From: Timo Aaltonen Date: Thu, 10 Feb 2022 18:00:45 +0000 (+0000) Subject: 389-ds-base (2.0.14-1) unstable; urgency=medium X-Git-Tag: archive/raspbian/2.0.14-1+rpi1^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=23ee1d55b875d93b5c8f8d4cd61fe18726adbfd2;p=389-ds-base.git 389-ds-base (2.0.14-1) unstable; urgency=medium * New upstream release. * install: Updated. * control: Bump policy to 4.6.0. [dgit import unpatched 389-ds-base 2.0.14-1]
--- 23ee1d55b875d93b5c8f8d4cd61fe18726adbfd2
diff --cc debian/389-ds-base-dev.install
index 0000000,0000000..6f305f1
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base-dev.install
@@@ -1,0 -1,0 +1,8 @@@
++usr/include/dirsrv/*
++usr/include/svrcore.h
++usr/lib/*/dirsrv/libldaputil.so
++usr/lib/*/dirsrv/libns-dshttpd.so
++usr/lib/*/dirsrv/librewriters.so
++usr/lib/*/dirsrv/libslapd.so
++usr/lib/*/libsvrcore.so
++usr/lib/*/pkgconfig/*
diff --cc debian/389-ds-base-libs.install
index 0000000,0000000..d072a44
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base-libs.install
@@@ -1,0 -1,0 +1,6 @@@
++usr/lib/*/dirsrv/lib/libjemalloc.so.*
++usr/lib/*/dirsrv/libldaputil.so.*
++usr/lib/*/dirsrv/libns-dshttpd.so.*
++usr/lib/*/dirsrv/librewriters.so.*
++usr/lib/*/dirsrv/libslapd.so.*
++usr/lib/*/libsvrcore.so.*
diff --cc debian/389-ds-base-libs.lintian-overrides
index 0000000,0000000..e4a0c15
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base-libs.lintian-overrides
@@@ -1,0 -1,0 +1,1 @@@
++custom-library-search-path
diff --cc debian/389-ds-base.default
index 0000000,0000000..14beb77
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.default
@@@ -1,0 -1,0 +1,6 @@@
++# Defaults for dirsrv
++#
++# This is a POSIX shell fragment
++
++# Enable bindnow hardening
++LD_BIND_NOW=1
diff --cc debian/389-ds-base.dirs
index 0000000,0000000..f12d71e
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.dirs
@@@ -1,0 -1,0 +1,2 @@@
++var/log/dirsrv
++var/lib/dirsrv
diff --cc debian/389-ds-base.install
index 0000000,0000000..3f91867
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.install
@@@ -1,0 -1,0 +1,37 @@@
++etc/dirsrv/config/
++etc/dirsrv/schema/*.ldif
++etc/systemd/
++lib/systemd/system/dirsrv-snmp.service
++lib/systemd/system/dirsrv.target
++lib/systemd/system/dirsrv@.service
++lib/systemd/system/dirsrv@.service.d/custom.conf
++usr/bin/dbscan
++usr/bin/ds-logpipe
++usr/bin/ds-replcheck
++usr/bin/ldclt
++usr/bin/logconv
++usr/bin/pwdhash
++usr/lib/*/dirsrv/plugins/*.so
++usr/lib/*/dirsrv/python/
++usr/libexec/dirsrv/dscontainer
++usr/libexec/ds_selinux_restorecon.sh
++usr/libexec/ds_systemd_ask_password_acl
++usr/lib/sysctl.d/70-dirsrv.conf
++usr/sbin/ldap-agent
++usr/sbin/ns-slapd
++usr/sbin/openldap_to_ds
++usr/share/dirsrv/data
++usr/share/dirsrv/inf
++usr/share/dirsrv/mibs
++usr/share/dirsrv/schema
++usr/share/gdb/auto-load/usr/sbin/ns-slapd-gdb.py
++usr/share/man/man1/dbscan.1
++usr/share/man/man1/ds-logpipe.1
++usr/share/man/man1/ds-replcheck.1
++usr/share/man/man1/ldap-agent.1
++usr/share/man/man1/ldclt.1
++usr/share/man/man1/logconv.1
++usr/share/man/man1/pwdhash.1
++usr/share/man/man5/*.5
++usr/share/man/man8/ns-slapd.8
++usr/share/man/man8/openldap_to_ds.8
diff --cc debian/389-ds-base.links
index 0000000,0000000..2f83bc6
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.links
@@@ -1,0 -1,0 +1,1 @@@
++/dev/null lib/systemd/system/dirsrv.service
diff --cc debian/389-ds-base.lintian-overrides
index 0000000,0000000..693de7c
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.lintian-overrides
@@@ -1,0 -1,0 +1,5 @@@
++# these are bogus warnings, no libs shipped in a public libdir
++unused-shlib-entry-in-control-file
++
++# plugins
++custom-library-search-path
diff --cc debian/389-ds-base.postinst
index 0000000,0000000..413fb60
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.postinst
@@@ -1,0 -1,0 +1,35 @@@
++#!/bin/sh
++set -e
++
++. /usr/share/debconf/confmodule
++
++CONFIG_DIR=/etc/dirsrv
++OUT=/dev/null
++INSTANCES=`ls -d /etc/dirsrv/slapd-* 2>/dev/null | grep -v removed | sed 's/.*slapd-//'`
++
++if [ "$1" = configure ]; then
++ # lets give them a user/group in all cases.
++ if ! getent passwd dirsrv > $OUT; then
++ adduser --quiet --system --home /var/lib/dirsrv \
++ --disabled-password --group \
++ --gecos "389 Directory Server user" \
++ --no-create-home \
++ dirsrv > $OUT
++ fi
++
++ chown -R dirsrv:dirsrv /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
++ chmod 750 /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
++fi
++
++invoke_failure() {
++ # invoke-rc.d failed, likely because no instance has been configured yet
++ # but exit with an error if an instance is configured and the invoke failed
++ if [ -z $INSTANCES ]; then
++ echo "... because no instance has been configured yet."
++ else
++ exit 1
++ fi
++}
++
++
++#DEBHELPER#
diff --cc debian/389-ds-base.postrm
index 0000000,0000000..0a70e0e
new file mode 100644
--- /dev/null
+++ b/debian/389-ds-base.postrm
@@@ -1,0 -1,0 +1,16 @@@
++#!/bin/sh
++set -e
++
++. /usr/share/debconf/confmodule
++
++if [ "$1" = "purge" ]; then
++ if getent group dirsrv > /dev/null; then
++ deluser --system dirsrv || true
++ fi
++ rm -f /etc/systemd/system/dirsrv.target.wants/dirsrv@*.service
++ rm -rf /etc/dirsrv
++ rm -rf /var/lib/dirsrv
++ rm -rf /var/log/dirsrv
++fi
++
++#DEBHELPER#
diff --cc debian/389-ds-base.prerm
index 0000000,0000000..bfa9c61
new file mode 100644
--- /dev/null
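Review bot: In debian/389-ds-base.postinst the `chown -R dirsrv:dirsrv /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/` runs as root on every `configure` over trees the dirsrv account can itself write to, which is the pattern lintian reports as `recursive-privilege-change`: links placed inside those trees can redirect the ownership change to files outside them. Limit the change to the directories the package creates, for example `chown dirsrv:dirsrv /var/log/dirsrv /var/lib/dirsrv`, and drop the `> $OUT || true` so a failure is visible instead of silently ignored. Separately, `[ -z $INSTANCES ]` in invoke_failure should be `[ -z "$INSTANCES" ]`; with more than one instance the unquoted test is malformed and only reaches `exit 1` by accident.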
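Review bot: debian/389-ds-base.postrm sources `/usr/share/debconf/confmodule` unconditionally under `set -e`, but during purge only essential packages are guaranteed to be present, so a missing debconf aborts the purge before any of the cleanup runs. The visible script makes no debconf calls, so either drop the line or guard it with `[ -e /usr/share/debconf/confmodule ]` inside the purge branch. The account removal also tests `getent group dirsrv` and then deletes the user; `getent passwd dirsrv` would match what `deluser --system dirsrv` acts on.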
+++ b/debian/389-ds-base.prerm
@@@ -1,0 -1,0 +1,14 @@@
++#!/bin/sh -e
++set -e
++
++#DEBHELPER#
++
++if [ "$1" = "purge" ]; then
++ # remove all installed instances
++ for FILE in `ls -d /etc/dirsrv/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
++ do
++ if [ -d "$FILE" ] ; then
++ dsctl $FILE remove --do-it
++ fi
++ done
++fi
diff --cc debian/README.Debian
index 0000000,0000000..eba838e
new file mode 100644
--- /dev/null
+++ b/debian/README.Debian
@@@ -1,0 -1,0 +1,12 @@@
++To complete the 389 Directory Server installation just run /usr/sbin/setup-ds.
++
++If you experience problems accessing the Directory Server, check with
++"netstat -tapen |grep 389" and verify that the server is not listening only
++to ipv6 (check for ^tcp6). In such case you will need to tweak the cn=config
++DIT with something like the following:
++
++dn: cn=config
++changetype: modify
++add: nsslapd-listenhost
++nsslapd-listenhost:
++
diff --cc debian/changelog
index 0000000,0000000..6a90790
new file mode 100644
--- /dev/null
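Review bot: The instance-removal loop in debian/389-ds-base.prerm is guarded by `[ "$1" = "purge" ]`, but dpkg never calls prerm with `purge` (that argument is only passed to postrm), so `dsctl ... remove --do-it` never runs and cleanup is left to the `rm -rf` calls in postrm. If orderly instance removal is wanted, it needs a hook that actually fires, bearing in mind that dsctl may already be gone by the time postrm purges; otherwise delete the block so the script does not promise a cleanup that does not happen. If the loop is kept, quote the argument, `dsctl "$FILE" remove --do-it`, and check the sed expression `'/\.removed$/!$'`, which as shown has no valid command after the `!` (possibly an artefact of how this page was rendered).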
+++ b/debian/changelog
@@@ -1,0 -1,0 +1,1029 @@@
++389-ds-base (2.0.14-1) unstable; urgency=medium
++
++ * New upstream release.
++ * install: Updated.
++ * control: Bump policy to 4.6.0.
++
++ -- Timo Aaltonen Thu, 10 Feb 2022 20:00:45 +0200
++
++389-ds-base (2.0.11-2) unstable; urgency=medium
++
++ * Revert a commit that makes dscreate to fail.
++
++ -- Timo Aaltonen Wed, 15 Dec 2021 23:23:15 +0200
++
++389-ds-base (2.0.11-1) unstable; urgency=medium
++
++ * New upstream release.
++ * missing-sources: Removed, all the minified javascript files were
++ removed upstream some time ago.
++ * install: Updated.
++ * control: Bump debhelper to 13.
++ * Override some lintian errors.
++ * watch: Update the url.
++
++ -- Timo Aaltonen Wed, 15 Dec 2021 21:03:20 +0200
++
++389-ds-base (1.4.4.17-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2021-3652 (Closes: #991405)
++ * tests: Add isolation-container to restrictions.
++ * Add a dependency to libjemalloc2, and add a symlink to it so the
++ preload works. (Closes: #992696)
++ * CVE-2017-15135.patch: Dropped, fixed by upstream issue #4817.
++
++ -- Timo Aaltonen Mon, 18 Oct 2021 18:36:30 +0300
++
++389-ds-base (1.4.4.16-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-s390x-failure.diff: Dropped, upstream.
++ * watch: Updated to use github.
++ * copyright: Fix 'globbing-patterns-out-of-order'.
++
++ -- Timo Aaltonen Mon, 16 Aug 2021 09:54:52 +0300
++
++389-ds-base (1.4.4.11-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-s390x-failure.diff: Fix a crash on big-endian architectures like
++ s390x.
++
++ -- Timo Aaltonen Thu, 28 Jan 2021 13:03:32 +0200
++
++389-ds-base (1.4.4.10-1) unstable; urgency=medium
++
++ * New upstream release.
++ * CVE-2017-15135.patch: Refreshed.
++ * source: Update diff-ignore.
++ * install: Drop libsds which got removed.
++ * control: Add libnss3-tools to cockpit-389-ds Depends. (Closes:
++ #965004)
++ * control: Drop python3-six from depends.
++
++ -- Timo Aaltonen Thu, 21 Jan 2021 22:16:28 +0200
++
++389-ds-base (1.4.4.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-prlog-include.diff: Dropped, upstream.
++
++ -- Timo Aaltonen Fri, 18 Dec 2020 15:29:20 +0200
++
++389-ds-base (1.4.4.8-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-systemctl-path.diff, drop-old-man.diff: Dropped, obsolete.
++ * fix-prlog-include.diff: Fix build by dropping nspr4/ prefix.
++ * install, rules: Clean up perl cruft that got removed upstream.
++ * install: Add openldap_to_ds.
++ * watch: Follow 1.4.4.x.
++
++ -- Timo Aaltonen Thu, 12 Nov 2020 15:57:11 +0200
++
++389-ds-base (1.4.4.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ * watch: Update upstream git repo url.
++ * control: Add python3-dateutil to build-depends.
++ * copyright: Drop duplicate globbing patterns.
++ * lintian: Drop obsolete overrides.
++ * postinst: Drop obsolete rule to upgrade the instances.
++ * prerm: Use dsctl instead of remove-ds.
++
++ -- Timo Aaltonen Tue, 22 Sep 2020 09:23:30 +0300
++
++389-ds-base (1.4.4.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-db-home-dir.diff: Dropped, upstream.
++
++ -- Timo Aaltonen Tue, 02 Jun 2020 11:33:44 +0300
++
++389-ds-base (1.4.3.6-2) unstable; urgency=medium
++
++ * fix-db-home-dir.diff: Set db_home_dir same as db_dir to fix an issue
++ starting a newly created instance.
++
++ -- Timo Aaltonen Tue, 21 Apr 2020 20:19:06 +0300
++
++389-ds-base (1.4.3.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * install: Updated.
++
++ -- Timo Aaltonen Mon, 20 Apr 2020 15:01:35 +0300
++
++389-ds-base (1.4.3.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Add debian/gitlab-ci.yml.
++ - allow blhc to fail
++ * control: Bump policy to 4.5.0.
++ * control: Use https url for upstream.
++ * control: Use canonical URL in Vcs-Browser.
++ * copyright: Use spaces rather than tabs to start continuation lines.
++ * Add lintian-overrides for the source, cockpit index.js has long lines.
++
++ -- Timo Aaltonen Wed, 18 Mar 2020 08:47:32 +0200
++
++389-ds-base (1.4.3.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ * prerm: Fix slapd install path. (Closes: #945583)
++ * install: Updated.
++ * control: Use debhelper-compat.
++
++ -- Timo Aaltonen Wed, 12 Feb 2020 19:39:22 +0200
++
++389-ds-base (1.4.2.4-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2019-14824 deref plugin displays restricted attributes
++ (Closes: #944150)
++ * fix-obsolete-target.diff: Dropped, obsolete
++ drop-old-man.diff: Refreshed
++ * control: Add python3-packaging to build-depends and python3-lib389 depends.
++ * dev,libs.install: Nunc-stans got dropped.
++ * source/local-options: Add some files to diff-ignore.
++ * rules: Refresh list of files to purge.
++ * rules: Update dh_auto_clean override.
++
++ -- Timo Aaltonen Wed, 27 Nov 2019 00:00:59 +0200
++
++389-ds-base (1.4.1.6-4) unstable; urgency=medium
++
++ * tests: Redirect stderr to stdout.
++
++ -- Timo Aaltonen Tue, 17 Sep 2019 01:37:39 +0300
++
++389-ds-base (1.4.1.6-3) unstable; urgency=medium
++
++ * control: Add openssl to python3-lib389 depends.
++
++ -- Timo Aaltonen Fri, 13 Sep 2019 07:32:27 +0300
++
++389-ds-base (1.4.1.6-2) unstable; urgency=medium
++
++ * Restore perl build partly, setup-ds is still needed for upgrades
++ until Ubuntu 20.04 is released (for versions << 1.4.0.9).
++
++ -- Timo Aaltonen Thu, 12 Sep 2019 14:50:36 +0300
++
++389-ds-base (1.4.1.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Drop direct depends on python from 389-ds-base. (Closes:
++ #936102)
++ * Drop -legacy-tools and other obsolete scripts.
++ * use-bash-instead-of-sh.diff, rename-online-scripts.diff, perl-use-
++ move-instead-of-rename.diff: Dropped, obsolete.
++ * rules: Fix dsconf/dscreate/dsctl/dsidm manpage section.
++ * tests/setup: Migrate to dscreate.
++ * control: Add libnss3-tools to python3-lib389 depends. (Closes: #920025)
++
++ -- Timo Aaltonen Wed, 11 Sep 2019 17:01:03 +0300
++
++389-ds-base (1.4.1.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * watch: Use https.
++ * control: Bump policy to 4.4.0.
++ * Bump debhelper to 12.
++ * patches: fix-dsctl-remove.diff, fix-nss-path.diff, icu_pkg-config.patch
++ removed, upstream. Others refreshed.
++ * rules: Pass --enable-perl, we still need the perl tools.
++ * *.install: Updated.
++
++ -- Timo Aaltonen Wed, 10 Jul 2019 10:05:31 +0300
++
++389-ds-base (1.4.0.22-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ * control: Drop 389-ds-base from -legacy-tools Depends. (Closes:
++ #924265)
++ * fix-dsctl-remove.diff: Don't hardcode sysconfig. (Closes: #925221)
++
++ -- Timo Aaltonen Sat, 06 Apr 2019 00:32:06 +0300
++
++389-ds-base (1.4.0.21-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Run offline upgrade only when upgrading from versions below 1.4.0.9,
++ ns-slapd itself handles upgrades in newer versions.
++ * rules: Actually install the minified javascript files. (Closes:
++ #913820)
++
++ -- Timo Aaltonen Tue, 12 Feb 2019 16:28:15 +0200
++
++389-ds-base (1.4.0.20-3) unstable; urgency=medium
++
++ * control: 389-ds-base should depend on the legacy tools for now.
++ (Closes: #919420)
++
++ -- Timo Aaltonen Wed, 16 Jan 2019 11:30:51 +0200
++
++389-ds-base (1.4.0.20-2) unstable; urgency=medium
++
++ * Upload to unstable.
++
++ -- Timo Aaltonen Mon, 14 Jan 2019 20:03:58 +0200
++
++389-ds-base (1.4.0.20-1) experimental; urgency=medium
++
++ * New upstream release. (Closes: #913821)
++ * fix-nss-path.diff: Fix includes.
++ * Build ds* manpages, add missing build-depends.
++ * Move deprecated tools in a new subpackage.
++ * control: Add python3-lib389 to 389-ds-base depends.
++
++ -- Timo Aaltonen Sun, 13 Jan 2019 21:13:22 +0200
++
++389-ds-base (1.4.0.19-3) unstable; urgency=medium
++
++ [ Jelmer Vernooij ]
++ * Use secure copyright file specification URI.
++ * Trim trailing whitespace.
++ * Use secure URI in Vcs control header.
++
++ [ Hugh McMaster ]
++ * control: Mark 389-ds-base-libs{,-dev} M-A: same, cockpit-389-ds M-A:
++ foreign and arch:all. (Closes: #916118)
++ * Use pkg-config to detect icu. (Closes: #916115)
++
++ -- Timo Aaltonen Wed, 02 Jan 2019 12:43:23 +0200
++
++389-ds-base (1.4.0.19-2) unstable; urgency=medium
++
++ * rules: Add -latomic to LDFLAGS on archs failing to build. (Closes:
++ #910982)
++
++ -- Timo Aaltonen Thu, 06 Dec 2018 01:06:37 +0200
++
++389-ds-base (1.4.0.19-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Make C/R backports-compatible. (Closes: #910796)
++ * use-packaged-js.diff: Dropped, packaged versions don't work.
++ (Closes: #913820)
++ * Follow upstream, and drop python3-dirsrvtests.
++ * cockpit-389-ds.install: Updated.
++
++ -- Timo Aaltonen Mon, 03 Dec 2018 15:56:40 +0200
++
++389-ds-base (1.4.0.18-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2018-14624 (Closes: #907778)
++ - CVE-2018-14638 (Closes: #908859)
++ * control: Build on any arch again.
++ * perl-use-move-instead-of-rename.diff: Use copy instead of move,
++ except when restoring files in case of an error.
++ * Move the new utils (dsconf, dscreate, dsctl, dsidm) to python3-
++ lib389.
++ * control: Add python3-argcomplete to python3-lib389 depends. (Closes:
++ #910761)
++
++ -- Timo Aaltonen Thu, 11 Oct 2018 00:56:02 +0300
++
++389-ds-base (1.4.0.16-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: 389-ds-base-dev provides libsvrcore-dev. (Closes: #907140)
++ * perl-use-move-instead-of-rename.diff: Fix upgrade on systems where
++ /var is on a separate partition: (Closes: #905184)
++
++ -- Timo Aaltonen Thu, 27 Sep 2018 22:39:34 +0300
++
++389-ds-base (1.4.0.15-2) unstable; urgency=medium
++
++ * control: Build cockpit-389-ds only on 64bit and i386.
++
++ -- Timo Aaltonen Thu, 23 Aug 2018 08:54:06 +0300
++
++389-ds-base (1.4.0.15-1) unstable; urgency=medium
++
++ * New upstream release
++ - CVE-2018-10935 (Closes: #906985)
++ * control: Add libcrack2-dev to build-depends.
++
++ -- Timo Aaltonen Thu, 23 Aug 2018 00:46:45 +0300
++
++389-ds-base (1.4.0.13-1) experimental; urgency=medium
++
++ * New upstream release.
++ - CVE-2018-10850 (Closes: #903501)
++ * control: Update maintainer address.
++ * control: Upstream dropped support for non-64bit architectures, so
++ build only on supported 64bit archs (amd64, arm64, mips64el,
++ ppc64el, s390x).
++ * control: svrcore got merged here, drop it from build-depends.
++ * ftbs_lsoftotkn3.diff: Dropped, obsolete.
++ * control: Add rsync to build-depends.
++ * libs, dev, control: Add libsvrcore files, replace old package.
++ * base: Add new scripts, add python3-selinux, -semanage, -sepolicy to
++ depends.
++ * Add a package for cockpit-389-ds.
++ * rules: Clean up cruft left after build.
++ * control: Drop dh_systemd from build-depends, bump debhelper to 11.
++ * Add varions libjs packages to cockpit-389-ds Depends, add the rest
++ to d/missing-sources.
++ * copyright: Updated. (Closes: #904760)
++ * control: Modify 389-ds to depend on cockpit-389-ds and drop the old
++ GUI packages which are deprecated upstream.
++ * dont-build-new-manpages.diff: Debian doesn't have argparse-manpage,
++ so in order to not FTBFS don't build new manpages.
++ * base.install: Add man5/*.
++
++ -- Timo Aaltonen Tue, 31 Jul 2018 23:46:17 +0300
++
++389-ds-base (1.3.8.2-1) unstable; urgency=medium
++
++ * New upstream release.
++ * fix-saslpath.diff: Updated to support ppc64el and s390x. (LP:
++ #1764744)
++ * CVE-2017-15135.patch: Refreshed
++
++ -- Timo Aaltonen Fri, 01 Jun 2018 11:21:19 +0300
++
++389-ds-base (1.3.7.10-1) unstable; urgency=medium
++
++ * New upstream release.
++ - fix CVE-2018-1054 (Closes: #892124)
++ * control: Update maintainer address, freeipa-team handles this from
++ now on. Drop kklimonda from uploaders.
++ * control: Update VCS urls.
++
++ -- Timo Aaltonen Tue, 13 Mar 2018 11:32:29 +0200
++
++389-ds-base (1.3.7.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2017-15134 (Closes: #888452)
++ * patches: Fix CVE-2017-15135. (Closes: #888451)
++ * tests: Add some debug output.
++
++ -- Timo Aaltonen Mon, 05 Feb 2018 16:25:09 +0200
++
++389-ds-base (1.3.7.8-4) unstable; urgency=medium
++
++ * tests: Drop python3-lib389 from depends, it's not used currently
++ anyway.
++
++ -- Timo Aaltonen Thu, 21 Dec 2017 15:42:04 +0200
++
++389-ds-base (1.3.7.8-3) unstable; urgency=medium
++
++ * tests/control: Depend on python3-lib389.
++
++ -- Timo Aaltonen Wed, 20 Dec 2017 23:54:43 +0200
++
++389-ds-base (1.3.7.8-2) unstable; urgency=medium
++
++ * Fix autopkgtest to be robust in the face of changed iproute2 output.
++
++ -- Timo Aaltonen Wed, 20 Dec 2017 15:57:26 +0200
++
++389-ds-base (1.3.7.8-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Package python3-lib389 and python3-dirsrvtests.
++ * control: Add python3 depends to 389-ds-base, since it ships a few
++ python scripts.
++
++ -- Timo Aaltonen Tue, 12 Dec 2017 17:32:27 +0200
++
++389-ds-base (1.3.7.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * patches: ftbfs-fix.diff, reproducible-build.diff dropped (upstream)
++ others refreshed.
++ * *.install: Updated.
++
++ -- Timo Aaltonen Wed, 04 Oct 2017 10:33:45 +0300
++
++389-ds-base (1.3.6.7-5) unstable; urgency=medium
++
++ * Move all libs from base to -libs, add B/R. (Closes: #874764)
++
++ -- Timo Aaltonen Thu, 21 Sep 2017 16:44:13 +0300
++
++389-ds-base (1.3.6.7-4) unstable; urgency=medium
++
++ * control, install: Fix library/dev-link installs, add Breaks/Replaces
++ to fit, and drop obsolete B/R.
++
++ -- Timo Aaltonen Wed, 30 Aug 2017 00:19:41 +0300
++
++389-ds-base (1.3.6.7-3) unstable; urgency=medium
++
++ * ftbfs-fix.diff: Fix build. (Closes: #873120)
++
++ -- Timo Aaltonen Mon, 28 Aug 2017 15:09:02 +0300
++
++389-ds-base (1.3.6.7-2) unstable; urgency=medium
++
++ * control: Bump policy to 4.1.0, no changes.
++ * rules: Override dh_missing.
++ * control: Add libltdl-dev to build-depends. (Closes: #872979)
++
++ -- Timo Aaltonen Thu, 24 Aug 2017 12:15:03 +0300
++
++389-ds-base (1.3.6.7-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2017-7551 (Closes: #870752)
++ * fix-tests.diff: Dropped, fixed upstream.
++
++ -- Timo Aaltonen Tue, 22 Aug 2017 16:30:11 +0300
++
++389-ds-base (1.3.6.5-1) experimental; urgency=medium
++
++ * New upstream release.
++ - fix-bsd.patch, support-kfreebsd.patch, fix-48986-cve-2017-2591.diff:
++ Dropped, upstream.
++ * *.install: Updated.
++ * control: Add doxygen, libcmocka-dev, libevent-dev to build-deps.
++ * rules: Enable cmocka tests.
++ * fix-tests.diff: Fix building the tests.
++
++ -- Timo Aaltonen Wed, 10 May 2017 09:38:30 +0300
++
++389-ds-base (1.3.5.17-2) unstable; urgency=medium
++
++ * fix-upstream-49245.diff: Pull commits from upstream 1.3.5.x, which
++ remove rest of the asm code. (Closes: #862194)
++
++ -- Timo Aaltonen Wed, 10 May 2017 09:25:03 +0300
++
++389-ds-base (1.3.5.17-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ - CVE-2017-2668 (Closes: #860125)
++ * watch: Updated.
++
++ -- Timo Aaltonen Tue, 09 May 2017 11:06:14 +0300
++
++389-ds-base (1.3.5.15-2) unstable; urgency=medium
++
++ * fix-48986-cve-2017-2591.diff: Fix upstream ticket 48986,
++ CVE-2017-2591. (Closes: #851769)
++
++ -- Timo Aaltonen Fri, 27 Jan 2017 00:01:53 +0200
++
++389-ds-base (1.3.5.15-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2016-5405 (Closes: #842121)
++
++ -- Timo Aaltonen Wed, 16 Nov 2016 11:01:00 +0200
++
++389-ds-base (1.3.5.14-1) unstable; urgency=medium
++
++ * New upstream release.
++ * postrm: Remove /etc/dirsrv, /var/lib/dirsrv and /var/log/dirsrv on
++ purge.
++ * control: Bump build-dep on libsvrcore-dev to ensure it has support
++ for systemd password agent.
++
++ -- Timo Aaltonen Fri, 28 Oct 2016 01:42:27 +0300
++
++389-ds-base (1.3.5.13-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Bump policy to 3.9.8, no changes.
++ * patches/default_user: Dropped, upstream.
++ * support-non-nss-libldap.diff: Dropped, upstream.
++ * fix-obsolete-target.diff: Updated.
++ * patches: Refreshed.
++ * control: Add libsystemd-dev to build-deps.
++ * control: Add acl to -base depends.
++
++ -- Timo Aaltonen Wed, 12 Oct 2016 11:11:20 +0300
++
++389-ds-base (1.3.4.14-2) unstable; urgency=medium
++
++ * tests: Add simple autopkgtests.
++ * postinst: Start instances after offline update.
++ * control, rules: Drop -dbg packages.
++ * control: Drop conflicts on slapd. (Closes: #822532)
++
++ -- Timo Aaltonen Mon, 03 Oct 2016 17:53:26 +0300
++
++389-ds-base (1.3.4.14-1) unstable; urgency=medium
++
++ * New upstream release.
++ * support-non-nss-libldap.diff: Refreshed.
++
++ -- Timo Aaltonen Mon, 29 Aug 2016 10:17:41 +0300
++
++389-ds-base (1.3.4.9-1) unstable; urgency=medium
++
++ * New upstream release.
++ * support-non-nss-libldap.diff: Support libldap built against gnutls.
++ (LP: #1564179)
++
++ -- Timo Aaltonen Mon, 18 Apr 2016 18:08:14 +0300
++
++389-ds-base (1.3.4.8-4) unstable; urgency=medium
++
++ * use-perl-move.diff: Dropped, 'rename' is more reliable.
++
++ -- Timo Aaltonen Wed, 30 Mar 2016 08:38:24 +0300
++
++389-ds-base (1.3.4.8-3) unstable; urgency=medium
++
++ * use-perl-move.diff: Fix 60upgradeschemafiles.pl to use File::Copy.
++ (Closes: #818578)
++
++ -- Timo Aaltonen Fri, 18 Mar 2016 11:15:23 +0200
++
++389-ds-base (1.3.4.8-2) unstable; urgency=medium
++
++ * postinst: Silence ls and adduser.
++ * Drop the init file, we depend on systemd anyway.
++ * rules: Don't enable dirsrv-snmp.service by default.
++ * postrm: Clean up /var/lib/dirsrv/scripts-* on purge.
++ * user-perl-move.diff: Use move instead of rename during upgrade.
++ (Closes: #775550)
++
++ -- Timo Aaltonen Thu, 17 Mar 2016 08:13:38 +0200
++
++389-ds-base (1.3.4.8-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Timo Aaltonen Mon, 22 Feb 2016 07:58:40 +0200
++
++389-ds-base (1.3.4.5-2) unstable; urgency=medium
++
++ * fix-systemctl-path.diff: Use correct path to /bin/systemctl.
++ (Closes: #779653)
++
++ -- Timo Aaltonen Wed, 09 Dec 2015 08:31:20 +0200
++
++389-ds-base (1.3.4.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * patches: Refreshed.
++
++ -- Timo Aaltonen Wed, 09 Dec 2015 08:14:56 +0200
++
++389-ds-base (1.3.3.13-1) unstable; urgency=medium
++
++ * New upstream release.
++ * control: Add systemd to 389-ds-base Depends. (Closes: #794301)
++ * postrm: Clean target.wants in postrm.
++ * reproducible-build.diff: Make builds reproducible. Thanks, Chris
++ Lamb! (Closes: #799010)
++
++ -- Timo Aaltonen Tue, 20 Oct 2015 14:25:05 +0300
++
++389-ds-base (1.3.3.12-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2015-3230 (Closes: #789202)
++
++ -- Timo Aaltonen Wed, 24 Jun 2015 11:47:50 +0300
++
++389-ds-base (1.3.3.10-1) unstable; urgency=medium
++
++ * New upstream release
++ - fix CVE-2015-1854 (Closes: #783923)
++ * postinst: Stop actual instances instead of 'dirsrv' on upgrade, and
++ use service(8) instead of invoke-rc.d.
++
++ -- Timo Aaltonen Thu, 07 May 2015 07:58:35 +0300
++
++389-ds-base (1.3.3.9-1) experimental; urgency=medium
++
++ * New upstream bugfix release.
++ - Drop cve-2014-8*.diff, upstream.
++
++ -- Timo Aaltonen Thu, 02 Apr 2015 14:47:20 +0300
++
++389-ds-base (1.3.3.5-4) unstable; urgency=medium
++
++ * Security fixes (Closes: #779909)
++ - cve-2014-8105.diff: Fix for CVE-2014-8105
++ - cve-2014-8112.diff: Fix for CVE-2014-8112
++
++ -- Timo Aaltonen Mon, 09 Mar 2015 10:53:03 +0200
++
++389-ds-base (1.3.3.5-3) unstable; urgency=medium
++
++ * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
++ scripts to use bash instead of trying to fix bashisms. (Closes:
++ #772195)
++
++ -- Timo Aaltonen Fri, 16 Jan 2015 15:40:23 +0200
++
++389-ds-base (1.3.3.5-2) unstable; urgency=medium
++
++ * fix-saslpath.diff: Fix SASL library path.
++
++ -- Timo Aaltonen Sat, 25 Oct 2014 01:48:34 +0300
++
++389-ds-base (1.3.3.5-1) unstable; urgency=medium
++
++ * New upstream bugfix release.
++ * control: Bump policy, no changes.
++
++ -- Timo Aaltonen Mon, 20 Oct 2014 09:57:14 +0300
++
++389-ds-base (1.3.3.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Dropped upstreamed patches, refresh others.
++ * control, rules, 389-ds-base.install: Add support for systemd.
++ * fix-obsolete-target.diff: Drop syslog.target from the service files.
++ * 389-ds-base.links: Mask the initscript so that it's not used with systemd.
++
++ -- Timo Aaltonen Mon, 06 Oct 2014 17:13:01 +0300
++
++389-ds-base (1.3.2.23-2) unstable; urgency=medium
++
++ * Team upload.
++ * Add fix-bsd.patch and support-kfreebsd.patch to fix the build failure
++ on kFreeBSD.
++
++ -- Benjamin Drung Wed, 03 Sep 2014 15:32:22 +0200
++
++389-ds-base (1.3.2.23-1) unstable; urgency=medium
++
++ * New bugfix release.
++ * watch: Update the url.
++ * control: Update Vcs-Browser url to use cgit.
++
++ -- Timo Aaltonen Mon, 01 Sep 2014 13:32:59 +0300
++
++389-ds-base (1.3.2.21-1) unstable; urgency=medium
++
++ * New upstream release.
++ - CVE-2014-3562 (Closes: #757437)
++
++ -- Timo Aaltonen Fri, 08 Aug 2014 10:48:55 +0300
++
++389-ds-base (1.3.2.19-1) unstable; urgency=medium
++
++ * New upstream release.
++ * admin_scripts.diff: Updated to fix more bashisms.
++ * watch: Update the url.
++ * Install failedbinds.py and logregex.py scripts.
++ * init: Use status from init-functions.
++ * control: Update my email.
++
++ -- Timo Aaltonen Tue, 08 Jul 2014 15:50:11 +0300
++
++389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
++
++ * Non-maintainer upload.
++ * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
++ * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
++ (Closes: #745821)
++
++ -- Tobias Frost Fri, 25 Apr 2014 15:11:16 +0200
++
++389-ds-base (1.3.2.9-1) unstable; urgency=low
++
++ * New upstream release.
++ - fixes CVE-2013-0336 (Closes: #704077)
++ - fixes CVE-2013-1897 (Closes: #704421)
++ - fixes CVE-2013-2219 (Closes: #718325)
++ - fixes CVE-2013-4283 (Closes: #721222)
++ - fixes CVE-2013-4485 (Closes: #730115)
++ * Drop fix-CVE-2013-0312.diff, upstream.
++ * rules: Add new scripts to rename.
++ * fix-sasl-path.diff: Use a triplet path to find libsasl2. (LP:
++ #1088822)
++ * admin_scripts.diff: Add patch from upstream #47511 to fix bashisms.
++ * control: Add ldap-utils to -base depends.
++ * rules, rename-online-scripts.diff: Some scripts with .pl suffix are
++ meant for an online server, so instead of overwriting the offline
++ scripts use -online suffix.
++ * rules: Enable parallel build, but limit the jobs to 1 for
++ dh_auto_install.
++ * control: Bump policy to 3.9.5, no changes.
++ * rules: Add get-orig-source target.
++ * lintian-overrides: Drop obsolete entries, add comments for the rest.
++
++ -- Timo Aaltonen Mon, 03 Feb 2014 11:08:50 +0200
++
++389-ds-base (1.3.0.3-1) unstable; urgency=low
++
++ * New upstream release.
++ * control: Bump the policy to 3.9.4, no changes.
++ * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.
++
++ -- Timo Aaltonen Mon, 11 Mar 2013 14:23:20 +0200
++
++389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low
++
++ * New upstream release.
++ * watch: Add a comment about the upstream git tree.
++ * fix-cve-2012-4450.diff: Remove, upstream.
++
++ -- Timo Aaltonen Sat, 01 Dec 2012 14:22:13 +0200
++
++389-ds-base (1.2.11.15-1) unstable; urgency=low
++
++ * New upstream release.
++ * Add fix-cve-2012-4450.diff. (Closes: #688942)
++ * dirsrv.init: Fix stop() to remove the pidfile only when the process
++ is finished. (Closes: #689389)
++ * copyright: Update the source url.
++ * control: Drop quilt from build-depends, since using 3.0 (quilt)
++ * lintian-overrides: Add an override for hardening-no-fortify-
++ functions, since it's a false positive in this case.
++ * control: Drop dpkg-dev from build-depends, no need to specify it
++ directly.
++ * copyright: Add myself as a copyright holder for debian/*.
++ * 389-ds-base.prerm: Add 'set -e'.
++ * rules: drop DEB_HOST_MULTIARCH, dh9 handles it.
++
++ -- Timo Aaltonen Wed, 03 Oct 2012 19:33:52 +0300
++
++389-ds-base (1.2.11.7-5) unstable; urgency=low
++
++ * control: Drop debconf-utils and po-debconf from build-depends.
++ * control: Add libnetaddr-ip-perl and libsocket-getaddrinfo-perl to
++ 389-ds-base Depends for ipv6 support. (Closes: #682847)
++
++ -- Timo Aaltonen Mon, 30 Jul 2012 13:12:23 +0200
++
++389-ds-base (1.2.11.7-4) unstable; urgency=low
++
++ * debian/po: Remove, leftover from the template purge. (Closes: #681543)
++
++ -- Timo Aaltonen Thu, 19 Jul 2012 23:12:01 +0300
++
++389-ds-base (1.2.11.7-3) unstable; urgency=low
++
++ * 389-ds-base.config: Removed, the debconf template is no more.
++ (Closes: #680351)
++ * control: Remove duplicate 'the' from the 389-ds description.
++
++ -- Timo Aaltonen Wed, 11 Jul 2012 11:59:36 +0300
++
++389-ds-base (1.2.11.7-2) unstable; urgency=low
++
++ * control: Stop hardcoding libs to binary depends. (Closes: #679790)
++ * control: Add libnspr4-dev and libldap2-dev to 389-ds-base-dev
++ Depends. (Closes: #679742)
++ * l10n review (Closes: #679870) :
++ - Drop the debconf template, and rewrap README.Debian.
++ - control: Update the descriptions
++
++ -- Timo Aaltonen Tue, 03 Jul 2012 17:58:20 +0300
++
++389-ds-base (1.2.11.7-1) unstable; urgency=low
++
++ [ Timo Aaltonen ]
++ * New upstream release.
++ * watch: Fix the url.
++ * patches/remove_license_prompt: Dropped, included upstream.
++ * patches/default_user: Refreshed.
++ * control: Change the VCS header to point to the git repository.
++ * control: Rename last remnants of Fedora to 389.
++ * changelog, control: Be consistent with the naming; renamed the source
++ to just '389-ds-base', which matches upstream tarball naming.
++ * control: Wrap Depends.
++ * compat, control: Bump compat to 9, and debhelper build-dep to (>= 9).
++ * rules: Switch to dh.
++ * Move dirsrv.lintian to dirsrv.lintian-overrides, adjust dirsrv.install.
++ * *.dirs: Clean up.
++ * control: Build-depend on dh-autoreconf, drop duplicate bdeps.
++ * Fold dirsrv-tools into the main package.
++ * Build against libldap2-dev (>= 2.4.28).
++ * Rename binary package to 389-ds-base.
++ * -dev.install: Install the pkgconfig file.
++ * rules: Enable PIE hardening.
++ * Add a default file, currently sets LD_BIND_NOW=1.
++ * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
++ dependency to 389-ds-base.
++ * rules: Add --fail-missing for dh_install, remove files not needed
++ and make sure to install the rest.
++ * rules, control: Fix the installation name of ds-logpipe.py, add
++ python dependency to 389-ds-base..
++ * libns-dshttpd is internal to the server, ship it in 389-ds-base.
++ * Rename libdirsrv{-dev,0} -> 389-ds-base-{dev,libs}, includes only
++ libslapd and headers for external plugin development.
++ * control: Breaks/Replaces old libdirsrv-dev/libdirsrv0/dirsrv.
++ * Drop hyphen_used_as_minus, applied upstream.
++ * copyright: Use DEP5 format.
++ * Cherry-pick upstream commit ee320163c6 to get rid of unnecessary
++ and non-free MIB's from the tree, and build a dfsg compliant tarball.
++ * lintian-overrides: Update, create one for -libs.
++ * Fix the initscript to create the lockdir, and refactor code into separate
++ functions.
++ * Drop obsolete entries from copyright, and make it lintian clean.
++ * debian/po: Refer to the correct file after rename.
++ * control: Bump Standards-Version to 3.9.3, no changes.
++ * postinst: Drop unused 'lastversion'.
++ * patches: Add DEP3 compliant headers.
++ * rules, postinst: Add an error handler function for dh_installinit, so
++ that clean installs don't fail due to missing configuration.
++ * postinst: Run the update tool.
++ * dirsrv.init:
++ - Make the start and stop functions much simpler and LSB compliant
++ - Fix starting multiple instances
++ - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach properly
++ * control: Add 389-ds metapackage.
++ * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
++ supports db5.x.
++ * 389-ds-base.prerm: Add prerm script for removing installed instances on
++ purge.
++
++ [ Krzysztof Klimonda ]
++ * dirsrv.init:
++ - return 0 code if there are no instances configured and tweak message
++ so it doesn't indicate a failure.
++
++ -- Krzysztof Klimonda Tue, 27 Mar 2012 14:26:16 +0200
++
++389-directory-server (1.2.6.1-5) unstable; urgency=low
++
++ * Removed db_stop from dirsrv.postinst
++ * Fix short description in libdirsrv0-dbg
++
++ -- Michele Baldessari Wed, 20 Oct 2010 20:24:20 +0200
++
++389-directory-server (1.2.6.1-4) unstable; urgency=low
++
++ * Make libicu dep dependent on dpkg-vendor
++
++ -- Michele Baldessari Mon, 18 Oct 2010 21:21:52 +0200
++
++389-directory-server (1.2.6.1-3) unstable; urgency=low
++
++ * Remove dirsrv user and group in postrm
++ * Clean up postrm and postinst
++
++ -- Michele Baldessari Sun, 17 Oct 2010 21:54:08 +0200
++
++389-directory-server (1.2.6.1-2) unstable; urgency=low
++
++ * Fix QUILT_STAMPFN
++
++ -- Michele Baldessari Sun, 17 Oct 2010 15:03:34 +0200
++
++389-directory-server (1.2.6.1-1) unstable; urgency=low
++
++ * New upstream
++
++ -- Michele Baldessari Sat, 16 Oct 2010 23:08:09 +0200
++
++389-directory-server (1.2.6-2) unstable; urgency=low
++
++ * Update my email address
++
++ -- Michele Baldessari Sat, 16 Oct 2010 22:34:19 +0200
++
++389-directory-server (1.2.6-1) unstable; urgency=low
++
++ * New upstream
++ * s/Fedora/389/g to clean up the branding
++ * Remove automatic configuration (breaks too often with every update)
++ * Remove dirsrv.config translation, no questions are asked anymore
++ * Fix old changelog versions with proper ~ on rc versions
++ * Update policy to 3.9.1
++ * Improve README.Debian
++ * Depend on libicu44
++ * Remove /var/run/dirsrv from the postinst scripts (managed by init script)
++
++ -- Michele Baldessari Sat, 04 Sep 2010 11:58:21 +0200
++
++389-directory-server (1.2.6~rc7-1) unstable; urgency=low
++
++ * New upstream
++
++ -- Michele Baldessari Fri, 03 Sep 2010 20:06:08 +0200
++
++389-directory-server (1.2.6~a3-1) unstable; urgency=low
++
++ * New upstream
++ * Rename man page remove-ds.pl in remove-ds
++ * Removed Debian.source
++
++ -- Michele Baldessari Sun, 23 May 2010 22:12:13 +0200
++
++389-directory-server (1.2.6~a2-1) unstable; urgency=low
++
++ * New upstream
++ * Removed speling_fixes patch, applied upstream
++
++ -- Michele Baldessari Sun, 23 May 2010 13:36:25 +0200
++
++389-directory-server (1.2.5-1) unstable; urgency=low
++
++ * New upstream
++ * Add libpcre3-dev Build-dep
++ * ldap-agent moved ti /usr/sbin
++ * Fix spelling errors in code and manpages
++ * Fix some lintian warnings
++ * Bump policy to 3.8.3
++ * Ignore lintian warning pkg-has-shlibs-control-file-but-no-actual-shared-libs
++ as the shlibs file is for dirsrv plugins
++ * Upgraded deps to libicu42 and libdb4.8
++ * Do create /var/lib/dirsrv as dirsrv user's home
++ * Added libsasl2-modules-gssapi-mit as a dependency for dirsrv (needed by
++ mandatory LDAP SASL mechs)
++ * Install all files of etc/dirsrv/config
++ * Add some missing start scripts in usr/sbin
++ * Fixed a bug in the dirsrv.init script
++ * Switch to dpkg-source 3.0 (quilt) format
++ * Bump policy to 3.8.4
++
++ -- Michele Baldessari Sun, 23 May 2010 12:31:24 +0200
++
++389-directory-server (1.2.1-0) unstable; urgency=low
++
++ * Rename of source package (note, since this is still staging work no
++ replace or upgrade is in place)
++ * Update watch file
++ * New Upstream
++
++ -- Michele Baldessari Fri, 12 Jun 2009 22:08:42 +0200
++
++fedora-directory-server (1.2.0-1) unstable; urgency=low
++
++ * New upstream release
++ * Add missing libkrb5-dev dependency
++ * Fix section of -dbg packages
++ * Fix all "dpatch-missing-description" lintian warnings
++
++ -- Michele Baldessari Wed, 22 Apr 2009 23:36:22 +0200
++
++fedora-directory-server (1.1.3-1) unstable; urgency=low
++
++ * New upstream
++ * Added watch file
++ * Make setup-ds use dirsrv:dirsrv user/group as defaults
++ * Added VCS-* fields
++ * --enable-autobind
++ * Add ldap/servers/plugins/replication/winsync-plugin.h to libdirsrv-dev
++
++ -- Michele Baldessari Mon, 24 Nov 2008 22:42:26 +0100
++
++fedora-directory-server (1.1.2-2) unstable; urgency=low
++
++ * Fixed build+configure twice issue
++ * Added Conflicts: slapd (thanks Alessandro)
++
++ -- Michele Baldessari Tue, 23 Sep 2008 21:12:44 +0200
++
++fedora-directory-server (1.1.2-1) unstable; urgency=low
++
++ * New upstream
++ * Removed /usr/sbin PATH from postinst script
++
++ -- Michele Baldessari Sat, 20 Sep 2008 20:10:52 +0000
++
++fedora-directory-server (1.1.1-0) unstable; urgency=low
++
++ * New upstream
++ * Don't apply patch for 439829, fixed upstream
++ * Bump to policy 3.8.0
++ * Added README.source
++
++ -- Michele Baldessari Fri, 22 Aug 2008 00:09:40 +0200
++
++fedora-directory-server (1.1.0-4) unstable; urgency=low
++
++ * dirsrv should depend on libmozilla-ldap-perl (thanks Mathias Kaufmann
++ )
++
++ -- Michele Baldessari Sun, 20 Jul 2008 18:41:58 +0200
++
++fedora-directory-server (1.1.0-3) unstable; urgency=low
++
++ * Fix up some descriptions
++
++ -- Michele Baldessari Sun, 25 May 2008 21:36:32 +0200
++
++fedora-directory-server (1.1.0-2) unstable; urgency=low
++
++ * Silenced init warning messages when chowning pid directory
++
++ -- Michele Baldessari Wed, 21 May 2008 23:08:32 +0200
++
++fedora-directory-server (1.1.0-1) unstable; urgency=low
++
++ * Removed template lintian warning
++ * Cleaned up manpages
++
++ -- Michele Baldessari Sun, 18 May 2008 13:39:58 +0200
++
++fedora-directory-server (1.1.0-0) unstable; urgency=low
++
++ * Initial release (Closes: #497098).
++ * Fixed postinst after renaming setup-ds.pl to setup-ds
++ * Applied patch from https://bugzilla.redhat.com/show_bug.cgi?id=439829 to
++ fix segfault against late NSS versions
++ * Switched to parseable copyright format
++ * Source package is lintian clean now
++ * Added initial manpage patch
++ * Switched to dh_install
++
++ -- Michele Baldessari Thu, 27 Mar 2008 23:56:17 +0200
diff --cc debian/cockpit-389-ds.install
index 0000000,0000000..d3f77dc
new file mode 100644
--- /dev/null
+++ b/debian/cockpit-389-ds.install
@@@ -1,0 -1,0 +1,2 @@@
++usr/share/cockpit/389-console/
++usr/share/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
diff --cc debian/control
index 0000000,0000000..e9597ba
new file mode 100644
--- /dev/null
+++ b/debian/control
@@@ -1,0 -1,0 +1,181 @@@
++Source: 389-ds-base
++Section: net
++Priority: optional
++Maintainer: Debian FreeIPA Team
++Uploaders:
++ Timo Aaltonen ,
++Build-Depends:
++ libcmocka-dev,
++ debhelper-compat (= 13),
++ dh-python,
++ doxygen,
++ libbz2-dev,
++ libcrack2-dev,
++ libdb-dev,
++ libevent-dev,
++ libicu-dev,
++ libkrb5-dev,
++ libldap2-dev (>= 2.4.28),
++ libltdl-dev,
++ libnspr4-dev,
++ libnss3-dev,
++ libpam0g-dev,
++ libpci-dev,
++ libpcre3-dev,
++ libperl-dev,
++ libsasl2-dev,
++ libsnmp-dev,
++ libssl-dev,
++ libsystemd-dev,
++ pkg-config,
++ python3-all-dev,
++ python3-argcomplete,
++ python3-argparse-manpage,
++ python3-dateutil,
++ python3-ldap,
++ python3-packaging,
++ python3-selinux,
++ python3-sepolicy,
++ python3-setuptools,
++ rsync,
++ zlib1g-dev,
++Standards-Version: 4.6.0
++Vcs-Git: https://salsa.debian.org/freeipa-team/389-ds-base.git
++Vcs-Browser: https://salsa.debian.org/freeipa-team/389-ds-base
++Homepage: https://directory.fedoraproject.org
++
++Package: 389-ds
++Architecture: all
++Depends:
++ 389-ds-base,
++ cockpit-389-ds,
++ ${misc:Depends},
++Description: 389 Directory Server suite - metapackage
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This is a metapackage depending on the LDAPv3 server and a Cockpit UI plugin
++ for administration.
++
++Package: 389-ds-base-libs
++Section: libs
++Architecture: any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${misc:Depends}, ${shlibs:Depends},
++ libjemalloc2,
++Breaks: 389-ds-base (<< 1.3.6.7-5),
++ 389-ds-base-dev (<< 1.3.6.7-4),
++ libsvrcore0,
++Replaces: 389-ds-base (<< 1.3.6.7-5),
++ 389-ds-base-dev (<< 1.3.6.7-4),
++ libsvrcore0,
++Description: 389 Directory Server suite - libraries
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This package contains core libraries for the 389 Directory Server.
++
++Package: 389-ds-base-dev
++Section: libdevel
++Architecture: any
++Multi-Arch: same
++Depends:
++ 389-ds-base-libs (= ${binary:Version}),
++ libldap2-dev,
++ libnspr4-dev,
++ ${misc:Depends},
++ ${shlibs:Depends},
++Breaks: 389-ds-base (<< 1.3.6.7-4),
++ libsvrcore-dev,
++Replaces: 389-ds-base (<< 1.3.6.7-4),
++ libsvrcore-dev,
++Provides:
++ libsvrcore-dev,
++Description: 389 Directory Server suite - development files
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ This package contains development headers for the core libraries
++ of the 389 Directory Server, useful for developing plugins without
++ having to install the server itself.
++
++Package: 389-ds-base
++Architecture: any
++Pre-Depends: debconf (>= 0.5) | debconf-2.0
++Depends:
++ 389-ds-base-libs (= ${binary:Version}),
++ adduser,
++ acl,
++ ldap-utils,
++ libmozilla-ldap-perl,
++ libnetaddr-ip-perl,
++ libsocket-getaddrinfo-perl,
++ libsasl2-modules-gssapi-mit,
++ perl,
++ python3-lib389,
++ python3-selinux,
++ python3-semanage,
++ python3-sepolicy,
++ systemd,
++ ${misc:Depends},
++ ${shlibs:Depends},
++ ${python3:Depends},
++Replaces: 389-ds-base-legacy-tools
++Description: 389 Directory Server suite - server
++ Based on the Lightweight Directory Access Protocol (LDAP), the 389
++ Directory Server is designed to manage large directories of users and
++ resources robustly and scalably.
++ .
++ Its key features include:
++ * four-way multi-master replication;
++ * great scalability;
++ * extensive documentation;
++ * Active Directory user and group synchronization;
++ * secure authentication and transport;
++ * support for LDAPv3;
++ * graphical management console;
++ * on-line, zero downtime update of schema, configuration, and
++ in-tree Access Control Information.
++
++Package: python3-lib389
++Architecture: all
++Depends: ${misc:Depends}, ${python3:Depends},
++ libnss3-tools,
++ openssl,
++ python3-argcomplete,
++ python3-dateutil,
++ python3-ldap,
++ python3-packaging,
++ python3-pyasn1,
++ python3-pyasn1-modules,
++ python3-pytest,
++Conflicts: python-lib389 (<< 1.3.7.8),
++ 389-ds-base (<< 1.4.0.18-1~),
++Replaces: python-lib389 (<< 1.3.7.8),
++ 389-ds-base (<< 1.4.0.18-1~),
++Description: Python3 module for accessing and configuring the 389 Directory Server
++ This Python3 module contains tools and libraries for accessing, testing,
++ and configuring the 389 Directory Server.
++
++Package: cockpit-389-ds
++Architecture: all
++Multi-Arch: foreign
++Depends: ${misc:Depends},
++ cockpit,
++ libjs-bootstrap,
++ libjs-c3,
++ libjs-d3,
++ libjs-jquery-datatables,
++ libjs-jquery-datatables-extensions,
++ libjs-jquery-jstree,
++ libjs-moment,
++ libnss3-tools,
++ python3,
++ python3-lib389,
++Description: Cockpit user interface for 389 Directory Server
++ This package includes a Cockpit UI plugin for configuring and administering
++ the 389 Directory Server.
diff --cc debian/copyright
index 0000000,0000000..87df3aa
new file mode 100644
--- /dev/null
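Review bot: In debian/control the `python3-lib389` stanza lists `python3-pytest` under Depends, and both `389-ds-base` and `cockpit-389-ds` depend on `python3-lib389`, so every directory-server install pulls in a test framework it presumably does not need at runtime. If only lib389's test helpers import pytest, move it out of the hard dependencies, e.g. `Suggests: python3-pytest`, to keep the installed footprint on LDAP hosts small. Separately, the `389-ds-base` stanza keeps `Pre-Depends: debconf (>= 0.5) | debconf-2.0` although the 1.2.11.7-3 changelog entry says the debconf template was removed. The maintainer scripts are not visible here, so confirm they still use debconf before keeping a Pre-Depends.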
+++ b/debian/copyright @@@ -1,0 -1,0 +1,575 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-name: 389-ds-base ++Source: http://directory.fedoraproject.org/wiki/Source ++ ++Files: * ++Copyright: 2001 Sun Microsystems, Inc. ++ 2005 Red Hat, Inc. ++License: GPL-3+ and Other ++ ++Files: ldap/libraries/libavl/*.[ch] ldap/servers/slapd/abandon.c ++ ldap/servers/slapd/add.c ldap/servers/slapd/bind.c ++ ldap/servers/slapd/bulk_import.c ldap/servers/slapd/compare.c ++ ldap/servers/slapd/delete.c ldap/servers/slapd/detach.c ++ ldap/servers/slapd/globals.c ldap/servers/slapd/modify.c ++ ldap/servers/slapd/modrdn.c ldap/servers/slapd/monitor.c ++ ldap/servers/slapd/search.c ldap/servers/slapd/unbind.c ++Copyright: 1993 Regents of the University of Michigan ++ 2001 Sun Microsystems, Inc. ++ 2005 Red Hat, Inc. ++License: GPL-3+ and Other ++ ++Files: ldap/servers/slapd/tools/ldaptool.h ++Copyright: 1998 Netscape Communication Corporation ++License: GPL-2+ or LGPL-2.1 or MPL-1.1 ++ ++Files: ldap/servers/slapd/tools/ldaptool-sasl.c ++ ldap/servers/slapd/tools/ldaptool-sasl.h ++Copyright: 2005 Sun Microsystems, Inc. ++License: GPL-2+ or LGPL-2.1 or MPL-1.1 ++ ++Files: m4/* ++Copyright: 2006-2017 Red Hat, Inc. ++ 2016 William Brown ++License: GPL-3+ ++ ++Files: src/svrcore/* ++Copyright: 2016 Red Hat, Inc. ++License: MPL-2.0 ++ ++Files: debian/* ++Copyright: 2008 Michele Baldessari ++ 2012 Timo Aaltonen ++License: GPL-2+ or LGPL-2.1 or MPL-1.1 ++ ++License: Other ++ In addition, as a special exception, Red Hat, Inc. gives You the additional ++ right to link the code of this Program with code not covered under the GNU ++ General Public License ("Non-GPL Code") and to distribute linked combinations ++ including the two, subject to the limitations in this paragraph. 
Non-GPL Code ++ permitted under this exception must only link to the code of this Program ++ through those well defined interfaces identified in the file named EXCEPTION ++ found in the source code files (the "Approved Interfaces"). The files of ++ Non-GPL Code may instantiate templates or use macros or inline functions from ++ the Approved Interfaces without causing the resulting work to be covered by ++ the GNU General Public License. Only Red Hat, Inc. may make changes or ++ additions to the list of Approved Interfaces. You must obey the GNU General ++ Public License in all respects for all of the Program code and other code used ++ in conjunction with the Program except the Non-GPL Code covered by this ++ exception. If you modify this file, you may extend this exception to your ++ version of the file, but you are not obligated to do so. If you do not wish to ++ provide this exception without modification, you must delete this exception ++ statement from your version and license this file solely under the GPL without ++ exception. ++ ++License: BSD-3-clause ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions are met: ++ . ++ * Redistributions of source code must retain the above copyright notice, this ++ list of conditions and the following disclaimer. ++ * Redistributions in binary form must reproduce the above copyright notice, ++ this list of conditions and the following disclaimer in the documentation ++ and/or other materials provided with the distribution. ++ * Neither the name of the Dojo Foundation nor the names of its contributors ++ may be used to endorse or promote products derived from this software ++ without specific prior written permission. ++ . 
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED ++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE ++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER ++ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, ++ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++ ++License: GPL-2 or GPL-2+ ++ On Debian machines the full text of the GNU General Public License ++ can be found in the file /usr/share/common-licenses/GPL-2. ++ ++License: GPL-3+ ++ On Debian machines the full text of the GNU General Public License v3 ++ can be found in the file /usr/share/common-licenses/GPL-3. ++ ++License: LGPL-2.1 ++ On Debian machines the full text of the GNU General Public License ++ can be found in the file /usr/share/common-licenses/LGPL-2.1. ++ ++License: MPL-1.1 ++ MOZILLA PUBLIC LICENSE ++ Version 1.1 ++ . ++ --------------- ++ . ++ 1. Definitions. ++ . ++ 1.0.1. "Commercial Use" means distribution or otherwise making the ++ Covered Code available to a third party. ++ . ++ 1.1. "Contributor" means each entity that creates or contributes to ++ the creation of Modifications. ++ . ++ 1.2. "Contributor Version" means the combination of the Original ++ Code, prior Modifications used by a Contributor, and the Modifications ++ made by that particular Contributor. ++ . ++ 1.3. "Covered Code" means the Original Code or Modifications or the ++ combination of the Original Code and Modifications, in each case ++ including portions thereof. ++ . ++ 1.4. 
"Electronic Distribution Mechanism" means a mechanism generally ++ accepted in the software development community for the electronic ++ transfer of data. ++ . ++ 1.5. "Executable" means Covered Code in any form other than Source ++ Code. ++ . ++ 1.6. "Initial Developer" means the individual or entity identified ++ as the Initial Developer in the Source Code notice required by Exhibit ++ A. ++ . ++ 1.7. "Larger Work" means a work which combines Covered Code or ++ portions thereof with code not governed by the terms of this License. ++ . ++ 1.8. "License" means this document. ++ . ++ 1.8.1. "Licensable" means having the right to grant, to the maximum ++ extent possible, whether at the time of the initial grant or ++ subsequently acquired, any and all of the rights conveyed herein. ++ . ++ 1.9. "Modifications" means any addition to or deletion from the ++ substance or structure of either the Original Code or any previous ++ Modifications. When Covered Code is released as a series of files, a ++ Modification is: ++ A. Any addition to or deletion from the contents of a file ++ containing Original Code or previous Modifications. ++ . ++ B. Any new file that contains any part of the Original Code or ++ previous Modifications. ++ . ++ 1.10. "Original Code" means Source Code of computer software code ++ which is described in the Source Code notice required by Exhibit A as ++ Original Code, and which, at the time of its release under this ++ License is not already Covered Code governed by this License. ++ . ++ 1.10.1. "Patent Claims" means any patent claim(s), now owned or ++ hereafter acquired, including without limitation, method, process, ++ and apparatus claims, in any patent Licensable by grantor. ++ . ++ 1.11. 
"Source Code" means the preferred form of the Covered Code for ++ making modifications to it, including all modules it contains, plus ++ any associated interface definition files, scripts used to control ++ compilation and installation of an Executable, or source code ++ differential comparisons against either the Original Code or another ++ well known, available Covered Code of the Contributor's choice. The ++ Source Code can be in a compressed or archival form, provided the ++ appropriate decompression or de-archiving software is widely available ++ for no charge. ++ . ++ 1.12. "You" (or "Your") means an individual or a legal entity ++ exercising rights under, and complying with all of the terms of, this ++ License or a future version of this License issued under Section 6.1. ++ For legal entities, "You" includes any entity which controls, is ++ controlled by, or is under common control with You. For purposes of ++ this definition, "control" means (a) the power, direct or indirect, ++ to cause the direction or management of such entity, whether by ++ contract or otherwise, or (b) ownership of more than fifty percent ++ (50%) of the outstanding shares or beneficial ownership of such ++ entity. ++ . ++ 2. Source Code License. ++ . ++ 2.1. The Initial Developer Grant. ++ The Initial Developer hereby grants You a world-wide, royalty-free, ++ non-exclusive license, subject to third party intellectual property ++ claims: ++ (a) under intellectual property rights (other than patent or ++ trademark) Licensable by Initial Developer to use, reproduce, ++ modify, display, perform, sublicense and distribute the Original ++ Code (or portions thereof) with or without Modifications, and/or ++ as part of a Larger Work; and ++ . ++ (b) under Patents Claims infringed by the making, using or ++ selling of Original Code, to make, have made, use, practice, ++ sell, and offer for sale, and/or otherwise dispose of the ++ Original Code (or portions thereof). ++ . 
++ (c) the licenses granted in this Section 2.1(a) and (b) are ++ effective on the date Initial Developer first distributes ++ Original Code under the terms of this License. ++ . ++ (d) Notwithstanding Section 2.1(b) above, no patent license is ++ granted: 1) for code that You delete from the Original Code; 2) ++ separate from the Original Code; or 3) for infringements caused ++ by: i) the modification of the Original Code or ii) the ++ combination of the Original Code with other software or devices. ++ . ++ 2.2. Contributor Grant. ++ Subject to third party intellectual property claims, each Contributor ++ hereby grants You a world-wide, royalty-free, non-exclusive license ++ . ++ (a) under intellectual property rights (other than patent or ++ trademark) Licensable by Contributor, to use, reproduce, modify, ++ display, perform, sublicense and distribute the Modifications ++ created by such Contributor (or portions thereof) either on an ++ unmodified basis, with other Modifications, as Covered Code ++ and/or as part of a Larger Work; and ++ . ++ (b) under Patent Claims infringed by the making, using, or ++ selling of Modifications made by that Contributor either alone ++ and/or in combination with its Contributor Version (or portions ++ of such combination), to make, use, sell, offer for sale, have ++ made, and/or otherwise dispose of: 1) Modifications made by that ++ Contributor (or portions thereof); and 2) the combination of ++ Modifications made by that Contributor with its Contributor ++ Version (or portions of such combination). ++ . ++ (c) the licenses granted in Sections 2.2(a) and 2.2(b) are ++ effective on the date Contributor first makes Commercial Use of ++ the Covered Code. ++ . 
++ (d) Notwithstanding Section 2.2(b) above, no patent license is ++ granted: 1) for any code that Contributor has deleted from the ++ Contributor Version; 2) separate from the Contributor Version; ++ 3) for infringements caused by: i) third party modifications of ++ Contributor Version or ii) the combination of Modifications made ++ by that Contributor with other software (except as part of the ++ Contributor Version) or other devices; or 4) under Patent Claims ++ infringed by Covered Code in the absence of Modifications made by ++ that Contributor. ++ . ++ 3. Distribution Obligations. ++ . ++ 3.1. Application of License. ++ The Modifications which You create or to which You contribute are ++ governed by the terms of this License, including without limitation ++ Section 2.2. The Source Code version of Covered Code may be ++ distributed only under the terms of this License or a future version ++ of this License released under Section 6.1, and You must include a ++ copy of this License with every copy of the Source Code You ++ distribute. You may not offer or impose any terms on any Source Code ++ version that alters or restricts the applicable version of this ++ License or the recipients' rights hereunder. However, You may include ++ an additional document offering the additional rights described in ++ Section 3.5. ++ . ++ 3.2. Availability of Source Code. ++ Any Modification which You create or to which You contribute must be ++ made available in Source Code form under the terms of this License ++ either on the same media as an Executable version or via an accepted ++ Electronic Distribution Mechanism to anyone to whom you made an ++ Executable version available; and if made available via Electronic ++ Distribution Mechanism, must remain available for at least twelve (12) ++ months after the date it initially became available, or at least six ++ (6) months after a subsequent version of that particular Modification ++ has been made available to such recipients. 
You are responsible for ++ ensuring that the Source Code version remains available even if the ++ Electronic Distribution Mechanism is maintained by a third party. ++ . ++ 3.3. Description of Modifications. ++ You must cause all Covered Code to which You contribute to contain a ++ file documenting the changes You made to create that Covered Code and ++ the date of any change. You must include a prominent statement that ++ the Modification is derived, directly or indirectly, from Original ++ Code provided by the Initial Developer and including the name of the ++ Initial Developer in (a) the Source Code, and (b) in any notice in an ++ Executable version or related documentation in which You describe the ++ origin or ownership of the Covered Code. ++ . ++ 3.4. Intellectual Property Matters ++ (a) Third Party Claims. ++ If Contributor has knowledge that a license under a third party's ++ intellectual property rights is required to exercise the rights ++ granted by such Contributor under Sections 2.1 or 2.2, ++ Contributor must include a text file with the Source Code ++ distribution titled "LEGAL" which describes the claim and the ++ party making the claim in sufficient detail that a recipient will ++ know whom to contact. If Contributor obtains such knowledge after ++ the Modification is made available as described in Section 3.2, ++ Contributor shall promptly modify the LEGAL file in all copies ++ Contributor makes available thereafter and shall take other steps ++ (such as notifying appropriate mailing lists or newsgroups) ++ reasonably calculated to inform those who received the Covered ++ Code that new knowledge has been obtained. ++ . ++ (b) Contributor APIs. ++ If Contributor's Modifications include an application programming ++ interface and Contributor has knowledge of patent licenses which ++ are reasonably necessary to implement that API, Contributor must ++ also include this information in the LEGAL file. ++ . ++ (c) Representations. 
++ Contributor represents that, except as disclosed pursuant to ++ Section 3.4(a) above, Contributor believes that Contributor's ++ Modifications are Contributor's original creation(s) and/or ++ Contributor has sufficient rights to grant the rights conveyed by ++ this License. ++ . ++ 3.5. Required Notices. ++ You must duplicate the notice in Exhibit A in each file of the Source ++ Code. If it is not possible to put such notice in a particular Source ++ Code file due to its structure, then You must include such notice in a ++ location (such as a relevant directory) where a user would be likely ++ to look for such a notice. If You created one or more Modification(s) ++ You may add your name as a Contributor to the notice described in ++ Exhibit A. You must also duplicate this License in any documentation ++ for the Source Code where You describe recipients' rights or ownership ++ rights relating to Covered Code. You may choose to offer, and to ++ charge a fee for, warranty, support, indemnity or liability ++ obligations to one or more recipients of Covered Code. However, You ++ may do so only on Your own behalf, and not on behalf of the Initial ++ Developer or any Contributor. You must make it absolutely clear than ++ any such warranty, support, indemnity or liability obligation is ++ offered by You alone, and You hereby agree to indemnify the Initial ++ Developer and every Contributor for any liability incurred by the ++ Initial Developer or such Contributor as a result of warranty, ++ support, indemnity or liability terms You offer. ++ . ++ 3.6. Distribution of Executable Versions. ++ You may distribute Covered Code in Executable form only if the ++ requirements of Section 3.1-3.5 have been met for that Covered Code, ++ and if You include a notice stating that the Source Code version of ++ the Covered Code is available under the terms of this License, ++ including a description of how and where You have fulfilled the ++ obligations of Section 3.2. 
The notice must be conspicuously included ++ in any notice in an Executable version, related documentation or ++ collateral in which You describe recipients' rights relating to the ++ Covered Code. You may distribute the Executable version of Covered ++ Code or ownership rights under a license of Your choice, which may ++ contain terms different from this License, provided that You are in ++ compliance with the terms of this License and that the license for the ++ Executable version does not attempt to limit or alter the recipient's ++ rights in the Source Code version from the rights set forth in this ++ License. If You distribute the Executable version under a different ++ license You must make it absolutely clear that any terms which differ ++ from this License are offered by You alone, not by the Initial ++ Developer or any Contributor. You hereby agree to indemnify the ++ Initial Developer and every Contributor for any liability incurred by ++ the Initial Developer or such Contributor as a result of any such ++ terms You offer. ++ . ++ 3.7. Larger Works. ++ You may create a Larger Work by combining Covered Code with other code ++ not governed by the terms of this License and distribute the Larger ++ Work as a single product. In such a case, You must make sure the ++ requirements of this License are fulfilled for the Covered Code. ++ . ++ 4. Inability to Comply Due to Statute or Regulation. ++ . ++ If it is impossible for You to comply with any of the terms of this ++ License with respect to some or all of the Covered Code due to ++ statute, judicial order, or regulation then You must: (a) comply with ++ the terms of this License to the maximum extent possible; and (b) ++ describe the limitations and the code they affect. Such description ++ must be included in the LEGAL file described in Section 3.4 and must ++ be included with all distributions of the Source Code. 
Except to the ++ extent prohibited by statute or regulation, such description must be ++ sufficiently detailed for a recipient of ordinary skill to be able to ++ understand it. ++ . ++ 5. Application of this License. ++ . ++ This License applies to code to which the Initial Developer has ++ attached the notice in Exhibit A and to related Covered Code. ++ . ++ 6. Versions of the License. ++ . ++ 6.1. New Versions. ++ Netscape Communications Corporation ("Netscape") may publish revised ++ and/or new versions of the License from time to time. Each version ++ will be given a distinguishing version number. ++ . ++ 6.2. Effect of New Versions. ++ Once Covered Code has been published under a particular version of the ++ License, You may always continue to use it under the terms of that ++ version. You may also choose to use such Covered Code under the terms ++ of any subsequent version of the License published by Netscape. No one ++ other than Netscape has the right to modify the terms applicable to ++ Covered Code created under this License. ++ . ++ 6.3. Derivative Works. ++ If You create or use a modified version of this License (which you may ++ only do in order to apply it to code which is not already Covered Code ++ governed by this License), You must (a) rename Your license so that ++ the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", ++ "MPL", "NPL" or any confusingly similar phrase do not appear in your ++ license (except to note that your license differs from this License) ++ and (b) otherwise make it clear that Your version of the license ++ contains terms which differ from the Mozilla Public License and ++ Netscape Public License. (Filling in the name of the Initial ++ Developer, Original Code or Contributor in the notice described in ++ Exhibit A shall not of themselves be deemed to be modifications of ++ this License.) ++ . ++ 7. DISCLAIMER OF WARRANTY. ++ . 
++ COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS,
++ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
++ WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF
++ DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
++ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE
++ IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT,
++ YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE
++ COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
++ OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF
++ ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
++ .
++ 8. TERMINATION.
++ .
++ 8.1. This License and the rights granted hereunder will terminate
++ automatically if You fail to comply with terms herein and fail to cure
++ such breach within 30 days of becoming aware of the breach. All
++ sublicenses to the Covered Code which are properly granted shall
++ survive any termination of this License. Provisions which, by their
++ nature, must remain in effect beyond the termination of this License
++ shall survive.
++ .
++ 8.2. If You initiate litigation by asserting a patent infringement
++ claim (excluding declatory judgment actions) against Initial Developer
++ or a Contributor (the Initial Developer or Contributor against whom
++ You file such action is referred to as "Participant") alleging that:
++ .
++ (a) such Participant's Contributor Version directly or indirectly
++ infringes any patent, then any and all rights granted by such
++ Participant to You under Sections 2.1 and/or 2.2 of this License
++ shall, upon 60 days notice from Participant terminate prospectively,
++ unless if within 60 days after receipt of notice You either: (i)
++ agree in writing to pay Participant a mutually agreeable reasonable
++ royalty for Your past and future use of Modifications made by such
++ Participant, or (ii) withdraw Your litigation claim with respect to
++ the Contributor Version against such Participant. If within 60 days
++ of notice, a reasonable royalty and payment arrangement are not
++ mutually agreed upon in writing by the parties or the litigation claim
++ is not withdrawn, the rights granted by Participant to You under
++ Sections 2.1 and/or 2.2 automatically terminate at the expiration of
++ the 60 day notice period specified above.
++ .
++ (b) any software, hardware, or device, other than such Participant's
++ Contributor Version, directly or indirectly infringes any patent, then
++ any rights granted to You by such Participant under Sections 2.1(b)
++ and 2.2(b) are revoked effective as of the date You first made, used,
++ sold, distributed, or had made, Modifications made by that
++ Participant.
++ .
++ 8.3. If You assert a patent infringement claim against Participant
++ alleging that such Participant's Contributor Version directly or
++ indirectly infringes any patent where such claim is resolved (such as
++ by license or settlement) prior to the initiation of patent
++ infringement litigation, then the reasonable value of the licenses
++ granted by such Participant under Sections 2.1 or 2.2 shall be taken
++ into account in determining the amount or value of any payment or
++ license.
++ .
++ 8.4. In the event of termination under Sections 8.1 or 8.2 above,
++ all end user license agreements (excluding distributors and resellers)
++ which have been validly granted by You or any distributor hereunder
++ prior to termination shall survive termination.
++ .
++ 9. LIMITATION OF LIABILITY.
++ .
++ UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT
++ (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL
++ DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE,
++ OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR
++ ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY
++ CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL,
++ WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER
++ COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN
++ INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF
++ LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY
++ RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW
++ PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
++ EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
++ THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
++ .
++ 10. U.S. GOVERNMENT END USERS.
++ .
++ The Covered Code is a "commercial item," as that term is defined in
++ 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer
++ software" and "commercial computer software documentation," as such
++ terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48
++ C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995),
++ all U.S. Government End Users acquire Covered Code with only those
++ rights set forth herein.
++ .
++ 11. MISCELLANEOUS.
++ .
++ This License represents the complete agreement concerning subject
++ matter hereof. If any provision of this License is held to be
++ unenforceable, such provision shall be reformed only to the extent
++ necessary to make it enforceable. This License shall be governed by
++ California law provisions (except to the extent applicable law, if
++ any, provides otherwise), excluding its conflict-of-law provisions.
++ With respect to disputes in which at least one party is a citizen of,
++ or an entity chartered or registered to do business in the United
++ States of America, any litigation relating to this License shall be
++ subject to the jurisdiction of the Federal Courts of the Northern
++ District of California, with venue lying in Santa Clara County,
++ California, with the losing party responsible for costs, including
++ without limitation, court costs and reasonable attorneys' fees and
++ expenses. The application of the United Nations Convention on
++ Contracts for the International Sale of Goods is expressly excluded.
++ Any law or regulation which provides that the language of a contract
++ shall be construed against the drafter shall not apply to this
++ License.
++ .
++ 12. RESPONSIBILITY FOR CLAIMS.
++ .
++ As between Initial Developer and the Contributors, each party is
++ responsible for claims and damages arising, directly or indirectly,
++ out of its utilization of rights under this License and You agree to
++ work with Initial Developer and Contributors to distribute such
++ responsibility on an equitable basis. Nothing herein is intended or
++ shall be deemed to constitute any admission of liability.
++ .
++ 13. MULTIPLE-LICENSED CODE.
++ .
++ Initial Developer may designate portions of the Covered Code as
++ "Multiple-Licensed". "Multiple-Licensed" means that the Initial
++ Developer permits you to utilize portions of the Covered Code under
++ Your choice of the NPL or the alternative licenses, if any, specified
++ by the Initial Developer in the file described in Exhibit A.
++ .
++ EXHIBIT A -Mozilla Public License.
++ .
++ ``The contents of this file are subject to the Mozilla Public License
++ Version 1.1 (the "License"); you may not use this file except in
++ compliance with the License. You may obtain a copy of the License at
++ http://www.mozilla.org/MPL/
++ .
++ Software distributed under the License is distributed on an "AS IS"
++ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
++ License for the specific language governing rights and limitations
++ under the License.
++ .
++ The Original Code is ______________________________________.
++ .
++ The Initial Developer of the Original Code is ________________________.
++ Portions created by ______________________ are Copyright (C) ______
++ _______________________. All Rights Reserved.
++ .
++ Contributor(s): ______________________________________.
++ .
++ Alternatively, the contents of this file may be used under the terms
++ of the _____ license (the "[___] License"), in which case the
++ provisions of [______] License are applicable instead of those
++ above. If you wish to allow use of your version of this file only
++ under the terms of the [____] License and not to allow others to use
++ your version of this file under the MPL, indicate your decision by
++ deleting the provisions above and replace them with the notice and
++ other provisions required by the [___] License. If you do not delete
++ the provisions above, a recipient may use your version of this file
++ under either the MPL or the [___] License."
++ .
++ [NOTE: The text of this Exhibit A may differ slightly from the text of
++ the notices in the Source Code files of the Original Code. You should
++ use the text of this Exhibit A rather than the text found in the
++ Original Code Source Code for Your Modifications.]
++
++License: MPL-2.0
++ On Debian machines the full text of the Mozilla Public License version 2.0
++ can be found in the file /usr/share/common-licenses/MPL-2.0.
diff --cc debian/gitlab-ci.yml
index 0000000,0000000..4545f3e
new file mode 100644
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@@ -1,0 -1,0 +1,6 @@@
++include:
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
++
++blhc:
++ allow_failure: true
diff --cc debian/patches/0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
index 0000000,0000000..351c1e9
new file mode 100644
--- /dev/null
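Review bot: Both `include:` entries in debian/gitlab-ci.yml fetch the pipeline definition from `raw/master`, a moving branch, so the jobs that build and check this package can change without any commit in this repository. This is the usual Salsa CI recipe, but where reproducible CI matters the two URLs can be pinned to a tag or commit of salsa-ci-team/pipeline, e.g. `.../pipeline/raw/<PINNED_REF>/salsa-ci.yml`. Separately, `blhc: allow_failure: true` means a build log that shows missing hardening flags will not fail the pipeline; a one-line comment above it such as `# blhc is advisory only: <reason>` would record why that is acceptable.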
+++ b/debian/patches/0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
@@@ -1,0 -1,0 +1,348 @@@
++From 85d06aba6cb874958e9583d84bbd83ffe8bc40f6 Mon Sep 17 00:00:00 2001
++From: Timo Aaltonen
++Date: Wed, 15 Dec 2021 21:40:38 +0200
++Subject: [PATCH] Revert "Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode
++ (#4949)"
++
++This reverts commit b0d06615e1117799ec156d51489cd49c92635cca.
++---
++ .../healthcheck/health_security_test.py | 10 +++
++ ldap/ldif/template-dse-minimal.ldif.in | 52 ----------------
++ ldap/ldif/template-dse.ldif.in | 52 ----------------
++ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 62 +++----------------
++ ldap/servers/slapd/main.c | 12 ----
++ src/lib389/lib389/__init__.py | 4 --
++ src/lib389/lib389/topologies.py | 6 +-
++ src/lib389/lib389/utils.py | 13 ----
++ 8 files changed, 21 insertions(+), 190 deletions(-)
++
++diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++index fa3c28615..a07371e0e 100644
++--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+++++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++@@ -31,6 +31,16 @@ libfaketime.reexec_if_needed()
++ log = logging.getLogger(__name__)
++
++
+++def is_fips():
+++ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+++ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+++ state = f.readline().strip()
+++ if state == '1':
+++ return True
+++ else:
+++ return False
+++
+++
++ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searched_code2=None):
++ args = FakeArgs()
++ args.instance = instance.serverid
++diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
++index a1700a2da..5d424fbf5 100644
++--- a/ldap/ldif/template-dse-minimal.ldif.in
+++++ b/ldap/ldif/template-dse-minimal.ldif.in
++@@ -185,58 +185,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
++ nsslapd-plugintype: pwdstoragescheme
++ nsslapd-pluginenabled: on
++
++-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2
++-
++-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA1
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA1
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA1\
++-
++-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA256
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA256
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA256\
++-
++-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA512
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA512
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA512
++-
++ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
++ objectclass: top
++ objectclass: nsSlapdPlugin
++diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
++index 1456761e5..892f62c6b 100644
++--- a/ldap/ldif/template-dse.ldif.in
+++++ b/ldap/ldif/template-dse.ldif.in
++@@ -232,58 +232,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
++ nsslapd-plugintype: pwdstoragescheme
++ nsslapd-pluginenabled: on
++
++-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2
++-
++-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA1
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA1
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA1\
++-
++-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA256
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA256
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA256\
++-
++-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
++-objectclass: top
++-objectclass: nsSlapdPlugin
++-cn: PBKDF2-SHA512
++-nsslapd-pluginpath: libpwdchan-plugin
++-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
++-nsslapd-plugintype: pwdstoragescheme
++-nsslapd-pluginenabled: on
++-nsslapd-pluginId: PBKDF2-SHA512
++-nsslapd-pluginVersion: none
++-nsslapd-pluginVendor: 389 Project
++-nsslapd-pluginDescription: PBKDF2-SHA512
++-
++ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
++ objectclass: top
++ objectclass: nsSlapdPlugin
++diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++index dcac4fcdd..d310dc792 100644
++--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++@@ -91,11 +91,10 @@ pbkdf2_sha256_extract(char *hash_in, SECItem *salt, uint32_t *iterations)
++ SECStatus
++ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, uint32_t iterations)
++ {
+++ SECItem *result = NULL;
++ SECAlgorithmID *algid = NULL;
++ PK11SlotInfo *slot = NULL;
++ PK11SymKey *symkey = NULL;
++- SECItem *wrapKeyData = NULL;
++- SECStatus rv = SECFailure;
++
++ /* We assume that NSS is already started. */
++ algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
++@@ -105,6 +104,7 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
++ slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
++ if (slot != NULL) {
++ symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
+++ PK11_FreeSlot(slot);
++ if (symkey == NULL) {
++ /* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
++ int32_t status = PORT_GetError();
++@@ -123,60 +123,18 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
++ return SECFailure;
++ }
++
++- /*
++- * First, we need to generate a wrapped key for PK11_Decrypt call:
++- * slot is the same slot we used in PK11_PBEKeyGen()
++- * 256 bits / 8 bit per byte
++- */
++- PK11SymKey *wrapKey = PK11_KeyGen(slot, CKM_AES_ECB, NULL, 256/8, NULL);
++- PK11_FreeSlot(slot);
++- if (wrapKey == NULL) {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to generate a wrapped key.\n");
++- return SECFailure;
++- }
++-
++- wrapKeyData = (SECItem *)PORT_Alloc(sizeof(SECItem));
++- /* Align the wrapped key with 32 bytes. */
++- wrapKeyData->len = (PK11_GetKeyLength(symkey) + 31) & ~31;
++- /* Allocate the aligned space for pkc5PBE key plus AESKey block */
++- wrapKeyData->data = (unsigned char *)slapi_ch_calloc(wrapKeyData->len, sizeof(unsigned char));
++-
++- /* Get symkey wrapped with wrapKey - required for PK11_Decrypt call */
++- rv = PK11_WrapSymKey(CKM_AES_ECB, NULL, wrapKey, symkey, wrapKeyData);
++- if (rv != SECSuccess) {
++- PK11_FreeSymKey(symkey);
++- PK11_FreeSymKey(wrapKey);
++- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to wrap the symkey. (%d)\n", rv);
++- return SECFailure;
++- }
++-
++- /* Allocate the space for our result */
++- void *result = (char *)slapi_ch_calloc(wrapKeyData->len, sizeof(char));
++- unsigned int result_len = 0;
++-
++- /* User wrapKey to decrypt the wrapped contents.
++- * result is the hash that we need;
++- * result_len is the actual lengh of the data;
++- * has_out_len is the maximum (the space we allocted for hash_out)
++- */
++- rv = PK11_Decrypt(wrapKey, CKM_AES_ECB, NULL, result, &result_len, hash_out_len, wrapKeyData->data, wrapKeyData->len);
++- PK11_FreeSymKey(symkey);
++- PK11_FreeSymKey(wrapKey);
++- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
++-
++- if (rv == SECSuccess) {
++- if (result != NULL && result_len <= hash_out_len) {
++- memcpy(hash_out, result, result_len);
++- slapi_ch_free((void **)&result);
+++ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
+++ result = PK11_GetKeyData(symkey);
+++ if (result != NULL && result->len <= hash_out_len) {
+++ memcpy(hash_out, result->data, result->len);
+++ PK11_FreeSymKey(symkey);
++ } else {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to retrieve (get) hash output.\n");
++- slapi_ch_free((void **)&result);
+++ PK11_FreeSymKey(symkey);
+++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
++ return SECFailure;
++ }
++ } else {
++- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to extract hash output. (%d)\n", rv);
++- slapi_ch_free((void **)&result);
+++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
++ return SECFailure;
++ }
++
++diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
++index 7b3dc848f..9f99f6154 100644
++--- a/ldap/servers/slapd/main.c
+++++ b/ldap/servers/slapd/main.c
++@@ -2931,21 +2931,9 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt, int s_por
++ * is enabled or not. We use NSS for random number generation and
++ * other things even if we are not going to accept SSL connections.
++ * We also need NSS for attribute encryption/decryption on import and export.
++- *
++- * It's important to remember that while in FIPS mode the administrator should always enable
++- * the security, otherwise we don't call slapd_pk11_authenticate which is a requirement for FIPS mode
++ */
++- PRBool isFIPS = slapd_pk11_isFIPS();
++ int init_ssl = config_get_security();
++
++- if (isFIPS && !init_ssl) {
++- slapi_log_err(SLAPI_LOG_WARNING, "slapd_do_all_nss_ssl_init",
++- "ERROR: TLS is not enabled, and the machine is in FIPS mode. "
++- "Some functionality won't work correctly (for example, "
++- "users with PBKDF2_SHA256 password scheme won't be able to log in). "
++- "It's highly advisable to enable TLS on this instance.\n");
++- }
++-
++ if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
++ init_ssl = init_ssl && (0 != s_port) && (s_port <= LDAP_PORT_MAX);
++ } else {
++diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
++index 15ac50b7d..d4473dfd1 100644
++--- a/src/lib389/lib389/__init__.py
+++++ b/src/lib389/lib389/__init__.py
++@@ -1533,10 +1533,6 @@ class DirSrv(SimpleLDAPObject, object):
++ :param post_open: Open the server connection after restart.
++ :type post_open: bool
++ """
++- if self.config.get_attr_val_utf8_l("nsslapd-security") == 'on':
++- self.restart(post_open=post_open)
++- return
++-
++ # If it doesn't exist, create a cadb.
++ ssca = NssSsl(dbpath=self.get_ssca_dir()) ++ if not ssca._db_exists(): ++diff --git a/src/lib389/lib389/topologies.py b/src/lib389/lib389/topologies.py ++index 569818fc1..db505535f 100644 ++--- a/src/lib389/lib389/topologies.py +++++ b/src/lib389/lib389/topologies.py ++@@ -11,7 +11,7 @@ import logging ++ import socket # For hostname detection for GSSAPI tests ++ import pytest ++ from lib389 import DirSrv ++-from lib389.utils import generate_ds_params, is_fips +++from lib389.utils import generate_ds_params ++ from lib389.mit_krb5 import MitKrb5 ++ from lib389.saslmap import SaslMappings ++ from lib389.replica import ReplicationManager, Replicas ++@@ -103,10 +103,6 @@ def _create_instances(topo_dict, suffix): ++ if role == ReplicaRole.HUB: ++ hs[instance.serverid] = instance ++ instances.update(hs) ++- # We should always enable TLS while in FIPS mode because otherwise NSS database won't be ++- # configured in a FIPS compliant way ++- if is_fips(): ++- instance.enable_tls() ++ if DEBUGGING: ++ instance.config.set('nsslapd-errorlog-level','8192') ++ instance.config.set('nsslapd-accesslog-level','260') ++diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py ++index 5445aa7b0..37eeda273 100644 ++--- a/src/lib389/lib389/utils.py +++++ b/src/lib389/lib389/utils.py ++@@ -1434,16 +1434,3 @@ def is_valid_hostname(hostname): ++ hostname = hostname[:-1] # strip exactly one dot from the right, if present ++ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?256) diff --cc debian/tests/control index 0000000,0000000..dc84954 new file mode 100644 --- /dev/null +++ b/debian/tests/control @@@ -1,0 -1,0 +1,6 @@@ ++Tests: setup ++Depends: ++ 389-ds-base, ++Restrictions: ++ isolation-container, ++ needs-root, diff --cc debian/tests/setup index 0000000,0000000..0ffa366 new file mode 100644 --- /dev/null 
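Review bot: In the pbkdf2_pwd.c part of this revert patch, the restored `pbkdf2_sha256_hash` frees `symkey` in both inner branches but, as far as the flattened listing shows, not in the outer `else` taken when `PK11_ExtractKeyValue(symkey)` fails; that path logs "Unable to extract hash output." and returns `SECFailure` with the password-derived key object still allocated. Judging by the subject of the reverted commit this is presumably the path a FIPS-mode host takes, so it would be hit on every hash attempt there; adding `PK11_FreeSymKey(symkey);` before that `slapi_log_err` call closes it. The patch header also gives no reason for the revert beyond the commit id, and it drops the startup warning in main.c that told administrators PBKDF2_SHA256 logins fail without TLS in FIPS mode; DEP-3 fields such as `Description:` and `Forwarded:` stating why the fix is backed out would let a later reader judge when the patch can be removed. The function body continues outside the inner hunks, so the handling of `algid` is not visible here.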
+++ b/debian/tests/setup
@@@ -1,0 -1,0 +1,36 @@@
++#!/bin/sh
++
++# hack for lxc
++IP=`ip route get 1.1.1.1 | sed -n -e's/.*src //; s/ .*//; p; q'`
++echo "IP address is $IP"
++
++HOSTNAME=`cat /etc/hosts| grep '127.0.1.1' | awk '{print $NF; exit}'`
++echo "Hostname was: $HOSTNAME"
++
++if [ -z $HOSTNAME ]; then
++ HOSTNAME=autopkgtest
++ hostname $HOSTNAME
++ echo $HOSTNAME > /etc/hostname
++fi
++
++echo "$IP $HOSTNAME.debci $HOSTNAME" >> /etc/hosts
++
++echo "/etc/hosts now has:"
++cat /etc/hosts
++
++cat << EOF > /tmp/debci.inf
++[general]
++full_machine_name = $HOSTNAME.debci
++strict_host_checking = False
++[slapd]
++group = dirsrv
++instance_name = debci
++port = 1389
++root_dn = cn=Directory Manager
++root_password = Secret123
++user = dirsrv
++[backend-userroot]
++suffix = dc=example,dc=com
++EOF
++
++/usr/sbin/dscreate from-file /tmp/debci.inf 2>&1
diff --cc debian/watch
index 0000000,0000000..aceba88
new file mode 100644
--- /dev/null
+++ b/debian/watch
@@@ -1,0 -1,0 +1,3 @@@
++#git=https://github.com/389ds/389-ds-base
++version=3
++https://github.com/389ds/389-ds-base/tags/ (?:.*?/)?389-ds-base-@ANY_VERSION@\.tar\.gz
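Review bot: debian/tests/setup writes the instance answer file, including `root_password`, to the fixed path `/tmp/debci.inf` while running as root (debian/tests/control sets `needs-root`), so the redirect writes through whatever already exists at that name and the file is left behind with default permissions. Inside an `isolation-container` testbed the exposure is small, but `INF=$(mktemp)` followed by `cat << EOF > "$INF"` and `dscreate from-file "$INF"` avoids the predictable name at no cost; `$AUTOPKGTEST_TMP` is another suitable location. The test `[ -z $HOSTNAME ]` only works for an empty value because it collapses to `[ -z ]`; quoting it as `[ -z "$HOSTNAME" ]` keeps it correct if the /etc/hosts lookup ever yields something unexpected.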