This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu1 --------------- openldap (2.4.42+dfsg-2ubuntu1) xenial; urgency=medium * Merge from Debian testing (LP: #1532648). Remaining changes: - Enable AppArmor support: - d/apparmor-profile: add AppArmor profile - d/rules: use dh_apparmor - d/control: Build-Depends on dh-apparmor - d/slapd.README.Debian: add note about AppArmor - Enable GSSAPI support: - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise): - Add --with-gssapi support - Make guess_service_principal() more robust when determining principal - d/configure.options: Configure with --with-gssapi - d/control: Added heimdal-dev as a build depend - Enable ufw support: - d/control: suggest ufw. - d/rules: install ufw profile. - d/slapd.ufw.profile: add ufw profile. - Enable nss overlay: - d/{patches/nssov-build,rules}: Apply, build and package the nss overlay. - d/{rules,slapd.py}: Add apport hook. - d/slapd.init.ldif: don't set olcRootDN since it's not defined in either the default DIT nor via an Authn mapping. - d/slapd.scripts-common: - add slapcat_opts to local variables. - Remove unused variable new_conf. - Fix backup directory naming for multiple reconfiguration. - d/{slapd.default,slapd.README.Debian}: use the new configuration style. - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support in the openldap library, as required by Likewise-Open - Show distribution in version: - d/control: added lsb-release - d/patches/fix-ldap-distribution.patch: show distribution in version * Drop CVE-2015-6908.patch, included in Debian. * Remove DEB_HOST_ARCH from debian/rules: left over from when mdb was disabled on ppc64el, no longer used, and missed in the previous merge. openldap (2.4.42+dfsg-2) unstable; urgency=medium [ Ryan Tandy ] * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as recommended by lintian. * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile. This allows the dependency loop with heimdal to be broken for bootstrapping, and the dependency on libperl-dev to be avoided for cross-building. Thanks Daniel Schepler and Helmut Grohne. (Closes: #724518) * Apply wrap-and-sort to the Build-Depends field. * Drop libncurses5-dev from Build-Depends, no longer needed since the ud tool was removed in OpenLDAP 2.1.4. * Drop libltdl3-dev as an alternate Build-Depends, since that package was removed after lenny. * Annotate Build-Depends on perl with :any to allow running the system perl interpreter during cross builds. * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne. * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for restriction formula support. * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a false positive; see #687022. * Include the smbk5pwd man page in the slapd-smbk5pwd package. * Allow anonymous read access to the shadowLastChange attribute by default, allowing nss-ldap/nss-ldapd to handle password expiry correctly even when bound anonymously. This was the only restricted shadow attribute, the others were already world-readable. (Closes: #669235) * Drop the redundant default ACL for dn.base="" from the database entry. It's already covered by the fallback case below. * Copy more comments from the slapd.conf template to slapd.init.ldif. Also comment the shadowLastChange access rule. * Import upstream patch to remove an unnecessary assert(0) that could be triggered remotely by an unauthenticated user by sending a malformed BER element. (ITS#8240) [ Peter Marschall ] * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to install the new manual page. (Closes: #794998) openldap (2.4.42+dfsg-1) unstable; urgency=medium [ Peter Marschall ] * slapd.scripts-common: - Use update_permissions instead of direct calls to chown and chgrp. - Make variables only used within a function local to that function. - Restore databases ordered by increasing suffix path length. This should help configurations with databases glued together using the 'subordinate' keyword / 'olcSubordinate' attribute in slapd's configuration. (Closes: #794996) * Install slapo-lastbind.5 man page. (Closes: #794997) [ Ryan Tandy ] * slapd.scripts-common: Delete an outdated comment. * New upstream release. * Enable the MDB backend again on GNU/kFreeBSD. The new pthread library provides all the required interfaces, and the test suite now passes. Leave it disabled on the Hurd. LMDB requires POSIX semaphores, which have not yet been implemented. * Disable the BDB/HDB backends on the Hurd. BDB requires record locks (F_SETLK), which have not yet been implemented; see #693971. -- Ryan Tandy