+ [ Peter Palfrader ]
+ * some ud-echelon fixes,
+ * userdir_gpg.py: GetClearSig: add lax_multipart to deal
+ with random multipart mails.
+ * naming your variable like a module is unsmart.
+ * ud-generate:
+ - filter on shadowAccount.
+ - fix breaking old ud-generate locks.
+ * ud-mailgate: only run ldapmodfiy if we actually have attributes to modify.
+ * ud-replicate:
+ - do not hard-code 'debian.org' in the 'write-zonefile debian.org' call,
+ but instead re-use the domain from email-append.
+ - now preserve server side modifcation times when rsyncing data.
+ * userdir_ldap.py: read auth password from environment if set.
+ * Introduce BaseBaseDN which is the real base dn. BaseDN itself
+ has historically been used as the root of the user tree.
+ * Allow a set of users to be ignored for picking UIDs.
+ * When picking uid/gid numbers try to pick the same number for both.
+ * Merge from torproject.org:
+ - Allow sshRSAAuthKey for role accounts.
+ - Support ssh key attributes for gitolite export.
+ - Add ssh-gitolite support.
+ * debianGroups may have cn attribute (helpful when putting samba stuff into
+ ldap).
+ * ud-mailgate: Do not try to do an ldap modify with no changes - now show
+ command to changes@ should work again.
+ * ud-generate: No longer expand $ in dnsZoneEntry data to a \n\t.
+ * ud-generate: Move code into getLastBuildTime() and getLastLDAPChangeTime()
+ functions.
+ * ud-generate: Add -f option to build even if cache is current.
+ * ud-generate: Move main code into a ud_generate()
+ * ud-generate: speed improvements:
+ - cut down on calls to IsInGroup by doing it once in generate_host()
+ and not having the individual generators run it.
+ o side effect: Up until now we exported empty groups to a host, if
+ that group had a user with that group as their primary group - even
+ if that particular user was not exported to this this. No we no
+ longer export empty groups.
+ - speed up ssh tarball generation: No longer write indidividual user's ssh
+ authorized_keys to disk, only to read them later. Directly create a
+ TarInfo object without referring to any on-disk files.
+ - get rid of global state variable CurrentHost. This will enable upcoming
+ changes.
+ - UDLdap.py: make a cache for __getitem__() decisions.
+ - wrap cdbmake calls in eatmydata. Nothing else does any fsync stuff,
+ so doing it here just costs a lot.
+ * ud-generate: Use a flock() lock instead of python's lockfile class.
+ * ud-generate: The ssh authorized_keys file for the sshdist user now wraps
+ the rsync call in an flock wrapper that acquires a shared lock on
+ ud-generate's lock. This prevents syncing while ud-generate runs.
+ * ud-lock: support supplying a status to set instead of 'retiring'.
+ * ud-generate: Also rebuild if one of our keyrings has changed, even if
+ ldap has not.
+
+ [ Stephen Gran ]
+ * Fix deprecation warnings for sha module by using hashlib module instead
+ * ud-fingerserv: update Net::LDAP import
+ * Implement audit logging for ldap
+ * stop running ud-generate if nothing has changed, based on audit logs
+
+ [ Martin Zobel-Helas ]
+ * ud-generate: generate webPasswords
+ * ud-replicate: set correct permissions for web-passwords
+ * add freecdb to depends
+ * userdir-ldap.schema
+ - add webPasswords
+ - add mailPreserveSuffixSeperator
+
+ [ Peter Palfrader ]
+ * userdir-ldap-slapd.conf.in: explicitly list readable attributes.
+ End with 'by * none'.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 14 May 2012 18:45:07 +0200
+
+userdir-ldap (0.3.79) unstable; urgency=low
+
+ * Add ud-sync-accounts-to-afs, a script to sync accounts to an
+ AFS protection database.
+ * ud-generate:
+ - support host ACLs that expire.
+ - lock output directory when generating.
+ - support sync keyring dirs now too.
+ * ud-useradd: A new -g switch for adding guest accounts, with
+ proper setting hostacls and shadowexpire and picking the
+ right keyring.
+ * Remove .pgp (v3 pgp key) keyrings from config.
+ * Update guest welcome template.
+ * ud-gpgimport: handle guest keyrings.
+ * ud-mailgate:
+ - Make updating of gender actually work.
+ - Do not mess with sudo passwords if nothing changed.
+ * templates/change-reply: say a word about subjects in mail to admin@db.
+ * move gpgwrapper to unmaintained/ - it is now using obsolete interfaces.
+ * try to properly handle some more mime stuff.
+ - use email module instead of deprecated mimetools and multifile modules
+ - changes: sigcheck ud-echelon ud-mailgate userdir_gpg.py
+ * move ud-echelon and sigcheck to GPGCheckSig2 interface.
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 21 May 2011 14:53:18 +0200
+
+userdir-ldap (0.3.78) unstable; urgency=low
+
+ * Start refactoring ud-generate:
+ - If environment variables UD_CREDENTIALS, UD_GENERATEDIR, UD_HMAC_KEY
+ are set, use their respective value instead of the default. This
+ makes it possible to run ud-generate as a non-privileged user for
+ testing purposes.
+ - Start wrapping ldap search results in classes. For now we have done
+ this with just an ldap account.
+ - Also got rid of the global PasswdAttrs variable. Now functions
+ get the account list (now a list of Account classes instead of
+ ldap result array of tuples of hashes) passed to them like well-behaved
+ functions.
+ * userdir-ldap-slapd.conf: Fix ACL rule for keyring maintainers
+ (we want group=..., not dn=...).
+ * Add ud-krb-reset, and make ud-mailgate call it when
+ receiving a mail at chpasswd@ saying
+ 'Please change my Kerberos password'.
+ * ud-generate: Add an extra output file called all-users.json that
+ can be used on one of the AFS hosts to create afs users.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 13 Sep 2010 19:08:34 +0200
+
+userdir-ldap (0.3.77) unstable; urgency=low
+
+ [ Peter Palfrader ]