+userdir-ldap (0.3.XX) Xnstable; urgency=low
+
+ * Role accounts may have dnsZoneEntry attributes.
+ * ud-generate: and export dns zones to the zonefile for roleaccounts.
+ * Remove a lie from welcome-message-60000 - not that it's the only one.
+ * Apply patch to welcome-message-800 provided by Sandro Tosi:
+ - some machines/services have been renamed
+ - point to http://wiki.debian.org/MigrateToDDAccount
+ * More tweaks on welcome-message-800.
+
+ -- Peter Palfrader <weasel@debian.org> Wed, 07 Jan 2009 17:12:58 +0100
+
+userdir-ldap (0.3.58) unstable; urgency=low
+
+ * ud-info: Fix regression from r493: When we log in as admin user and modify
+ another user we got shown that other user but all changes would be made
+ against our own record.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 19 Dec 2008 09:25:20 +0100
+
+userdir-ldap (0.3.57) unstable; urgency=low
+
+ * In ud-mailgate use an empty envelope from when sending error messages.
+
+ -- Peter Palfrader <weasel@debian.org> Thu, 18 Dec 2008 10:03:35 +0100
+
+userdir-ldap (0.3.56) unstable; urgency=low
+
+ * There is a deadlock situation when ud-mailgate gets a mail claiming
+ to be from itself:
+ - ud-mailgate opens and locks the replay cache
+ - verification of the mail fails for whatever reason
+ - a reply is sent (to itself)
+ - exim tries to deliver the mail by directly calling ud-mailgate
+ - ud-mailgate tries to acquire the lock -> deadlock
+ Fix this by changing when we open the replay cache, and unlock it
+ as soon as we are done.
+
+ -- Peter Palfrader <weasel@debian.org> Wed, 17 Dec 2008 12:54:10 +0100
+
+userdir-ldap (0.3.55) unstable; urgency=low
+
+ [ Joey Schulze ]
+ * Adjust boolean value detection code to use upper case letters in the
+ end. Enable it for all three boolean attributes. Widen tabular
+ display by one character so the description fits again.
+ [ Martin Zobel-Helas ]
+ * Copy new mailSpamOptOut to debianDeveloper accounts as well
+
+ -- Joey Schulze <joey@infodrom.org> Sun, 14 Dec 2008 02:55:41 +0100
+
+userdir-ldap (0.3.54) unstable; urgency=low
+
+ [ Martin Zobel-Helas ]
+ * Add new attribute mailSpamOptOut to turn on/off spam filtering
+ entirely.
+ [ Joey Schulze ]
+ * Add support for this attribute in ud-info taking into account that
+ only boolean values are acceptable.
+ [ Thomas Viehmann ]
+ * ud-generate: Add IPv6 addresses to debianhosts.
+ * ud-info, userdir_ldap.py: remove function getpass and use the one
+ from python standard library getpass.
+
+ -- Martin Zobel-Helas <zobel@debian.org> Sun, 14 Dec 2008 02:22:55 +0100
+
+userdir-ldap (0.3.53) unstable; urgency=low
+
+ * Properly show shadowlastchange and mail disabled message when
+ locking an account, but not disabling email. It was written to
+ ldap correctly, but we updated the data to display wrongly.
+ * Fix formatting of PGP fingerprints - the double space was always
+ one element too early.
+ * Do not call FinishConfirmSudopassword if we already decided to
+ not commit this change mail because of parse errors.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 08 Dec 2008 11:39:54 +0100
+
+userdir-ldap (0.3.52) unstable; urgency=low
+
+ * Remove cruft comment.
+ * Fix group does not exist warning (layout/spacing issues).
+ * call addGroups with the proper number of arguments, when doing so
+ recursively.
+ * Also do the subgroups/transitive stuff dance when considering
+ if a user is in a group for exporting them to a host in the
+ first place.
+
+ -- Peter Palfrader <weasel@debian.org> Sun, 23 Nov 2008 22:09:07 +0100
+
+userdir-ldap (0.3.51) unstable; urgency=low
+
+ * Update template/welcome-message-800 to match the actual template used
+ on db.debian.org.
+ * Add subgroup support: A group can now have subgroups. This means
+ that if a user is a member of a group he also becomes a member of
+ all its subgroups. E.g. members of a wb-all group will automatically
+ be members of wb-i386, wb-arm, wb-mips, etc. [Luk Claes]
+ * Extend that support so that subgroups work on a per host basis too,
+ so that for instance the debbugs group can be in group
+ maillog@rietz.debian.org.
+ * Add hostnames from the host purpose field to the ssh_known_hosts
+ file [Thomas Viehmann].
+
+ -- Peter Palfrader <weasel@debian.org> Sun, 23 Nov 2008 21:22:58 +0100
+
+userdir-ldap (0.3.50) unstable; urgency=low
+
+ * ud-generate: Support $gid@$host supplementary group entries for users.
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 15 Nov 2008 11:20:09 +0100
+
+userdir-ldap (0.3.49) unstable; urgency=low
+
+ * ud-replicate: Only link ssh-rsa-shadow to var/lib/misc/$host and etc/ssh
+ if it exists. Else remove the symlink.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 14 Nov 2008 23:14:58 +0100
+
+userdir-ldap (0.3.48) unstable; urgency=low
+
+ * ud-generate: Remove support for single ssh key shadow file.
+ * ud-generate: Make ssh key tarballs the default.
+ * ud-generate: Move ssh tarball generation into its own function.
+ Currently it's part of the main loop.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 14 Nov 2008 23:04:21 +0100
+
+userdir-ldap (0.3.47) unstable; urgency=low
+
+ * Fix a typo on ud-mailgate.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 14 Nov 2008 20:40:19 +0100
+
+userdir-ldap (0.3.46) unstable; urgency=low
+
+ * Change the hmac that protect sudopassword entries to also
+ hash the purpose ("sudo") and the owning user's uid into
+ the mac.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 14 Nov 2008 20:27:38 +0100
+
+userdir-ldap (0.3.45) unstable; urgency=low
+
+ * ud-generate: Declare [UNTRSUTED] flag as obsolete.
+ * ud-generate: Add [NOMARKERS] flag to not push markers (gps coordinates) to host.
+ * ud-replicate: Use --delete-after with rsync. Previously we didn't delete
+ stuff ever.
+ * ud-replicate: Sync only ssh_known_hosts into chroots, not ssh*.
+ * ud-replicate: Clean up better, correcting some mistakes done by earlier
+ versions.
+
+ -- Peter Palfrader <weasel@debian.org> Sun, 26 Oct 2008 22:31:46 +0100
+
+userdir-ldap (0.3.44) unstable; urgency=low
+
+ * ud-mailgate: Do not support del requests for sshDSAAuthKey - there is no
+ such attribute.
+ * ud-generate: do not export sudopassword to untrusted or nopasswd hosts,
+ unless the password is explicitly added for this host and not just for '*'.
+
+ -- Peter Palfrader <weasel@debian.org> Fri, 03 Oct 2008 13:23:22 +0200
+
+userdir-ldap (0.3.43) unstable; urgency=low
+
+ * FQHNs sometimes, well always, include dots.
+
+ -- Peter Palfrader <weasel@debian.org> Tue, 16 Sep 2008 15:07:21 +0200
+
+userdir-ldap (0.3.42) unstable; urgency=low
+
+ * Export all accounts into sudo-passwd, even if they
+ do not have a sudo password set. Set their password to '*' then.
+ etc/pam.d/sudo should look like this then:
+ auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
+ auth required pam_unix.so nullok_secure try_first_pass
+ @include common-account
+
+ -- Peter Palfrader <weasel@debian.org> Tue, 16 Sep 2008 14:30:41 +0200
+
+userdir-ldap (0.3.41) unstable; urgency=low
+
+ * ud-generate: lower casing the sudopasswd ldap entry prior to parsing
+ and verifying it was a bad idea.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 15 Sep 2008 19:26:14 +0200
+
+userdir-ldap (0.3.40) unstable; urgency=low
+
+ * Reading the hmac key only once is too troublesome.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 15 Sep 2008 01:12:23 +0200
+
+userdir-ldap (0.3.39) unstable; urgency=low
+
+ * Lowercasing hashed sudo passwords in ud-mailgate not considered smart.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 15 Sep 2008 00:40:13 +0200
+
+userdir-ldap (0.3.38) unstable; urgency=low
+
+ * Fix order of some calls so stuff works again.
+ * And import pwd and os and the hmac crowed in userdir_ldap.py.
+ * Using the right variable name will also help.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 15 Sep 2008 00:18:37 +0200
+
+userdir-ldap (0.3.37) unstable; urgency=low
+
+ * ud-mailgate: Do not commit any changes if one of the requests is invalid
+ or could not be parsed or caused an error or anything.
+ * Add sudoPassword to schema, and the slapd.conf/ACL snippet
+ A sudoPassword entry in LDAP has the form of
+ "<uuid> unconfirmed <hostlist> <cryptedpassword>", or
+ "<uuid> confirmed:<hmac_sha1("password-is-confirmed:<uuid>:<hosts>:<cryptedpass>")> <hostlist> <cryptedpassword>"
+ * ud-mailgate: Implement confirmation of sudoPassword field:
+ A confirmationation is of the form
+ "confirm sudopassword <uuid> <hostlist> <hmac_sha1("confirm-new-password:<uuid>:<hosts>:<cryptedpass>")>"
+ * ud-generate: generate a sudo passwd file
+
+ -- Peter Palfrader <weasel@debian.org> Sun, 14 Sep 2008 23:45:36 +0200
+
+userdir-ldap (0.3.36) unstable; urgency=low
+
+ * Aha. Error is not some magic variable or exception, it's a
+ normal string that needs defining when we use it.
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 19 Jul 2008 21:35:39 +0200
+
+userdir-ldap (0.3.35) unstable; urgency=low
+
+ * Check if a key has encryption capabilities and fail saying so when
+ trying to encrypt stuff (like passwords) to users. All this does is
+ give nicer error messages, it previously failed with just "gpg failed".
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 19 Jul 2008 16:17:13 +0200
+
+userdir-ldap (0.3.34) unstable; urgency=low
+
+ * ud-info: fix changing of DD status/DD status comment -
+ we were missing prompt information so we got a backtrace.
+ * ud-info: Warn when we don't have a prompt string for
+ attributes on startup.
+ * ud-info: Change the "retired" status to "inactive".
+ inactive covers memorial, removed, expelled more clearly.
+ * userdir_gpg.py
+ - do not use SIGEXPIRED, it's deprecated
+ - use EXPKEYSIG to tell if a signature is made by an expired key.
+ - Check that the primary key is not expired, even if we get a
+ GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse.
+
+ -- Peter Palfrader <weasel@debian.org> Tue, 08 Jul 2008 14:33:08 +0200
+
userdir-ldap (0.3.33) unstable; urgency=low
* add "security simple_bind=128" to sample slapd.conf.