From 552a762a58f011ad56da11f9409c59b2ae2f8d42 Mon Sep 17 00:00:00 2001 
From: Valera V Harseko Date: Fri, 26 Jun 2026 20:19:25 +0300 Subject: [PATCH 1/5] Modernize Debian and RPM packaging (systemd, dedicated user, CI tests) Bring the opendj-deb/opendj-rpm packages up to current Linux packaging practice. The packaging had drifted from the ForgeRock era: jdeb 1.3 (2016), SysV-init only with direct update-rc.d/chkconfig calls, no Standards-Version, a 2015 changelog, and the server running as root. Service management: - Ship a native systemd unit (resources/systemd/opendj.service, Type=simple, start-ds --nodetach), kept alongside the SysV init script as a fallback for non-systemd hosts. - Register/enable/start via deb-systemd-helper / systemctl with an update-rc.d / chkconfig fallback; stop the service on removal. Dedicated service account: - Create an "opendj" system user/group and chown /opt/opendj to it; this also migrates previously root-owned installs on upgrade. - Run start-ds/stop-ds/upgrade as "opendj" from systemd, the maintainer scripts, and the SysV init script (new run_as helper, falls back to the current user when the account is absent). Build tooling and metadata: - jdeb 1.3 -> 1.14; ship the systemd unit from both deb and rpm. - control: add Standards-Version 4.7.3, Section net, a Debian revision in Version, Pre-Depends: adduser, and a newest-first JRE fallback list (default-jre-headless | ... | java25 | java21 | java17 | java11). - rpm: add Requires java-headless >= 1:11 and Requires(pre) shadow-utils. - Maintainer scripts hardened: set -e, fix invalid "exit -1", /var/run -> /run, idempotent guards. Changelog: - Generate the deb and rpm changelogs from the GitHub Releases via a new release-time helper (resources/generate-changelog.sh); committed output keeps the Maven build offline and reproducible. 
CI: - Add test-deb and test-rpm jobs (needs: build-maven) that install the built package, assert the opendj user and ownership, run setup, and start/stop the service (systemd on the runner; SysV in a Rocky Linux 9 container) with an ldapsearch liveness check. --- .github/workflows/build.yml | 95 +++ .../opendj-deb/opendj-deb-standard/pom.xml | 2 + opendj-packages/opendj-deb/pom.xml | 16 +- .../opendj-deb/resources/changelog | 748 +++++++++++++++++- .../opendj-deb/resources/control/control | 8 +- .../opendj-deb/resources/control/postinst | 82 +- .../opendj-deb/resources/control/postrm | 26 +- .../opendj-deb/resources/control/preinst | 19 +- .../opendj-deb/resources/control/prerm | 25 +- .../opendj-rpm/opendj-rpm-standard/pom.xml | 2 + opendj-packages/opendj-rpm/pom.xml | 21 +- .../opendj-rpm/resources/changelog | 498 +++++++++++- .../opendj-rpm/resources/specs/postinstall.sh | 73 +- .../resources/specs/postuninstall.sh | 13 +- .../opendj-rpm/resources/specs/preinstall.sh | 22 +- .../resources/specs/preuninstall.sh | 29 +- .../resources/generate-changelog.sh | 142 ++++ .../resources/systemd/opendj.service | 36 + opendj-packages/resources/sysv/opendj | 23 +- 19 files changed, 1721 insertions(+), 159 deletions(-) create mode 100755 opendj-packages/resources/generate-changelog.sh create mode 100644 opendj-packages/resources/systemd/opendj.service diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 58927fe9e8..0501537943 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -441,3 +441,98 @@ jobs: timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" test_custom | grep -q \"healthy\"; do sleep 10; done' docker exec test_custom 'sh' '-c' '/opt/opendj/bin/ldapsearch --hostname localhost --port 1636 --bindDN "cn=Directory Manager" --bindPassword custom_password --useSsl --trustAll --baseDN "dc=example,dc=com" --searchScope base "(objectClass=*)" 1.1' docker kill test_custom + + test-deb: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Locate .deb + shell: bash + run: | + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) + echo "DEB=$PWD/$DEB" >> "$GITHUB_ENV" + echo "Found $DEB" + - name: Lint and inspect + shell: bash + run: | + sudo apt-get update + sudo apt-get install -y lintian + lintian --info --no-tag-display-limit "$DEB" || true + dpkg-deb -I "$DEB" + dpkg-deb -c "$DEB" | grep -E 'lib/systemd/system/opendj\.service|etc/init\.d/opendj' + systemd-analyze verify opendj-packages/resources/systemd/opendj.service || true + sh -n opendj-packages/resources/sysv/opendj + - name: Install + shell: bash + run: | + sudo apt-get install -y "$DEB" + getent passwd opendj + test "$(stat -c '%U' /opt/opendj)" = opendj + - name: Setup OpenDJ (configured, not started) + shell: bash + run: | + sudo runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + - name: Start via systemd and verify + shell: bash + run: | + sudo systemctl enable --now opendj + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + 
sleep 3 + done + sudo systemctl is-active --quiet opendj + test "$OK" = 1 + echo "OpenDJ is active under systemd" + - name: Stop via systemd and verify + shell: bash + run: | + sudo systemctl stop opendj + sleep 3 + if sudo systemctl is-active --quiet opendj; then echo "still active"; exit 1; fi + echo "OpenDJ stopped" + - name: Purge + shell: bash + run: sudo apt-get purge -y opendj + + test-rpm: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Install and start/stop in Rocky Linux 9 + shell: bash + run: | + docker run --rm -v "$PWD:/work" -w /work rockylinux:9 bash -c ' + set -e + RPM=$(ls opendj-packages/opendj-rpm/opendj-rpm-standard/target/rpm/opendj/RPMS/noarch/*.rpm | head -1) + echo "Found $RPM" + dnf install -y java-21-openjdk-headless util-linux initscripts >/dev/null + dnf install -y "$RPM" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + /etc/init.d/opendj status + test "$OK" = 1 + /etc/init.d/opendj stop + rpm -e opendj + ' diff --git a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml index 6e2a7f18e4..ebb19445c9 100644 --- a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml +++ b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml 
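Review bot: Neither job checks that the server actually runs as the `opendj` account — both only assert ownership of /opt/opendj before start-ds, so a unit or init script that still launched the JVM as root would pass this gate unnoticed. After the liveness loop in test-deb add `test "$(ps -o user= -p "$(systemctl show -p MainPID --value opendj)")" = opendj`, and in the Rocky container, after `/etc/init.d/opendj status`, something like `pgrep -u opendj java >/dev/null` (add procps-ng to the `dnf install` line if the image lacks it). Secondary: `lintian … || true` and `systemd-analyze verify … || true` make both linters purely advisory; at least `lintian --fail-on error` would let packaging errors fail the job rather than scroll past in the log. The floating `rockylinux:9` tag and `actions/download-artifact@v8` are also unpinned inputs to the job; pinning by digest/commit SHA is the usual supply-chain hardening here.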
@@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -33,6 +34,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj + ${project.parent.parent.basedir}/resources/systemd/opendj.service ${product.name} ${product.name.lowercase} This OpenDJ package includes the Berkeley JE Backend and cannot be redistributed without a suitable license diff --git a/opendj-packages/opendj-deb/pom.xml b/opendj-packages/opendj-deb/pom.xml index c3a487e00c..5cba979d2d 100644 --- a/opendj-packages/opendj-deb/pom.xml +++ b/opendj-packages/opendj-deb/pom.xml @@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015-2016 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -146,7 +147,7 @@ org.vafer jdeb - 1.3 + 1.14 generate-deb-package @@ -158,7 +159,7 @@ ${project.build.directory}/${deb.product.name.lowercase}_${project.version}-${deb.release}_all.deb ${project.build.directory}/deb/control - + ${sysv.file.location} file @@ -169,6 +170,17 @@ + + + ${systemd.file.location} + file + + perm + /lib/systemd/system + 644 + + + ${basedir}/resources/copyright diff --git a/opendj-packages/opendj-deb/resources/changelog b/opendj-packages/opendj-deb/resources/changelog index c45ffce275..73b97032c2 100644 --- a/opendj-packages/opendj-deb/resources/changelog +++ b/opendj-packages/opendj-deb/resources/changelog 
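Review bot: The new jdeb data entry installs the unit to `/lib/systemd/system`; recent Debian and Ubuntu releases (DEP17 /usr-merge, and dh_installsystemd in current debhelper) place package units under `/usr/lib/systemd/system`, and shipping a file under the aliased `/lib` path may be flagged by the usr-merge checks, though on merged-/usr hosts both paths resolve to the same directory — worth confirming against the Standards-Version the commit targets. If the prefix is changed to `/usr/lib/systemd/system`, the CI assertion `dpkg-deb -c "$DEB" | grep -E 'lib/systemd/system/opendj\.service|…'` still matches since it is unanchored. The mapper sets `644` but no `user`/`group`; jdeb defaults those to root, which is what systemd expects, so that part looks fine.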
@@ -1,17 +1,747 @@ - opendj (3.0.0) unstable; urgency=low +opendj (5.1.1) unstable; urgency=medium - * init.d service script now generates and removes a lockfile. + * CVE-2026-46495 OpenDJ Unauthenticated RCE via Java Deserialization in JMX + RMI + * CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication + allows CPU exhaustion DoS + * [#648] slow DN.valueOf / AVA normalization for nested DN-syntax values + * chore: bump Bouncy Castle FIPS deps to latest 2.1.x patch releases + * Fix grizzly log level is always FINE + * Fix shell script issues in opendj-docker/run.sh + * Fix Windows CI: use ilammy/msvc-dev-cmd to set up MSVC env + * Add native access JVM flag for Bouncy Castle FIPS on newer Java releases + * Docker base DN entry creation opt-in and improves bootstrap LDIF loading + resilience + * Fix BasicRequestsTest.testReadSelectPartial for nesting-preserving field + projection + * Update org.openidentityplatform.commons to 3.1.1 + * Fix JMX RMI connector startup failure introduced by CVE-2026-46495 + hardening - -- ForgeRock Wed, 9 Dec 2015 16:24:00 +0100 + -- Open Identity Platform Community Thu, 11 Jun 2026 19:19:48 +0000 - opendj (3.0.0) unstable; urgency=low +opendj (5.1.0) unstable; urgency=medium - * Package is now build using maven. 
+ * [#72] Fix infinite loop in doStopApplication() on Windows service stop + * [#259] fix: retry loop for Windows Service start race condition (issue + #259) + * [#566] Fix AttributeValuePasswordValidator: inverted substring logic and + missing reversed-password substring check + * [#579] Fix ReferentialIntegrityPlugin silently bypassing check-references + on modify operations + * [#601] Fix server crash when File-Based Debug Logger is enabled + * Update build.yml add JDK 26 support + * Docs: set neutral version for the docs + * ci: add Windows service start/stop test to CI workflow + * CI: Build and upload Windows native executables (winlauncher, + opendj_service, launcher_administrator) + * fix: use 127.0.0.1 instead of localIP in LockdownModeTaskTestCase + * Filter branches to build workflow triggers (on push) + * Fix intermittent testMultiRS failure by doubling waitForStableGenerationId + timeout + * Fix race condition in ChangelogBackendTestCase flaky test + * Fix flaky testMultiRS: replace fixed sleep with deterministic domain-ready + wait + * increase replication connection timeout to fix Socket Timeout error on Mac + in integration test + * chore: bump GitHub Actions to latest major versions + * Fix snapshot version format + * Fix intermittent GenerationIdTest.testMultiRS race condition on RS-to-RS + topology + * [OpenIdentityPlatform/OpenAM#980] OpenDJ slim maven artifact + * Upgrade local Docker registry from registry:2 to registry:3 in CI + * status CLI: allow --hostname, --port, and --trustAll arguments + * Fix status CLI to accept --hostname, --port, and --trustAll arguments, and + add them to all status command invocations in build.yml + * Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add + CDDL headers + * Update commons.version to 3.1.0 - -- ForgeRock Tue, 10 Mar 2015 14:24:00 +0100 + -- Open Identity Platform Community Wed, 15 Apr 2026 08:40:44 +0000 - opendj (2.7.0) unstable; urgency=low +opendj (5.0.4) unstable; 
urgency=medium - * Added changelog to /usr/share/doc/opendj/ + * CVE-2025-24970 SslHandler doesn't correctly validate packets which can + lead to native crash when using native SSLEngine + * CVE‐2025‐12194 While the situation with the JVM garbage collector overrun + for Java 17 and Java 21 greatly improved with the changes in 2.1.1, we’ve + still had some reports that can only be related to the use of the disposal + daemon + * [#590] Fallback to $HOME/tmp dir as a temp if instance root is mounted as + noexec + * Bump logback to 1.5.32 + * Migrate to caffeine 3 + * Update commons.version from 3.0.2 to 3.0.4 + * Docs: fix short version in the upgrade guide - -- ForgeRock Thu, 22 Aug 2013 15:47:00 +0100 \ No newline at end of file + -- Open Identity Platform Community Mon, 23 Mar 2026 20:24:28 +0000 + +opendj (5.0.3) unstable; urgency=medium + + * CVE-2026-1225 Logback allows an attacker to instantiate classes already + present on the class path + * Fix three and more nodes replication process stuck error + * Update org.openidentityplatform.commons to 3.0.2 + * Docs: update supported Java version + + -- Open Identity Platform Community Wed, 04 Feb 2026 06:46:31 +0000 + +opendj (5.0.2) unstable; urgency=medium + + * [#575] FIX unable to install: UnsatisfiedLinkError: /tmp/bc-fips + * [#577] Windows upgrading with Upgrade.bat: an error with "" unexpected + * [#573] Added the SAMPLE_DATA Docker environment variable to generate + sample data during setup. 
+ + -- Open Identity Platform Community Tue, 25 Nov 2025 08:39:22 +0000 + +opendj (5.0.1) unstable; urgency=medium + + * Update target JDK to 11 and move to JakartaEE 9 + * Add support LTS JDK 25 + * Update base docker image Java version to 25 LTS + * CVE-2025-12194 Bouncy Castle Vulnerable to Uncontrolled Resource + Consumption + * CVE-2025-59250 JDBC Driver for SQL Server has improper input validation + issue + * CVE-2025-11226 logback-core is vulnerable to Arbitrary Code Execution + through file processing + * Switch from sun.security.x509 to Bouncy Castle API + * Update OpenDMK external library to fix SNMP monitoring + * Build & deploy: add branch sustaining/4.10.x + * Make GrizzlyLDAPListener close in a synchronous fasion to prevent test + race conditions + * [#141] Test large replication pending changes + * FIX bindFreePort Bind Unable to bind to a free port + * Fix unavailable monitoring attributes over JMX + * Bump org.openidentityplatform.commons to 3.0.1 + * Improve ReplicationDomainTest stability + + -- Open Identity Platform Community Sat, 08 Nov 2025 19:43:23 +0000 + +opendj (4.10.2) unstable; urgency=medium + + * CVE-2025-9092 CVE-2025-9340 CVE-2025-9341 Uncontrolled Resource + Consumption vulnerability + * [#545] Add GroupManager writeLock performance + * [#540] Fix OnDiskMergeImporter::PhaseOneWriteableTransaction: update over + put (referral attr) + * [#544] Add requires-admin-action component-restart for max-request-size + * Update Java minimum version number in the setup UI + * Update README.md: add backers and sponsors + * ISSUE_TEMPLATE: add "Vote to raise the priority" + * Bump commons.version 2.4.1 + + -- Open Identity Platform Community Thu, 04 Sep 2025 15:49:55 +0000 + +opendj (4.10.1) unstable; urgency=medium + + * [#529] FIX jdbc connection deadlock + * [#530] Fixed error when creating a backend for BASE_DN with OU in Docker + * Docker: Fix issues with quoting params + + -- Open Identity Platform Community Tue, 05 Aug 2025 16:47:18 +0000 
+ +opendj (4.10.0) unstable; urgency=medium + + * [#462] RFC5805 Lightweight Directory Access Protocol (LDAP) Transactions + * CVE-2025-49146 pgjdbc Client Allows Fallback to Insecure Authentication + Despite channelBinding=require Configuration + * Bump io.reactivex.rxjava to 3.x + * Bump various dependencies + * Bump commons to 2.2.5 + * Take Glassfish Grizzly version from commons + * Bump bc.fips to 2.1.x + * Bump commons.version 2.3.0 + * Deploy: migrating from Legacy OSSRH to Central Portal + * Fix OSGI bundle excluded package error for rxjava3 + * Exclude BouncyCastle from OSGI Import-Package + * Fix makeldif templates: add objectClass to baseDN + * Bump org.openidentityplatform.commons 2.4.0 + + -- Open Identity Platform Community Tue, 15 Jul 2025 14:28:53 +0000 + +opendj (4.9.4) unstable; urgency=medium + + * Configure backend type for Docker + * Docs: update OpenDJ release version to 4.9.3 + * Add OpenDJ Docker tests to the build process + * Fix docker env variables + add VERSION autodetect + * Set isRunning later (EmbeddedServer check) + * Bump org.openidentityplatform.commons to 2.2.4 + * [#498] FIX warning output from export-ldif: "grep: warning: stray \ before + -" + * move Java args to java.properties, upgrade docker alpine + * [#497] Set the same indexes for a new backend as for the initial backend + * Add support Java SE 24 + * Bump test containers & cassandra driver + * [#496] FIX MySQL truncate PK default to 64 len + * [#496] FIX JDBC storage update concurrency + * FIX Replication IT tests unstable result + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Wed, 23 Apr 2025 14:31:19 +0000 + +opendj (4.9.3) unstable; urgency=medium + + * CVE-2025-27497 Fix Denial of Service (Dos) using alias loop () + * [#477] Change permission config.ldif.startok to owner () + * [#208] FIX The definition for the attribute type declared that it should + use the syntax which is not defined in the schema + * 
Documentation update + * Docs: Generate and publish javadoc + + -- Open Identity Platform Community Wed, 05 Mar 2025 10:11:22 +0000 + +opendj (4.9.2) unstable; urgency=medium + + * [#465] Fix custom library loading when put to the lib directory + * [#463] Disable warning message on downstream closed + * [#471] Fix table name truncate: make jdbc table 63 charter + * [#466] JDBC: added tests for Oracle, MySQL, MSSQL + * [#466] FIX compatibility jdbc backend: Postgres, Oracle, MySQL, MSSQL + * [#471] PluggableBackendImplTestCase: add duplicate mail test + * IT ReplicationDomainTest upper waitEndExport timeout + * Update year in generated documentation templates + * Update documentation issues and update links + + -- Open Identity Platform Community Tue, 04 Feb 2025 16:21:39 +0000 + +opendj (4.9.1) unstable; urgency=medium + + * [#460] Clear unused path info after backupConfig (memory pleasure) + * jdbc: make connection short-lived + * Replace import-ldif with ldapmodify in Postgres IT test + + -- Open Identity Platform Community Mon, 20 Jan 2025 08:49:34 +0000 + +opendj (4.9.0) unstable; urgency=medium + + * Store LDAPv3 database in SQL JDBC database + * CVE-2024-12798 CVE-2024-12801 logback-core Expression Language Injection, + Server-Side Request Forgery vulnerability + * FIX NoSuchMethodError: java.nio.MappedByteBuffer.duplicate + * FIX Unable to locate package winehq-stable + + -- Open Identity Platform Community Thu, 26 Dec 2024 08:36:50 +0000 + +opendj (4.8.2) unstable; urgency=medium + + * [#438] FIX import-ldif --offline "import has been aborted because the + entry does not have a parent entry" + * 00-core.ldif: X.501, cl. 
14.2.2: 2.5.15.16 subentryNameForm OC subentry + MUST cn + * FIX makeldif -c suffix=dc=example: Unable to parse a constant argument + expecting name=value + * Bump commons.version 2.2.3 + * Fix MAC OS build failure + * Actions: get ubuntu source from $(lsb_release -c -s) + * depoloy.yml: Fix documents deploy + + -- Open Identity Platform Community Tue, 12 Nov 2024 09:02:28 +0000 + +opendj (4.8.1) unstable; urgency=medium + + * [#393] FIX DIT SUP delimiter + * [#392] FIX RootDSE Entry allow user objectClass + * Addresses #397, #398, #399, #404 + * Docs in asciidoc & deploy antora docs after build + * [#402] Change default SSL HandshakeTimeout -1 -> 10s (see #146) + * [#401] Change "Object class violation (65)" -> "Naming violation (64)" + LDAP result code for DIT Structure Rule violation + * [#394] FIX dsconfig --help- + * [#400] Reduce character escaping in example, add note + * Added missing documentation attachments + * Generate man pages in the AsciiDoc format + * Reduce character escaping in example, add note + * minor docs glitches fix + * Add JDK 23 build support + * Bump org.openidentityplatform.commons 2.2.2 + * Docker: Use tail instead of sleep to allow the container to be stopped + with SIGTERM + * [#423] Eliminate asciidoctor warning messages when generating + documentation + * [#426] ADD maven.compiler.release=8 for cross compile compatibility + * Remove legacy files + * [#90, #432] FIX delete entries in overlapping backends + * [#425] Add option + -Dorg.openidentityplatform.opendj.ERR_ENTRY_SCHEMA_VIOLATES_PARENT_DSR for + force control "Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry". 
Default: warning level + * [#425] Workaround: Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry + * [#431] Update importldiff --offline and --clearBacked flags descriptions + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Thu, 17 Oct 2024 14:55:25 +0000 + +opendj (4.8.0) unstable; urgency=medium + + * Switch docker to last LTS JRE 21 + * Add JDK 22 support + * [#376] JMX fix docs with "Allow insecure authentication" + * [#376] FIX SNMP monitoring config + * [#383] FIX docs: import-ldif and export-ldif binaries should be shown + using the --offline option + * [#384] FIX Control Panel: empty help URL values + * FIX do not check DIT structure parent/child on same ObjectClass (thanks + for the research ) + * Bump org.openidentityplatform.commons 2.2.0 + + -- Open Identity Platform Community Mon, 09 Sep 2024 11:26:09 +0000 + +opendj (4.7.0) unstable; urgency=medium + + * [#204] ADD LDAP Relax Rules Control + * [#287] ADD alias dereferencing for search requests + * [#187] FIX RFC3671: collective attribute values should be merged. Virtuals + with other virtuals and real values. 
+ * [#84] FIX incorrect entry-Based ACIs is defined with only "deny" + permission without "allow" + * [#250] Add Overlapping Backend TestSuite + * [#294] Dont send client notification on IOException + * [#368] CASSANDRA ADD property -Dkeyspace=ldap_opendj + * Bump commons.version 2.1.6 + * Publish docs to + * Fix documentation version + + -- Open Identity Platform Community Thu, 08 Aug 2024 08:24:48 +0000 + +opendj (4.6.5) unstable; urgency=medium + + * compress webhelp, xhtml and html docs after build + * add missing docs + * Update README.md + * [#354] FIX "OpenDJ fails to upgrade from version 3->4: An error occurred + while attempting to perform index rebuild: Unable to decode the provided + object class set because it used an undefined token" + * [#167] FIX control-panel ResetUserPasswordTask unpredictable result (wait + async result) + * Add rest operations modifyPassword, resetPassword to docs from + * [#148,#261,#282] FIX control-panel schema errors in remote mode + + -- Open Identity Platform Community Tue, 16 Jul 2024 17:31:29 +0000 + +opendj (4.6.4) unstable; urgency=medium + + * Embedded OpenDJ module initial commit + * Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 in /opendj-embedded + * Bump ch.qos.logback:logback-classic from 1.2.9 to 1.2.13 in /opendj- + embedded + * update opendj-parent version + * Bump org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.5 in /opendj-core + * Bump org.bouncycastle:bctls-fips from 1.0.13 to 1.0.19 in /opendj-core + * Bump org.openidentityplatform.commons 2.1.4 + * move commons version to property & fix doc-maven-plugin version + * made their first contribution + + -- Open Identity Platform Community Wed, 26 Jun 2024 07:56:13 +0000 + +opendj (4.6.3) unstable; urgency=medium + + * ADD build test with memory pressure + * Update Docker jre 17->19 + * org.openidentityplatform.commons 2.1.3-SNAPSHOT + * FIX OpenIDM compatibility + * [#329] make posixGroup AUXILIARY by default + * [#331] Allow downgrade version without 
upgrade task + * Bump org.openidentityplatform.commons 2.1.3 + * Add Build test on MacOS M1 arm64 + * Restore macos-latest build strategy + + -- Open Identity Platform Community Tue, 07 May 2024 17:54:49 +0000 + +opendj (4.6.2) unstable; urgency=medium + + * FIX CLIENT_SIDE_NO_RESULTS_RETURNED in hasNext() + * update org.openidentityplatform.commons to 2.1.2-SNAPSHOT + * FIX performance java.util.TimeZone.getTimeZone(TimeZone.java:516) is + synchronized + * [#317] sendUnsolicitedNotification can fail on client disconnect with + OnErrorNotImplementedException + * org.openidentityplatform.commons 2.1.2 + + -- Open Identity Platform Community Wed, 17 Jan 2024 12:17:40 +0000 + +opendj (4.6.1) unstable; urgency=medium + + * Allow store LDAP catalog data in CASSANDRA noSQL cluster --backendType cas + (ldapv3 to cassandra) + * ADD IT test for wars + * Add TestContainers to test Apache Cassandra backend + * Bump org.openidentityplatform.commons 2.0.19-SNAPSHOT + * Update README.md: allow store LDAPv3 database in Cassandra/Scylla cluster + * Bump org.openidentityplatform.commons 2.1.1 + * Add JDK 21 support + * CASSANDRA storage: cursor performance + * FIX newHeapBufferPool calculation (import OOM error) + + -- Open Identity Platform Community Thu, 26 Oct 2023 09:46:54 +0000 + +opendj (4.5.9) unstable; urgency=medium + + * Generate SHA256WithRSA certificate as default + * convert JMX metrics to appropriate type #293 + * Fix attribute value. 
bean should return native object #293 + * Remove TLSv1 as default protocol FIX + * nexus-staging-maven-plugin 1.6.13 + disable auto release + * made their first contribution + + -- Open Identity Platform Community Fri, 22 Sep 2023 07:10:00 +0000 + +opendj (4.5.6) unstable; urgency=medium + + * FIX unused trailing bytes in ASN.1 SEQUENCE + + -- Open Identity Platform Community Wed, 30 Aug 2023 09:28:52 +0000 + +opendj (4.5.5) unstable; urgency=medium + + * FIX build with Installation failure for grub-efi-amd64-signed on ubuntu- + latest + * FIX add-source for generate-sources + * Restore IT test for server-legacy and fix many errors + * change posixGroup type to structural. and add cn + * FIX argument listBackups is incompatible with use of this tool to interact + * PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password storage not configured + by default + * FIX Setup Issue - Error Creating Base Entry + * Extend admin port connection limits + * Restore TLSv1.3 support + * Bump org.openidentityplatform.commons 2.0.18 + + -- Open Identity Platform Community Thu, 20 Jul 2023 09:50:13 +0000 + +opendj (4.5.4) unstable; urgency=medium + + * BUILD java: [ '8','11','17','19'] + fix install wine32:i386 without + conflicts + * FIX build allow fail for remove deb.sury.org + * Docker add jdk17 platforms: linux/amd64, linux/arm64/8, linux/arm/v7, + + -- Open Identity Platform Community Fri, 09 Dec 2022 10:41:35 +0000 + +opendj (4.5.3) unstable; urgency=medium + + * Create target directory before copying custom schema + * Copy ldif configs to the correct template directory + * UPDATE build process + * FIX DSML servlet can't find JAX-B runtime + + -- Open Identity Platform Community Wed, 30 Nov 2022 09:40:42 +0000 + +opendj (4.5.1) unstable; urgency=medium + + * update commons version to 2.0.16-SNAPSHOT + * 'find' command is missing in the 4.5.0 docker image #242 + * FIX wine32 install (from ppa:ondrej/php so that we will be able to install + wine32:i386 without conflicts) + * Don't 
clone buffer in ldap codec + * Add BCFKS FIPS key store type support + * fix FipsStaticUtils code formatting + * made their first contribution + + -- Open Identity Platform Community Tue, 02 Aug 2022 11:04:58 +0000 + +opendj (4.5.0) unstable; urgency=medium + + * Switch base docker image to Java 17 + + -- Open Identity Platform Community Wed, 01 Jun 2022 10:54:55 +0000 + +opendj (4.4.15) unstable; urgency=medium + + * Add alpine platforms linux/s390x, linux/386, linux/arm/v7, linux/arm/v6, + linux/ppc64le + * Implement PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password encoding + schemes + * Docker refactoring + * FIX tamil (ta.6) matching rule schema has typo in definition + * FIX Failed to delete entries under multiple backends + * Add support jdk '16','17','18' + * support AD attributes userAccountControl, msDS-UserAccountDisabled and + pwdLastSet + * Test + Run on jdk15+ + * FIX OpenDJ is not logging errors to logfile #128 + * FIX Windows install to path with spaces + * made their first contribution + + -- Open Identity Platform Community Wed, 01 Jun 2022 06:49:30 +0000 + +opendj (4.4.14) unstable; urgency=medium + + * add docker test + * Release multi-platform Docker images + * Support to load plain ldif files during container setup + * made their first contribution + + -- Open Identity Platform Community Mon, 02 May 2022 19:11:25 +0000 + +opendj (4.4.13) unstable; urgency=medium + + * FIX OpenDJ setup failure + * Add FIPS support + * GithubAction build + * Github action deploy + * actions: separate deploy + * Update opendj_service.exe + * Switch org.openidentityplatform.commons 2.0.13-SNAPSHOT + * Fix rebuild-index in FIPS mode + * ADD JSONEntryWriter JSONEntryReader + * FIX DN escape 'Equal sign': + * FIX JSONEntryWriter escape DN values + * move fips functions to separate class + * do not use fips when bc-fips classes not found + * Update pom.xml nexus-staging-maven-plugin 1.6.11 + * Refactor Dockerfile debian and alpine + * Migrate release from Travis to 
GitHub + * FIX Deployment of external dependency failed. Failed to deploy artifacts: + Could not transfer artifact openidentityplatform.org:wixtoolset:zip + * made their first contribution + * made their first contribution + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Fri, 22 Apr 2022 21:42:56 +0000 + +opendj (4.4.11) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.11 + + -- Open Identity Platform Community Mon, 21 Jun 2021 12:11:50 +0000 + +opendj (4.4.10) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.10 + + -- Open Identity Platform Community Mon, 08 Feb 2021 12:09:47 +0000 + +opendj (4.4.9) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.9 + + -- Open Identity Platform Community Wed, 30 Dec 2020 13:11:33 +0000 + +opendj (4.4.8) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.8 + + -- Open Identity Platform Community Tue, 10 Nov 2020 15:01:48 +0000 + +opendj (4.4.7) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.7 + + -- Open Identity Platform Community Wed, 09 Sep 2020 18:41:03 +0000 + +opendj (4.4.6) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.6 + + -- Open Identity Platform Community Thu, 11 Jun 2020 10:34:37 +0000 + +opendj (4.4.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.5 + + -- Open Identity Platform Community Tue, 10 Mar 2020 18:32:09 +0000 + +opendj (4.4.4) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.4 + + -- Open Identity Platform Community 
Fri, 21 Feb 2020 10:07:17 +0000 + +opendj (4.4.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.3 + + -- Open Identity Platform Community Mon, 29 Jul 2019 12:46:28 +0000 + +opendj (4.4.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.2 + + -- Open Identity Platform Community Mon, 29 Apr 2019 18:00:35 +0000 + +opendj (4.4.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.1 + + -- Open Identity Platform Community Sun, 10 Mar 2019 17:15:42 +0000 + +opendj (4.3.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.5 + + -- Open Identity Platform Community Mon, 04 Mar 2019 19:44:44 +0000 + +opendj (4.3.4) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.4 + + -- Open Identity Platform Community Sun, 17 Feb 2019 18:38:19 +0000 + +opendj (4.3.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.3 + + -- Open Identity Platform Community Fri, 08 Feb 2019 09:15:48 +0000 + +opendj (4.3.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.2 + + -- Open Identity Platform Community Tue, 29 Jan 2019 16:23:25 +0000 + +opendj (4.3.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.1 + + -- Open Identity Platform Community Mon, 10 Dec 2018 13:19:19 +0000 + +opendj (4.2.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.5 + + -- Open Identity Platform Community Fri, 26 Oct 2018 20:44:31 +0000 + +opendj (4.2.4) unstable; urgency=medium + + * See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.4 + + -- Open Identity Platform Community Thu, 18 Oct 2018 11:54:57 +0000 + +opendj (4.2.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.3 + + -- Open Identity Platform Community Wed, 17 Oct 2018 09:17:53 +0000 + +opendj (4.2.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.2 + + -- Open Identity Platform Community Mon, 08 Oct 2018 14:04:29 +0000 + +opendj (4.2.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.1 + + -- Open Identity Platform Community Fri, 05 Oct 2018 20:50:10 +0000 + +opendj (4.1.10) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.10 + + -- Open Identity Platform Community Wed, 30 May 2018 21:12:00 +0000 + +opendj (4.1.9) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.9 + + -- Open Identity Platform Community Fri, 25 May 2018 05:03:41 +0000 + +opendj (4.1.8) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.8 + + -- Open Identity Platform Community Sat, 12 May 2018 03:36:28 +0000 + +opendj (4.1.7) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.7 + + -- Open Identity Platform Community Tue, 01 May 2018 09:49:37 +0000 + +opendj (4.1.6) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.6 + + -- Open Identity Platform Community Tue, 10 Apr 2018 15:40:59 +0000 + +opendj (4.1.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.5 + + -- Open Identity Platform Community Tue, 06 Mar 2018 
18:34:23 +0000
+
+opendj (4.1.4) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.4
+
+ -- Open Identity Platform Community Sat, 03 Mar 2018 09:32:59 +0000
+
+opendj (4.1.3) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.3
+
+ -- Open Identity Platform Community Wed, 28 Feb 2018 11:55:36 +0000
+
+opendj (4.1.2) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.2
+
+ -- Open Identity Platform Community Wed, 28 Feb 2018 10:44:28 +0000
+
+opendj (4.1.1) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.1
+
+ -- Open Identity Platform Community Fri, 23 Feb 2018 11:58:58 +0000
+
+opendj (4.0.3) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.3
+
+ -- Open Identity Platform Community Tue, 20 Feb 2018 14:19:55 +0000
+
+opendj (4.0.2) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.2
+
+ -- Open Identity Platform Community Fri, 16 Feb 2018 16:56:23 +0000
+
+opendj (4.0.1) unstable; urgency=medium
+
+ * See release notes:
+ https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.1
+
+ -- Open Identity Platform Community Fri, 16 Feb 2018 16:10:46 +0000
diff --git a/opendj-packages/opendj-deb/resources/control/control b/opendj-packages/opendj-deb/resources/control/control
index 4e372a188c..06875b4429 100644
--- a/opendj-packages/opendj-deb/resources/control/control
+++ b/opendj-packages/opendj-deb/resources/control/control
@@ -1,9 +1,11 @@
 Package: [[deb.product.name.lowercase]]
-Version: [[parsedVersion.majorVersion]].[[parsedVersion.minorVersion]].[[parsedVersion.incrementalVersion]]
-Section: misc
+Version: [[parsedVersion.majorVersion]].[[parsedVersion.minorVersion]].[[parsedVersion.incrementalVersion]]-[[deb.release]]
+Section: net
 Priority: optional
 Architecture: all
-Depends: default-jre-headless | default-jre | java11-runtime | java17-runtime | java21-runtime
+Standards-Version: 4.7.3
+Depends: default-jre-headless | default-jre | java25-runtime | java21-runtime | java17-runtime | java11-runtime
+Pre-Depends: adduser
 Homepage: [[deb.doc.homepage.url]]
 Maintainer: [[deb.maintainer]]
 Description: [[deb.product.name]]
diff --git a/opendj-packages/opendj-deb/resources/control/postinst b/opendj-packages/opendj-deb/resources/control/postinst
index 5cfd125250..49ace6a6eb 100644
--- a/opendj-packages/opendj-deb/resources/control/postinst
+++ b/opendj-packages/opendj-deb/resources/control/postinst
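Review bot: `Pre-Depends: adduser` is stronger than this package needs: adduser/addgroup are only invoked from postinst, which runs after the package's dependencies are configured, so the Policy-conforming form is a plain dependency, e.g. `Depends: adduser, default-jre-headless | default-jre | java25-runtime | java21-runtime | java17-runtime | java11-runtime` with the `Pre-Depends` line dropped (Pre-Depends is reserved for tools a preinst needs, and Policy asks for it to be used sparingly). `Standards-Version` is a field of the source-package paragraph of debian/control and of the .dsc; in a binary package's DEBIAN/control dpkg has no use for it and lintian is likely to report it as an unknown field, so unless jdeb is known to consume it the line can go as well.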
@@ -13,59 +13,71 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2026 3A Systems, LLC
-# Post install script
-# Install is launched with an empty second arg.
-# If the package is already installed, the second arg. is not empty.
+# Post install script.
+# On a fresh install the second argument is empty; on upgrade it holds the
+# previously-installed version.
-# Registers the service
-update-rc.d opendj defaults
+set -e
-# Symlinks to process ID
-test -h "/var/run/opendj.pid" || ln -s ${deb.prefix}/logs/server.pid /var/run/opendj.pid
+# Create the dedicated system user/group that runs the service.
+if ! getent group opendj >/dev/null; then
+ addgroup --system opendj
+fi
+if ! getent passwd opendj >/dev/null; then
+ adduser --system --no-create-home --ingroup opendj \
+ --home ${deb.prefix} --shell /usr/sbin/nologin \
+ --gecos "OpenDJ Directory Server" opendj
+fi
-# In this case, we are in upgrade mode.
-if [ "$1" = "configure" ] && [ ! -z "$2" ] ; then
- # For being secure, we check the buildinfo file too.
- if [ -f ${deb.prefix}/config/buildinfo ] ; then
- echo *Starting upgrade...
- ${deb.prefix}/./upgrade -n --force --acceptLicense
- echo
+# Own the installation tree with the service account. On upgrade this also
+# migrates installations that were previously owned by root.
+chown -R opendj:opendj ${deb.prefix}
+
+# Register the service: prefer systemd, fall back to SysV init.
+if [ -d /run/systemd/system ] ; then
+ systemctl --system daemon-reload >/dev/null 2>&1 || true
+ deb-systemd-helper enable opendj.service >/dev/null 2>&1 || true
+else
+ update-rc.d opendj defaults >/dev/null 2>&1 || true
+fi
- if [ "$?" -eq 0 ] ; then
- # Restarts the service if needed.
- # If server is stopped by upgrade process, the server will restart after upgrade.
- # If server is stopped before the upgrade process (eg. upgrade the new package), the server will not restart.
- # Uses the flag for determining server status at this point.
+# Upgrade mode.
+if [ "$1" = "configure" ] && [ -n "$2" ] ; then
+ # For safety, check the buildinfo file too.
+ if [ -f ${deb.prefix}/config/buildinfo ] ; then
+ echo "*Starting upgrade..."
+ if runuser -u opendj -- ${deb.prefix}/upgrade -n --force --acceptLicense ; then
+ # Restart only if the server was running before the upgrade
+ # (preinst recorded this via the status flag).
 if [ -f ${deb.prefix}/logs/status ] ; then
- echo
 echo "*Restarting server..."
- ${deb.prefix}/./bin/start-ds
- if [ "$?" -eq 0 ] ; then
- rm -f ${deb.prefix}/logs/status
+ if [ -d /run/systemd/system ] ; then
+ deb-systemd-invoke start opendj.service || true
 else
- echo "start-ds failed with return code $?. Please read ${deb.prefix}/logs/status for more details."
+ runuser -u opendj -- ${deb.prefix}/bin/start-ds || true
 fi
+ rm -f ${deb.prefix}/logs/status
 fi
 else
- # Upgrade fails - Requires mandatory user interaction.
- # Nevertheless, exits successfully of the pkg process.
- echo "upgrade failed with return code $?. Please read the installation guide for more information on the upgrade process."
+ # Upgrade failed - may require manual user interaction. Do not fail
+ # the package transaction.
+ echo "upgrade failed. Please read the installation guide for more information on the upgrade process."
 exit 0
 fi
 else
 echo "Invalid installation, could not find the build info file."
- exit -1
+ exit 1
 fi
 fi
-
-# Add OpenDJ man pages to MANPATH
+# Add OpenDJ man pages to MANPATH.
 MAN_CONFIG_FILE=/etc/manpath.config
-MANPATH_DIRECTIVE=MANDATORY_MANPATH
-grep -q "$MANPATH_DIRECTIVE.*opendj" $MAN_CONFIG_FILE 2> /dev/null
-if [ $? -ne 0 ]; then
- echo "$MANPATH_DIRECTIVE ${deb.prefix}/share/man" >> $MAN_CONFIG_FILE
+if [ -f "$MAN_CONFIG_FILE" ] && ! grep -q "MANDATORY_MANPATH.*opendj" "$MAN_CONFIG_FILE" 2>/dev/null ; then
+ echo "MANDATORY_MANPATH ${deb.prefix}/share/man" >> "$MAN_CONFIG_FILE"
 fi
-# End post install script
+ echo
+exit 0
+# End post install script
diff --git a/opendj-packages/opendj-deb/resources/control/postrm b/opendj-packages/opendj-deb/resources/control/postrm
index 1d7c033b4f..c9c8630520 100644
--- a/opendj-packages/opendj-deb/resources/control/postrm
+++ b/opendj-packages/opendj-deb/resources/control/postrm
@@ -13,15 +13,27 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2026 3A Systems, LLC
 set -e
-# Post rm script
-# Files are removed automatically by pm.
-if [ "$1" = "remove" ] ; then
- # Deletes the service.
- update-rc.d -f opendj remove
- echo
- echo *OpenDJ successfully removed
+# Post rm script. Package files are removed automatically by the package manager.
+
+if [ "$1" = "remove" ] || [ "$1" = "purge" ] ; then
+ if [ -d /run/systemd/system ] ; then
+ systemctl --system daemon-reload >/dev/null 2>&1 || true
+ else
+ update-rc.d opendj remove >/dev/null 2>&1 || true
+ fi
+fi
+
+if [ "$1" = "purge" ] ; then
+ if command -v deb-systemd-helper >/dev/null 2>&1 ; then
+ deb-systemd-helper purge opendj.service >/dev/null 2>&1 || true
+ deb-systemd-helper unmask opendj.service >/dev/null 2>&1 || true
+ fi
+ echo "*OpenDJ successfully removed"
 fi
+ echo
+exit 0
 # End of the post rm script
diff --git a/opendj-packages/opendj-deb/resources/control/preinst b/opendj-packages/opendj-deb/resources/control/preinst
index 6956d8ff27..39df571bb6 100644
--- a/opendj-packages/opendj-deb/resources/control/preinst
+++ b/opendj-packages/opendj-deb/resources/control/preinst
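Review bot: `chown -R opendj:opendj ${deb.prefix}` (under "Own the installation tree") gives the service account ownership of the whole installation, including `bin/` and the libraries the server executes, so a compromised server process can rewrite its own program files and persist across restarts — which undercuts much of what the dedicated user is meant to buy. Prefer limiting the recursive chown to the state the server writes (`${deb.prefix}/logs`, `${deb.prefix}/config` and whatever database and lock directories the instance uses) and leaving program files root-owned and group-readable; since `upgrade` now runs as opendj in this hunk and may need write access beyond those paths, check what it touches before narrowing. Separately, the chown runs on every `configure`, so each reinstall or upgrade re-walks a possibly large database tree; moving it into the upgrade branch, or guarding it with a check such as `[ "$(stat -c %U ${deb.prefix})" = opendj ] ||`, keeps repeated configures cheap.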
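Review bot: In the `remove`/`purge` branch `update-rc.d opendj remove` runs only when `/run/systemd/system` is absent, so on a systemd host the `/etc/rc*.d/` links created by the previous package's unconditional `update-rc.d opendj defaults` are never cleaned up, even though dpkg has just deleted the init script they point to. `update-rc.d ... remove` is a no-op when no links exist, so run it in that branch regardless of the init system, as dh_installinit-generated postrm scripts do: `update-rc.d opendj remove >/dev/null 2>&1 || true` placed before the systemd check. Purge also leaves the `opendj` account and everything `setup` created under `${deb.prefix}` in place; if that is intended (it is common practice for service data), a comment such as `# Instance data under ${deb.prefix} and the opendj account are kept on purge.` would make the choice explicit.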
@@ -13,22 +13,23 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2026 3A Systems, LLC
 set -e
-# Pre installation script
+# Pre installation script.
 if [ "$1" = "upgrade" ] ; then
- # Only if the instance has been configured
- if [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs)" ] ; then
- # If the server is running before upgrade, creates a flag.
+ # Only act if the instance has been configured.
+ if [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs 2>/dev/null)" ] ; then
+ # If the server is running before the upgrade, record it so postinst can restart it.
 if [ -f ${deb.prefix}/logs/server.pid ] ; then
 touch ${deb.prefix}/logs/status
 fi
- echo *Stopping OpenDJ server...
- ${deb.prefix}/bin/./stop-ds
- else
- echo "Instance is not configured. Upgrade aborted."
- exit -1
+ echo "*Stopping OpenDJ server..."
+ if [ -d /run/systemd/system ] ; then
+ deb-systemd-invoke stop opendj.service || true
+ fi
+ [ -x ${deb.prefix}/bin/stop-ds ] && ${deb.prefix}/bin/stop-ds || true
 fi
 fi
 echo
diff --git a/opendj-packages/opendj-deb/resources/control/prerm b/opendj-packages/opendj-deb/resources/control/prerm
index 69e3eeed89..77b10b9765 100644
--- a/opendj-packages/opendj-deb/resources/control/prerm
+++ b/opendj-packages/opendj-deb/resources/control/prerm
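Review bot: The last added line, `[ -x ${deb.prefix}/bin/stop-ds ] && ${deb.prefix}/bin/stop-ds || true`, still runs stop-ds as root, although the commit message says stop-ds is run as `opendj` from the maintainer scripts; the stop-ds call in the prerm hunk has the same issue. Running a Java tool against the instance as root is unnecessary privilege and, if it writes under `${deb.prefix}/logs`, leaves root-owned files that only postinst's later `chown -R` repairs. When the account exists — it will not on the first upgrade from a root-owned install, since postinst creates it — invoke stop-ds through `runuser -u opendj --`, mirroring the run_as fallback the commit describes for the SysV script.
```shell
        echo "*Stopping OpenDJ server..."
        # … unchanged: systemd stop via deb-systemd-invoke …
        if [ -x ${deb.prefix}/bin/stop-ds ] ; then
            if getent passwd opendj >/dev/null ; then
                runuser -u opendj -- ${deb.prefix}/bin/stop-ds || true
            else
                ${deb.prefix}/bin/stop-ds || true
            fi
        fi
```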
@@ -13,14 +13,25 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2026 3A Systems, LLC
 set -e
-# Pre rm script
-# Unlink the symlink to the process ID if it exists.
-test -h "/var/run/opendj.pid" && unlink /var/run/opendj.pid
+# Pre rm script.
-# Stops the server if the instance has been configured
-if [ "$1" = "remove" ] && ( [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs)" ] ) ; then
- ${deb.prefix}/bin/./stop-ds
+# Stop the service before the package files are removed.
+if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then
+ if [ -d /run/systemd/system ] ; then
+ deb-systemd-invoke stop opendj.service || true
+ fi
+ if [ -x ${deb.prefix}/bin/stop-ds ] && [ -f ${deb.prefix}/config/buildinfo ] \
+ && [ "$(ls -A ${deb.prefix}/config/archived-configs 2>/dev/null)" ] ; then
+ ${deb.prefix}/bin/stop-ds || true
+ fi
 fi
-# End prem script
+
+# Clean up the legacy PID symlink created by the SysV init script.
+[ -h /run/opendj.pid ] && rm -f /run/opendj.pid || true
+[ -h /var/run/opendj.pid ] && rm -f /var/run/opendj.pid || true
+
+exit 0
+# End prerm script
diff --git a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml
index 12b4e6fec3..341a5fde35 100644
--- a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml
+++ b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml
@@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015 ForgeRock AS.
+ Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0
@@ -33,6 +34,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj
+ ${project.parent.parent.basedir}/resources/systemd/opendj.service ${product.name} ${product.name.lowercase} ${project.parent.basedir}/resources
diff --git a/opendj-packages/opendj-rpm/pom.xml b/opendj-packages/opendj-rpm/pom.xml
index 213e8b7f71..e89e0889d0 100644
--- a/opendj-packages/opendj-rpm/pom.xml
+++ b/opendj-packages/opendj-rpm/pom.xml
@@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015-2016 ForgeRock AS.
+ Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0
@@ -151,6 +152,12 @@ ${doc.homepage.url} noarch linux + + java-headless >= 1:11 + + + shadow-utils + ${rpm.description.header} OpenDJ is an LDAPv3 compliant directory service, developed for the Java
@@ -219,7 +226,7 @@ ${rpm.prefix}/snmp/mib - + /etc/init.d false
@@ -231,6 +238,18 @@ + + + /usr/lib/systemd/system + false + 644 + + + ${systemd.file.location} + + + + ${rpm.prefix}
diff --git a/opendj-packages/opendj-rpm/resources/changelog b/opendj-packages/opendj-rpm/resources/changelog
index 21db726dc5..302076bf57 100644
--- a/opendj-packages/opendj-rpm/resources/changelog
+++ b/opendj-packages/opendj-rpm/resources/changelog
@@ -11,31 +11,485 @@ # Header, with the fields enclosed by brackets [] replaced by your own identifying # information: "Portions Copyright [year] [name of copyright owner]". # -# Copyright 2013-2015 ForgeRock AS. +# Copyright 2013-2015 ForgeRock AS +# Portions Copyright 2026 3A Systems, LLC # ============================= # opendj rpm package changelog # ============================= %changelog -* Wed Dec 9 2015 ForgeRock -- init.d service script now generates and removes a lockfile. - -* Thu Mar 5 2015 ForgeRock -- Package is now build using maven. - -* Thu Aug 22 2013 ForgeRock -- Modified init.d script. - -* Tue Aug 6 2013 ForgeRock -- Added init.d service script. - -* Wed Jul 31 2013 ForgeRock -- Fixed the doc's section. -- Target no longer fails when build path contains spaces. - -* Thu Jul 18 2013 ForgeRock -- Fixed the sections' order and added a new "clean" section. -- Added '%doc' section. -- Added '%changelog' at the end of the file. -- Added license to header's files. +* Thu Jun 11 2026 Open Identity Platform Community - 5.1.1 +- CVE-2026-46495 OpenDJ Unauthenticated RCE via Java Deserialization in JMX + RMI +- CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication + allows CPU exhaustion DoS +- [#648] slow DN.valueOf / AVA normalization for nested DN-syntax values +- chore: bump Bouncy Castle FIPS deps to latest 2.1.x patch releases +- Fix grizzly log level is always FINE +- Fix shell script issues in opendj-docker/run.sh +- Fix Windows CI: use ilammy/msvc-dev-cmd to set up MSVC env +- Add native access JVM flag for Bouncy Castle FIPS on newer Java releases +- Docker base DN entry creation opt-in and improves bootstrap LDIF loading + resilience +- Fix BasicRequestsTest.testReadSelectPartial for nesting-preserving field + projection +- Update org.openidentityplatform.commons to 3.1.1 +- Fix JMX RMI connector startup failure introduced by CVE-2026-46495 hardening +* Wed Apr 15 2026 Open Identity Platform Community - 5.1.0 +- [#72] Fix 
infinite loop in doStopApplication() on Windows service stop +- [#259] fix: retry loop for Windows Service start race condition (issue #259) +- [#566] Fix AttributeValuePasswordValidator: inverted substring logic and + missing reversed-password substring check +- [#579] Fix ReferentialIntegrityPlugin silently bypassing check-references on + modify operations +- [#601] Fix server crash when File-Based Debug Logger is enabled +- Update build.yml add JDK 26 support +- Docs: set neutral version for the docs +- ci: add Windows service start/stop test to CI workflow +- CI: Build and upload Windows native executables (winlauncher, + opendj_service, launcher_administrator) +- fix: use 127.0.0.1 instead of localIP in LockdownModeTaskTestCase +- Filter branches to build workflow triggers (on push) +- Fix intermittent testMultiRS failure by doubling waitForStableGenerationId + timeout +- Fix race condition in ChangelogBackendTestCase flaky test +- Fix flaky testMultiRS: replace fixed sleep with deterministic domain-ready + wait +- increase replication connection timeout to fix Socket Timeout error on Mac + in integration test +- chore: bump GitHub Actions to latest major versions +- Fix snapshot version format +- Fix intermittent GenerationIdTest.testMultiRS race condition on RS-to-RS + topology +- [OpenIdentityPlatform/OpenAM#980] OpenDJ slim maven artifact +- Upgrade local Docker registry from registry:2 to registry:3 in CI +- status CLI: allow --hostname, --port, and --trustAll arguments +- Fix status CLI to accept --hostname, --port, and --trustAll arguments, and + add them to all status command invocations in build.yml +- Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add CDDL + headers +- Update commons.version to 3.1.0 +* Mon Mar 23 2026 Open Identity Platform Community - 5.0.4 +- CVE-2025-24970 SslHandler doesn't correctly validate packets which can lead + to native crash when using native SSLEngine +- CVE‐2025‐12194 While the situation with the 
JVM garbage collector overrun + for Java 17 and Java 21 greatly improved with the changes in 2.1.1, we’ve + still had some reports that can only be related to the use of the disposal + daemon +- [#590] Fallback to $HOME/tmp dir as a temp if instance root is mounted as + noexec +- Bump logback to 1.5.32 +- Migrate to caffeine 3 +- Update commons.version from 3.0.2 to 3.0.4 +- Docs: fix short version in the upgrade guide +* Wed Feb 4 2026 Open Identity Platform Community - 5.0.3 +- CVE-2026-1225 Logback allows an attacker to instantiate classes already + present on the class path +- Fix three and more nodes replication process stuck error +- Update org.openidentityplatform.commons to 3.0.2 +- Docs: update supported Java version +* Tue Nov 25 2025 Open Identity Platform Community - 5.0.2 +- [#575] FIX unable to install: UnsatisfiedLinkError: /tmp/bc-fips +- [#577] Windows upgrading with Upgrade.bat: an error with "" unexpected +- [#573] Added the SAMPLE_DATA Docker environment variable to generate sample + data during setup. 
+* Sat Nov 8 2025 Open Identity Platform Community - 5.0.1 +- Update target JDK to 11 and move to JakartaEE 9 +- Add support LTS JDK 25 +- Update base docker image Java version to 25 LTS +- CVE-2025-12194 Bouncy Castle Vulnerable to Uncontrolled Resource Consumption +- CVE-2025-59250 JDBC Driver for SQL Server has improper input validation + issue +- CVE-2025-11226 logback-core is vulnerable to Arbitrary Code Execution + through file processing +- Switch from sun.security.x509 to Bouncy Castle API +- Update OpenDMK external library to fix SNMP monitoring +- Build & deploy: add branch sustaining/4.10.x +- Make GrizzlyLDAPListener close in a synchronous fasion to prevent test race + conditions +- [#141] Test large replication pending changes +- FIX bindFreePort Bind Unable to bind to a free port +- Fix unavailable monitoring attributes over JMX +- Bump org.openidentityplatform.commons to 3.0.1 +- Improve ReplicationDomainTest stability +* Thu Sep 4 2025 Open Identity Platform Community - 4.10.2 +- CVE-2025-9092 CVE-2025-9340 CVE-2025-9341 Uncontrolled Resource Consumption + vulnerability +- [#545] Add GroupManager writeLock performance +- [#540] Fix OnDiskMergeImporter::PhaseOneWriteableTransaction: update over + put (referral attr) +- [#544] Add requires-admin-action component-restart for max-request-size +- Update Java minimum version number in the setup UI +- Update README.md: add backers and sponsors +- ISSUE_TEMPLATE: add "Vote to raise the priority" +- Bump commons.version 2.4.1 +* Tue Aug 5 2025 Open Identity Platform Community - 4.10.1 +- [#529] FIX jdbc connection deadlock +- [#530] Fixed error when creating a backend for BASE_DN with OU in Docker +- Docker: Fix issues with quoting params +* Tue Jul 15 2025 Open Identity Platform Community - 4.10.0 +- [#462] RFC5805 Lightweight Directory Access Protocol (LDAP) Transactions +- CVE-2025-49146 pgjdbc Client Allows Fallback to Insecure Authentication + Despite channelBinding=require Configuration +- Bump 
io.reactivex.rxjava to 3.x +- Bump various dependencies +- Bump commons to 2.2.5 +- Take Glassfish Grizzly version from commons +- Bump bc.fips to 2.1.x +- Bump commons.version 2.3.0 +- Deploy: migrating from Legacy OSSRH to Central Portal +- Fix OSGI bundle excluded package error for rxjava3 +- Exclude BouncyCastle from OSGI Import-Package +- Fix makeldif templates: add objectClass to baseDN +- Bump org.openidentityplatform.commons 2.4.0 +* Wed Apr 23 2025 Open Identity Platform Community - 4.9.4 +- Configure backend type for Docker +- Docs: update OpenDJ release version to 4.9.3 +- Add OpenDJ Docker tests to the build process +- Fix docker env variables + add VERSION autodetect +- Set isRunning later (EmbeddedServer check) +- Bump org.openidentityplatform.commons to 2.2.4 +- [#498] FIX warning output from export-ldif: "grep: warning: stray \ before + -" +- move Java args to java.properties, upgrade docker alpine +- [#497] Set the same indexes for a new backend as for the initial backend +- Add support Java SE 24 +- Bump test containers & cassandra driver +- [#496] FIX MySQL truncate PK default to 64 len +- [#496] FIX JDBC storage update concurrency +- FIX Replication IT tests unstable result +- made their first contribution +- made their first contribution +* Wed Mar 5 2025 Open Identity Platform Community - 4.9.3 +- CVE-2025-27497 Fix Denial of Service (Dos) using alias loop () +- [#477] Change permission config.ldif.startok to owner () +- [#208] FIX The definition for the attribute type declared that it should use + the syntax which is not defined in the schema +- Documentation update +- Docs: Generate and publish javadoc +* Tue Feb 4 2025 Open Identity Platform Community - 4.9.2 +- [#465] Fix custom library loading when put to the lib directory +- [#463] Disable warning message on downstream closed +- [#471] Fix table name truncate: make jdbc table 63 charter +- [#466] JDBC: added tests for Oracle, MySQL, MSSQL +- [#466] FIX compatibility jdbc backend: 
Postgres, Oracle, MySQL, MSSQL +- [#471] PluggableBackendImplTestCase: add duplicate mail test +- IT ReplicationDomainTest upper waitEndExport timeout +- Update year in generated documentation templates +- Update documentation issues and update links +* Mon Jan 20 2025 Open Identity Platform Community - 4.9.1 +- [#460] Clear unused path info after backupConfig (memory pleasure) +- jdbc: make connection short-lived +- Replace import-ldif with ldapmodify in Postgres IT test +* Thu Dec 26 2024 Open Identity Platform Community - 4.9.0 +- Store LDAPv3 database in SQL JDBC database +- CVE-2024-12798 CVE-2024-12801 logback-core Expression Language Injection, + Server-Side Request Forgery vulnerability +- FIX NoSuchMethodError: java.nio.MappedByteBuffer.duplicate +- FIX Unable to locate package winehq-stable +* Tue Nov 12 2024 Open Identity Platform Community - 4.8.2 +- [#438] FIX import-ldif --offline "import has been aborted because the entry + does not have a parent entry" +- 00-core.ldif: X.501, cl. 
14.2.2: 2.5.15.16 subentryNameForm OC subentry MUST + cn +- FIX makeldif -c suffix=dc=example: Unable to parse a constant argument + expecting name=value +- Bump commons.version 2.2.3 +- Fix MAC OS build failure +- Actions: get ubuntu source from $(lsb_release -c -s) +- depoloy.yml: Fix documents deploy +* Thu Oct 17 2024 Open Identity Platform Community - 4.8.1 +- [#393] FIX DIT SUP delimiter +- [#392] FIX RootDSE Entry allow user objectClass +- Addresses #397, #398, #399, #404 +- Docs in asciidoc & deploy antora docs after build +- [#402] Change default SSL HandshakeTimeout -1 -> 10s (see #146) +- [#401] Change "Object class violation (65)" -> "Naming violation (64)" LDAP + result code for DIT Structure Rule violation +- [#394] FIX dsconfig --help- +- [#400] Reduce character escaping in example, add note +- Added missing documentation attachments +- Generate man pages in the AsciiDoc format +- Reduce character escaping in example, add note +- minor docs glitches fix +- Add JDK 23 build support +- Bump org.openidentityplatform.commons 2.2.2 +- Docker: Use tail instead of sleep to allow the container to be stopped with + SIGTERM +- [#423] Eliminate asciidoctor warning messages when generating documentation +- [#426] ADD maven.compiler.release=8 for cross compile compatibility +- Remove legacy files +- [#90, #432] FIX delete entries in overlapping backends +- [#425] Add option + -Dorg.openidentityplatform.opendj.ERR_ENTRY_SCHEMA_VIOLATES_PARENT_DSR for + force control "Entry is invalid according to the server schema because there + is no DIT structure rule that applies to that entry, but there is a DIT + structure rule for the parent entry". 
Default: warning level +- [#425] Workaround: Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry +- [#431] Update importldiff --offline and --clearBacked flags descriptions +- made their first contribution +- made their first contribution +* Mon Sep 9 2024 Open Identity Platform Community - 4.8.0 +- Switch docker to last LTS JRE 21 +- Add JDK 22 support +- [#376] JMX fix docs with "Allow insecure authentication" +- [#376] FIX SNMP monitoring config +- [#383] FIX docs: import-ldif and export-ldif binaries should be shown using + the --offline option +- [#384] FIX Control Panel: empty help URL values +- FIX do not check DIT structure parent/child on same ObjectClass (thanks for + the research ) +- Bump org.openidentityplatform.commons 2.2.0 +* Thu Aug 8 2024 Open Identity Platform Community - 4.7.0 +- [#204] ADD LDAP Relax Rules Control +- [#287] ADD alias dereferencing for search requests +- [#187] FIX RFC3671: collective attribute values should be merged. Virtuals + with other virtuals and real values. 
+- [#84] FIX incorrect entry-Based ACIs is defined with only "deny" permission + without "allow" +- [#250] Add Overlapping Backend TestSuite +- [#294] Dont send client notification on IOException +- [#368] CASSANDRA ADD property -Dkeyspace=ldap_opendj +- Bump commons.version 2.1.6 +- Publish docs to +- Fix documentation version +* Tue Jul 16 2024 Open Identity Platform Community - 4.6.5 +- compress webhelp, xhtml and html docs after build +- add missing docs +- Update README.md +- [#354] FIX "OpenDJ fails to upgrade from version 3->4: An error occurred + while attempting to perform index rebuild: Unable to decode the provided + object class set because it used an undefined token" +- [#167] FIX control-panel ResetUserPasswordTask unpredictable result (wait + async result) +- Add rest operations modifyPassword, resetPassword to docs from +- [#148,#261,#282] FIX control-panel schema errors in remote mode +* Wed Jun 26 2024 Open Identity Platform Community - 4.6.4 +- Embedded OpenDJ module initial commit +- Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 in /opendj-embedded +- Bump ch.qos.logback:logback-classic from 1.2.9 to 1.2.13 in /opendj-embedded +- update opendj-parent version +- Bump org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.5 in /opendj-core +- Bump org.bouncycastle:bctls-fips from 1.0.13 to 1.0.19 in /opendj-core +- Bump org.openidentityplatform.commons 2.1.4 +- move commons version to property & fix doc-maven-plugin version +- made their first contribution +* Tue May 7 2024 Open Identity Platform Community - 4.6.3 +- ADD build test with memory pressure +- Update Docker jre 17->19 +- org.openidentityplatform.commons 2.1.3-SNAPSHOT +- FIX OpenIDM compatibility +- [#329] make posixGroup AUXILIARY by default +- [#331] Allow downgrade version without upgrade task +- Bump org.openidentityplatform.commons 2.1.3 +- Add Build test on MacOS M1 arm64 +- Restore macos-latest build strategy +* Wed Jan 17 2024 Open Identity Platform Community - 4.6.2 +- FIX 
CLIENT_SIDE_NO_RESULTS_RETURNED in hasNext() +- update org.openidentityplatform.commons to 2.1.2-SNAPSHOT +- FIX performance java.util.TimeZone.getTimeZone(TimeZone.java:516) is + synchronized +- [#317] sendUnsolicitedNotification can fail on client disconnect with + OnErrorNotImplementedException +- org.openidentityplatform.commons 2.1.2 +* Thu Oct 26 2023 Open Identity Platform Community - 4.6.1 +- Allow store LDAP catalog data in CASSANDRA noSQL cluster --backendType cas + (ldapv3 to cassandra) +- ADD IT test for wars +- Add TestContainers to test Apache Cassandra backend +- Bump org.openidentityplatform.commons 2.0.19-SNAPSHOT +- Update README.md: allow store LDAPv3 database in Cassandra/Scylla cluster +- Bump org.openidentityplatform.commons 2.1.1 +- Add JDK 21 support +- CASSANDRA storage: cursor performance +- FIX newHeapBufferPool calculation (import OOM error) +* Fri Sep 22 2023 Open Identity Platform Community - 4.5.9 +- Generate SHA256WithRSA certificate as default +- convert JMX metrics to appropriate type #293 +- Fix attribute value. bean should return native object #293 +- Remove TLSv1 as default protocol FIX +- nexus-staging-maven-plugin 1.6.13 + disable auto release +- made their first contribution +* Wed Aug 30 2023 Open Identity Platform Community - 4.5.6 +- FIX unused trailing bytes in ASN.1 SEQUENCE +* Thu Jul 20 2023 Open Identity Platform Community - 4.5.5 +- FIX build with Installation failure for grub-efi-amd64-signed on ubuntu- + latest +- FIX add-source for generate-sources +- Restore IT test for server-legacy and fix many errors +- change posixGroup type to structural. 
and add cn +- FIX argument listBackups is incompatible with use of this tool to interact +- PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password storage not configured by + default +- FIX Setup Issue - Error Creating Base Entry +- Extend admin port connection limits +- Restore TLSv1.3 support +- Bump org.openidentityplatform.commons 2.0.18 +* Fri Dec 9 2022 Open Identity Platform Community - 4.5.4 +- BUILD java: [ '8','11','17','19'] + fix install wine32:i386 without + conflicts +- FIX build allow fail for remove deb.sury.org +- Docker add jdk17 platforms: linux/amd64, linux/arm64/8, linux/arm/v7, +* Wed Nov 30 2022 Open Identity Platform Community - 4.5.3 +- Create target directory before copying custom schema +- Copy ldif configs to the correct template directory +- UPDATE build process +- FIX DSML servlet can't find JAX-B runtime +* Tue Aug 2 2022 Open Identity Platform Community - 4.5.1 +- update commons version to 2.0.16-SNAPSHOT +- 'find' command is missing in the 4.5.0 docker image #242 +- FIX wine32 install (from ppa:ondrej/php so that we will be able to install + wine32:i386 without conflicts) +- Don't clone buffer in ldap codec +- Add BCFKS FIPS key store type support +- fix FipsStaticUtils code formatting +- made their first contribution +* Wed Jun 1 2022 Open Identity Platform Community - 4.5.0 +- Switch base docker image to Java 17 +* Wed Jun 1 2022 Open Identity Platform Community - 4.4.15 +- Add alpine platforms linux/s390x, linux/386, linux/arm/v7, linux/arm/v6, + linux/ppc64le +- Implement PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password encoding schemes +- Docker refactoring +- FIX tamil (ta.6) matching rule schema has typo in definition +- FIX Failed to delete entries under multiple backends +- Add support jdk '16','17','18' +- support AD attributes userAccountControl, msDS-UserAccountDisabled and + pwdLastSet +- Test + Run on jdk15+ +- FIX OpenDJ is not logging errors to logfile #128 +- FIX Windows install to path with spaces +- made their first 
contribution +* Mon May 2 2022 Open Identity Platform Community - 4.4.14 +- add docker test +- Release multi-platform Docker images +- Support to load plain ldif files during container setup +- made their first contribution +* Fri Apr 22 2022 Open Identity Platform Community - 4.4.13 +- FIX OpenDJ setup failure +- Add FIPS support +- GithubAction build +- Github action deploy +- actions: separate deploy +- Update opendj_service.exe +- Switch org.openidentityplatform.commons 2.0.13-SNAPSHOT +- Fix rebuild-index in FIPS mode +- ADD JSONEntryWriter JSONEntryReader +- FIX DN escape 'Equal sign': +- FIX JSONEntryWriter escape DN values +- move fips functions to separate class +- do not use fips when bc-fips classes not found +- Update pom.xml nexus-staging-maven-plugin 1.6.11 +- Refactor Dockerfile debian and alpine +- Migrate release from Travis to GitHub +- FIX Deployment of external dependency failed. Failed to deploy artifacts: + Could not transfer artifact openidentityplatform.org:wixtoolset:zip +- made their first contribution +- made their first contribution +- made their first contribution +- made their first contribution +* Mon Jun 21 2021 Open Identity Platform Community - 4.4.11 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.11 +* Mon Feb 8 2021 Open Identity Platform Community - 4.4.10 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.10 +* Wed Dec 30 2020 Open Identity Platform Community - 4.4.9 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.9 +* Tue Nov 10 2020 Open Identity Platform Community - 4.4.8 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.8 +* Wed Sep 9 2020 Open Identity Platform Community - 4.4.7 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.7 +* Thu Jun 11 2020 Open Identity Platform Community - 4.4.6 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.6 +* Tue Mar 10 2020 Open Identity Platform Community - 4.4.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.5 +* Fri Feb 21 2020 Open Identity Platform Community - 4.4.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.4 +* Mon Jul 29 2019 Open Identity Platform Community - 4.4.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.3 +* Mon Apr 29 2019 Open Identity Platform Community - 4.4.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.2 +* Sun Mar 10 2019 Open Identity Platform Community - 4.4.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.1 +* Mon Mar 4 2019 Open Identity Platform Community - 4.3.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.5 +* Sun Feb 17 2019 Open Identity Platform Community - 4.3.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.4 +* Fri Feb 8 2019 Open Identity Platform Community - 4.3.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.3 +* Tue Jan 29 2019 Open Identity Platform Community - 4.3.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.2 +* Mon Dec 10 2018 Open Identity Platform Community - 4.3.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.1 +* Fri Oct 26 2018 Open Identity Platform Community - 4.2.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.5 +* Thu Oct 18 2018 Open Identity Platform Community - 4.2.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.4 +* Wed Oct 17 2018 Open Identity Platform Community - 4.2.3 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.3 +* Mon Oct 8 2018 Open Identity Platform Community - 4.2.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.2 +* Fri Oct 5 2018 Open Identity Platform Community - 4.2.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.1 +* Wed May 30 2018 Open Identity Platform Community - 4.1.10 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.10 +* Fri May 25 2018 Open Identity Platform Community - 4.1.9 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.9 +* Sat May 12 2018 Open Identity Platform Community - 4.1.8 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.8 +* Tue May 1 2018 Open Identity Platform Community - 4.1.7 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.7 +* Tue Apr 10 2018 Open Identity Platform Community - 4.1.6 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.6 +* Tue Mar 6 2018 Open Identity Platform Community - 4.1.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.5 +* Sat Mar 3 2018 Open Identity Platform Community - 4.1.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.4 +* Wed Feb 28 2018 Open Identity Platform Community - 4.1.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.3 +* Wed Feb 28 2018 Open Identity Platform Community - 4.1.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.2 +* Fri Feb 23 2018 Open Identity Platform Community - 4.1.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.1 +* Tue Feb 20 2018 Open Identity Platform Community - 4.0.3 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.3 +* Fri Feb 16 2018 Open Identity Platform Community - 4.0.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.2 +* Fri Feb 16 2018 Open Identity Platform Community - 4.0.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.1 diff --git a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh index 5b62246047..d2ed6ea03b 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh 
@@ -13,50 +13,58 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # =============================== # RPM Post Install Script (%post) # =============================== -# The arguments to a %post are 1 and 2 for a new installation -# and upgrade, respectively. (%pre and %post aren't executed during -# an uninstallation.) +# $1 is 1 for an initial installation and 2 for an upgrade. -# Registers the service -/sbin/chkconfig --add opendj +# Ensure the service account exists and owns the install tree (also migrates +# installations that were previously owned by root on upgrade). +getent group opendj >/dev/null || groupadd -r opendj +getent passwd opendj >/dev/null || \ + useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj +chown -R opendj:opendj "%{_prefix}" || true -# Symlinks to process ID -test -h "/var/run/opendj.pid" || ln -s /opt/opendj/logs/server.pid /var/run/opendj.pid +# Register the service: prefer systemd, fall back to chkconfig/SysV. +if [ -d /run/systemd/system ] ; then + systemctl daemon-reload >/dev/null 2>&1 || true + systemctl enable opendj.service >/dev/null 2>&1 || true +else + /sbin/chkconfig --add opendj || true +fi -if [ "$1" == "1" ] ; then - echo "Post Install - initial install" -else if [ "$1" == "2" ] ; then +if [ "$1" = "2" ] ; then echo "Post Install - upgrade install" - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then - "%{_prefix}"/./upgrade -n --force --acceptLicense - # If upgrade is ok, checks the server status flag for restart - if [ "$?" == "0" ] && [ -f "%{_prefix}"/logs/status ] ; then - echo "" - echo "Restarting server..." - "%{_prefix}"/./bin/start-ds - echo "" - rm -f "%{_prefix}"/logs/status - fi - - # Upgrade fails, needs user interaction (eg. manual mode) - if [ "$?" 
== "2" ] ; then - exit "0" + # Only if the instance has been configured. + if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then + if runuser -u opendj -- "%{_prefix}"/upgrade -n --force --acceptLicense ; then + # If upgrade is ok, check the server status flag for restart. + if [ -f "%{_prefix}"/logs/status ] ; then + echo "Restarting server..." + if [ -d /run/systemd/system ] ; then + systemctl start opendj.service || true + else + runuser -u opendj -- "%{_prefix}"/bin/start-ds || true + fi + rm -f "%{_prefix}"/logs/status + fi + else + # Upgrade failed; may need manual interaction. Do not fail the transaction. + echo "Upgrade failed; manual interaction may be required." + exit 0 fi else - echo "Instance is not configured. Upgrade aborted." - exit -1 - fi + echo "Instance is not configured." fi +else + echo "Post Install - initial install" fi +# Add OpenDJ man pages to MANPATH. MAN_CONFIG_FILE=NOT_SET -# Add OpenDJ man pages to MANPATH if [ -e /etc/man.config ] ; then MAN_CONFIG_FILE=/etc/man.config MANPATH_DIRECTIVE=MANPATH @@ -65,9 +73,8 @@ elif [ -e /etc/man_db.conf ] ; then MANPATH_DIRECTIVE=MANDATORY_MANPATH fi -if [ $MAN_CONFIG_FILE != "NOT_SET" ] ; then - grep -q "$MANPATH_DIRECTIVE.*opendj" $MAN_CONFIG_FILE 2> /dev/null - if [ $? -ne 0 ]; then - echo "$MANPATH_DIRECTIVE %{_prefix}/share/man" >> $MAN_CONFIG_FILE +if [ "$MAN_CONFIG_FILE" != "NOT_SET" ] ; then + if ! grep -q "$MANPATH_DIRECTIVE.*opendj" "$MAN_CONFIG_FILE" 2>/dev/null ; then + echo "$MANPATH_DIRECTIVE %{_prefix}/share/man" >> "$MAN_CONFIG_FILE" fi fi diff --git a/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh b/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh index c690a73d70..b57609b230 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh 
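Review bot: `chown -R opendj:opendj "%{_prefix}" || true` at the top of %post hands the entire install tree — `bin/` scripts and the server jars included — to the unprivileged service account, so a compromised server can rewrite its own code, and because %pre/%preun in this same series still execute `"%{_prefix}"/bin/stop-ds` as root that becomes a root escalation at the next upgrade or removal. Keep the code root-owned and chown only what the server writes to, e.g. `for d in config db logs locks changelogDb bak import-tmp; do [ -d "%{_prefix}/$d" ] && chown -R opendj:opendj "%{_prefix}/$d"; done` (confirm the list against the instance layout, which is not visible here), and replace `|| true` with a message so a half-migrated tree is not silently accepted. The upgrade branch already goes through `runuser -u opendj --`, so an ownership split does not change that path.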
@@ -13,18 +13,21 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2026 3A Systems, LLC
 # ===================================
 # RPM Post Uninstall Script (%postun)
 # ===================================
-# If the first argument to %preun and %postun is 0, the action is uninstallation.
-# If the first argument to %preun and %postun is 1, the action is an upgrade.
+# $1 is 0 for an uninstallation and 1 for an upgrade.
-if [ "$1" == "0" ] ; then
+if [ -d /run/systemd/system ] ; then
+ systemctl daemon-reload >/dev/null 2>&1 || true
+fi
+
+if [ "$1" = "0" ] ; then
 echo "Post Uninstall - uninstall"
 echo "OpenDJ successfully removed."
-else if [ "$1" == "1" ] ; then
+elif [ "$1" = "1" ] ; then
 echo "Post Uninstall - upgrade uninstall"
- fi
 fi
diff --git a/opendj-packages/opendj-rpm/resources/specs/preinstall.sh b/opendj-packages/opendj-rpm/resources/specs/preinstall.sh
index 14632dbed6..c741241cfb 100644
--- a/opendj-packages/opendj-rpm/resources/specs/preinstall.sh
+++ b/opendj-packages/opendj-rpm/resources/specs/preinstall.sh
@@ -13,25 +13,29 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # ============================= # RPM Pre Install Script (%pre) # ============================= -# If the first argument to %pre is 1, the RPM operation is an initial installation. -# If the argument to %pre is 2, the operation is an upgrade from an existing version to a new one. +# $1 is 1 for an initial installation and 2 for an upgrade. -if [ "$1" == "1" ]; then - echo "Pre Install - initial install" -else if [ "$1" == "2" ] ; then - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then +# Create the dedicated system user/group that runs the service. +getent group opendj >/dev/null || groupadd -r opendj +getent passwd opendj >/dev/null || \ + useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj + +if [ "$1" = "2" ] ; then + # Upgrade: stop a running, configured instance and record state for restart. + if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then echo "Pre Install - upgrade install" - # If the server is running before upgrade, creates a file flag if [ -f "%{_prefix}"/logs/server.pid ] ; then touch "%{_prefix}"/logs/status fi - "%{_prefix}"/bin/./stop-ds + if [ -d /run/systemd/system ] ; then + systemctl stop opendj.service >/dev/null 2>&1 || true fi + [ -x "%{_prefix}"/bin/stop-ds ] && "%{_prefix}"/bin/stop-ds || true fi fi diff --git a/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh b/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh index 613a5e7297..73f81b52b8 100644 --- a/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh 
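Review bot: `[ -x "%{_prefix}"/bin/stop-ds ] && "%{_prefix}"/bin/stop-ds || true` runs a script out of the install tree as root, while %post of this series makes that tree owned by the `opendj` account (`chown -R opendj:opendj "%{_prefix}"`) and runs `upgrade` through `runuser -u opendj --`. Root executing an opendj-writable script is a privilege-escalation path for anyone who has compromised the running server, and anything stop-ds writes under `logs/` comes out root-owned. The account is guaranteed to exist at this point (created a few lines above), so use `[ -x "%{_prefix}"/bin/stop-ds ] && runuser -u opendj -- "%{_prefix}"/bin/stop-ds || true`, matching what `User=opendj` gives the systemd branch.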
@@ -13,28 +13,29 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # ================================= # RPM Pre Uninstall Script (%preun) # ================================= -# If the first argument to %preun and %postun is 0, the action is uninstallation. -# If the first argument to %preun and %postun is 1, the action is an upgrade. +# $1 is 0 for an uninstallation and 1 for an upgrade. -if [ "$1" == "0" ] ; then +if [ "$1" = "0" ] ; then echo "Pre Uninstall - uninstall" - # Unlink the symlink to the process ID. - test -h "/var/run/opendj.pid" && unlink /var/run/opendj.pid - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then - "%{_prefix}"/bin/./stop-ds + # Stop and unregister the service. + if [ -d /run/systemd/system ] ; then + systemctl stop opendj.service >/dev/null 2>&1 || true + systemctl disable opendj.service >/dev/null 2>&1 || true fi - - if [ -e /etc/init.d/opendj ] ; then - # Deletes the service. - /sbin/chkconfig --del opendj + if [ -x "%{_prefix}"/bin/stop-ds ] && [ -e "%{_prefix}"/config/buildinfo ] \ + && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then + "%{_prefix}"/bin/stop-ds || true fi -else if [ "$1" == "1" ] ; then - echo "Pre Uninstall - upgrade uninstall" + if [ -e /etc/init.d/opendj ] ; then + /sbin/chkconfig --del opendj || true fi + # Clean up the legacy PID symlink created by the SysV init script. + [ -h /run/opendj.pid ] && rm -f /run/opendj.pid || true + [ -h /var/run/opendj.pid ] && rm -f /var/run/opendj.pid || true fi diff --git a/opendj-packages/resources/generate-changelog.sh b/opendj-packages/resources/generate-changelog.sh new file mode 100755 index 0000000000..ee669840b0 --- /dev/null +++ b/opendj-packages/resources/generate-changelog.sh 
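Review bot: The SysV fallback `"%{_prefix}"/bin/stop-ds || true` in %preun runs as root a script living in a tree the package chowns to the `opendj` account, so a compromised service can obtain root at removal time; run it as the service user instead: `runuser -u opendj -- "%{_prefix}"/bin/stop-ds || true`. The two PID-symlink cleanups are the same file on hosts where /var/run is a symlink to /run, so the `/var/run/opendj.pid` line only matters on legacy layouts; a short comment saying so would stop the next maintainer from deleting one of them.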
@@ -0,0 +1,142 @@ +#!/usr/bin/env bash +# +# The contents of this file are subject to the terms of the Common Development and +# Distribution License (the License). You may not use this file except in compliance with the +# License. +# +# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the +# specific language governing permission and limitations under the License. +# +# When distributing Covered Software, include this CDDL Header Notice in each file and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL +# Header, with the fields enclosed by brackets [] replaced by your own identifying +# information: "Portions Copyright [year] [name of copyright owner]". +# +# Copyright 2026 3A Systems, LLC +# +# Regenerates the Debian and RPM package changelogs from the GitHub Releases of +# OpenIdentityPlatform/OpenDJ. Run this at release time (it needs network + an +# authenticated `gh`); the produced files are committed so the Maven build stays +# offline and reproducible. +# +# Usage (from the repository root): +# opendj-packages/resources/generate-changelog.sh +# +# Requires: gh (authenticated), python3. + +set -euo pipefail + +REPO="${OPENDJ_REPO:-OpenIdentityPlatform/OpenDJ}" +HERE="$(cd "$(dirname "$0")" && pwd)" +DEB_FILE="${HERE}/../opendj-deb/resources/changelog" +RPM_FILE="${HERE}/../opendj-rpm/resources/changelog" + +echo "Fetching releases from ${REPO} ..." 
>&2 +RELEASES_TMP="$(mktemp)" +trap 'rm -f "$RELEASES_TMP"' EXIT +gh api --paginate "repos/${REPO}/releases" > "$RELEASES_TMP" 2>/dev/null + +DEB_FILE="${DEB_FILE}" RPM_FILE="${RPM_FILE}" RELEASES_TMP="${RELEASES_TMP}" REPO="${REPO}" python3 - <<'PY' +import json, os, re, sys, textwrap + +with open(os.environ["RELEASES_TMP"]) as _f: + releases = json.load(_f) + +MAINTAINER = "Open Identity Platform Community " +DOW = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"] +MON = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"] + +def parse_iso(ts): + # e.g. 2026-06-11T19:19:48Z -> (Y, M, D, h, m, s, weekday) + import datetime + dt = datetime.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") + return dt + +def clean_bullets(body): + bullets = [] + for raw in (body or "").splitlines(): + line = raw.strip() + if not line.startswith(("* ", "- ")): + continue + line = line[2:].strip() + line = re.sub(r"\[([^\]]+)\]\([^)]+\)", r"\1", line) # md link -> text + line = re.sub(r"\bin https?://\S+", "", line) # drop PR url + line = re.sub(r"https?://\S+", "", line) # drop bare urls + line = re.sub(r"\b(by|thanks)\s+@[\w-]+(\[bot\])?", "", line) # drop "by/thanks @author" + line = re.sub(r"@[\w-]+(\[bot\])?", "", line) # drop any leftover @mention + line = line.replace("**", "").replace("`", "") + line = re.sub(r"[←-➿️❤☀-⛿]", "", line) # emoji/hearts + line = re.sub(r"\s+", " ", line).strip(" -") + if line: + bullets.append(line) + return bullets + +def version_of(rel): + return (rel.get("tag_name") or rel.get("name") or "").lstrip("v").strip() + +deb_chunks, rpm_chunks = [], [] +for rel in releases: + if rel.get("draft"): + continue + ver = version_of(rel) + if not ver or not ver[0].isdigit(): + continue + dt = parse_iso(rel["published_at"]) + bullets = clean_bullets(rel.get("body")) or [ + "See release notes: https://github.com/%s/releases/tag/%s" + % (os.environ.get("REPO", "OpenIdentityPlatform/OpenDJ"), ver) + ] + + # --- Debian stanza --- + deb 
= ["opendj (%s) unstable; urgency=medium" % ver, ""] + for b in bullets: + wrapped = textwrap.fill(b, width=78, initial_indent=" * ", + subsequent_indent=" ") + deb.append(wrapped) + deb_date = "%s, %02d %s %d %02d:%02d:%02d +0000" % ( + DOW[dt.weekday()], dt.day, MON[dt.month - 1], dt.year, + dt.hour, dt.minute, dt.second) + deb.append("") + deb.append(" -- %s %s" % (MAINTAINER, deb_date)) + deb_chunks.append("\n".join(deb)) + + # --- RPM stanza --- + rpm_date = "%s %s %2d %d" % (DOW[dt.weekday()], MON[dt.month - 1], dt.day, dt.year) + rpm = ["* %s %s - %s" % (rpm_date, MAINTAINER, ver)] + for b in bullets: + rpm.append(textwrap.fill(b, width=78, initial_indent="- ", + subsequent_indent=" ")) + rpm_chunks.append("\n".join(rpm)) + +with open(os.environ["DEB_FILE"], "w") as f: + f.write("\n\n".join(deb_chunks) + "\n") + +RPM_PREAMBLE = """# +# The contents of this file are subject to the terms of the Common Development and +# Distribution License (the License). You may not use this file except in compliance with the +# License. +# +# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the +# specific language governing permission and limitations under the License. +# +# When distributing Covered Software, include this CDDL Header Notice in each file and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL +# Header, with the fields enclosed by brackets [] replaced by your own identifying +# information: "Portions Copyright [year] [name of copyright owner]". +# +# Copyright 2013-2026 ForgeRock AS and Open Identity Platform Community. + +# ============================= +# opendj rpm package changelog +# ============================= + +%changelog +""" +with open(os.environ["RPM_FILE"], "w") as f: + f.write(RPM_PREAMBLE + "\n".join(rpm_chunks) + "\n") + +print("Wrote %d releases to:\n %s\n %s" + % (len(deb_chunks), os.environ["DEB_FILE"], os.environ["RPM_FILE"]), + file=sys.stderr) +PY 
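Review bot: `gh api --paginate "repos/${REPO}/releases" > "$RELEASES_TMP" 2>/dev/null` followed by `json.load(_f)` breaks as soon as the release list crosses a page boundary: as documented for gh, `--paginate` without `--slurp` emits one JSON array per page back to back, and `json.load` then raises `Extra data` — the changelog this script regenerates already lists well over 30 releases, so this is the normal case, not an edge case. Use `gh api --paginate --slurp "repos/${REPO}/releases" > "$RELEASES_TMP"` (needs a gh that supports `--slurp`; otherwise pipe through `jq -s 'add'`) and flatten with `releases = [r for page in json.load(_f) for r in page]`. Also drop the `2>/dev/null`: under `set -e` an auth or rate-limit failure aborts the script with no message at all.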
diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service
new file mode 100644
index 0000000000..fe6fe4af99
--- /dev/null
+++ b/opendj-packages/resources/systemd/opendj.service
@@ -0,0 +1,36 @@
+#
+# The contents of this file are subject to the terms of the Common Development and
+# Distribution License (the License). You may not use this file except in compliance with the
+# License.
+#
+# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+# specific language governing permission and limitations under the License.
+#
+# When distributing Covered Software, include this CDDL Header Notice in each file and include
+# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+# Header, with the fields enclosed by brackets [] replaced by your own identifying
+# information: "Portions Copyright [year] [name of copyright owner]".
+#
+# Copyright 2026 3A Systems, LLC
+
+[Unit]
+Description=OpenDJ LDAPv3 Directory Server
+Documentation=https://github.com/OpenIdentityPlatform/OpenDJ
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=opendj
+Group=opendj
+Environment=INSTALL_ROOT=/opt/opendj
+# start-ds --nodetach keeps the JVM in the foreground so systemd supervises it directly.
+ExecStart=/opt/opendj/bin/start-ds --nodetach --quiet
+ExecStop=/opt/opendj/bin/stop-ds --quiet
+Restart=on-failure
+RestartSec=5
+TimeoutStartSec=180
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
diff --git a/opendj-packages/resources/sysv/opendj b/opendj-packages/resources/sysv/opendj
index 579d1dce5c..b12e608405 100644
--- a/opendj-packages/resources/sysv/opendj
+++ b/opendj-packages/resources/sysv/opendj
@@ -17,6 +17,7 @@
 # information: "Portions Copyright [year] [name of copyright owner]".
 #
 # Copyright 2013-2015 ForgeRock AS.
+# Portions Copyright 2025-2026 3A Systems, LLC
 #
 # chkconfig: 2345 80 05
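Review bot: The `[Service]` section drops privileges with `User=opendj` but applies none of systemd's sandboxing, so the JVM still sees a writable root filesystem, home directories, kernel tunables and the shared /tmp — more than a network-facing directory server needs. The directives below are the usual minimum and do not change how start-ds is launched; `ReadWritePaths=/opt/opendj` is required next to `ProtectSystem=strict` because the server keeps its db, logs and config under the install root (confirm nothing is written outside it and /tmp before enabling). `Type=simple` also means `systemctl start` returns before the LDAP listener is up, which is why the CI has to poll with ldapsearch; `Type=exec` at least fails the start when the script cannot be executed.
```ini
[Service]
# … unchanged: Type, User, Group, Environment, ExecStart, ExecStop, Restart, RestartSec, TimeoutStartSec, LimitNOFILE …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/opt/opendj
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
```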
@@ -67,9 +68,25 @@ DAEMON=opendj ORIGINPIDFILE=/opt/opendj/logs/server.pid # Pid file is a symlink to /opt/opendj/log/server.pid -PIDFILE=/var/run/opendj.pid +# /run is the canonical location (/var/run is a compatibility symlink to it). +PIDFILE=/run/opendj.pid RETVAL=0 +# The dedicated service account the server runs as (created by the package). +RUNASUSER=opendj + +# Runs the given command as $RUNASUSER when that account exists and we are root; +# otherwise runs it as the current user (keeps old root-only installs working). +run_as() { + if [ "$(id -un)" = "$RUNASUSER" ] || ! getent passwd "$RUNASUSER" >/dev/null 2>&1 ; then + "$@" + elif command -v runuser >/dev/null 2>&1 ; then + runuser -u "$RUNASUSER" -- "$@" + else + su -s /bin/sh "$RUNASUSER" -c "$(while [ "$#" -gt 0 ]; do printf '%s ' "$1"; shift; done)" + fi +} + # If the daemon is not there, then exit / LSB return code. test -x "$INSTALL_ROOT/bin/start-ds" || exit 5 @@ -98,7 +115,7 @@ start() { echo "> Already running." return 0 else - "$INSTALL_ROOT"/bin/start-ds --quiet + run_as "$INSTALL_ROOT"/bin/start-ds --quiet RETVAL=$? if [ $RETVAL = 0 ] ; then touch $LOCKFILE @@ -123,7 +140,7 @@ stop() { if [ -e $PIDFILE ] then # Server is running - "$INSTALL_ROOT"/bin/stop-ds --quiet + run_as "$INSTALL_ROOT"/bin/stop-ds --quiet RETVAL=$? if [ $RETVAL = 0 ] ; then echo "> SUCCESS." From 98da1189537cedc48ae8a4eb8f5bf8bac2e5bfa9 Mon Sep 17 00:00:00 2001 
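Review bot: The `su` fallback in `run_as` rebuilds the command by joining `"$@"` with spaces into one `-c` string, so every argument is re-parsed by the target shell: a path with a space or a `$`, `;` or `*` is split, expanded or turned into a second command. Today's callers only pass `"$INSTALL_ROOT"/bin/start-ds --quiet` with a fixed `INSTALL_ROOT`, so nothing breaks yet, but the helper is generic; pass the arguments positionally instead: `su -s /bin/sh "$RUNASUSER" -c 'exec "$0" "$@"' "$@"` (util-linux and shadow `su` forward trailing arguments to the shell — worth confirming on the oldest supported target). The first branch also silently runs the server as root when the `opendj` account is missing; a one-line `echo "WARNING: $RUNASUSER account not found, running as $(id -un)" >&2` before `"$@"` would make that visible in the boot log.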
From: Valera V Harseko Date: Sun, 28 Jun 2026 10:24:09 +0300 Subject: [PATCH 2/5] Make the opendj service find Java via a stable symlink, and harden the CI The dedicated `opendj` service user (PR #663) runs setup/start-ds/stop-ds with a clean environment: no inherited JAVA_HOME, and `which` may be absent (e.g. minimal containers). OpenDJ's Java lookup then fell through to an error, because the package shipped config/java.properties with an unsubstituted placeholder (`default.java-home=$JAVA_HOME`) and the PATH fallback relied on the external `which`. Result: setup/start as `opendj` could not find Java. Fix Java discovery at the package level, using STABLE references so a JRE upgrade/reinstall does not break the service: - _script-util.sh: replace `which java` with `command -v java` (POSIX builtin, no dependency on the `which` package; resolves the stable /usr/bin/java alternatives symlink). This is the root-cause fix for the PATH fallback. - deb postinst / rpm %post: substitute `default.java-home` in config/java.properties with a stable symlink (/usr/lib/jvm/default-java, else the grandparent of `command -v java`, typically /usr) -- never a version- specific readlink path. Only the shipped placeholder is touched, so admin edits are preserved. - Ship an EnvironmentFile for admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS): /etc/default/opendj on deb (conffile), /etc/sysconfig/ opendj on rpm (%config(noreplace)). The systemd unit reads it via EnvironmentFile=, and the SysV init script sources and exports it so the values survive the runuser switch to the service account. CI (.github/workflows/build.yml): - test-deb: run in a clean debian:12 container (install + SysV start/stop) plus a live `systemctl enable --now` on the runner. The container has no JAVA_HOME and no `which`, so it actually verifies the package configures Java itself. - test-rpm: drop the OPENDJ_JAVA_HOME band-aid; Java now comes from the package. 
--- .github/workflows/build.yml | 66 +++++++++++-------- .../opendj-deb/opendj-deb-standard/pom.xml | 1 + opendj-packages/opendj-deb/pom.xml | 11 ++++ .../opendj-deb/resources/control/postinst | 10 +++ .../opendj-rpm/opendj-rpm-standard/pom.xml | 1 + opendj-packages/opendj-rpm/pom.xml | 13 ++++ .../opendj-rpm/resources/specs/postinstall.sh | 10 +++ opendj-packages/resources/env/opendj | 17 +++++ .../resources/systemd/opendj.service | 4 ++ opendj-packages/resources/sysv/opendj | 6 ++ .../resource/bin/_script-util.sh | 4 +- 11 files changed, 112 insertions(+), 31 deletions(-) create mode 100644 opendj-packages/resources/env/opendj diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0501537943..84dfdad702 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -450,38 +450,51 @@ jobs: uses: actions/download-artifact@v8 with: name: ubuntu-latest-11 - - name: Locate .deb + - name: Clean-room install + SysV start/stop (debian:12 container) shell: bash run: | - DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) - echo "DEB=$PWD/$DEB" >> "$GITHUB_ENV" - echo "Found $DEB" - - name: Lint and inspect + docker run --rm -v "$PWD:/work" -w /work debian:12 bash -c ' + set -e + export DEBIAN_FRONTEND=noninteractive + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) + echo "Found $DEB" + apt-get update + apt-get install -y lintian + lintian --info --no-tag-display-limit "$DEB" || true + dpkg-deb -I "$DEB" + dpkg-deb -c "$DEB" | grep -E "lib/systemd/system/opendj.service|etc/init.d/opendj" + apt-get install -y "./$DEB" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + # No JAVA_HOME and no "which" in this clean container: Java must resolve + # from config/java.properties (default.java-home set by postinst). 
+ runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + /etc/init.d/opendj status + test "$OK" = 1 + /etc/init.d/opendj stop + apt-get purge -y opendj + ' + - name: Live systemd install + start/stop (runner) shell: bash run: | + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) sudo apt-get update - sudo apt-get install -y lintian - lintian --info --no-tag-display-limit "$DEB" || true - dpkg-deb -I "$DEB" - dpkg-deb -c "$DEB" | grep -E 'lib/systemd/system/opendj\.service|etc/init\.d/opendj' - systemd-analyze verify opendj-packages/resources/systemd/opendj.service || true - sh -n opendj-packages/resources/sysv/opendj - - name: Install - shell: bash - run: | - sudo apt-get install -y "$DEB" - getent passwd opendj + sudo apt-get install -y "$PWD/$DEB" test "$(stat -c '%U' /opt/opendj)" = opendj - - name: Setup OpenDJ (configured, not started) - shell: bash - run: | + # sudo/runuser/systemd strip JAVA_HOME -> also relies on config/java.properties sudo runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ --rootUserDN "cn=Directory Manager" --rootUserPassword password \ --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ --baseDN dc=example,dc=com --addBaseEntry - - name: Start via systemd and verify - shell: bash - run: | sudo systemctl enable --now opendj OK=0 for i in $(seq 1 20); do 
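Review bot: `lintian --info --no-tag-display-limit "$DEB" || true` in the clean-room step makes lintian purely informational, so a packaging regression it would catch (a non-executable maintainer script, a missing interpreter line, a bad control field) never fails the job. Drop the `|| true` and state which severities are fatal: `lintian --fail-on error --info --no-tag-display-limit "$DEB"` (`--fail-on` is supported by the lintian in debian:12 as far as I know; add `warning` once the current output is clean). The rest of the step — the ownership assertion, setup as `opendj`, SysV start and the ldapsearch poll — is exactly the end-to-end check that should stay fatal.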
@@ -491,16 +504,10 @@ jobs: sudo systemctl is-active --quiet opendj test "$OK" = 1 echo "OpenDJ is active under systemd" - - name: Stop via systemd and verify - shell: bash - run: | sudo systemctl stop opendj sleep 3 if sudo systemctl is-active --quiet opendj; then echo "still active"; exit 1; fi - echo "OpenDJ stopped" - - name: Purge - shell: bash - run: sudo apt-get purge -y opendj + sudo apt-get purge -y opendj test-rpm: needs: build-maven @@ -521,6 +528,7 @@ jobs: dnf install -y "$RPM" id opendj test "$(stat -c %U /opt/opendj)" = opendj + # Java must come from config/java.properties (no JAVA_HOME and no "which" here) runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ --rootUserDN "cn=Directory Manager" --rootUserPassword password \ --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ diff --git a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml index ebb19445c9..33ef15e4ca 100644 --- a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml +++ b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml @@ -35,6 +35,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj ${project.parent.parent.basedir}/resources/systemd/opendj.service + ${project.parent.parent.basedir}/resources/env/opendj ${product.name} ${product.name.lowercase} This OpenDJ package includes the Berkeley JE Backend and cannot be redistributed without a suitable license diff --git a/opendj-packages/opendj-deb/pom.xml b/opendj-packages/opendj-deb/pom.xml index 5cba979d2d..83eadc9ffe 100644 --- a/opendj-packages/opendj-deb/pom.xml +++ b/opendj-packages/opendj-deb/pom.xml @@ -181,6 +181,17 @@ + + + ${env.file.location} + file + + perm + /etc/default + 644 + + + ${basedir}/resources/copyright diff --git a/opendj-packages/opendj-deb/resources/control/postinst b/opendj-packages/opendj-deb/resources/control/postinst index 49ace6a6eb..d0f7ca8a5b 100644 
--- a/opendj-packages/opendj-deb/resources/control/postinst +++ b/opendj-packages/opendj-deb/resources/control/postinst @@ -35,6 +35,16 @@ fi # migrates installations that were previously owned by root. chown -R opendj:opendj ${deb.prefix} +# Pin Java for the service via OpenDJ's own config, using a STABLE symlink (not a +# version-specific path) so a JRE upgrade/reinstall does not break the service. +# Only touch the shipped placeholder, never an admin-edited value. +JAVA_PROPS=${deb.prefix}/config/java.properties +JH=/usr/lib/jvm/default-java +[ -x "$JH/bin/java" ] || JH=$(dirname "$(dirname "$(command -v java 2>/dev/null)")" 2>/dev/null) +if [ -n "$JH" ] && [ -x "$JH/bin/java" ] && grep -q '^default.java-home=\$JAVA_HOME' "$JAVA_PROPS" 2>/dev/null ; then + sed -i "s|^default.java-home=.*|default.java-home=$JH|" "$JAVA_PROPS" +fi + # Register the service: prefer systemd, fall back to SysV init. if [ -d /run/systemd/system ] ; then systemctl --system daemon-reload >/dev/null 2>&1 || true diff --git a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml index 341a5fde35..aa151435f6 100644 --- a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml +++ b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml @@ -35,6 +35,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj ${project.parent.parent.basedir}/resources/systemd/opendj.service + ${project.parent.parent.basedir}/resources/env/opendj ${product.name} ${product.name.lowercase} ${project.parent.basedir}/resources diff --git a/opendj-packages/opendj-rpm/pom.xml b/opendj-packages/opendj-rpm/pom.xml index e89e0889d0..f1fc0b3ed1 100644 --- a/opendj-packages/opendj-rpm/pom.xml +++ b/opendj-packages/opendj-rpm/pom.xml @@ -250,6 +250,19 @@ + + + /etc/sysconfig + false + 644 + noreplace + + + ${env.file.location} + + + + ${rpm.prefix} 
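Review bot: The `sed -i` on `$JAVA_PROPS` runs as root against a file in the tree that `chown -R opendj:opendj ${deb.prefix}` just above has handed to the unprivileged service account, so postinst is editing opendj-controlled content with root privileges on every upgrade. GNU `sed -i` writes a new file instead of following a symlink, so the obvious symlink trick is blocked (verify for the sed on the targets), but the safer shape is to do the placeholder substitution before the chown, or to run it as the service user with `runuser -u opendj -- sed -i ...`. When neither `/usr/lib/jvm/default-java` nor `command -v java` yields a JRE the block does nothing and the first `systemctl start` fails later with an unrelated-looking error; an `else echo "opendj: no Java runtime found, set OPENDJ_JAVA_HOME in /etc/default/opendj" >&2` on that `if` would point the admin at the fix.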
diff --git a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh index d2ed6ea03b..5129fedf16 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh @@ -28,6 +28,16 @@ getent passwd opendj >/dev/null || \ useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj chown -R opendj:opendj "%{_prefix}" || true +# Pin Java for the service via OpenDJ's own config, using a STABLE symlink (not a +# version-specific path) so a JRE upgrade/reinstall does not break the service. +# Only touch the shipped placeholder, never an admin-edited value. +JAVA_PROPS="%{_prefix}"/config/java.properties +JH=/usr/lib/jvm/jre +[ -x "$JH/bin/java" ] || JH=$(dirname "$(dirname "$(command -v java 2>/dev/null)")" 2>/dev/null) +if [ -n "$JH" ] && [ -x "$JH/bin/java" ] && grep -q '^default.java-home=\$JAVA_HOME' "$JAVA_PROPS" 2>/dev/null ; then + sed -i "s|^default.java-home=.*|default.java-home=$JH|" "$JAVA_PROPS" +fi + # Register the service: prefer systemd, fall back to chkconfig/SysV. if [ -d /run/systemd/system ] ; then systemctl daemon-reload >/dev/null 2>&1 || true diff --git a/opendj-packages/resources/env/opendj b/opendj-packages/resources/env/opendj new file mode 100644 index 0000000000..3d1a81b358 --- /dev/null +++ b/opendj-packages/resources/env/opendj 
@@ -0,0 +1,17 @@
+# Environment overrides for the OpenDJ service.
+#
+# This file is sourced by the systemd unit (EnvironmentFile=) and by the SysV
+# init script. By default everything is commented out and the server resolves
+# Java from its config/java.properties (default.java-home), which the package
+# points at the system default JRE at install time.
+#
+# Uncomment to override the JRE used by the service (one line, no export):
+# - OPENDJ_JAVA_HOME: a JAVA_HOME directory (its bin/java is used)
+# - OPENDJ_JAVA_BIN : a direct path to the java binary (takes precedence)
+# Using the stable /usr alternatives symlink survives Java upgrades:
+
+#OPENDJ_JAVA_HOME=/usr/lib/jvm/default-java
+#OPENDJ_JAVA_BIN=/usr/bin/java
+#
+# Extra JVM args for the server:
+#OPENDJ_JAVA_ARGS=-server -Xmx2g
diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service
index fe6fe4af99..9e8889c16e 100644
--- a/opendj-packages/resources/systemd/opendj.service
+++ b/opendj-packages/resources/systemd/opendj.service
@@ -24,6 +24,10 @@ Type=simple
 User=opendj
 Group=opendj
 Environment=INSTALL_ROOT=/opt/opendj
+# Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS).
+# The leading "-" makes the file optional; deb ships /etc/default, rpm /etc/sysconfig.
+EnvironmentFile=-/etc/default/opendj
+EnvironmentFile=-/etc/sysconfig/opendj
 # start-ds --nodetach keeps the JVM in the foreground so systemd supervises it directly.
 ExecStart=/opt/opendj/bin/start-ds --nodetach --quiet
 ExecStop=/opt/opendj/bin/stop-ds --quiet
diff --git a/opendj-packages/resources/sysv/opendj b/opendj-packages/resources/sysv/opendj
index b12e608405..d2a1145997 100644
--- a/opendj-packages/resources/sysv/opendj
+++ b/opendj-packages/resources/sysv/opendj
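Review bot: The commented example `#OPENDJ_JAVA_ARGS=-server -Xmx2g` is not safe to uncomment as written, because the SysV init script (next hunk) sources this file with `.`: the shell reads `OPENDJ_JAVA_ARGS=-server -Xmx2g` as a temporary assignment prefixing a command named `-Xmx2g`, so the variable is never set and the script tries to run `-Xmx2g`. systemd's EnvironmentFile= parser accepts double quotes as well, so the example should read `#OPENDJ_JAVA_ARGS="-server -Xmx2g"` and the "(one line, no export)" hint should add "quote values containing spaces". The `/usr/lib/jvm/default-java` example is Debian-specific, while the same file is installed as `/etc/sysconfig/opendj` on RPM hosts where the rpm postinstall hunk pins `/usr/lib/jvm/jre`; listing both (`# Debian: /usr/lib/jvm/default-java   RPM: /usr/lib/jvm/jre`) avoids a dangling path on one family. Because the file is executed by the init script's root shell and selects the binary the service runs, a closing comment that it must stay root-owned and not writable by `opendj` would also help.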
@@ -59,6 +59,12 @@ fi # LOCKFILE is used by the service subsystem to know whether the opendj service is started and act upon it +# Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS). +# Exported so they survive the runuser switch to the service account in run_as(). +[ -r /etc/default/opendj ] && . /etc/default/opendj +[ -r /etc/sysconfig/opendj ] && . /etc/sysconfig/opendj +export OPENDJ_JAVA_HOME OPENDJ_JAVA_BIN OPENDJ_JAVA_ARGS + # Sets the script vars INSTALL_ROOT="/opt/opendj" export INSTALL_ROOT diff --git a/opendj-server-legacy/resource/bin/_script-util.sh b/opendj-server-legacy/resource/bin/_script-util.sh index da3a9e6ce4..5a4fbe3b4b 100644 --- a/opendj-server-legacy/resource/bin/_script-util.sh +++ b/opendj-server-legacy/resource/bin/_script-util.sh @@ -40,7 +40,7 @@ get_property() { # is defined and 'SCRIPT_NAME.java-home'/bin/java points to a regular file # 4 - use the 'default.java-home' property from the config/java.properties file # is defined and 'default.java-home'/bin/java points to a regular file -# 5 - use `which java` command to find java path +# 5 - use `command -v java` to find java path (POSIX builtin; no dependency on the `which` package) # 6 - use JAVA_BIN if defined and points to an existing regular file # 7 - use JAVA_HOME if defined and JAVA_HOME/bin/java points to a regural file # 8 - Displays an error message which says that java was not found on the running machine @@ -63,7 +63,7 @@ set_opendj_java_bin() { then OPENDJ_JAVA_BIN=${PROPERTY_VALUE}/bin/java else - TEST_JAVA_PATH=`which java 2> /dev/null` + TEST_JAVA_PATH=`command -v java 2> /dev/null` if test ! -z ${TEST_JAVA_PATH} -a -f ${TEST_JAVA_PATH} then OPENDJ_JAVA_BIN=${TEST_JAVA_PATH} From 7b5c11b72fc44510d40e4398c541d1151f9fba31 Mon Sep 17 00:00:00 2001 
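Review bot: The two `. /etc/default/opendj` / `. /etc/sysconfig/opendj` lines execute the file's contents in the root shell before run_as() drops to `opendj`, so write access to either file is root code execution at service start; the rpm pom hunk above installs `/etc/sysconfig/opendj` with mode 644, but the mode and ownership of the Debian `/etc/default/opendj` are not visible in this series and should be confirmed to be root:root 0644 as well. Both files are sourced on every host, so a stray `/etc/sysconfig/opendj` on a Debian system silently overrides `/etc/default/opendj` (the later source wins); a comment such as `# if both exist, /etc/sysconfig/opendj takes precedence` would make that deliberate. This is top-level init-script code; the surrounding script continues outside the hunk.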
From: Valera V Harseko
Date: Sun, 28 Jun 2026 23:37:55 +0300
Subject: [PATCH 3/5] systemd: grant CAP_NET_BIND_SERVICE so the non-root service can bind privileged ports The service runs as the dedicated opendj user and so cannot bind privileged ports (LDAP 389, LDAPS 636) by default. Grant CAP_NET_BIND_SERVICE via AmbientCapabilities (and restrict CapabilityBoundingSet to it) so the non-root service can listen on those ports without running as root or applying setcap to the java binary.
---
 opendj-packages/resources/systemd/opendj.service | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service
index 9e8889c16e..171eaa3613 100644
--- a/opendj-packages/resources/systemd/opendj.service
+++ b/opendj-packages/resources/systemd/opendj.service
@@ -23,6 +23,9 @@ Wants=network-online.target
 Type=simple
 User=opendj
 Group=opendj
+# Allow the non-root service to bind privileged ports (e.g. LDAP 389, LDAPS 636).
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Environment=INSTALL_ROOT=/opt/opendj
 # Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS).
 # The leading "-" makes the file optional; deb ships /etc/default, rpm /etc/sysconfig.
From 2ff41db2c317637c23086abf91e6264c3a4988da Mon Sep 17 00:00:00 2001
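Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` carries the capability through the start-ds shell script into the java child (that is what the ambient set is for), but nothing in the unit stops that process tree from gaining other privileges via setuid or file-capability binaries; `NoNewPrivileges=true` placed next to the two new lines is the usual companion to an ambient grant and does not interfere with ambient capabilities. `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is the right restriction: it bounds what any child could ever acquire. As a separate hardening step, `ProtectSystem=full` is cheap here because the server's writable tree is `/opt/opendj`, outside the paths `full` makes read-only. The SysV fallback path gets no equivalent grant, which the docs patch later in the series already calls out.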
From: Valera V Harseko Date: Sun, 28 Jun 2026 23:37:55 +0300 Subject: [PATCH 4/5] docs: update deb/rpm install/upgrade/uninstall for systemd + dedicated opendj user The install guide described the old behavior (init.d, root-owned files, setup as root). Update the Debian and RPM sections to match the current packages: dedicated opendj system user, systemd service (systemctl) with a SysV fallback, JRE installed automatically via the package dependency, run setup as the opendj user, override Java via /etc/default or /etc/sysconfig/opendj, and CAP_NET_BIND_SERVICE for privileged ports. --- .../asciidoc/install-guide/chap-install.adoc | 83 ++++++------------- .../install-guide/chap-uninstall.adoc | 4 +- .../asciidoc/install-guide/chap-upgrade.adoc | 2 +- 3 files changed, 28 insertions(+), 61 deletions(-) diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc index 92be08f08a..666c2d12cc 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc 
@@ -432,48 +432,26 @@ You can install OpenDJ in unattended and silent fashion, too. See the procedure, ==== On Debian and related Linux distributions such as Ubuntu, you can install OpenDJ directory server from the Debian package: -. (Optional) Before you install OpenDJ, install a Java runtime environment if none is installed yet: -+ - -[source, console] ----- -$ sudo apt-get install default-jre ----- - -. Install the OpenDJ directory server package: +. Install the OpenDJ directory server package. Use `apt-get install ./.deb` (rather than `dpkg -i`) so the required Java runtime dependency (`default-jre-headless`) is resolved and installed automatically: + [source, console, subs="attributes"] ---- -$ sudo dpkg -i opendj_{opendj-version}-1_all.deb -Selecting previously unselected package opendj. -(Reading database ... 185569 files and directories currently installed.) -Unpacking opendj (from opendj_{opendj-version}-1_all.deb) ... - -Setting up opendj ({opendj-version}) ... - Adding system startup for /etc/init.d/opendj ... - /etc/rc0.d/K20opendj -> ../init.d/opendj - /etc/rc1.d/K20opendj -> ../init.d/opendj - /etc/rc6.d/K20opendj -> ../init.d/opendj - /etc/rc2.d/S20opendj -> ../init.d/opendj - /etc/rc3.d/S20opendj -> ../init.d/opendj - /etc/rc4.d/S20opendj -> ../init.d/opendj - /etc/rc5.d/S20opendj -> ../init.d/opendj - -Processing triggers for ureadahead ... -ureadahead will be reprofiled on next reboot +$ sudo apt-get install ./opendj_{opendj-version}-1_all.deb ---- + -The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`. 
+The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`. ++ +The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024. + -The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636. +To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/default/opendj`. -. Configure OpenDJ directory server by using the command `sudo /opt/opendj/setup`: +. Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service): + [source, console] ---- -$ sudo /opt/opendj/setup --cli +$ sudo -u opendj /opt/opendj/setup --cli ... To see basic server configuration status and configuration you can launch /opt/opendj/bin/status @@ -484,9 +462,9 @@ To see basic server configuration status and configuration you can launch [source, console, subs="attributes"] ---- -$ service opendj status -opendj status: > Running. -$ sudo /opt/opendj/bin/status +$ systemctl is-active opendj +active +$ sudo -u opendj /opt/opendj/bin/status >>>> Specify OpenDJ LDAP connection parameters 
@@ -541,38 +519,28 @@ Password: # ---- -. Before you install OpenDJ, install a Java runtime environment if none is installed yet. -+ -You might need to download an RPM to install the Java runtime environment, and then install the RPM by using the `rpm` command: -+ - -[source, console] ----- -# rpm -ivh jre-*.rpm ----- - -. Install the OpenDJ directory server package: +. Install the OpenDJ directory server package. Use `dnf install ./.rpm` (rather than `rpm -i`) so the required Java runtime dependency (`java-headless >= 11`) is resolved and installed automatically: + [source, console, subs="attributes"] ---- -# rpm -i opendj-{opendj-version}-1.noarch.rpm +# dnf install ./opendj-{opendj-version}-1.noarch.rpm Pre Install - initial install Post Install - initial install - -# ---- + -The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, and adds man pages under `/opt/opendj/share/man`. +The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), and adds man pages under `/opt/opendj/share/man`. + -The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636. +The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024. ++ +To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/sysconfig/opendj`. -. Configure OpenDJ directory server by using the command `/opt/opendj/setup`: +. 
Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service): + [source, console] ---- -# /opt/opendj/setup --cli +# runuser -u opendj -- /opt/opendj/setup --cli ... To see basic server configuration status and configuration you can launch /opt/opendj/bin/status @@ -583,9 +551,9 @@ To see basic server configuration status and configuration you can launch [source, console, subs="attributes"] ---- -# service opendj status -opendj status: > Running. -# /opt/opendj/bin/status +# systemctl is-active opendj +active +# runuser -u opendj -- /opt/opendj/bin/status >>>> Specify OpenDJ LDAP connection parameters @@ -623,14 +591,13 @@ Entries: 2002 Replication: ---- + -By default OpenDJ starts in run levels 2, 3, 4, and 5: +The service is enabled to start at boot: + [source, console] ---- -# chkconfig --list | grep opendj -... -opendj 0:off 1:off 2:on 3:on 4:on 5:on 6:off +# systemctl is-enabled opendj +enabled ---- ==== diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc index 19cc3a3875..65f18bcee5 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc @@ -127,7 +127,7 @@ Stopping Server... $ ---- + -Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files. +Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it. ==== 
@@ -153,7 +153,7 @@ OpenDJ successfully removed. # ---- + -Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files. +Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it. ==== diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc index cf0268dec0..af11988c54 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc @@ -89,7 +89,7 @@ Due to changes to the backup archive format, make sure you stop OpenDJ directory ==== Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"]. -To upgrade to OpenDJ directory server installed from native packages (.deb, .rpm), use the command-line package management tools provided by the system. +To upgrade OpenDJ directory server installed from native packages (.deb, .rpm), install the newer package with the system package manager (`sudo apt-get install ./opendj_{opendj-version}-1_all.deb` or `sudo dnf install ./opendj-{opendj-version}-1.noarch.rpm`). The package stops the running server, runs the `upgrade` tool as the dedicated `opendj` user, migrates file ownership under `/opt/opendj` to that user, and restarts the service (systemd, with a SysV init fallback) if it was running before the upgrade. Back up the installation directory first, as described in xref:#before-you-upgrade["Before You Upgrade"]. [NOTE] ====== From 67f0d6bd6ef31995a6c6073a2e17fb2c62a0fe75 Mon Sep 17 00:00:00 2001 
From: Valera V Harseko Date: Thu, 2 Jul 2026 22:10:27 +0300 Subject: [PATCH 5/5] CI: test deb/rpm upgrade from the released 5.1.1 packages New test-deb-upgrade (debian:12) and test-rpm-upgrade (rockylinux:9) jobs: install the released 5.1.1 package (root-owned tree, SysV only), configure an instance and start it, then upgrade to the newly built package while the server is RUNNING. The package must stop the server, create the opendj user, migrate file ownership, run the upgrade tool and restart the server; the jobs assert the pre-upgrade data is served again and the process now runs as opendj. --- .github/workflows/build.yml | 105 ++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 84dfdad702..bf239c91ff 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -544,3 +544,108 @@ jobs: /etc/init.d/opendj stop rpm -e opendj ' + + # Upgrade path: released 5.1.1 deb (root-owned, SysV) -> this build's deb. The new package + # must stop the running server, create the opendj user, migrate ownership, run the upgrade + # tool and restart the server with the old data (docs: chap-upgrade). + test-deb-upgrade: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Download released 5.1.1 deb + shell: bash + run: curl -fsSL -o opendj-5.1.1.deb https://github.com/OpenIdentityPlatform/OpenDJ/releases/download/5.1.1/opendj_5.1.1-1_all.deb + - name: Upgrade 5.1.1 -> new deb (debian:12 container) + shell: bash + run: | + docker run --rm -v "$PWD:/work" -w /work debian:12 bash -c ' + set -e + export DEBIAN_FRONTEND=noninteractive + NEW=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) + echo "New deb: $NEW" + apt-get update + apt-get install -y default-jre-headless procps >/dev/null + apt-get install -y ./opendj-5.1.1.deb + # 5.1.1 model: no dedicated user, root-owned tree, SysV only + /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + test "$OK" = 1 + # Leave the server RUNNING: the new package must stop it, upgrade and restart it. 
+ apt-get install -y "./$NEW" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + test -f /opt/opendj/config/config.ldif + # The package restarted the server; the pre-upgrade data must be served again, + # now by the dedicated user. + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + test "$OK" = 1 + test "$(ps -o user= -p "$(cat /opt/opendj/logs/server.pid)" | tr -d " ")" = opendj + /etc/init.d/opendj stop + apt-get purge -y opendj + ' + + test-rpm-upgrade: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Download released 5.1.1 rpm + shell: bash + run: curl -fsSL -o opendj-5.1.1.rpm https://github.com/OpenIdentityPlatform/OpenDJ/releases/download/5.1.1/opendj-5.1.1-1.noarch.rpm + - name: Upgrade 5.1.1 -> new rpm (Rocky Linux 9 container) + shell: bash + run: | + docker run --rm -v "$PWD:/work" -w /work rockylinux:9 bash -c ' + set -e + NEW=$(ls opendj-packages/opendj-rpm/opendj-rpm-standard/target/rpm/opendj/RPMS/noarch/*.rpm | head -1) + echo "New rpm: $NEW" + dnf install -y java-21-openjdk-headless util-linux initscripts procps-ng >/dev/null + dnf install -y ./opendj-5.1.1.rpm + # 5.1.1 model: no dedicated user, root-owned tree, SysV only + /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + test "$OK" = 1 + # 
Leave the server RUNNING: the new package must stop it, upgrade and restart it. + dnf install -y "./$NEW" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + test -f /opt/opendj/config/config.ldif + # The package restarted the server; the pre-upgrade data must be served again, + # now by the dedicated user. + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + test "$OK" = 1 + test "$(ps -o user= -p "$(cat /opt/opendj/logs/server.pid)" | tr -d " ")" = opendj + /etc/init.d/opendj stop + rpm -e opendj + '
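Review bot: The `curl -fsSL -o opendj-5.1.1.deb https://github.com/…/releases/download/5.1.1/…` step, and its rpm twin, install whatever the download returns with no integrity check, so the upgrade baseline is trusted on transport alone; since it is a fixed published artifact, pin its digest right after each curl with `echo "<sha256-of-opendj_5.1.1-1_all.deb>  opendj-5.1.1.deb" | sha256sum -c -` (placeholder value to be taken from the release), which also makes the job fail loudly if the asset is ever re-uploaded. `NEW=$(ls …/target/*.deb | head -1)` silently picks the first of several packages if the target directory holds more than one build; asserting a single match (`test "$(ls …/target/*.deb | wc -l)" = 1`) before the install keeps the upgrade test unambiguous. The hunk appears to end at the closing quote of the rpm job, but that should be confirmed against the full patch.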