapd-listenhost
+nsslapd-listenhost: <youripv4>
+
--- /dev/null
+389-ds-base (2.0.14-1) unstable; urgency=medium
+
+ * New upstream release.
+ * install: Updated.
+ * control: Bump policy to 4.6.0.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 10 Feb 2022 20:00:45 +0200
+
+389-ds-base (2.0.11-2) unstable; urgency=medium
+
+ * Revert a commit that makes dscreate to fail.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 15 Dec 2021 23:23:15 +0200
+
+389-ds-base (2.0.11-1) unstable; urgency=medium
+
+ * New upstream release.
+ * missing-sources: Removed, all the minified javascript files were
+ removed upstream some time ago.
+ * install: Updated.
+ * control: Bump debhelper to 13.
+ * Override some lintian errors.
+ * watch: Update the url.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 15 Dec 2021 21:03:20 +0200
+
+389-ds-base (1.4.4.17-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2021-3652 (Closes: #991405)
+ * tests: Add isolation-container to restrictions.
+ * Add a dependency to libjemalloc2, and add a symlink to it so the
+ preload works. (Closes: #992696)
+ * CVE-2017-15135.patch: Dropped, fixed by upstream issue #4817.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 18 Oct 2021 18:36:30 +0300
+
+389-ds-base (1.4.4.16-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-s390x-failure.diff: Dropped, upstream.
+ * watch: Updated to use github.
+ * copyright: Fix 'globbing-patterns-out-of-order'.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 16 Aug 2021 09:54:52 +0300
+
+389-ds-base (1.4.4.11-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-s390x-failure.diff: Fix a crash on big-endian architectures like
+ s390x.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 28 Jan 2021 13:03:32 +0200
+
+389-ds-base (1.4.4.10-1) unstable; urgency=medium
+
+ * New upstream release.
+ * CVE-2017-15135.patch: Refreshed.
+ * source: Update diff-ignore.
+ * install: Drop libsds which got removed.
+ * control: Add libnss3-tools to cockpit-389-ds Depends. (Closes:
+ #965004)
+ * control: Drop python3-six from depends.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Jan 2021 22:16:28 +0200
+
+389-ds-base (1.4.4.9-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-prlog-include.diff: Dropped, upstream.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 18 Dec 2020 15:29:20 +0200
+
+389-ds-base (1.4.4.8-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-systemctl-path.diff, drop-old-man.diff: Dropped, obsolete.
+ * fix-prlog-include.diff: Fix build by dropping nspr4/ prefix.
+ * install, rules: Clean up perl cruft that got removed upstream.
+ * install: Add openldap_to_ds.
+ * watch: Follow 1.4.4.x.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Nov 2020 15:57:11 +0200
+
+389-ds-base (1.4.4.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * watch: Update upstream git repo url.
+ * control: Add python3-dateutil to build-depends.
+ * copyright: Drop duplicate globbing patterns.
+ * lintian: Drop obsolete overrides.
+ * postinst: Drop obsolete rule to upgrade the instances.
+ * prerm: Use dsctl instead of remove-ds.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 22 Sep 2020 09:23:30 +0300
+
+389-ds-base (1.4.4.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-db-home-dir.diff: Dropped, upstream.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 02 Jun 2020 11:33:44 +0300
+
+389-ds-base (1.4.3.6-2) unstable; urgency=medium
+
+ * fix-db-home-dir.diff: Set db_home_dir same as db_dir to fix an issue
+ starting a newly created instance.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 21 Apr 2020 20:19:06 +0300
+
+389-ds-base (1.4.3.6-1) unstable; urgency=medium
+
+ * New upstream release.
+ * install: Updated.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Apr 2020 15:01:35 +0300
+
+389-ds-base (1.4.3.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Add debian/gitlab-ci.yml.
+ - allow blhc to fail
+ * control: Bump policy to 4.5.0.
+ * control: Use https url for upstream.
+ * control: Use canonical URL in Vcs-Browser.
+ * copyright: Use spaces rather than tabs to start continuation lines.
+ * Add lintian-overrides for the source, cockpit index.js has long lines.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Mar 2020 08:47:32 +0200
+
+389-ds-base (1.4.3.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * prerm: Fix slapd install path. (Closes: #945583)
+ * install: Updated.
+ * control: Use debhelper-compat.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 12 Feb 2020 19:39:22 +0200
+
+389-ds-base (1.4.2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2019-14824 deref plugin displays restricted attributes
+ (Closes: #944150)
+ * fix-obsolete-target.diff: Dropped, obsolete
+ drop-old-man.diff: Refreshed
+ * control: Add python3-packaging to build-depends and python3-lib389 depends.
+ * dev,libs.install: Nunc-stans got dropped.
+ * source/local-options: Add some files to diff-ignore.
+ * rules: Refresh list of files to purge.
+ * rules: Update dh_auto_clean override.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 27 Nov 2019 00:00:59 +0200
+
+389-ds-base (1.4.1.6-4) unstable; urgency=medium
+
+ * tests: Redirect stderr to stdout.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 17 Sep 2019 01:37:39 +0300
+
+389-ds-base (1.4.1.6-3) unstable; urgency=medium
+
+ * control: Add openssl to python3-lib389 depends.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Sep 2019 07:32:27 +0300
+
+389-ds-base (1.4.1.6-2) unstable; urgency=medium
+
+ * Restore perl build partly, setup-ds is still needed for upgrades
+ until Ubuntu 20.04 is released (for versions << 1.4.0.9).
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Sep 2019 14:50:36 +0300
+
+389-ds-base (1.4.1.6-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Drop direct depends on python from 389-ds-base. (Closes:
+ #936102)
+ * Drop -legacy-tools and other obsolete scripts.
+ * use-bash-instead-of-sh.diff, rename-online-scripts.diff, perl-use-
+ move-instead-of-rename.diff: Dropped, obsolete.
+ * rules: Fix dsconf/dscreate/dsctl/dsidm manpage section.
+ * tests/setup: Migrate to dscreate.
+ * control: Add libnss3-tools to python3-lib389 depends. (Closes: #920025)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 11 Sep 2019 17:01:03 +0300
+
+389-ds-base (1.4.1.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * watch: Use https.
+ * control: Bump policy to 4.4.0.
+ * Bump debhelper to 12.
+ * patches: fix-dsctl-remove.diff, fix-nss-path.diff, icu_pkg-config.patch
+ removed, upstream. Others refreshed.
+ * rules: Pass --enable-perl, we still need the perl tools.
+ * *.install: Updated.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Jul 2019 10:05:31 +0300
+
+389-ds-base (1.4.0.22-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ * control: Drop 389-ds-base from -legacy-tools Depends. (Closes:
+ #924265)
+ * fix-dsctl-remove.diff: Don't hardcode sysconfig. (Closes: #925221)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Sat, 06 Apr 2019 00:32:06 +0300
+
+389-ds-base (1.4.0.21-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Run offline upgrade only when upgrading from versions below 1.4.0.9,
+ ns-slapd itself handles upgrades in newer versions.
+ * rules: Actually install the minified javascript files. (Closes:
+ #913820)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 12 Feb 2019 16:28:15 +0200
+
+389-ds-base (1.4.0.20-3) unstable; urgency=medium
+
+ * control: 389-ds-base should depend on the legacy tools for now.
+ (Closes: #919420)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 16 Jan 2019 11:30:51 +0200
+
+389-ds-base (1.4.0.20-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 14 Jan 2019 20:03:58 +0200
+
+389-ds-base (1.4.0.20-1) experimental; urgency=medium
+
+ * New upstream release. (Closes: #913821)
+ * fix-nss-path.diff: Fix includes.
+ * Build ds* manpages, add missing build-depends.
+ * Move deprecated tools in a new subpackage.
+ * control: Add python3-lib389 to 389-ds-base depends.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Sun, 13 Jan 2019 21:13:22 +0200
+
+389-ds-base (1.4.0.19-3) unstable; urgency=medium
+
+ [ Jelmer Vernooij ]
+ * Use secure copyright file specification URI.
+ * Trim trailing whitespace.
+ * Use secure URI in Vcs control header.
+
+ [ Hugh McMaster ]
+ * control: Mark 389-ds-base-libs{,-dev} M-A: same, cockpit-389-ds M-A:
+ foreign and arch:all. (Closes: #916118)
+ * Use pkg-config to detect icu. (Closes: #916115)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 02 Jan 2019 12:43:23 +0200
+
+389-ds-base (1.4.0.19-2) unstable; urgency=medium
+
+ * rules: Add -latomic to LDFLAGS on archs failing to build. (Closes:
+ #910982)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 06 Dec 2018 01:06:37 +0200
+
+389-ds-base (1.4.0.19-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Make C/R backports-compatible. (Closes: #910796)
+ * use-packaged-js.diff: Dropped, packaged versions don't work.
+ (Closes: #913820)
+ * Follow upstream, and drop python3-dirsrvtests.
+ * cockpit-389-ds.install: Updated.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 03 Dec 2018 15:56:40 +0200
+
+389-ds-base (1.4.0.18-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2018-14624 (Closes: #907778)
+ - CVE-2018-14638 (Closes: #908859)
+ * control: Build on any arch again.
+ * perl-use-move-instead-of-rename.diff: Use copy instead of move,
+ except when restoring files in case of an error.
+ * Move the new utils (dsconf, dscreate, dsctl, dsidm) to python3-
+ lib389.
+ * control: Add python3-argcomplete to python3-lib389 depends. (Closes:
+ #910761)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 11 Oct 2018 00:56:02 +0300
+
+389-ds-base (1.4.0.16-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: 389-ds-base-dev provides libsvrcore-dev. (Closes: #907140)
+ * perl-use-move-instead-of-rename.diff: Fix upgrade on systems where
+ /var is on a separate partition: (Closes: #905184)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 27 Sep 2018 22:39:34 +0300
+
+389-ds-base (1.4.0.15-2) unstable; urgency=medium
+
+ * control: Build cockpit-389-ds only on 64bit and i386.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 23 Aug 2018 08:54:06 +0300
+
+389-ds-base (1.4.0.15-1) unstable; urgency=medium
+
+ * New upstream release
+ - CVE-2018-10935 (Closes: #906985)
+ * control: Add libcrack2-dev to build-depends.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 23 Aug 2018 00:46:45 +0300
+
+389-ds-base (1.4.0.13-1) experimental; urgency=medium
+
+ * New upstream release.
+ - CVE-2018-10850 (Closes: #903501)
+ * control: Update maintainer address.
+ * control: Upstream dropped support for non-64bit architectures, so
+ build only on supported 64bit archs (amd64, arm64, mips64el,
+ ppc64el, s390x).
+ * control: svrcore got merged here, drop it from build-depends.
+ * ftbs_lsoftotkn3.diff: Dropped, obsolete.
+ * control: Add rsync to build-depends.
+ * libs, dev, control: Add libsvrcore files, replace old package.
+ * base: Add new scripts, add python3-selinux, -semanage, -sepolicy to
+ depends.
+ * Add a package for cockpit-389-ds.
+ * rules: Clean up cruft left after build.
+ * control: Drop dh_systemd from build-depends, bump debhelper to 11.
+ * Add varions libjs packages to cockpit-389-ds Depends, add the rest
+ to d/missing-sources.
+ * copyright: Updated. (Closes: #904760)
+ * control: Modify 389-ds to depend on cockpit-389-ds and drop the old
+ GUI packages which are deprecated upstream.
+ * dont-build-new-manpages.diff: Debian doesn't have argparse-manpage,
+ so in order to not FTBFS don't build new manpages.
+ * base.install: Add man5/*.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 31 Jul 2018 23:46:17 +0300
+
+389-ds-base (1.3.8.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * fix-saslpath.diff: Updated to support ppc64el and s390x. (LP:
+ #1764744)
+ * CVE-2017-15135.patch: Refreshed
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 01 Jun 2018 11:21:19 +0300
+
+389-ds-base (1.3.7.10-1) unstable; urgency=medium
+
+ * New upstream release.
+ - fix CVE-2018-1054 (Closes: #892124)
+ * control: Update maintainer address, freeipa-team handles this from
+ now on. Drop kklimonda from uploaders.
+ * control: Update VCS urls.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 13 Mar 2018 11:32:29 +0200
+
+389-ds-base (1.3.7.9-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2017-15134 (Closes: #888452)
+ * patches: Fix CVE-2017-15135. (Closes: #888451)
+ * tests: Add some debug output.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 05 Feb 2018 16:25:09 +0200
+
+389-ds-base (1.3.7.8-4) unstable; urgency=medium
+
+ * tests: Drop python3-lib389 from depends, it's not used currently
+ anyway.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Dec 2017 15:42:04 +0200
+
+389-ds-base (1.3.7.8-3) unstable; urgency=medium
+
+ * tests/control: Depend on python3-lib389.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Dec 2017 23:54:43 +0200
+
+389-ds-base (1.3.7.8-2) unstable; urgency=medium
+
+ * Fix autopkgtest to be robust in the face of changed iproute2 output.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Dec 2017 15:57:26 +0200
+
+389-ds-base (1.3.7.8-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Package python3-lib389 and python3-dirsrvtests.
+ * control: Add python3 depends to 389-ds-base, since it ships a few
+ python scripts.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 12 Dec 2017 17:32:27 +0200
+
+389-ds-base (1.3.7.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * patches: ftbfs-fix.diff, reproducible-build.diff dropped (upstream)
+ others refreshed.
+ * *.install: Updated.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 04 Oct 2017 10:33:45 +0300
+
+389-ds-base (1.3.6.7-5) unstable; urgency=medium
+
+ * Move all libs from base to -libs, add B/R. (Closes: #874764)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 21 Sep 2017 16:44:13 +0300
+
+389-ds-base (1.3.6.7-4) unstable; urgency=medium
+
+ * control, install: Fix library/dev-link installs, add Breaks/Replaces
+ to fit, and drop obsolete B/R.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 30 Aug 2017 00:19:41 +0300
+
+389-ds-base (1.3.6.7-3) unstable; urgency=medium
+
+ * ftbfs-fix.diff: Fix build. (Closes: #873120)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 28 Aug 2017 15:09:02 +0300
+
+389-ds-base (1.3.6.7-2) unstable; urgency=medium
+
+ * control: Bump policy to 4.1.0, no changes.
+ * rules: Override dh_missing.
+ * control: Add libltdl-dev to build-depends. (Closes: #872979)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 24 Aug 2017 12:15:03 +0300
+
+389-ds-base (1.3.6.7-1) unstable; urgency=medium
+
+ * New upstream release
+ - fix CVE-2017-7551 (Closes: #870752)
+ * fix-tests.diff: Dropped, fixed upstream.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 22 Aug 2017 16:30:11 +0300
+
+389-ds-base (1.3.6.5-1) experimental; urgency=medium
+
+ * New upstream release.
+ - fix-bsd.patch, support-kfreebsd.patch, fix-48986-cve-2017-2591.diff:
+ Dropped, upstream.
+ * *.install: Updated.
+ * control: Add doxygen, libcmocka-dev, libevent-dev to build-deps.
+ * rules: Enable cmocka tests.
+ * fix-tests.diff: Fix building the tests.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 May 2017 09:38:30 +0300
+
+389-ds-base (1.3.5.17-2) unstable; urgency=medium
+
+ * fix-upstream-49245.diff: Pull commits from upstream 1.3.5.x, which
+ remove rest of the asm code. (Closes: #862194)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 May 2017 09:25:03 +0300
+
+389-ds-base (1.3.5.17-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ - CVE-2017-2668 (Closes: #860125)
+ * watch: Updated.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 09 May 2017 11:06:14 +0300
+
+389-ds-base (1.3.5.15-2) unstable; urgency=medium
+
+ * fix-48986-cve-2017-2591.diff: Fix upstream ticket 48986,
+ CVE-2017-2591. (Closes: #851769)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 27 Jan 2017 00:01:53 +0200
+
+389-ds-base (1.3.5.15-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2016-5405 (Closes: #842121)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 16 Nov 2016 11:01:00 +0200
+
+389-ds-base (1.3.5.14-1) unstable; urgency=medium
+
+ * New upstream release.
+ * postrm: Remove /etc/dirsrv, /var/lib/dirsrv and /var/log/dirsrv on
+ purge.
+ * control: Bump build-dep on libsvrcore-dev to ensure it has support
+ for systemd password agent.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 28 Oct 2016 01:42:27 +0300
+
+389-ds-base (1.3.5.13-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Bump policy to 3.9.8, no changes.
+ * patches/default_user: Dropped, upstream.
+ * support-non-nss-libldap.diff: Dropped, upstream.
+ * fix-obsolete-target.diff: Updated.
+ * patches: Refreshed.
+ * control: Add libsystemd-dev to build-deps.
+ * control: Add acl to -base depends.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 12 Oct 2016 11:11:20 +0300
+
+389-ds-base (1.3.4.14-2) unstable; urgency=medium
+
+ * tests: Add simple autopkgtests.
+ * postinst: Start instances after offline update.
+ * control, rules: Drop -dbg packages.
+ * control: Drop conflicts on slapd. (Closes: #822532)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 03 Oct 2016 17:53:26 +0300
+
+389-ds-base (1.3.4.14-1) unstable; urgency=medium
+
+ * New upstream release.
+ * support-non-nss-libldap.diff: Refreshed.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 29 Aug 2016 10:17:41 +0300
+
+389-ds-base (1.3.4.9-1) unstable; urgency=medium
+
+ * New upstream release.
+ * support-non-nss-libldap.diff: Support libldap built against gnutls.
+ (LP: #1564179)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 18 Apr 2016 18:08:14 +0300
+
+389-ds-base (1.3.4.8-4) unstable; urgency=medium
+
+ * use-perl-move.diff: Dropped, 'rename' is more reliable.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 30 Mar 2016 08:38:24 +0300
+
+389-ds-base (1.3.4.8-3) unstable; urgency=medium
+
+ * use-perl-move.diff: Fix 60upgradeschemafiles.pl to use File::Copy.
+ (Closes: #818578)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 18 Mar 2016 11:15:23 +0200
+
+389-ds-base (1.3.4.8-2) unstable; urgency=medium
+
+ * postinst: Silence ls and adduser.
+ * Drop the init file, we depend on systemd anyway.
+ * rules: Don't enable dirsrv-snmp.service by default.
+ * postrm: Clean up /var/lib/dirsrv/scripts-* on purge.
+ * user-perl-move.diff: Use move instead of rename during upgrade.
+ (Closes: #775550)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 17 Mar 2016 08:13:38 +0200
+
+389-ds-base (1.3.4.8-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 22 Feb 2016 07:58:40 +0200
+
+389-ds-base (1.3.4.5-2) unstable; urgency=medium
+
+ * fix-systemctl-path.diff: Use correct path to /bin/systemctl.
+ (Closes: #779653)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 09 Dec 2015 08:31:20 +0200
+
+389-ds-base (1.3.4.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * patches: Refreshed.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 09 Dec 2015 08:14:56 +0200
+
+389-ds-base (1.3.3.13-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Add systemd to 389-ds-base Depends. (Closes: #794301)
+ * postrm: Clean target.wants in postrm.
+ * reproducible-build.diff: Make builds reproducible. Thanks, Chris
+ Lamb! (Closes: #799010)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 20 Oct 2015 14:25:05 +0300
+
+389-ds-base (1.3.3.12-1) unstable; urgency=medium
+
+ * New upstream release
+ - fix CVE-2015-3230 (Closes: #789202)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Wed, 24 Jun 2015 11:47:50 +0300
+
+389-ds-base (1.3.3.10-1) unstable; urgency=medium
+
+ * New upstream release
+ - fix CVE-2015-1854 (Closes: #783923)
+ * postinst: Stop actual instances instead of 'dirsrv' on upgrade, and
+ use service(8) instead of invoke-rc.d.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 07 May 2015 07:58:35 +0300
+
+389-ds-base (1.3.3.9-1) experimental; urgency=medium
+
+ * New upstream bugfix release.
+ - Drop cve-2014-8*.diff, upstream.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Thu, 02 Apr 2015 14:47:20 +0300
+
+389-ds-base (1.3.3.5-4) unstable; urgency=medium
+
+ * Security fixes (Closes: #779909)
+ - cve-2014-8105.diff: Fix for CVE-2014-8105
+ - cve-2014-8112.diff: Fix for CVE-2014-8112
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 09 Mar 2015 10:53:03 +0200
+
+389-ds-base (1.3.3.5-3) unstable; urgency=medium
+
+ * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
+ scripts to use bash instead of trying to fix bashisms. (Closes:
+ #772195)
+
+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 16 Jan 2015 15:40:23 +0200
+
+389-ds-base (1.3.3.5-2) unstable; urgency=medium
+
+ * fix-saslpath.diff: Fix SASL library path.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Sat, 25 Oct 2014 01:48:34 +0300
+
+389-ds-base (1.3.3.5-1) unstable; urgency=medium
+
+ * New upstream bugfix release.
+ * control: Bump policy, no changes.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Oct 2014 09:57:14 +0300
+
+389-ds-base (1.3.3.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Dropped upstreamed patches, refresh others.
+ * control, rules, 389-ds-base.install: Add support for systemd.
+ * fix-obsolete-target.diff: Drop syslog.target from the service files.
+ * 389-ds-base.links: Mask the initscript so that it's not used with systemd.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 06 Oct 2014 17:13:01 +0300
+
+389-ds-base (1.3.2.23-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add fix-bsd.patch and support-kfreebsd.patch to fix the build failure
+ on kFreeBSD.
+
+ -- Benjamin Drung <benjamin.drung@profitbricks.com> Wed, 03 Sep 2014 15:32:22 +0200
+
+389-ds-base (1.3.2.23-1) unstable; urgency=medium
+
+ * New bugfix release.
+ * watch: Update the url.
+ * control: Update Vcs-Browser url to use cgit.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 01 Sep 2014 13:32:59 +0300
+
+389-ds-base (1.3.2.21-1) unstable; urgency=medium
+
+ * New upstream release.
+ - CVE-2014-3562 (Closes: #757437)
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 08 Aug 2014 10:48:55 +0300
+
+389-ds-base (1.3.2.19-1) unstable; urgency=medium
+
+ * New upstream release.
+ * admin_scripts.diff: Updated to fix more bashisms.
+ * watch: Update the url.
+ * Install failedbinds.py and logregex.py scripts.
+ * init: Use status from init-functions.
+ * control: Update my email.
+
+ -- Timo Aaltonen <tjaalton@debian.org> Tue, 08 Jul 2014 15:50:11 +0300
+
+389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
+ * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
+ (Closes: #745821)
+
+ -- Tobias Frost <tobi@coldtobi.de> Fri, 25 Apr 2014 15:11:16 +0200
+
+389-ds-base (1.3.2.9-1) unstable; urgency=low
+
+ * New upstream release.
+ - fixes CVE-2013-0336 (Closes: #704077)
+ - fixes CVE-2013-1897 (Closes: #704421)
+ - fixes CVE-2013-2219 (Closes: #718325)
+ - fixes CVE-2013-4283 (Closes: #721222)
+ - fixes CVE-2013-4485 (Closes: #730115)
+ * Drop fix-CVE-2013-0312.diff, upstream.
+ * rules: Add new scripts to rename.
+ * fix-sasl-path.diff: Use a triplet path to find libsasl2. (LP:
+ #1088822)
+ * admin_scripts.diff: Add patch from upstream #47511 to fix bashisms.
+ * control: Add ldap-utils to -base depends.
+ * rules, rename-online-scripts.diff: Some scripts with .pl suffix are
+ meant for an online server, so instead of overwriting the offline
+ scripts use -online suffix.
+ * rules: Enable parallel build, but limit the jobs to 1 for
+ dh_auto_install.
+ * control: Bump policy to 3.9.5, no changes.
+ * rules: Add get-orig-source target.
+ * lintian-overrides: Drop obsolete entries, add comments for the rest.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 03 Feb 2014 11:08:50 +0200
+
+389-ds-base (1.3.0.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * control: Bump the policy to 3.9.4, no changes.
+ * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 11 Mar 2013 14:23:20 +0200
+
+389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+ * watch: Add a comment about the upstream git tree.
+ * fix-cve-2012-4450.diff: Remove, upstream.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Sat, 01 Dec 2012 14:22:13 +0200
+
+389-ds-base (1.2.11.15-1) unstable; urgency=low
+
+ * New upstream release.
+ * Add fix-cve-2012-4450.diff. (Closes: #688942)
+ * dirsrv.init: Fix stop() to remove the pidfile only when the process
+ is finished. (Closes: #689389)
+ * copyright: Update the source url.
+ * control: Drop quilt from build-depends, since using 3.0 (quilt)
+ * lintian-overrides: Add an override for hardening-no-fortify-
+ functions, since it's a false positive in this case.
+ * control: Drop dpkg-dev from build-depends, no need to specify it
+ directly.
+ * copyright: Add myself as a copyright holder for debian/*.
+ * 389-ds-base.prerm: Add 'set -e'.
+ * rules: drop DEB_HOST_MULTIARCH, dh9 handles it.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 03 Oct 2012 19:33:52 +0300
+
+389-ds-base (1.2.11.7-5) unstable; urgency=low
+
+ * control: Drop debconf-utils and po-debconf from build-depends.
+ * control: Add libnetaddr-ip-perl and libsocket-getaddrinfo-perl to
+ 389-ds-base Depends for ipv6 support. (Closes: #682847)
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Mon, 30 Jul 2012 13:12:23 +0200
+
+389-ds-base (1.2.11.7-4) unstable; urgency=low
+
+ * debian/po: Remove, leftover from the template purge. (Closes: #681543)
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Thu, 19 Jul 2012 23:12:01 +0300
+
+389-ds-base (1.2.11.7-3) unstable; urgency=low
+
+ * 389-ds-base.config: Removed, the debconf template is no more.
+ (Closes: #680351)
+ * control: Remove duplicate 'the' from the 389-ds description.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 11 Jul 2012 11:59:36 +0300
+
+389-ds-base (1.2.11.7-2) unstable; urgency=low
+
+ * control: Stop hardcoding libs to binary depends. (Closes: #679790)
+ * control: Add libnspr4-dev and libldap2-dev to 389-ds-base-dev
+ Depends. (Closes: #679742)
+ * l10n review (Closes: #679870) :
+ - Drop the debconf template, and rewrap README.Debian.
+ - control: Update the descriptions
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 03 Jul 2012 17:58:20 +0300
+
+389-ds-base (1.2.11.7-1) unstable; urgency=low
+
+ [ Timo Aaltonen ]
+ * New upstream release.
+ * watch: Fix the url.
+ * patches/remove_license_prompt: Dropped, included upstream.
+ * patches/default_user: Refreshed.
+ * control: Change the VCS header to point to the git repository.
+ * control: Rename last remnants of Fedora to 389.
+ * changelog, control: Be consistent with the naming; renamed the source
+ to just '389-ds-base', which matches upstream tarball naming.
+ * control: Wrap Depends.
+ * compat, control: Bump compat to 9, and debhelper build-dep to (>= 9).
+ * rules: Switch to dh.
+ * Move dirsrv.lintian to dirsrv.lintian-overrides, adjust dirsrv.install.
+ * *.dirs: Clean up.
+ * control: Build-depend on dh-autoreconf, drop duplicate bdeps.
+ * Fold dirsrv-tools into the main package.
+ * Build against libldap2-dev (>= 2.4.28).
+ * Rename binary package to 389-ds-base.
+ * -dev.install: Install the pkgconfig file.
+ * rules: Enable PIE hardening.
+ * Add a default file, currently sets LD_BIND_NOW=1.
+ * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
+ dependency to 389-ds-base.
+ * rules: Add --fail-missing for dh_install, remove files not needed
+ and make sure to install the rest.
+ * rules, control: Fix the installation name of ds-logpipe.py, add
+ python dependency to 389-ds-base..
+ * libns-dshttpd is internal to the server, ship it in 389-ds-base.
+ * Rename libdirsrv{-dev,0} -> 389-ds-base-{dev,libs}, includes only
+ libslapd and headers for external plugin development.
+ * control: Breaks/Replaces old libdirsrv-dev/libdirsrv0/dirsrv.
+ * Drop hyphen_used_as_minus, applied upstream.
+ * copyright: Use DEP5 format.
+ * Cherry-pick upstream commit ee320163c6 to get rid of unnecessary
+ and non-free MIB's from the tree, and build a dfsg compliant tarball.
+ * lintian-overrides: Update, create one for -libs.
+ * Fix the initscript to create the lockdir, and refactor code into separate
+ functions.
+ * Drop obsolete entries from copyright, and make it lintian clean.
+ * debian/po: Refer to the correct file after rename.
+ * control: Bump Standards-Version to 3.9.3, no changes.
+ * postinst: Drop unused 'lastversion'.
+ * patches: Add DEP3 compliant headers.
+ * rules, postinst: Add an error handler function for dh_installinit, so
+ that clean installs don't fail due to missing configuration.
+ * postinst: Run the update tool.
+ * dirsrv.init:
+ - Make the start and stop functions much simpler and LSB compliant
+ - Fix starting multiple instances
+ - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach properly
+ * control: Add 389-ds metapackage.
+ * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
+ supports db5.x.
+ * 389-ds-base.prerm: Add prerm script for removing installed instances on
+ purge.
+
+ [ Krzysztof Klimonda ]
+ * dirsrv.init:
+ - return 0 code if there are no instances configured and tweak message
+ so it doesn't indicate a failure.
+
+ -- Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Tue, 27 Mar 2012 14:26:16 +0200
+
+389-directory-server (1.2.6.1-5) unstable; urgency=low
+
+ * Removed db_stop from dirsrv.postinst
+ * Fix short description in libdirsrv0-dbg
+
+ -- Michele Baldessari <michele@acksyn.org> Wed, 20 Oct 2010 20:24:20 +0200
+
+389-directory-server (1.2.6.1-4) unstable; urgency=low
+
+ * Make libicu dep dependent on dpkg-vendor
+
+ -- Michele Baldessari <michele@acksyn.org> Mon, 18 Oct 2010 21:21:52 +0200
+
+389-directory-server (1.2.6.1-3) unstable; urgency=low
+
+ * Remove dirsrv user and group in postrm
+ * Clean up postrm and postinst
+
+ -- Michele Baldessari <michele@acksyn.org> Sun, 17 Oct 2010 21:54:08 +0200
+
+389-directory-server (1.2.6.1-2) unstable; urgency=low
+
+ * Fix QUILT_STAMPFN
+
+ -- Michele Baldessari <michele@acksyn.org> Sun, 17 Oct 2010 15:03:34 +0200
+
+389-directory-server (1.2.6.1-1) unstable; urgency=low
+
+ * New upstream
+
+ -- Michele Baldessari <michele@acksyn.org> Sat, 16 Oct 2010 23:08:09 +0200
+
+389-directory-server (1.2.6-2) unstable; urgency=low
+
+ * Update my email address
+
+ -- Michele Baldessari <michele@acksyn.org> Sat, 16 Oct 2010 22:34:19 +0200
+
+389-directory-server (1.2.6-1) unstable; urgency=low
+
+ * New upstream
+ * s/Fedora/389/g to clean up the branding
+ * Remove automatic configuration (breaks too often with every update)
+ * Remove dirsrv.config translation, no questions are asked anymore
+ * Fix old changelog versions with proper ~ on rc versions
+ * Update policy to 3.9.1
+ * Improve README.Debian
+ * Depend on libicu44
+ * Remove /var/run/dirsrv from the postinst scripts (managed by init script)
+
+ -- Michele Baldessari <michele@pupazzo.org> Sat, 04 Sep 2010 11:58:21 +0200
+
+389-directory-server (1.2.6~rc7-1) unstable; urgency=low
+
+ * New upstream
+
+ -- Michele Baldessari <michele@pupazzo.org> Fri, 03 Sep 2010 20:06:08 +0200
+
+389-directory-server (1.2.6~a3-1) unstable; urgency=low
+
+ * New upstream
+ * Rename man page remove-ds.pl in remove-ds
+ * Removed Debian.source
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 22:12:13 +0200
+
+389-directory-server (1.2.6~a2-1) unstable; urgency=low
+
+ * New upstream
+ * Removed speling_fixes patch, applied upstream
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 13:36:25 +0200
+
+389-directory-server (1.2.5-1) unstable; urgency=low
+
+ * New upstream
+ * Add libpcre3-dev Build-dep
+ * ldap-agent moved ti /usr/sbin
+ * Fix spelling errors in code and manpages
+ * Fix some lintian warnings
+ * Bump policy to 3.8.3
+ * Ignore lintian warning pkg-has-shlibs-control-file-but-no-actual-shared-libs
+ as the shlibs file is for dirsrv plugins
+ * Upgraded deps to libicu42 and libdb4.8
+ * Do create /var/lib/dirsrv as dirsrv user's home
+ * Added libsasl2-modules-gssapi-mit as a dependency for dirsrv (needed by
+ mandatory LDAP SASL mechs)
+ * Install all files of etc/dirsrv/config
+ * Add some missing start scripts in usr/sbin
+ * Fixed a bug in the dirsrv.init script
+ * Switch to dpkg-source 3.0 (quilt) format
+ * Bump policy to 3.8.4
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 23 May 2010 12:31:24 +0200
+
+389-directory-server (1.2.1-0) unstable; urgency=low
+
+ * Rename of source package (note, since this is still staging work no
+ replace or upgrade is in place)
+ * Update watch file
+ * New Upstream
+
+ -- Michele Baldessari <michele@pupazzo.org> Fri, 12 Jun 2009 22:08:42 +0200
+
+fedora-directory-server (1.2.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Add missing libkrb5-dev dependency
+ * Fix section of -dbg packages
+ * Fix all "dpatch-missing-description" lintian warnings
+
+ -- Michele Baldessari <michele@pupazzo.org> Wed, 22 Apr 2009 23:36:22 +0200
+
+fedora-directory-server (1.1.3-1) unstable; urgency=low
+
+ * New upstream
+ * Added watch file
+ * Make setup-ds use dirsrv:dirsrv user/group as defaults
+ * Added VCS-* fields
+ * --enable-autobind
+ * Add ldap/servers/plugins/replication/winsync-plugin.h to libdirsrv-dev
+
+ -- Michele Baldessari <michele@pupazzo.org> Mon, 24 Nov 2008 22:42:26 +0100
+
+fedora-directory-server (1.1.2-2) unstable; urgency=low
+
+ * Fixed build+configure twice issue
+ * Added Conflicts: slapd (thanks Alessandro)
+
+ -- Michele Baldessari <michele@pupazzo.org> Tue, 23 Sep 2008 21:12:44 +0200
+
+fedora-directory-server (1.1.2-1) unstable; urgency=low
+
+ * New upstream
+ * Removed /usr/sbin PATH from postinst script
+
+ -- Michele Baldessari <michele@pupazzo.org> Sat, 20 Sep 2008 20:10:52 +0000
+
+fedora-directory-server (1.1.1-0) unstable; urgency=low
+
+ * New upstream
+ * Don't apply patch for 439829, fixed upstream
+ * Bump to policy 3.8.0
+ * Added README.source
+
+ -- Michele Baldessari <michele@pupazzo.org> Fri, 22 Aug 2008 00:09:40 +0200
+
+fedora-directory-server (1.1.0-4) unstable; urgency=low
+
+ * dirsrv should depend on libmozilla-ldap-perl (thanks Mathias Kaufmann
+ <steiger@mmforces.de>)
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 20 Jul 2008 18:41:58 +0200
+
+fedora-directory-server (1.1.0-3) unstable; urgency=low
+
+ * Fix up some descriptions
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 25 May 2008 21:36:32 +0200
+
+fedora-directory-server (1.1.0-2) unstable; urgency=low
+
+ * Silenced init warning messages when chowning pid directory
+
+ -- Michele Baldessari <michele@pupazzo.org> Wed, 21 May 2008 23:08:32 +0200
+
+fedora-directory-server (1.1.0-1) unstable; urgency=low
+
+ * Removed template lintian warning
+ * Cleaned up manpages
+
+ -- Michele Baldessari <michele@pupazzo.org> Sun, 18 May 2008 13:39:58 +0200
+
+fedora-directory-server (1.1.0-0) unstable; urgency=low
+
+ * Initial release (Closes: #497098).
+ * Fixed postinst after renaming setup-ds.pl to setup-ds
+ * Applied patch from https://bugzilla.redhat.com/show_bug.cgi?id=439829 to
+ fix segfault against late NSS versions
+ * Switched to parseable copyright format
+ * Source package is lintian clean now
+ * Added initial manpage patch
+ * Switched to dh_install
+
+ -- Michele Baldessari <michele@pupazzo.org> Thu, 27 Mar 2008 23:56:17 +0200
--- /dev/null
+usr/share/cockpit/389-console/
+usr/share/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
--- /dev/null
+Source: 389-ds-base
+Section: net
+Priority: optional
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
+Uploaders:
+ Timo Aaltonen <tjaalton@debian.org>,
+Build-Depends:
+ libcmocka-dev,
+ debhelper-compat (= 13),
+ dh-python,
+ doxygen,
+ libbz2-dev,
+ libcrack2-dev,
+ libdb-dev,
+ libevent-dev,
+ libicu-dev,
+ libkrb5-dev,
+ libldap2-dev (>= 2.4.28),
+ libltdl-dev,
+ libnspr4-dev,
+ libnss3-dev,
+ libpam0g-dev,
+ libpci-dev,
+ libpcre3-dev,
+ libperl-dev,
+ libsasl2-dev,
+ libsnmp-dev,
+ libssl-dev,
+ libsystemd-dev,
+ pkg-config,
+ python3-all-dev,
+ python3-argcomplete,
+ python3-argparse-manpage,
+ python3-dateutil,
+ python3-ldap,
+ python3-packaging,
+ python3-selinux,
+ python3-sepolicy,
+ python3-setuptools,
+ rsync,
+ zlib1g-dev,
+Standards-Version: 4.6.0
+Vcs-Git: https://salsa.debian.org/freeipa-team/389-ds-base.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/389-ds-base
+Homepage: https://directory.fedoraproject.org
+
+Package: 389-ds
+Architecture: all
+Depends:
+ 389-ds-base,
+ cockpit-389-ds,
+ ${misc:Depends},
+Description: 389 Directory Server suite - metapackage
+ Based on the Lightweight Directory Access Protocol (LDAP), the 389
+ Directory Server is designed to manage large directories of users and
+ resources robustly and scalably.
+ .
+ This is a metapackage depending on the LDAPv3 server and a Cockpit UI plugin
+ for administration.
+
+Package: 389-ds-base-libs
+Section: libs
+Architecture: any
+Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends},
+ libjemalloc2,
+Breaks: 389-ds-base (<< 1.3.6.7-5),
+ 389-ds-base-dev (<< 1.3.6.7-4),
+ libsvrcore0,
+Replaces: 389-ds-base (<< 1.3.6.7-5),
+ 389-ds-base-dev (<< 1.3.6.7-4),
+ libsvrcore0,
+Description: 389 Directory Server suite - libraries
+ Based on the Lightweight Directory Access Protocol (LDAP), the 389
+ Directory Server is designed to manage large directories of users and
+ resources robustly and scalably.
+ .
+ This package contains core libraries for the 389 Directory Server.
+
+Package: 389-ds-base-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends:
+ 389-ds-base-libs (= ${binary:Version}),
+ libldap2-dev,
+ libnspr4-dev,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks: 389-ds-base (<< 1.3.6.7-4),
+ libsvrcore-dev,
+Replaces: 389-ds-base (<< 1.3.6.7-4),
+ libsvrcore-dev,
+Provides:
+ libsvrcore-dev,
+Description: 389 Directory Server suite - development files
+ Based on the Lightweight Directory Access Protocol (LDAP), the 389
+ Directory Server is designed to manage large directories of users and
+ resources robustly and scalably.
+ .
+ This package contains development headers for the core libraries
+ of the 389 Directory Server, useful for developing plugins without
+ having to install the server itself.
+
+Package: 389-ds-base
+Architecture: any
+Pre-Depends: debconf (>= 0.5) | debconf-2.0
+Depends:
+ 389-ds-base-libs (= ${binary:Version}),
+ adduser,
+ acl,
+ ldap-utils,
+ libmozilla-ldap-perl,
+ libnetaddr-ip-perl,
+ libsocket-getaddrinfo-perl,
+ libsasl2-modules-gssapi-mit,
+ perl,
+ python3-lib389,
+ python3-selinux,
+ python3-semanage,
+ python3-sepolicy,
+ systemd,
+ ${misc:Depends},
+ ${shlibs:Depends},
+ ${python3:Depends},
+Replaces: 389-ds-base-legacy-tools
+Description: 389 Directory Server suite - server
+ Based on the Lightweight Directory Access Protocol (LDAP), the 389
+ Directory Server is designed to manage large directories of users and
+ resources robustly and scalably.
+ .
+ Its key features include:
+ * four-way multi-master replication;
+ * great scalability;
+ * extensive documentation;
+ * Active Directory user and group synchronization;
+ * secure authentication and transport;
+ * support for LDAPv3;
+ * graphical management console;
+ * on-line, zero downtime update of schema, configuration, and
+ in-tree Access Control Information.
+
+Package: python3-lib389
+Architecture: all
+Depends: ${misc:Depends}, ${python3:Depends},
+ libnss3-tools,
+ openssl,
+ python3-argcomplete,
+ python3-dateutil,
+ python3-ldap,
+ python3-packaging,
+ python3-pyasn1,
+ python3-pyasn1-modules,
+ python3-pytest,
+Conflicts: python-lib389 (<< 1.3.7.8),
+ 389-ds-base (<< 1.4.0.18-1~),
+Replaces: python-lib389 (<< 1.3.7.8),
+ 389-ds-base (<< 1.4.0.18-1~),
+Description: Python3 module for accessing and configuring the 389 Directory Server
+ This Python3 module contains tools and libraries for accessing, testing,
+ and configuring the 389 Directory Server.
+
+Package: cockpit-389-ds
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends},
+ cockpit,
+ libjs-bootstrap,
+ libjs-c3,
+ libjs-d3,
+ libjs-jquery-datatables,
+ libjs-jquery-datatables-extensions,
+ libjs-jquery-jstree,
+ libjs-moment,
+ libnss3-tools,
+ python3,
+ python3-lib389,
+Description: Cockpit user interface for 389 Directory Server
+ This package includes a Cockpit UI plugin for configuring and administering
+ the 389 Directory Server.
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-name: 389-ds-base
+Source: http://directory.fedoraproject.org/wiki/Source
+
+Files: *
+Copyright: 2001 Sun Microsystems, Inc.
+ 2005 Red Hat, Inc.
+License: GPL-3+ and Other
+
+Files: ldap/libraries/libavl/*.[ch] ldap/servers/slapd/abandon.c
+ ldap/servers/slapd/add.c ldap/servers/slapd/bind.c
+ ldap/servers/slapd/bulk_import.c ldap/servers/slapd/compare.c
+ ldap/servers/slapd/delete.c ldap/servers/slapd/detach.c
+ ldap/servers/slapd/globals.c ldap/servers/slapd/modify.c
+ ldap/servers/slapd/modrdn.c ldap/servers/slapd/monitor.c
+ ldap/servers/slapd/search.c ldap/servers/slapd/unbind.c
+Copyright: 1993 Regents of the University of Michigan
+ 2001 Sun Microsystems, Inc.
+ 2005 Red Hat, Inc.
+License: GPL-3+ and Other
+
+Files: ldap/servers/slapd/tools/ldaptool.h
+Copyright: 1998 Netscape Communication Corporation
+License: GPL-2+ or LGPL-2.1 or MPL-1.1
+
+Files: ldap/servers/slapd/tools/ldaptool-sasl.c
+ ldap/servers/slapd/tools/ldaptool-sasl.h
+Copyright: 2005 Sun Microsystems, Inc.
+License: GPL-2+ or LGPL-2.1 or MPL-1.1
+
+Files: m4/*
+Copyright: 2006-2017 Red Hat, Inc.
+ 2016 William Brown <william at blackhats dot net dot au>
+License: GPL-3+
+
+Files: src/svrcore/*
+Copyright: 2016 Red Hat, Inc.
+License: MPL-2.0
+
+Files: debian/*
+Copyright: 2008 Michele Baldessari <michele@acksyn.org>
+ 2012 Timo Aaltonen <tjaalton@ubuntu.com>
+License: GPL-2+ or LGPL-2.1 or MPL-1.1
+
+License: Other
+ In addition, as a special exception, Red Hat, Inc. gives You the additional
+ right to link the code of this Program with code not covered under the GNU
+ General Public License ("Non-GPL Code") and to distribute linked combinations
+ including the two, subject to the limitations in this paragraph. Non-GPL Code
+ permitted under this exception must only link to the code of this Program
+ through those well defined interfaces identified in the file named EXCEPTION
+ found in the source code files (the "Approved Interfaces"). The files of
+ Non-GPL Code may instantiate templates or use macros or inline functions from
+ the Approved Interfaces without causing the resulting work to be covered by
+ the GNU General Public License. Only Red Hat, Inc. may make changes or
+ additions to the list of Approved Interfaces. You must obey the GNU General
+ Public License in all respects for all of the Program code and other code used
+ in conjunction with the Program except the Non-GPL Code covered by this
+ exception. If you modify this file, you may extend this exception to your
+ version of the file, but you are not obligated to do so. If you do not wish to
+ provide this exception without modification, you must delete this exception
+ statement from your version and license this file solely under the GPL without
+ exception.
+
+License: BSD-3-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ * Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of the Dojo Foundation nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+License: GPL-2 or GPL-2+
+ On Debian machines the full text of the GNU General Public License
+ can be found in the file /usr/share/common-licenses/GPL-2.
+
+License: GPL-3+
+ On Debian machines the full text of the GNU General Public License v3
+ can be found in the file /usr/share/common-licenses/GPL-3.
+
+License: LGPL-2.1
+ On Debian machines the full text of the GNU General Public License
+ can be found in the file /usr/share/common-licenses/LGPL-2.1.
+
+License: MPL-1.1
+ MOZILLA PUBLIC LICENSE
+ Version 1.1
+ .
+ ---------------
+ .
+ 1. Definitions.
+ .
+ 1.0.1. "Commercial Use" means distribution or otherwise making the
+ Covered Code available to a third party.
+ .
+ 1.1. "Contributor" means each entity that creates or contributes to
+ the creation of Modifications.
+ .
+ 1.2. "Contributor Version" means the combination of the Original
+ Code, prior Modifications used by a Contributor, and the Modifications
+ made by that particular Contributor.
+ .
+ 1.3. "Covered Code" means the Original Code or Modifications or the
+ combination of the Original Code and Modifications, in each case
+ including portions thereof.
+ .
+ 1.4. "Electronic Distribution Mechanism" means a mechanism generally
+ accepted in the software development community for the electronic
+ transfer of data.
+ .
+ 1.5. "Executable" means Covered Code in any form other than Source
+ Code.
+ .
+ 1.6. "Initial Developer" means the individual or entity identified
+ as the Initial Developer in the Source Code notice required by Exhibit
+ A.
+ .
+ 1.7. "Larger Work" means a work which combines Covered Code or
+ portions thereof with code not governed by the terms of this License.
+ .
+ 1.8. "License" means this document.
+ .
+ 1.8.1. "Licensable" means having the right to grant, to the maximum
+ extent possible, whether at the time of the initial grant or
+ subsequently acquired, any and all of the rights conveyed herein.
+ .
+ 1.9. "Modifications" means any addition to or deletion from the
+ substance or structure of either the Original Code or any previous
+ Modifications. When Covered Code is released as a series of files, a
+ Modification is:
+ A. Any addition to or deletion from the contents of a file
+ containing Original Code or previous Modifications.
+ .
+ B. Any new file that contains any part of the Original Code or
+ previous Modifications.
+ .
+ 1.10. "Original Code" means Source Code of computer software code
+ which is described in the Source Code notice required by Exhibit A as
+ Original Code, and which, at the time of its release under this
+ License is not already Covered Code governed by this License.
+ .
+ 1.10.1. "Patent Claims" means any patent claim(s), now owned or
+ hereafter acquired, including without limitation, method, process,
+ and apparatus claims, in any patent Licensable by grantor.
+ .
+ 1.11. "Source Code" means the preferred form of the Covered Code for
+ making modifications to it, including all modules it contains, plus
+ any associated interface definition files, scripts used to control
+ compilation and installation of an Executable, or source code
+ differential comparisons against either the Original Code or another
+ well known, available Covered Code of the Contributor's choice. The
+ Source Code can be in a compressed or archival form, provided the
+ appropriate decompression or de-archiving software is widely available
+ for no charge.
+ .
+ 1.12. "You" (or "Your") means an individual or a legal entity
+ exercising rights under, and complying with all of the terms of, this
+ License or a future version of this License issued under Section 6.1.
+ For legal entities, "You" includes any entity which controls, is
+ controlled by, or is under common control with You. For purposes of
+ this definition, "control" means (a) the power, direct or indirect,
+ to cause the direction or management of such entity, whether by
+ contract or otherwise, or (b) ownership of more than fifty percent
+ (50%) of the outstanding shares or beneficial ownership of such
+ entity.
+ .
+ 2. Source Code License.
+ .
+ 2.1. The Initial Developer Grant.
+ The Initial Developer hereby grants You a world-wide, royalty-free,
+ non-exclusive license, subject to third party intellectual property
+ claims:
+ (a) under intellectual property rights (other than patent or
+ trademark) Licensable by Initial Developer to use, reproduce,
+ modify, display, perform, sublicense and distribute the Original
+ Code (or portions thereof) with or without Modifications, and/or
+ as part of a Larger Work; and
+ .
+ (b) under Patents Claims infringed by the making, using or
+ selling of Original Code, to make, have made, use, practice,
+ sell, and offer for sale, and/or otherwise dispose of the
+ Original Code (or portions thereof).
+ .
+ (c) the licenses granted in this Section 2.1(a) and (b) are
+ effective on the date Initial Developer first distributes
+ Original Code under the terms of this License.
+ .
+ (d) Notwithstanding Section 2.1(b) above, no patent license is
+ granted: 1) for code that You delete from the Original Code; 2)
+ separate from the Original Code; or 3) for infringements caused
+ by: i) the modification of the Original Code or ii) the
+ combination of the Original Code with other software or devices.
+ .
+ 2.2. Contributor Grant.
+ Subject to third party intellectual property claims, each Contributor
+ hereby grants You a world-wide, royalty-free, non-exclusive license
+ .
+ (a) under intellectual property rights (other than patent or
+ trademark) Licensable by Contributor, to use, reproduce, modify,
+ display, perform, sublicense and distribute the Modifications
+ created by such Contributor (or portions thereof) either on an
+ unmodified basis, with other Modifications, as Covered Code
+ and/or as part of a Larger Work; and
+ .
+ (b) under Patent Claims infringed by the making, using, or
+ selling of Modifications made by that Contributor either alone
+ and/or in combination with its Contributor Version (or portions
+ of such combination), to make, use, sell, offer for sale, have
+ made, and/or otherwise dispose of: 1) Modifications made by that
+ Contributor (or portions thereof); and 2) the combination of
+ Modifications made by that Contributor with its Contributor
+ Version (or portions of such combination).
+ .
+ (c) the licenses granted in Sections 2.2(a) and 2.2(b) are
+ effective on the date Contributor first makes Commercial Use of
+ the Covered Code.
+ .
+ (d) Notwithstanding Section 2.2(b) above, no patent license is
+ granted: 1) for any code that Contributor has deleted from the
+ Contributor Version; 2) separate from the Contributor Version;
+ 3) for infringements caused by: i) third party modifications of
+ Contributor Version or ii) the combination of Modifications made
+ by that Contributor with other software (except as part of the
+ Contributor Version) or other devices; or 4) under Patent Claims
+ infringed by Covered Code in the absence of Modifications made by
+ that Contributor.
+ .
+ 3. Distribution Obligations.
+ .
+ 3.1. Application of License.
+ The Modifications which You create or to which You contribute are
+ governed by the terms of this License, including without limitation
+ Section 2.2. The Source Code version of Covered Code may be
+ distributed only under the terms of this License or a future version
+ of this License released under Section 6.1, and You must include a
+ copy of this License with every copy of the Source Code You
+ distribute. You may not offer or impose any terms on any Source Code
+ version that alters or restricts the applicable version of this
+ License or the recipients' rights hereunder. However, You may include
+ an additional document offering the additional rights described in
+ Section 3.5.
+ .
+ 3.2. Availability of Source Code.
+ Any Modification which You create or to which You contribute must be
+ made available in Source Code form under the terms of this License
+ either on the same media as an Executable version or via an accepted
+ Electronic Distribution Mechanism to anyone to whom you made an
+ Executable version available; and if made available via Electronic
+ Distribution Mechanism, must remain available for at least twelve (12)
+ months after the date it initially became available, or at least six
+ (6) months after a subsequent version of that particular Modification
+ has been made available to such recipients. You are responsible for
+ ensuring that the Source Code version remains available even if the
+ Electronic Distribution Mechanism is maintained by a third party.
+ .
+ 3.3. Description of Modifications.
+ You must cause all Covered Code to which You contribute to contain a
+ file documenting the changes You made to create that Covered Code and
+ the date of any change. You must include a prominent statement that
+ the Modification is derived, directly or indirectly, from Original
+ Code provided by the Initial Developer and including the name of the
+ Initial Developer in (a) the Source Code, and (b) in any notice in an
+ Executable version or related documentation in which You describe the
+ origin or ownership of the Covered Code.
+ .
+ 3.4. Intellectual Property Matters
+ (a) Third Party Claims.
+ If Contributor has knowledge that a license under a third party's
+ intellectual property rights is required to exercise the rights
+ granted by such Contributor under Sections 2.1 or 2.2,
+ Contributor must include a text file with the Source Code
+ distribution titled "LEGAL" which describes the claim and the
+ party making the claim in sufficient detail that a recipient will
+ know whom to contact. If Contributor obtains such knowledge after
+ the Modification is made available as described in Section 3.2,
+ Contributor shall promptly modify the LEGAL file in all copies
+ Contributor makes available thereafter and shall take other steps
+ (such as notifying appropriate mailing lists or newsgroups)
+ reasonably calculated to inform those who received the Covered
+ Code that new knowledge has been obtained.
+ .
+ (b) Contributor APIs.
+ If Contributor's Modifications include an application programming
+ interface and Contributor has knowledge of patent licenses which
+ are reasonably necessary to implement that API, Contributor must
+ also include this information in the LEGAL file.
+ .
+ (c) Representations.
+ Contributor represents that, except as disclosed pursuant to
+ Section 3.4(a) above, Contributor believes that Contributor's
+ Modifications are Contributor's original creation(s) and/or
+ Contributor has sufficient rights to grant the rights conveyed by
+ this License.
+ .
+ 3.5. Required Notices.
+ You must duplicate the notice in Exhibit A in each file of the Source
+ Code. If it is not possible to put such notice in a particular Source
+ Code file due to its structure, then You must include such notice in a
+ location (such as a relevant directory) where a user would be likely
+ to look for such a notice. If You created one or more Modification(s)
+ You may add your name as a Contributor to the notice described in
+ Exhibit A. You must also duplicate this License in any documentation
+ for the Source Code where You describe recipients' rights or ownership
+ rights relating to Covered Code. You may choose to offer, and to
+ charge a fee for, warranty, support, indemnity or liability
+ obligations to one or more recipients of Covered Code. However, You
+ may do so only on Your own behalf, and not on behalf of the Initial
+ Developer or any Contributor. You must make it absolutely clear than
+ any such warranty, support, indemnity or liability obligation is
+ offered by You alone, and You hereby agree to indemnify the Initial
+ Developer and every Contributor for any liability incurred by the
+ Initial Developer or such Contributor as a result of warranty,
+ support, indemnity or liability terms You offer.
+ .
+ 3.6. Distribution of Executable Versions.
+ You may distribute Covered Code in Executable form only if the
+ requirements of Section 3.1-3.5 have been met for that Covered Code,
+ and if You include a notice stating that the Source Code version of
+ the Covered Code is available under the terms of this License,
+ including a description of how and where You have fulfilled the
+ obligations of Section 3.2. The notice must be conspicuously included
+ in any notice in an Executable version, related documentation or
+ collateral in which You describe recipients' rights relating to the
+ Covered Code. You may distribute the Executable version of Covered
+ Code or ownership rights under a license of Your choice, which may
+ contain terms different from this License, provided that You are in
+ compliance with the terms of this License and that the license for the
+ Executable version does not attempt to limit or alter the recipient's
+ rights in the Source Code version from the rights set forth in this
+ License. If You distribute the Executable version under a different
+ license You must make it absolutely clear that any terms which differ
+ from this License are offered by You alone, not by the Initial
+ Developer or any Contributor. You hereby agree to indemnify the
+ Initial Developer and every Contributor for any liability incurred by
+ the Initial Developer or such Contributor as a result of any such
+ terms You offer.
+ .
+ 3.7. Larger Works.
+ You may create a Larger Work by combining Covered Code with other code
+ not governed by the terms of this License and distribute the Larger
+ Work as a single product. In such a case, You must make sure the
+ requirements of this License are fulfilled for the Covered Code.
+ .
+ 4. Inability to Comply Due to Statute or Regulation.
+ .
+ If it is impossible for You to comply with any of the terms of this
+ License with respect to some or all of the Covered Code due to
+ statute, judicial order, or regulation then You must: (a) comply with
+ the terms of this License to the maximum extent possible; and (b)
+ describe the limitations and the code they affect. Such description
+ must be included in the LEGAL file described in Section 3.4 and must
+ be included with all distributions of the Source Code. Except to the
+ extent prohibited by statute or regulation, such description must be
+ sufficiently detailed for a recipient of ordinary skill to be able to
+ understand it.
+ .
+ 5. Application of this License.
+ .
+ This License applies to code to which the Initial Developer has
+ attached the notice in Exhibit A and to related Covered Code.
+ .
+ 6. Versions of the License.
+ .
+ 6.1. New Versions.
+ Netscape Communications Corporation ("Netscape") may publish revised
+ and/or new versions of the License from time to time. Each version
+ will be given a distinguishing version number.
+ .
+ 6.2. Effect of New Versions.
+ Once Covered Code has been published under a particular version of the
+ License, You may always continue to use it under the terms of that
+ version. You may also choose to use such Covered Code under the terms
+ of any subsequent version of the License published by Netscape. No one
+ other than Netscape has the right to modify the terms applicable to
+ Covered Code created under this License.
+ .
+ 6.3. Derivative Works.
+ If You create or use a modified version of this License (which you may
+ only do in order to apply it to code which is not already Covered Code
+ governed by this License), You must (a) rename Your license so that
+ the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape",
+ "MPL", "NPL" or any confusingly similar phrase do not appear in your
+ license (except to note that your license differs from this License)
+ and (b) otherwise make it clear that Your version of the license
+ contains terms which differ from the Mozilla Public License and
+ Netscape Public License. (Filling in the name of the Initial
+ Developer, Original Code or Contributor in the notice described in
+ Exhibit A shall not of themselves be deemed to be modifications of
+ this License.)
+ .
+ 7. DISCLAIMER OF WARRANTY.
+ .
+ COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
+ WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF
+ DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
+ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE
+ IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT,
+ YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE
+ COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
+ OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF
+ ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+ .
+ 8. TERMINATION.
+ .
+ 8.1. This License and the rights granted hereunder will terminate
+ automatically if You fail to comply with terms herein and fail to cure
+ such breach within 30 days of becoming aware of the breach. All
+ sublicenses to the Covered Code which are properly granted shall
+ survive any termination of this License. Provisions which, by their
+ nature, must remain in effect beyond the termination of this License
+ shall survive.
+ .
+ 8.2. If You initiate litigation by asserting a patent infringement
+ claim (excluding declatory judgment actions) against Initial Developer
+ or a Contributor (the Initial Developer or Contributor against whom
+ You file such action is referred to as "Participant") alleging that:
+ .
+ (a) such Participant's Contributor Version directly or indirectly
+ infringes any patent, then any and all rights granted by such
+ Participant to You under Sections 2.1 and/or 2.2 of this License
+ shall, upon 60 days notice from Participant terminate prospectively,
+ unless if within 60 days after receipt of notice You either: (i)
+ agree in writing to pay Participant a mutually agreeable reasonable
+ royalty for Your past and future use of Modifications made by such
+ Participant, or (ii) withdraw Your litigation claim with respect to
+ the Contributor Version against such Participant. If within 60 days
+ of notice, a reasonable royalty and payment arrangement are not
+ mutually agreed upon in writing by the parties or the litigation claim
+ is not withdrawn, the rights granted by Participant to You under
+ Sections 2.1 and/or 2.2 automatically terminate at the expiration of
+ the 60 day notice period specified above.
+ .
+ (b) any software, hardware, or device, other than such Participant's
+ Contributor Version, directly or indirectly infringes any patent, then
+ any rights granted to You by such Participant under Sections 2.1(b)
+ and 2.2(b) are revoked effective as of the date You first made, used,
+ sold, distributed, or had made, Modifications made by that
+ Participant.
+ .
+ 8.3. If You assert a patent infringement claim against Participant
+ alleging that such Participant's Contributor Version directly or
+ indirectly infringes any patent where such claim is resolved (such as
+ by license or settlement) prior to the initiation of patent
+ infringement litigation, then the reasonable value of the licenses
+ granted by such Participant under Sections 2.1 or 2.2 shall be taken
+ into account in determining the amount or value of any payment or
+ license.
+ .
+ 8.4. In the event of termination under Sections 8.1 or 8.2 above,
+ all end user license agreements (excluding distributors and resellers)
+ which have been validly granted by You or any distributor hereunder
+ prior to termination shall survive termination.
+ .
+ 9. LIMITATION OF LIABILITY.
+ .
+ UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT
+ (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL
+ DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE,
+ OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR
+ ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY
+ CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL,
+ WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER
+ COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN
+ INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF
+ LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY
+ RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW
+ PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
+ EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
+ THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
+ .
+ 10. U.S. GOVERNMENT END USERS.
+ .
+ The Covered Code is a "commercial item," as that term is defined in
+ 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer
+ software" and "commercial computer software documentation," as such
+ terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48
+ C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995),
+ all U.S. Government End Users acquire Covered Code with only those
+ rights set forth herein.
+ .
+ 11. MISCELLANEOUS.
+ .
+ This License represents the complete agreement concerning subject
+ matter hereof. If any provision of this License is held to be
+ unenforceable, such provision shall be reformed only to the extent
+ necessary to make it enforceable. This License shall be governed by
+ California law provisions (except to the extent applicable law, if
+ any, provides otherwise), excluding its conflict-of-law provisions.
+ With respect to disputes in which at least one party is a citizen of,
+ or an entity chartered or registered to do business in the United
+ States of America, any litigation relating to this License shall be
+ subject to the jurisdiction of the Federal Courts of the Northern
+ District of California, with venue lying in Santa Clara County,
+ California, with the losing party responsible for costs, including
+ without limitation, court costs and reasonable attorneys' fees and
+ expenses. The application of the United Nations Convention on
+ Contracts for the International Sale of Goods is expressly excluded.
+ Any law or regulation which provides that the language of a contract
+ shall be construed against the drafter shall not apply to this
+ License.
+ .
+ 12. RESPONSIBILITY FOR CLAIMS.
+ .
+ As between Initial Developer and the Contributors, each party is
+ responsible for claims and damages arising, directly or indirectly,
+ out of its utilization of rights under this License and You agree to
+ work with Initial Developer and Contributors to distribute such
+ responsibility on an equitable basis. Nothing herein is intended or
+ shall be deemed to constitute any admission of liability.
+ .
+ 13. MULTIPLE-LICENSED CODE.
+ .
+ Initial Developer may designate portions of the Covered Code as
+ "Multiple-Licensed". "Multiple-Licensed" means that the Initial
+ Developer permits you to utilize portions of the Covered Code under
+ Your choice of the NPL or the alternative licenses, if any, specified
+ by the Initial Developer in the file described in Exhibit A.
+ .
+ EXHIBIT A -Mozilla Public License.
+ .
+ ``The contents of this file are subject to the Mozilla Public License
+ Version 1.1 (the "License"); you may not use this file except in
+ compliance with the License. You may obtain a copy of the License at
+ http://www.mozilla.org/MPL/
+ .
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+ License for the specific language governing rights and limitations
+ under the License.
+ .
+ The Original Code is ______________________________________.
+ .
+ The Initial Developer of the Original Code is ________________________.
+ Portions created by ______________________ are Copyright (C) ______
+ _______________________. All Rights Reserved.
+ .
+ Contributor(s): ______________________________________.
+ .
+ Alternatively, the contents of this file may be used under the terms
+ of the _____ license (the "[___] License"), in which case the
+ provisions of [______] License are applicable instead of those
+ above. If you wish to allow use of your version of this file only
+ under the terms of the [____] License and not to allow others to use
+ your version of this file under the MPL, indicate your decision by
+ deleting the provisions above and replace them with the notice and
+ other provisions required by the [___] License. If you do not delete
+ the provisions above, a recipient may use your version of this file
+ under either the MPL or the [___] License."
+ .
+ [NOTE: The text of this Exhibit A may differ slightly from the text of
+ the notices in the Source Code files of the Original Code. You should
+ use the text of this Exhibit A rather than the text found in the
+ Original Code Source Code for Your Modifications.]
+
+License: MPL-2.0
+ On Debian machines the full text of the Mozilla Public License version 2.0
+ can be found in the file /usr/share/common-licenses/MPL-2.0.
--- /dev/null
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+blhc:
+ allow_failure: true
--- /dev/null
+From 85d06aba6cb874958e9583d84bbd83ffe8bc40f6 Mon Sep 17 00:00:00 2001
+From: Timo Aaltonen <tjaalton@debian.org>
+Date: Wed, 15 Dec 2021 21:40:38 +0200
+Subject: [PATCH] Revert "Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode
+ (#4949)"
+
+This reverts commit b0d06615e1117799ec156d51489cd49c92635cca.
+---
+ .../healthcheck/health_security_test.py | 10 +++
+ ldap/ldif/template-dse-minimal.ldif.in | 52 ----------------
+ ldap/ldif/template-dse.ldif.in | 52 ----------------
+ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 62 +++----------------
+ ldap/servers/slapd/main.c | 12 ----
+ src/lib389/lib389/__init__.py | 4 --
+ src/lib389/lib389/topologies.py | 6 +-
+ src/lib389/lib389/utils.py | 13 ----
+ 8 files changed, 21 insertions(+), 190 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+index fa3c28615..a07371e0e 100644
+--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+@@ -31,6 +31,16 @@ libfaketime.reexec_if_needed()
+ log = logging.getLogger(__name__)
+
+
++def is_fips():
++ if os.path.exists('/proc/sys/crypto/fips_enabled'):
++ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
++ state = f.readline().strip()
++ if state == '1':
++ return True
++ else:
++ return False
++
++
+ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searched_code2=None):
+ args = FakeArgs()
+ args.instance = instance.serverid
+diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
+index a1700a2da..5d424fbf5 100644
+--- a/ldap/ldif/template-dse-minimal.ldif.in
++++ b/ldap/ldif/template-dse-minimal.ldif.in
+@@ -185,58 +185,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
+ nsslapd-plugintype: pwdstoragescheme
+ nsslapd-pluginenabled: on
+
+-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2
+-
+-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA1
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA1
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA1\
+-
+-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA256
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA256
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA256\
+-
+-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA512
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA512
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA512
+-
+ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
+ objectclass: top
+ objectclass: nsSlapdPlugin
+diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
+index 1456761e5..892f62c6b 100644
+--- a/ldap/ldif/template-dse.ldif.in
++++ b/ldap/ldif/template-dse.ldif.in
+@@ -232,58 +232,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
+ nsslapd-plugintype: pwdstoragescheme
+ nsslapd-pluginenabled: on
+
+-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2
+-
+-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA1
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA1
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA1\
+-
+-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA256
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA256
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA256\
+-
+-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA512
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA512
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA512
+-
+ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
+ objectclass: top
+ objectclass: nsSlapdPlugin
+diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+index dcac4fcdd..d310dc792 100644
+--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+@@ -91,11 +91,10 @@ pbkdf2_sha256_extract(char *hash_in, SECItem *salt, uint32_t *iterations)
+ SECStatus
+ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, uint32_t iterations)
+ {
++ SECItem *result = NULL;
+ SECAlgorithmID *algid = NULL;
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symkey = NULL;
+- SECItem *wrapKeyData = NULL;
+- SECStatus rv = SECFailure;
+
+ /* We assume that NSS is already started. */
+ algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
+@@ -105,6 +104,7 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
+ slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
+ if (slot != NULL) {
+ symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
++ PK11_FreeSlot(slot);
+ if (symkey == NULL) {
+ /* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
+ int32_t status = PORT_GetError();
+@@ -123,60 +123,18 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
+ return SECFailure;
+ }
+
+- /*
+- * First, we need to generate a wrapped key for PK11_Decrypt call:
+- * slot is the same slot we used in PK11_PBEKeyGen()
+- * 256 bits / 8 bit per byte
+- */
+- PK11SymKey *wrapKey = PK11_KeyGen(slot, CKM_AES_ECB, NULL, 256/8, NULL);
+- PK11_FreeSlot(slot);
+- if (wrapKey == NULL) {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to generate a wrapped key.\n");
+- return SECFailure;
+- }
+-
+- wrapKeyData = (SECItem *)PORT_Alloc(sizeof(SECItem));
+- /* Align the wrapped key with 32 bytes. */
+- wrapKeyData->len = (PK11_GetKeyLength(symkey) + 31) & ~31;
+- /* Allocate the aligned space for pkc5PBE key plus AESKey block */
+- wrapKeyData->data = (unsigned char *)slapi_ch_calloc(wrapKeyData->len, sizeof(unsigned char));
+-
+- /* Get symkey wrapped with wrapKey - required for PK11_Decrypt call */
+- rv = PK11_WrapSymKey(CKM_AES_ECB, NULL, wrapKey, symkey, wrapKeyData);
+- if (rv != SECSuccess) {
+- PK11_FreeSymKey(symkey);
+- PK11_FreeSymKey(wrapKey);
+- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to wrap the symkey. (%d)\n", rv);
+- return SECFailure;
+- }
+-
+- /* Allocate the space for our result */
+- void *result = (char *)slapi_ch_calloc(wrapKeyData->len, sizeof(char));
+- unsigned int result_len = 0;
+-
+- /* User wrapKey to decrypt the wrapped contents.
+- * result is the hash that we need;
+- * result_len is the actual lengh of the data;
+- * has_out_len is the maximum (the space we allocted for hash_out)
+- */
+- rv = PK11_Decrypt(wrapKey, CKM_AES_ECB, NULL, result, &result_len, hash_out_len, wrapKeyData->data, wrapKeyData->len);
+- PK11_FreeSymKey(symkey);
+- PK11_FreeSymKey(wrapKey);
+- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
+-
+- if (rv == SECSuccess) {
+- if (result != NULL && result_len <= hash_out_len) {
+- memcpy(hash_out, result, result_len);
+- slapi_ch_free((void **)&result);
++ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
++ result = PK11_GetKeyData(symkey);
++ if (result != NULL && result->len <= hash_out_len) {
++ memcpy(hash_out, result->data, result->len);
++ PK11_FreeSymKey(symkey);
+ } else {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to retrieve (get) hash output.\n");
+- slapi_ch_free((void **)&result);
++ PK11_FreeSymKey(symkey);
++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
+ return SECFailure;
+ }
+ } else {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to extract hash output. (%d)\n", rv);
+- slapi_ch_free((void **)&result);
++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
+ return SECFailure;
+ }
+
+diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
+index 7b3dc848f..9f99f6154 100644
+--- a/ldap/servers/slapd/main.c
++++ b/ldap/servers/slapd/main.c
+@@ -2931,21 +2931,9 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt, int s_por
+ * is enabled or not. We use NSS for random number generation and
+ * other things even if we are not going to accept SSL connections.
+ * We also need NSS for attribute encryption/decryption on import and export.
+- *
+- * It's important to remember that while in FIPS mode the administrator should always enable
+- * the security, otherwise we don't call slapd_pk11_authenticate which is a requirement for FIPS mode
+ */
+- PRBool isFIPS = slapd_pk11_isFIPS();
+ int init_ssl = config_get_security();
+
+- if (isFIPS && !init_ssl) {
+- slapi_log_err(SLAPI_LOG_WARNING, "slapd_do_all_nss_ssl_init",
+- "ERROR: TLS is not enabled, and the machine is in FIPS mode. "
+- "Some functionality won't work correctly (for example, "
+- "users with PBKDF2_SHA256 password scheme won't be able to log in). "
+- "It's highly advisable to enable TLS on this instance.\n");
+- }
+-
+ if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
+ init_ssl = init_ssl && (0 != s_port) && (s_port <= LDAP_PORT_MAX);
+ } else {
+diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
+index 15ac50b7d..d4473dfd1 100644
+--- a/src/lib389/lib389/__init__.py
++++ b/src/lib389/lib389/__init__.py
+@@ -1533,10 +1533,6 @@ class DirSrv(SimpleLDAPObject, object):
+ :param post_open: Open the server connection after restart.
+ :type post_open: bool
+ """
+- if self.config.get_attr_val_utf8_l("nsslapd-security") == 'on':
+- self.restart(post_open=post_open)
+- return
+-
+ # If it doesn't exist, create a cadb.
+ ssca = NssSsl(dbpath=self.get_ssca_dir())
+ if not ssca._db_exists():
+diff --git a/src/lib389/lib389/topologies.py b/src/lib389/lib389/topologies.py
+index 569818fc1..db505535f 100644
+--- a/src/lib389/lib389/topologies.py
++++ b/src/lib389/lib389/topologies.py
+@@ -11,7 +11,7 @@ import logging
+ import socket # For hostname detection for GSSAPI tests
+ import pytest
+ from lib389 import DirSrv
+-from lib389.utils import generate_ds_params, is_fips
++from lib389.utils import generate_ds_params
+ from lib389.mit_krb5 import MitKrb5
+ from lib389.saslmap import SaslMappings
+ from lib389.replica import ReplicationManager, Replicas
+@@ -103,10 +103,6 @@ def _create_instances(topo_dict, suffix):
+ if role == ReplicaRole.HUB:
+ hs[instance.serverid] = instance
+ instances.update(hs)
+- # We should always enable TLS while in FIPS mode because otherwise NSS database won't be
+- # configured in a FIPS compliant way
+- if is_fips():
+- instance.enable_tls()
+ if DEBUGGING:
+ instance.config.set('nsslapd-errorlog-level','8192')
+ instance.config.set('nsslapd-accesslog-level','260')
+diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
+index 5445aa7b0..37eeda273 100644
+--- a/src/lib389/lib389/utils.py
++++ b/src/lib389/lib389/utils.py
+@@ -1434,16 +1434,3 @@ def is_valid_hostname(hostname):
+ hostname = hostname[:-1] # strip exactly one dot from the right, if present
+ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
+ return all(allowed.match(x) for x in hostname.split("."))
+-
+-
+-def is_fips():
+- if os.path.exists('/proc/sys/crypto/fips_enabled'):
+- with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+- state = f.readline().strip()
+- if state == '1':
+- return True
+- else:
+- return False
+- else:
+- return False
+-
+--
+2.32.0
+
--- /dev/null
+--- a/ldap/servers/slapd/ldaputil.c
++++ b/ldap/servers/slapd/ldaputil.c
+@@ -827,10 +827,14 @@ ldaputil_get_saslpath()
+ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
+ #ifdef CPU_arm
+ /* the 64-bit ARMv8 architecture. */
+- saslpath = "/usr/lib/aarch64-linux-gnu";
++ saslpath = "/usr/lib/aarch64-linux-gnu/sasl2";
++#elif defined(CPU_powerpc64le)
++ saslpath = "/usr/lib/powerpc64le-linux-gnu/sasl2";
++#elif defined(CPU_s390x)
++ saslpath = "/usr/lib/s390x-linux-gnu/sasl2";
+ #else
+ /* Try x86_64 gnu triplet */
+- saslpath = "/usr/lib/x86_64-linux-gnu";
++ saslpath = "/usr/lib/x86_64-linux-gnu/sasl2";
+ #endif
+ }
+ #else
+@@ -838,14 +842,14 @@ ldaputil_get_saslpath()
+ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
+ #ifdef CPU_arm
+ /* the latest 32 bit ARM architecture using the hard-float version of EABI. */
+- saslpath = "/usr/lib/arm-linux-gnueabihf";
++ saslpath = "/usr/lib/arm-linux-gnueabihf/sasl2";
+ if (PR_SUCCESS != PR_Access(saslpath, PR_ACCESS_EXISTS)) {
+ /* the 32 bit ARM architecture of EABI. */
+- saslpath = "/usr/lib/arm-linux-gnueabi";
++ saslpath = "/usr/lib/arm-linux-gnueabi/sasl2";
+ }
+ #else
+ /* Try i386 gnu triplet */
+- saslpath = "/usr/lib/i386-linux-gnu";
++ saslpath = "/usr/lib/i386-linux-gnu/sasl2";
+ #endif
+ }
+ #endif
+--- a/configure.ac
++++ b/configure.ac
+@@ -655,7 +655,8 @@ case $host in
+ arm-*-linux*)
+ AC_DEFINE([CPU_arm], [], [cpu type arm])
+ ;;
+- ppc64le-*-linux*)
++ powerpc64le-*-linux*)
++ AC_DEFINE([CPU_powerpc64le], [], [cpu type powerpc64le])
+ ;;
+ ppc64-*-linux*)
+ ;;
+@@ -664,6 +665,7 @@ case $host in
+ s390-*-linux*)
+ ;;
+ s390x-*-linux*)
++ AC_DEFINE([CPU_s390x], [], [cpu type s390x])
+ ;;
+ esac
+ # some programs use the native thread library directly
--- /dev/null
+fix-saslpath.diff
+0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
--- /dev/null
+usr/lib/python3/dist-packages/lib389-*
+usr/lib/python3/dist-packages/lib389/
+usr/sbin/dsconf
+usr/sbin/dscreate
+usr/sbin/dsctl
+usr/sbin/dsidm
+usr/share/man/man8/dsconf.8
+usr/share/man/man8/dscreate.8
+usr/share/man/man8/dsctl.8
+usr/share/man/man8/dsidm.8
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+pie
+
+
+ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
+ export DEB_LDFLAGS_MAINT_APPEND=-latomic
+endif
+
+REALFILE = \
+ bin/ds-logpipe.py \
+ bin/logconv.pl \
+ share/man/man1/ds-logpipe.py.1 \
+ share/man/man1/logconv.pl.1 \
+
+%:
+ dh $@ --with python3 --builddir build/
+
+override_dh_auto_clean:
+ dh_auto_clean
+ rm -f aclocal.m4 config.* ltmain.sh m4/libtool.m4 m4/lt*.m4
+ rm -f ldap/servers/snmp/ldap-agent.conf
+ rm -rf src/lib389/build src/lib389/lib389.egg-info
+ find src/lib389/ -name '__pycache__' -exec rm -rf '{}' ';'
+ rm -f src/lib389/man/*.8
+
+override_dh_auto_configure:
+ dh_auto_configure -- \
+ --with-openldap \
+ --with-systemd \
+ --with-systemdsystemunitdir=/lib/systemd/system \
+ --with-systemdsystemconfdir=/etc/systemd/system \
+ --with-systemdgroupname=dirsrv.target \
+ --with-tmpfiles-d=/etc/tmpfiles.d \
+ --enable-autobind \
+ --enable-cmocka \
+ --enable-icu \
+ --enable-perl
+
+override_dh_auto_build:
+ (cd src/lib389 && python3 setup.py build)
+ dh_auto_build
+
+override_dh_auto_install:
+ (cd src/lib389 && python3 setup.py install --install-layout=deb --root ../../debian/tmp)
+
+ dh_auto_install --max-parallel=1
+
+override_dh_install:
+ # lets do the renaming here afterall, instead of in 389-ds-base.install
+ for file in $(REALFILE); do mv -f $(CURDIR)/debian/tmp/usr/$$file \
+ $(CURDIR)/debian/tmp/usr/`echo $$file | \
+ sed -s 's/\.pl//;s/\.py//'`; \
+ done
+ # purge .la files
+ find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \;
+
+ mkdir -p $(CURDIR)/debian/tmp/etc/systemd/system/dirsrv.target.wants
+
+ # fix the manpage section, argparse-manpage hardcodes it as 1
+ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsconf.8
+ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dscreate.8
+ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsctl.8
+ sed -i "1s/\"1\"/\"8\"/" debian/tmp/usr/share/man/man8/dsidm.8
+
+ # link to jemalloc
+ mkdir -p $(CURDIR)/debian/tmp/usr/lib/$(DEB_BUILD_MULTIARCH)/dirsrv/lib/
+ ln -s /usr/lib/$(DEB_BUILD_MULTIARCH)/libjemalloc.so.2 \
+ $(CURDIR)/debian/tmp/usr/lib/$(DEB_BUILD_MULTIARCH)/dirsrv/lib/
+
+ dh_install
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installsystemd:
+ dh_installsystemd -p389-ds-base --no-enable dirsrv-snmp.service
+
+override_dh_shlibdeps:
+ dh_shlibdeps -l"debian/389-ds-base/usr/lib/$(DEB_HOST_MULTIARCH)/dirsrv" -a
--- /dev/null
+3.0 (quilt)
--- /dev/null
+# it just has long lines
+389-ds-base source: source-is-missing src/cockpit/389-console/cockpit_dist/index.js line length is 312 characters (>256)
--- /dev/null
+Tests: setup
+Depends:
+ 389-ds-base,
+Restrictions:
+ isolation-container,
+ needs-root,
--- /dev/null
+#!/bin/sh
+
+# hack for lxc
+IP=`ip route get 1.1.1.1 | sed -n -e's/.*src //; s/ .*//; p; q'`
+echo "IP address is $IP"
+
+HOSTNAME=`cat /etc/hosts| grep '127.0.1.1' | awk '{print $NF; exit}'`
+echo "Hostname was: $HOSTNAME"
+
+if [ -z $HOSTNAME ]; then
+ HOSTNAME=autopkgtest
+ hostname $HOSTNAME
+ echo $HOSTNAME > /etc/hostname
+fi
+
+echo "$IP $HOSTNAME.debci $HOSTNAME" >> /etc/hosts
+
+echo "/etc/hosts now has:"
+cat /etc/hosts
+
+cat << EOF > /tmp/debci.inf
+[general]
+full_machine_name = $HOSTNAME.debci
+strict_host_checking = False
+[slapd]
+group = dirsrv
+instance_name = debci
+port = 1389
+root_dn = cn=Directory Manager
+root_password = Secret123
+user = dirsrv
+[backend-userroot]
+suffix = dc=example,dc=com
+EOF
+
+/usr/sbin/dscreate from-file /tmp/debci.inf 2>&1
--- /dev/null
+#git=https://github.com/389ds/389-ds-base
+version=3
+https://github.com/389ds/389-ds-base/tags/ (?:.*?/)?389-ds-base-@ANY_VERSION@\.tar\.gz
projects / 389-ds-base.git / commitdiff