Debian Bug report logs - #510346
new TLS_CIPHER_SUITE underdocumented


Package: libldap-2.4-2; Maintainer for libldap-2.4-2 is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for libldap-2.4-2 is src:openldap.

Reported by: Neil Spring <nspring@gmail.com>

Date: Wed, 31 Dec 2008 18:18:01 UTC

Severity: normal

Tags: patch

Found in versions openldap/2.4.11-1, 2.4.21-0pm1

Fixed in version openldap/2.4.21-1

Done: Matthijs Mohlmann <matthijs@cacholong.nl>

Bug is archived. No further changes may be made.

Forwarded to http://www.openldap.org/its/index.cgi?selectid=6525



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Wed, 31 Dec 2008 18:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Spring <nspring@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 31 Dec 2008 18:18:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Neil Spring <nspring@gmail.com>
To: submit@bugs.debian.org
Subject: new TLS_CIPHER_SUITE underdocumented
Date: Wed, 31 Dec 2008 13:11:26 -0500

Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal


Please feel free to retitle; I don't know if this is a
documentation problem or a feature problem.

I'm trying my absolute hardest to get libldap to talk
ssl to ldaps://directory.umd.edu:636/ and haven't figured
it out.  I believe my inability to get it to work is just
documentation, but it works in old ldap (2.3.30-5+etch1)
presumably because openssl negotiates differently.

The problem I'm trying to solve:

% openssl s_client -connect directory.umd.edu:636

works.  (and thus, old libldap works fine, because openssl
can negotiate with the server.)

% gnutls-cli-debug -p 636 directory.umd.edu

works, and describes many features that the server doesn't
support.  e.g., TLS1.1 support.

% gnutls-cli -p 636 directory.umd.edu

fails; wireshark shows gnutls sending a TLS1.1 client hello
and the server dropping the connection.

% gnutls-cli --protocols SSL3.0 -p 636 directory.umd.edu

works; oddly, TLS1.0 does not.

With that knowledge, I can then:

% gnutls-cli --priority 'NORMAL:\!VERS-TLS1.1:\!VERS-TLS1.0' -p 636 directory.umd.edu

So I'm confident that even if there's a bug in gnutls's ability
to negotiate with this server, there should be a way for
me to configure gnutls through ldap.conf.

However, after putting that string into TLS_CIPHER_SUITE
(without escaping the !'s)

% ldapsearch -d 12 -H ldaps://directory.umd.edu/ uid=nspring
ldap_build_search_req ATTRS: supportedSASLMechanisms
TLS: could not set cipher list NORMAL:!VERS-TLS1.1:!VERS-TLS1.0.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

So that doesn't work; I then try setting TLS_CIPHER_SUITE
to TLS_DHE_RSA_3DES_EDE_CBC_SHA1 , which has alongside
it in gnutls-cli --list the note SSL3.0; unfortunately,
the client still sends a TLS1.1 client hello message that
the server does not care for.

What the heck am I doing wrong?

I'm certain that ldap.conf(5) must be updated in Debian
to no longer say:

       TLS_CIPHER_SUITE <cipher-suite-spec>
              Specifies  acceptable cipher suite and
              preference order.  <cipher-suite-spec> should
              be a cipher specification for OpenSSL,
              e.g., HIGH:MEDIUM:+SSLv2.

It would be cool if README.Debian had a small note about
this relatively debian-specific configuration. (which I'm
in favor of, don't get me wrong; that's just where I look
for help when I know there's a Debian-ism to deal with.)

After writing this up, I found #466477, which describes
a configuration TLSCipherSuite, which seems to be part of
slapd.conf, which I don't think I have, and asserts that
openldap "supports cipher priority strings", which it
doesn't appear to.   I checked upstream 2.4.13; it doesn't
appear to have anything better.

Listing the ciphers to support is not sufficient to get
gnutls to talk to servers like this one.

Thanks for your hard work.  I'd be happy to test a
pre-release if there's a patch for passing a priority
string to the gnutls library.  I could try to write one,
or better yet test one out, but I don't know that I
understand the problem enough to know someone else doesn't
have a different plan.

thanks,
-neil


-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                    2.7-16          GNU C Library: Shared libraries
ii  libgnutls26              2.4.2-4         the GNU TLS library - runtime libr
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Wed, 14 Jan 2009 14:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 14 Jan 2009 14:06:03 GMT) Full text and rfc822 format available.

Message #10 received at 510346@bugs.debian.org (full text, mbox):

From: Simon Josefsson <simon@josefsson.org>
To: 510346@bugs.debian.org, Neil Spring <nspring@gmail.com>
Subject: Re: new TLS_CIPHER_SUITE underdocumented
Date: Wed, 14 Jan 2009 15:03:32 +0100

You wrote:

> Please feel free to retitle; I don't know if this is a
> documentation problem or a feature problem.

It is a feature problem.

> I'm trying my absolute hardest to get libldap to talk
> ssl to ldaps://directory.umd.edu:636/ and haven't figured
> it out.

The server is buggy and refuses to talk with clients that

1) Mention support for TLS 1.1,
OR
2) Try to negotiate any extensions.

OpenSSL does not support TLS 1.1 (I think?), but you can reproduce 2)
with OpenSSL by adding a servername:

jas@mocca:~$ openssl s_client -connect directory.umd.edu:636 -servername foo
CONNECTED(00000003)
19698:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
jas@mocca:~$ 

To talk with your server using GnuTLS, you will have to 

1) Disable TLS 1.1
2) Disable OpenPGP (it sends an extension)
3) Disable server name extension

For example:

jas@mocca:~$ gnutls-cli -p 636 directory.umd.edu --priority 'NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP' --disable-extensions

> However, after putting that string into TLS_CIPHER_SUITE

Your mistake is that you assume that OpenLDAP passes the
TLS_CIPHER_SUITE string to GnuTLS' priority string functions.  Alas, it
doesn't.  Thus, your problem is a feature request really, for OpenLDAP
to support GnuTLS priority strings.

You could experiment with a patch like this to see if you manage to
connect to the server:

--- tls.c.orig	2009-01-14 14:54:33.000000000 +0100
+++ tls.c	2009-01-14 14:56:55.000000000 +0100
@@ -255,6 +255,9 @@
 		gnutls_cipher_set_priority( session->session, ctx->cipher_list );
 		gnutls_mac_set_priority( session->session, ctx->mac_list );
 	}
+
+	gnutls_priority_set_direct( session->session, "NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP", NULL);
+
 	if ( ctx->cred )
 		gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, ctx->cred );
 	
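Review bot: the added gnutls_priority_set_direct() call discards its return value and passes NULL as the error-position argument, so a priority string that GnuTLS rejects fails silently; compare the result with GNUTLS_E_SUCCESS and pass a const char * for the error position so the failure can be logged. The call also sits after the closing brace of the preceding block and runs unconditionally with a hard-coded string, following the gnutls_cipher_set_priority() and gnutls_mac_set_priority() calls in the context lines, so it overrides the lists taken from ctx; beyond the connection experiment described here, the string should come from configuration rather than a literal.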

A proper fix requires co-ordination with the OpenLDAP people.  Either
they 1) remove all strange code for parsing ciphers for GnuTLS and only
use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
they introduce a new configuration keyword TLS_PRIORITY that is sent
to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
priority strings, so I would recommend 1).  And improve the
documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
manual in the OpenLDAP documentation.

/Simon




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Wed, 14 Jan 2009 16:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 14 Jan 2009 16:09:03 GMT) Full text and rfc822 format available.

Message #15 received at 510346@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Simon Josefsson <simon@josefsson.org>, 510346@bugs.debian.org, Neil Spring <nspring@gmail.com>
Subject: Re: [Pkg-openldap-devel] Bug#510346: new TLS_CIPHER_SUITE underdocumented
Date: Wed, 14 Jan 2009 08:07:12 -0800

--On Wednesday, January 14, 2009 3:03 PM +0100 Simon Josefsson <simon@josefsson.org> wrote:

> A proper fix requires co-ordination with the OpenLDAP people.  Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1).  And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.


Filed upstream:

<http://www.openldap.org/its/index.cgi/?findid=5887>

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Thu, 15 Jan 2009 03:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 15 Jan 2009 03:54:03 GMT) Full text and rfc822 format available.

Message #20 received at 510346@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Simon Josefsson <simon@josefsson.org>, 510346@bugs.debian.org
Cc: Neil Spring <nspring@gmail.com>
Subject: Re: [Pkg-openldap-devel] Bug#510346: new TLS_CIPHER_SUITE underdocumented
Date: Wed, 14 Jan 2009 19:52:12 -0800

Hi Simon,

On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:

> > However, after putting that string into TLS_CIPHER_SUITE

> Your mistake is that you assume that OpenLDAP passes the
> TLS_CIPHER_SUITE string to GnuTLS' priority string functions.  Alas, it
> doesn't.  Thus, your problem is a feature request really, for OpenLDAP
> to support GnuTLS priority strings.

> A proper fix requires co-ordination with the OpenLDAP people.  Either
> they 1) remove all strange code for parsing ciphers for GnuTLS and only
> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
> they introduce a new configuration keyword TLS_PRIORITY that is sent
> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
> priority strings, so I would recommend 1).  And improve the
> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
> manual in the OpenLDAP documentation.

Hmm, does this mean Debian bug #464625 is fixed?  The syntax you're
describing certainly includes a lot more overlap with OpenSSL syntax than
what I recall from the last time this came up, but perhaps the compatibility
isn't good enough that we would want to revert the changes from bug #462588
if openldap were patched to call gnutls_priority_set_direct()?

I would have been happy to pursue this sooner if I had known this might be
an option, but bug #464625 has seen no activity since May.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Thu, 15 Jan 2009 08:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 15 Jan 2009 08:00:02 GMT) Full text and rfc822 format available.

Message #25 received at 510346@bugs.debian.org (full text, mbox):

From: Simon Josefsson <simon@josefsson.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 510346@bugs.debian.org, Neil Spring <nspring@gmail.com>
Subject: Re: [Pkg-openldap-devel] Bug#510346: new TLS_CIPHER_SUITE underdocumented
Date: Thu, 15 Jan 2009 08:59:03 +0100

Steve Langasek <vorlon@debian.org> writes:

> Hi Simon,
>
> On Wed, Jan 14, 2009 at 03:03:32PM +0100, Simon Josefsson wrote:
>
>> > However, after putting that string into TLS_CIPHER_SUITE
>
>> Your mistake is that you assume that OpenLDAP passes the
>> TLS_CIPHER_SUITE string to GnuTLS' priority string functions.  Alas, it
>> doesn't.  Thus, your problem is a feature request really, for OpenLDAP
>> to support GnuTLS priority strings.
>
>> A proper fix requires co-ordination with the OpenLDAP people.  Either
>> they 1) remove all strange code for parsing ciphers for GnuTLS and only
>> use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
>> they introduce a new configuration keyword TLS_PRIORITY that is sent
>> to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
>> OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
>> priority strings, so I would recommend 1).  And improve the
>> documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
>> manual in the OpenLDAP documentation.
>
> Hmm, does this mean Debian bug #464625 is fixed?

Alas, no.  The syntax is still different.

> The syntax you're describing certainly includes a lot more overlap
> with OpenSSL syntax than what I recall from the last time this came
> up, but perhaps the compatibility isn't good enough that we would want
> to revert the changes from bug #462588 if openldap were patched to
> call gnutls_priority_set_direct()?

That bug seems to fix several issues, so I'm not sure what you refer to.

> I would have been happy to pursue this sooner if I had known this might be
> an option, but bug #464625 has seen no activity since May.

To avoid configuration file compatibility, maybe there should be a new
keyword GNUTLS_CIPHER_SUITE instead that is documented to only be for
gnutls priority strings, and let TLS_CIPHER_SUITE be documented for only
OpenSSL strings.  If openldap is linked with GnuTLS, it would refuse to
start if TLS_CIPHER_SUITE is defined, and vice versa.  But maybe this
just complicates the issue further..

I guess the simplest is to let TLS_CIPHER_SUITE result in calling
gnutls_priority_* on the string, and document that the syntax of that
configuration keyword depends on whether you use GnuTLS or OpenSSL.

/Simon
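
Added example, not part of the thread and not OpenLDAP or Debian code: a POSIX shell audit for the situation discussed above, where the syntax accepted in TLS_CIPHER_SUITE depends on whether libldap is linked against GnuTLS or OpenSSL. The function names, verdict labels, keyword heuristics and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed inputs, heuristic classification (assumptions).

# tls_backend: read `ldd <libldap>` output on stdin, report the TLS library.
tls_backend() {
    awk '/libgnutls/ { g = 1 }
         /libssl/    { o = 1 }
         END { if (g && o) print "both"
               else if (g) print "gnutls"
               else if (o) print "openssl"
               else print "unknown" }'
}

# cipher_suite_from_conf: read ldap.conf text on stdin and print the
# TLS_CIPHER_SUITE value. Option names are case-insensitive and lines that
# begin with '#' are comments. Assumption: if the option is repeated, the
# last occurrence is the one reported.
cipher_suite_from_conf() {
    awk 'toupper($1) == "TLS_CIPHER_SUITE" { v = $2 }
         END { if (v != "") print v }'
}

# suite_syntax: guess which library's syntax a value is written in.
# Runs in a subshell so the IFS and globbing changes stay local.
suite_syntax() (
    g=0; o=0; n=0
    IFS=:; set -f
    for tok in $1; do
        tok=${tok#[-+!]}            # drop one leading modifier: - + or !
        case $tok in
            NORMAL|PERFORMANCE|SECURE128|SECURE256|NONE|VERS-*|CTYPE-*|COMP-*|SIGN-*) g=1 ;;
            HIGH|MEDIUM|LOW|DEFAULT|ALL|aNULL|eNULL|SSLv2|SSLv3|TLSv1) o=1 ;;
            TLS_*) n=1 ;;           # names as printed by gnutls-cli --list
        esac
    done
    case $g$o$n in
        100|101) echo gnutls-priority ;;
        010)     echo openssl ;;
        001)     echo gnutls-suite-names ;;
        000)     echo unknown ;;
        *)       echo mixed ;;
    esac
)

# audit: $1 = backend, $2 = TLS_CIPHER_SUITE value.
#   mismatch        value is written for the other TLS library
#   priority-string GnuTLS priority string; the libldap 2.4.11-1 in this
#                   report rejects it ("could not set cipher list")
#   suite-names     accepted in the report, but it did not change the
#                   protocol version offered in the client hello
audit() {
    case "$1/$(suite_syntax "$2")" in
        gnutls/openssl|openssl/gnutls-*) echo mismatch ;;
        gnutls/gnutls-priority)          echo priority-string ;;
        gnutls/gnutls-suite-names)       echo suite-names ;;
        openssl/openssl)                 echo ok ;;
        *)                               echo unknown ;;
    esac
}

# Constructed samples (not captured from a real host).
SAMPLE_LDD='	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f0000000000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f0000100000)'
SAMPLE_CONF='# constructed ldap.conf
tls_cipher_suite NORMAL:!VERS-TLS1.1:!VERS-TLS1.0'

backend=$(printf '%s\n' "$SAMPLE_LDD" | tls_backend)
value=$(printf '%s\n' "$SAMPLE_CONF" | cipher_suite_from_conf)
echo "backend=$backend value=$value verdict=$(audit "$backend" "$value")"
```

On a real host, feed the functions `ldd` output for the installed libldap shared object and the contents of ldap.conf in place of the constructed samples.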




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#510346; Package libldap-2.4-2. (Thu, 15 Apr 2010 07:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Marschall <peter@adpm.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 15 Apr 2010 07:48:04 GMT) Full text and rfc822 format available.

Message #30 received at 510346@bugs.debian.org (full text, mbox):

From: Peter Marschall <peter@adpm.de>
To: Debian Bug Tracking System <510346@bugs.debian.org>
Subject: libldap-2.4-2: ldap.conf(5) man page update patch
Date: Thu, 15 Apr 2010 09:26:13 +0200

[Message part 1 (text/plain, inline)]
Package: libldap-2.4-2
Version: 2.4.21-0pm1
Severity: normal

Hi,

I wrote a small patch for the ldap.conf(5) man page.
Please find it attached.

Best regards
Peter


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                     2.10.2-6       Embedded GNU C Library: Shared lib
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libsasl2-2                2.1.23.dfsg1-5 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information
[openldap-2.4.21-ldap.conf_TLS_CIPHER_SUITE.patch (text/plain, attachment)]

Added tag(s) patch. Request was from Peter Marschall <peter@adpm.de> to control@bugs.debian.org. (Thu, 15 Apr 2010 15:48:07 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://www.openldap.org/its/index.cgi?selectid=6525'. Request was from Peter Marschall <peter@adpm.de> to control@bugs.debian.org. (Sat, 17 Apr 2010 13:03:09 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from matthijs@alioth.debian.org to control@bugs.debian.org. (Sat, 17 Apr 2010 20:18:03 GMT) Full text and rfc822 format available.

Reply sent to Matthijs Mohlmann <matthijs@cacholong.nl>:
You have taken responsibility. (Fri, 23 Apr 2010 19:36:25 GMT) Full text and rfc822 format available.

Notification sent to Neil Spring <nspring@gmail.com>:
Bug acknowledged by developer. (Fri, 23 Apr 2010 19:36:26 GMT) Full text and rfc822 format available.

Message #41 received at 510346-close@bugs.debian.org (full text, mbox):

From: Matthijs Mohlmann <matthijs@cacholong.nl>
To: 510346-close@bugs.debian.org
Subject: Bug#510346: fixed in openldap 2.4.21-1
Date: Fri, 23 Apr 2010 19:32:27 +0000

Source: openldap
Source-Version: 2.4.21-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.21-1_amd64.deb
  to main/o/openldap/ldap-utils_2.4.21-1_amd64.deb
libldap-2.4-2-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.21-1_amd64.deb
libldap-2.4-2_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2_2.4.21-1_amd64.deb
libldap2-dev_2.4.21-1_amd64.deb
  to main/o/openldap/libldap2-dev_2.4.21-1_amd64.deb
openldap_2.4.21-1.diff.gz
  to main/o/openldap/openldap_2.4.21-1.diff.gz
openldap_2.4.21-1.dsc
  to main/o/openldap/openldap_2.4.21-1.dsc
openldap_2.4.21.orig.tar.gz
  to main/o/openldap/openldap_2.4.21.orig.tar.gz
slapd-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-dbg_2.4.21-1_amd64.deb
slapd-smbk5pwd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-smbk5pwd_2.4.21-1_amd64.deb
slapd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd_2.4.21-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <matthijs@cacholong.nl> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Apr 2010 23:40:30 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.21-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Matthijs Mohlmann <matthijs@cacholong.nl>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 226090 231950 385898 443073 452834 465024 490930 502769 504728 510346 518657 518660 528695 549291 549642 553432 561144 563113 564686 575900
Changes: 
 openldap (2.4.21-1) unstable; urgency=low
 .
   [ Steve Langasek ]
   * New upstream version
     (Closes: #561144, #465024, #502769, #528695, #564686, #504728)
   * Add upstream manpage for ldapexop; thanks to Peter Marschall
     <peter@adpm.de>.  Closes: #549291.
 .
   [ Matthijs Mohlmann ]
   * Ack NMU (Closes: #553432)
   * Update Standards-Version to 3.8.4
   * Fix NEWS entry to have the correct version number
   * Improve the wording for the slapd/invalid_config question (Closes: #452834)
   * Make lintian a bit more happy (Closes: #518660)
   * Fix bashism (Closes: #518657)
   * Refresh all patches
   * Add patch from upstream (Closes: #549642)
   * Reworked the configure.options a bit to include some more options
   * Enable dynamic acls
   * Use slappasswd to create a secure password (Closes: #490930)
   * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950)
   * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113)
   * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346)
   * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073)
   * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900)
   * Add lsb logging, used patch from David Härdeman (Closes: #385898)
   * Use dh_lintian to install the lintian-overrides
   * Added critical error report when slapcat fails (Closes: #226090)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvR0A8ACgkQ2n1ROIkXqbD9mwCfVfQZsFs1fD1KT6TNATFYPt0Y
J2AAn3C9sNji1k3++RVWCFvIDxx6czgd
=TThi
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 May 2011 07:36:38 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:24:20 2014; Machine Name: buxtehude.debian.org
