Bug#765747: RFS: openldap/2.4.40-1 [RC]


Ryan Tandy-4
Package: sponsorship-requests
Severity: important
X-Debbugs-CC: [hidden email]

Dear mentors,

I am looking for a sponsor for my package "openldap".

   Package name    : openldap
   Version         : 2.4.40-1
   Upstream Author : The OpenLDAP Project <http://www.openldap.org/project/>
   URL             : http://www.openldap.org/
   License         : OpenLDAP Public License
   Section         : net

It builds these binary packages:

   ldap-utils - OpenLDAP utilities
   libldap-2.4-2 - OpenLDAP libraries
   libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
   libldap2-dev - OpenLDAP development libraries
   slapd - OpenLDAP server (slapd)
   slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
   slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.

To access further information about this package, please visit the
following URL:

   http://mentors.debian.net/package/openldap

(what's with the "does not belong to this package" errors? AFAICS the
bugs do all belong to binaries of src:openldap...)

Alternatively, one can download the package with dget using this command:

   dget -x http://mentors.debian.net/debian/pool/main/o/openldap/openldap_2.4.40-1.dsc

The package was built from my personal git repository, which can be
found at:

   http://anonscm.debian.org/cgit/users/rtandy-guest/openldap.git/

I will push the changes to the team repository (in Vcs-Git) after
someone reviews my merge of the upstream release.

The amd64 binaries were built in a clean, up-to-date, unstable sbuild
chroot. Upstream's test suite was run successfully during the build.

The package is far from Lintian clean, but at least I don't believe I
introduced any new warnings or errors. I would be happy to discuss the
Lintian issues with a reviewer.

Changes since the last upload:

    [ Ryan Tandy ]
    * New upstream release.
      - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860)
        (Closes: #465024)
      - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
      - fixed double free with invalid ciphersuite (ITS#7500)
        (Closes: #640384)
      - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
        (Closes: #666515)
      - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
    * slapd.scripts-common:
      - Anchor grep patterns to avoid matching commented lines in ldif files
        under cn=config. (Closes: #723957)
      - Don't silently ignore nonexistent directories that should be dumped.
      - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
        symlink. (Closes: #742862)
      - When upgrading a database, ignore extra nested directories as they
        might contain other databases. Patch from Kenny Millington.
        (LP: #1003854)
      - Fix dumping and reloading when multiple databases hold the same
        suffix, thanks Peder Stray. (Closes: #759596, LP: #1362481)
      - Remove trailing dot from slapd/domain. (Closes: #637996)
    * debian/rules:
      - Enable parallel building.
      - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
        #676168. (Closes: #742841)
    * debian/slapd.README.Debian: Add a note about database format upgrades
      and the consequences of missing one. (Closes: #594711)
    * Build with GnuTLS 3 (Closes: #745231, #760559).
    * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
    * Drop debconf-utils from Build-Depends, no longer used (replaced by
      po-debconf). Thanks Johannes Schauer.
    * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
    * Offer the MDB backend as a choice during initial configuration.
      (Closes: #750022)
    * debian/slapd.init.ldif:
      - Disallow modifying one's own entry by default, except specific
        attributes. (Closes: #761406)
      - Index some more common search attributes by default.
        (Closes: #762111)
    * Introduce a symbols file for libldap-2.4-2.
    * debian/schema/pmi.schema: Add a copyright clarification. There does
      not appear to be any copyrighted text in this file, only ASN.1
      assignments and LDAP schema definitions. Fixes a Lintian error on the
      original.
    * debian/schema/duaconf.schema: Strip Internet-Draft text from
      duaconf.schema.
    * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
    * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
    * debian/schema/ppolicy.schema: Update with ordering rules added in
      draft-behera-ldap-password-policy-11.
    * Suggest GSSAPI SASL modules. (Closes: #762424)
    * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
      slapd-config.5 the fact that changes to olcAuthzRegexp only take
      effect after the server is restarted. (Closes: #761407)
    * Add myself to Uploaders.

    [ Jelmer Vernooij ]
    * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
      #706123)

    [ Updated debconf translations ]
    * Turkish, thanks to Atila KOÇ <[hidden email]>.
      (Closes: #661641)

thanks,
Ryan


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
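
Two of the slapd.scripts-common items in the changelog above, reproduced in a constructed sandbox as an added example (not the package's maintainer-script code; every path, file content and function name is made up): `find` does not descend through a symlink named on its command line unless given `-H`, so an ownership fix fed from it would silently touch nothing, and an unanchored grep also picks up a commented-out setting.

```shell
#!/bin/sh
# Constructed sandbox: a data directory reached through a symlink and a
# cn=config-style LDIF with one commented-out and one live setting.
# Every path, file name and function name here is made up.
setup_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/real-ldap"
    : > "$dir/real-ldap/data.mdb"
    ln -s "$dir/real-ldap" "$dir/ldap"    # stands in for /var/lib/ldap
    cat > "$dir/olcDatabase={1}mdb.ldif" <<'EOF'
# olcDbDirectory: /srv/old-ldap
dn: olcDatabase={1}mdb
olcDbDirectory: /var/lib/ldap
EOF
    printf '%s\n' "$dir"
}

# Count regular files under $1; further arguments (such as -H) are passed
# to find ahead of the path.
count_files() {
    path=$1; shift
    find "$@" "$path" -type f | wc -l | tr -d ' '
}

# Print the directories named by olcDbDirectory lines in file $2.
db_dirs() {
    case $1 in
        unanchored) pattern='olcDbDirectory: ' ;;
        anchored)   pattern='^olcDbDirectory: ' ;;
        *) return 2 ;;
    esac
    grep "$pattern" "$2" | sed 's/^.*olcDbDirectory: //'
}

box=$(setup_sandbox)
ldif="$box/olcDatabase={1}mdb.ldif"
echo "files seen by find:    $(count_files "$box/ldap")"
echo "files seen by find -H: $(count_files "$box/ldap" -H)"
echo "unanchored grep:"; db_dirs unanchored "$ldif"
echo "anchored grep:";   db_dirs anchored "$ldif"
rm -rf "$box"
```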


Bug#765747: RFS: openldap/2.4.40-1 [RC]

wferi
Ryan Tandy <[hidden email]> writes:

>      - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
>        symlink. (Closes: #742862)

You mean chgrp, not chmod.

>    * debian/slapd.README.Debian: Add a note about database format
>      upgrades and the consequences of missing one. (Closes: #594711)

"HDB is the recommended database backend."  Is this still so?  Not MDB?

Maybe the Logging section could mention rsyslog, which is the current
default system log daemon.  I personally use /etc/rsyslog.d/50-slapd.conf:

  # Globally turn off rate limiting on the unix socket (mostly slapd logs)
  $SystemLogRateLimitInterval 0

  local4.* -/var/log/slapd.log
  & ~

with a corresponding logrotate snippet, although it could be done
another way as well (http://wiki.rsyslog.com/index.php/DailyLogRotation).

>    * debian/slapd.init.ldif:

Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
all ACL processing anyway?

I much hope to see OpenLDAP 2.4.40 in jessie!
--
Regards,
Feri.



Bug#765747: RFS: openldap/2.4.40-1 [RC]

wferi
I backported your package to wheezy and upgraded a machine carrying a
partial replica.  The upgrade failed, so I added the -s option to the
slapadd call in the postinst.  Please consider using it.

Btw. is the dump/restore necessary with MDB?  I found no information
about the format incompatibilities between the various versions.
--
Thanks,
Feri.



Bug#765747: RFS: openldap/2.4.40-1 [RC]

Ryan Tandy-4
In reply to this post by wferi
Hi Ferenc, thank you very much for your comments!

On 18/10/14 02:26 AM, Ferenc Wagner wrote:
> Ryan Tandy <[hidden email]> writes:
>
>>      - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
>>        symlink. (Closes: #742862)
>
> You mean chgrp, not chmod.

Right. Thanks.

>>    * debian/slapd.README.Debian: Add a note about database format
>>      upgrades and the consequences of missing one. (Closes: #594711)
>
> "HDB is the recommended database backend."  Is this still so?  Not MDB?

At the time I wrote that, the documentation still recommended hdb. Now
it has indeed changed to mdb. Personally I am still undecided as to
whether Debian should follow right now, or in the next release. It's
certainly the case that only mdb is likely to receive attention and
fixes going forward.

> Maybe the Logging section could mention rsyslog, which is the current
> default system log daemon.  I personally use /etc/rsyslog.d/50-slapd.conf:
>
>   # Globally turn off rate limiting on the unix socket (mostly slapd logs)
>   $SystemLogRateLimitInterval 0
>
>   local4.* -/var/log/slapd.log
>   & ~
>
> with a corresponding logrotate snippet, although it could be done
> another way as well (http://wiki.rsyslog.com/index.php/DailyLogRotation).

Would you be willing to provide a patch against the README for that? I'd
be happy to git-am it.

>>    * debian/slapd.init.ldif:
>
> Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
> all ACL processing anyway?

Good point, again; I hadn't noticed that. In debian/slapd.conf the
rootdn line is commented and we just have the explicit ACLs. I think I
would do the same with slapd.init.ldif, and drop olcRoot{DN,PW}.

> I much hope to see OpenLDAP 2.4.40 in jessie!

Thanks for your support! :)

On 18/10/14 05:36 AM, Ferenc Wagner wrote:
> I backported your package to wheezy and upgraded a machine carrying a
> partial replica.  The upgrade failed, so I added the -s option to the
> slapadd call in the postinst.  Please consider using it.

See #614569. I would like to fix it for jessie, but it might be in a
later upload. I only want to add -s in cases where it's strictly needed,
not in general.

> Btw. is the dump/restore necessary with MDB?  I found no information
> about the format incompatibilities between the various versions.

It's not (details in #750022). I filed #759597 about that. Might or
might not get it fixed for jessie. #614569 and #761406 are both more
important to me; this is annoying but doesn't break anything (AFAIK).

thanks,
Ryan



Bug#765747: RFS: openldap/2.4.40-1 [RC]

wferi
Ryan Tandy <[hidden email]> writes:

> On 18/10/14 02:26 AM, Ferenc Wagner wrote:
>
>> Ryan Tandy <[hidden email]> writes:
>>
>>>    * debian/slapd.init.ldif:
>>
>> Btw: why do you give rights to the RootDN explicitly?  Doesn't it skip
>> all ACL processing anyway?
>
> Good point, again; I hadn't noticed that. In debian/slapd.conf the
> rootdn line is commented and we just have the explicit ACLs. I think I
> would do the same with slapd.init.ldif, and drop olcRoot{DN,PW}.

I'd go the other way, as a RootDN is good to have anyway (replication
needs it), while the explicit rules clutter up the ACLs.  Or do you want
to differentiate between the write and manage access levels this way?

>> Maybe the Logging section could mention rsyslog [...]
>
> Would you be willing to provide a patch against the README for that?

Probably yes, but not tonight. :)

>> I backported your package to wheezy and upgraded a machine carrying a
>> partial replica.  The upgrade failed, so I added the -s option to the
>> slapadd call in the postinst.  Please consider using it.
>
> See #614569. I would like to fix it for jessie, but it might be in a
> later upload. I only want to add -s in cases where it's strictly needed,
> not in general.

That would certainly be more correct; I'm just not sure if it's worth
the trouble.  Bringing up problems during upgrade isn't too useful.

>> Btw. is the dump/restore necessary with MDB?
>
> It's not (details in #750022). I filed #759597 about that.

Cool.  I added a note about the example DB_CONFIG being unnecessarily
copied in.
--
Regards,
Feri.



Bug#765747: [Pkg-openldap-devel] Bug#765747: RFS: openldap/2.4.40-1 [RC]

Ryan Tandy-4
In reply to this post by Ryan Tandy-4
On 19/10/14 12:10 PM, Luca Bruno wrote:
> I know very little about openldap, but git log seems ok and I see other people
> testing and reviewing your RFS, so if nobody steps up before, I'm willing to
> sponsor this in the coming week.

That would be fantastic, thank you very much for offering!

> I just have a few questions related to this:
>  * I see you addressed some comments from reviewers. Is the new package
>    already on mentors?

I answered the email, but still have to actually apply and test the
changes. I will upload a new package either this evening or tomorrow.

>  * should I wait for a fix for the new comment at #759597?

The DB_CONFIG file? It's harmless, but I don't expect the fix to regress
anything, so I will probably include it.

>  * what happened to the slapd-contrib package? I'd be interested in a
>    couple more modules (lastbind, pbkdf2) and was wondering what is the
>    recommended way, currently.

I had planned to post the branch for review again after rebasing on
2.4.40, which includes several related fixes, but that was released a
lot later than expected and I haven't had time to revisit it, so look
for it in jessie-backports after the release. For now, building contrib
modules still involves unpacking and building the openldap source and
patching the needed Makefiles, similar to smbk5pwd and autogroup.

thanks,
Ryan

