Bug#765747: [Pkg-openldap-devel] Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-20 Thread Ryan Tandy
On 19/10/14 12:10 PM, Luca Bruno wrote:
 I know very little about openldap, but git log seems ok and I see other people
 testing and reviewing your RFS, so if nobody steps up before, I'm willing to
 sponsor this in the coming week.

That would be fantastic, thank you very much for offering!

 I just have a few questions related to this:
  * I see you addressed some comments from reviewers. Is the new package
already on mentors?

I answered the email, but still have to actually apply and test the
changes. I will upload a new package either this evening or tomorrow.

  * should I wait for a fix for the new comment at #759597?

The DB_CONFIG file? It's harmless, but I don't expect the fix to regress
anything, so I will probably include it.

  * what happened to the slapd-contrib package? I'd be interested in a
couple more modules (lastbind, pbkdf2) and was wondering what is the
recommended way, currently.

I had planned to post the branch for review again after rebasing on
2.4.40, which includes several related fixes, but that was released a
lot later than expected and I haven't had time to revisit it, so look
for it in jessie-backports after the release. For now, building contrib
modules still involves unpacking and building the openldap source and
patching the needed Makefiles, similar to smbk5pwd and autogroup.

thanks,
Ryan





Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-18 Thread Ferenc Wagner
Ryan Tandy r...@nardis.ca writes:

  - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
symlink. (Closes: #742862)

You mean chgrp, not chmod.

* debian/slapd.README.Debian: Add a note about database format
  upgrades and the consequences of missing one. (Closes: #594711)

HDB is the recommended database backend.  Is this still so?  Not MDB?

Maybe the Logging section could mention rsyslog, which is the current
default system log daemon.  I personally use /etc/rsyslog.d/50-slapd.conf:

  # Globally turn off rate limiting on the unix socket (mostly slapd logs)
  $SystemLogRateLimitInterval 0

  local4.* -/var/log/slapd.log
  & ~

with a corresponding logrotate snippet, although it could be done
another way as well (http://wiki.rsyslog.com/index.php/DailyLogRotation).

* debian/slapd.init.ldif:

Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
all ACL processing anyway?

I much hope to see OpenLDAP 2.4.40 in jessie!
-- 
Regards,
Feri.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-18 Thread Ferenc Wagner
I backported your package to wheezy and upgraded a machine carrying a
partial replica.  The upgrade failed, so I added the -s option to the
slapadd call in the postinst.  Please consider using it.

Btw. is the dump/restore necessary with MDB?  I found no information
about the format incompatibilities between the various versions.
-- 
Thanks,
Feri.





Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-18 Thread Ryan Tandy
Hi Ferenc, thank you very much for your comments!

On 18/10/14 02:26 AM, Ferenc Wagner wrote:
 Ryan Tandy r...@nardis.ca writes:
 
  - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
symlink. (Closes: #742862)
 
 You mean chgrp, not chmod.

Right. Thanks.

* debian/slapd.README.Debian: Add a note about database format
  upgrades and the consequences of missing one. (Closes: #594711)
 
 HDB is the recommended database backend.  Is this still so?  Not MDB?

At the time I wrote that, the documentation still recommended hdb. Now
it has indeed changed to mdb. Personally I am still undecided as to
whether Debian should follow right now, or in the next release. It's
certainly the case that only mdb is likely to receive attention and
fixes going forward.

 Maybe the Logging section could mention rsyslog, which is the current
 default system log daemon.  I personally use /etc/rsyslog.d/50-slapd.conf:
 
   # Globally turn off rate limiting on the unix socket (mostly slapd logs)
   $SystemLogRateLimitInterval 0
 
   local4.* -/var/log/slapd.log
   & ~
 
 with a corresponding logrotate snippet, although it could be done
 another way as well (http://wiki.rsyslog.com/index.php/DailyLogRotation).

Would you be willing to provide a patch against the README for that? I'd
be happy to git-am it.

* debian/slapd.init.ldif:
 
 Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
 all ACL processing anyway?

Good point, again; I hadn't noticed that. In debian/slapd.conf the
rootdn line is commented and we just have the explicit ACLs. I think I
would do the same with slapd.init.ldif, and drop olcRoot{DN,PW}.

 I much hope to see OpenLDAP 2.4.40 in jessie!

Thanks for your support! :)

On 18/10/14 05:36 AM, Ferenc Wagner wrote:
 I backported your package to wheezy and upgraded a machine carrying a
 partial replica.  The upgrade failed, so I added the -s option to the
 slapadd call in the postinst.  Please consider using it.

See #614569. I would like to fix it for jessie, but it might be in a
later upload. I only want to add -s in cases where it's strictly needed,
not in general.

 Btw. is the dump/restore necessary with MDB?  I found no information
 about the format incompatibilities between the various versions.

It's not (details in #750022). I filed #759597 about that. Might or
might not get it fixed for jessie. #614569 and #761406 are both more
important to me; this is annoying but doesn't break anything (AFAIK).

thanks,
Ryan





Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-18 Thread Ferenc Wagner
Ryan Tandy r...@nardis.ca writes:

 On 18/10/14 02:26 AM, Ferenc Wagner wrote:

 Ryan Tandy r...@nardis.ca writes:
 
* debian/slapd.init.ldif:
 
 Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
 all ACL processing anyway?

 Good point, again; I hadn't noticed that. In debian/slapd.conf the
 rootdn line is commented and we just have the explicit ACLs. I think I
 would do the same with slapd.init.ldif, and drop olcRoot{DN,PW}.

I'd go the other way, as a RootDN is good to have anyway (replication
needs it), while the explicit rules clutter up the ACLs.  Or do you want
to differentiate between the write and manage access levels this way?

 Maybe the Logging section could mention rsyslog [...]

 Would you be willing to provide a patch against the README for that?

Probably yes, but not tonight. :)

 I backported your package to wheezy and upgraded a machine carrying a
 partial replica.  The upgrade failed, so I added the -s option to the
 slapadd call in the postinst.  Please consider using it.

 See #614569. I would like to fix it for jessie, but it might be in a
 later upload. I only want to add -s in cases where it's strictly needed,
 not in general.

That would certainly be more correct; I'm just not sure if it's worth
the trouble.  Bringing up problems during upgrade isn't too useful.

 Btw. is the dump/restore necessary with MDB?

 It's not (details in #750022). I filed #759597 about that.

Cool.  I added a note about the example DB_CONFIG being unnecessarily
copied in.
-- 
Regards,
Feri.





Bug#765747: RFS: openldap/2.4.40-1 [RC]

2014-10-17 Thread Ryan Tandy

Package: sponsorship-requests
Severity: important
X-Debbugs-CC: pkg-openldap-de...@lists.alioth.debian.org

Dear mentors,

I am looking for a sponsor for my package openldap.

  Package name: openldap
  Version : 2.4.40-1
  Upstream Author : The OpenLDAP Project http://www.openldap.org/project/
  URL : http://www.openldap.org/
  License : OpenLDAP Public License
  Section : net

It builds these binary packages:

  ldap-utils - OpenLDAP utilities
  libldap-2.4-2 - OpenLDAP libraries
  libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
  libldap2-dev - OpenLDAP development libraries
  slapd - OpenLDAP server (slapd)
  slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
  slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.

To access further information about this package, please visit the 
following URL:


  http://mentors.debian.net/package/openldap

(what's with the "does not belong to this package" errors? AFAICS the
bugs do all belong to binaries of src:openldap...)


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/o/openldap/openldap_2.4.40-1.dsc


The package was built from my personal git repository, which can be 
found at:


  http://anonscm.debian.org/cgit/users/rtandy-guest/openldap.git/

I will push the changes to the team repository (in Vcs-Git) after 
someone reviews my merge of the upstream release.


The amd64 binaries were built in a clean, up-to-date, unstable sbuild 
chroot. Upstream's test suite was run successfully during the build.


The package is far from Lintian clean, but at least I don't believe I 
introduced any new warnings or errors. I would be happy to discuss the 
Lintian issues with a reviewer.


Changes since the last upload:

   [ Ryan Tandy ]
   * New upstream release.
     - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
     - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
     - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
     - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
       (Closes: #666515)
     - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
   * slapd.scripts-common:
     - Anchor grep patterns to avoid matching commented lines in ldif files
       under cn=config. (Closes: #723957)
     - Don't silently ignore nonexistent directories that should be dumped.
     - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
       symlink. (Closes: #742862)
     - When upgrading a database, ignore extra nested directories as they might
       contain other databases. Patch from Kenny Millington. (LP: #1003854)
     - Fix dumping and reloading when multiple databases hold the same suffix,
       thanks Peder Stray. (Closes: #759596, LP: #1362481)
     - Remove trailing dot from slapd/domain. (Closes: #637996)
   * debian/rules:
     - Enable parallel building.
     - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
       #676168. (Closes: #742841)
   * debian/slapd.README.Debian: Add a note about database format upgrades and
     the consequences of missing one. (Closes: #594711)
   * Build with GnuTLS 3 (Closes: #745231, #760559).
   * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
   * Drop debconf-utils from Build-Depends, no longer used (replaced by
     po-debconf). Thanks Johannes Schauer.
   * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
   * Offer the MDB backend as a choice during initial configuration. (Closes:
     #750022)
   * debian/slapd.init.ldif:
     - Disallow modifying one's own entry by default, except specific
       attributes. (Closes: #761406)
     - Index some more common search attributes by default. (Closes: #762111)
   * Introduce a symbols file for libldap-2.4-2.
   * debian/schema/pmi.schema: Add a copyright clarification. There does not
     appear to be any copyrighted text in this file, only ASN.1 assignments and
     LDAP schema definitions. Fixes a Lintian error on the original.
   * debian/schema/duaconf.schema: Strip Internet-Draft text from
     duaconf.schema.
   * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
   * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
   * debian/schema/ppolicy.schema: Update with ordering rules added in
     draft-behera-ldap-password-policy-11.
   * Suggest GSSAPI SASL modules. (Closes: #762424)
   * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
     slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
     after the server is restarted. (Closes: #761407)
   * Add myself to Uploaders.

   [ Jelmer Vernooij ]
   * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
     #706123)

   [ Updated debconf translations ]
   * Turkish, thanks to Atila KOÇ
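
The `-H` item under slapd.scripts-common above, as an added example that is not taken from the package's maintainer scripts: when the start path is a symlink, a default `find` pass visits nothing below it, so a permission fix-up silently skips the database files. The directory layout is constructed, and `chmod` through `find` stands in for the `chown`/`chgrp` calls because those need root.

```shell
#!/bin/sh
# Constructed layout: $root/ldap stands in for /var/lib/ldap and is a symlink
# to the directory that really holds the database files.
make_layout() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/srv/ldap-data/accesslog"
    for f in data.mdb lock.mdb accesslog/data.mdb; do
        : > "$root/srv/ldap-data/$f"
        chmod 644 "$root/srv/ldap-data/$f"
    done
    ln -s "$root/srv/ldap-data" "$root/ldap"
    printf '%s\n' "$root"
}

# Tighten every regular file under $1 to mode 600.
# $2 is the find option under test: empty (default, a symlink given as the
# start point is not followed) or -H (follow symlinks named on the command line).
tighten() {
    # $2 is deliberately unquoted so that an empty value expands to no argument.
    find $2 "$1" -type f -exec chmod 600 {} +
}

# Count database files that are still world-readable after a pass.
still_exposed() {
    find -H "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Run the fix-up without and then with -H and report what each pass left behind.
demo() {
    root=$(make_layout) || return 1
    tighten "$root/ldap" ""
    without_h=$(still_exposed "$root/ldap")
    tighten "$root/ldap" -H
    with_h=$(still_exposed "$root/ldap")
    rm -rf "$root"
    printf '%s %s\n' "$without_h" "$with_h"
}

demo
```

The first number is the count of files the default pass left world-readable, the second the count after the `-H` pass.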