From 552a762a58f011ad56da11f9409c59b2ae2f8d42 Mon Sep 17 00:00:00 2001 
From: Valera V Harseko
Date: Fri, 26 Jun 2026 20:19:25 +0300
Subject: [PATCH 1/4] Modernize Debian and RPM packaging (systemd, dedicated user, CI tests)

Bring the opendj-deb/opendj-rpm packages up to current Linux packaging
practice. The packaging had drifted from the ForgeRock era: jdeb 1.3
(2016), SysV-init only with direct update-rc.d/chkconfig calls, no
Standards-Version, a 2015 changelog, and the server running as root.

Service management:
- Ship a native systemd unit (resources/systemd/opendj.service,
  Type=simple, start-ds --nodetach), kept alongside the SysV init script
  as a fallback for non-systemd hosts.
- Register/enable/start via deb-systemd-helper / systemctl with an
  update-rc.d / chkconfig fallback; stop the service on removal.

Dedicated service account:
- Create an "opendj" system user/group and chown /opt/opendj to it; this
  also migrates previously root-owned installs on upgrade.
- Run start-ds/stop-ds/upgrade as "opendj" from systemd, the maintainer
  scripts, and the SysV init script (new run_as helper, falls back to the
  current user when the account is absent).

Build tooling and metadata:
- jdeb 1.3 -> 1.14; ship the systemd unit from both deb and rpm.
- control: add Standards-Version 4.7.3, Section net, a Debian revision in
  Version, Pre-Depends: adduser, and a newest-first JRE fallback list
  (default-jre-headless | ... | java25 | java21 | java17 | java11).
- rpm: add Requires java-headless >= 1:11 and Requires(pre) shadow-utils.
- Maintainer scripts hardened: set -e, fix invalid "exit -1",
  /var/run -> /run, idempotent guards.

Changelog:
- Generate the deb and rpm changelogs from the GitHub Releases via a new
  release-time helper (resources/generate-changelog.sh); committed output
  keeps the Maven build offline and reproducible.

CI:
- Add test-deb and test-rpm jobs (needs: build-maven) that install the
  built package, assert the opendj user and ownership, run setup, and
  start/stop the service (systemd on the runner; SysV in a Rocky Linux 9
  container) with an ldapsearch liveness check.
---
 .github/workflows/build.yml | 95 +++
 .../opendj-deb/opendj-deb-standard/pom.xml | 2 +
 opendj-packages/opendj-deb/pom.xml | 16 +-
 .../opendj-deb/resources/changelog | 748 +++++++++++++++++-
 .../opendj-deb/resources/control/control | 8 +-
 .../opendj-deb/resources/control/postinst | 82 +-
 .../opendj-deb/resources/control/postrm | 26 +-
 .../opendj-deb/resources/control/preinst | 19 +-
 .../opendj-deb/resources/control/prerm | 25 +-
 .../opendj-rpm/opendj-rpm-standard/pom.xml | 2 +
 opendj-packages/opendj-rpm/pom.xml | 21 +-
 .../opendj-rpm/resources/changelog | 498 +++++++++++-
 .../opendj-rpm/resources/specs/postinstall.sh | 73 +-
 .../resources/specs/postuninstall.sh | 13 +-
 .../opendj-rpm/resources/specs/preinstall.sh | 22 +-
 .../resources/specs/preuninstall.sh | 29 +-
 .../resources/generate-changelog.sh | 142 ++++
 .../resources/systemd/opendj.service | 36 +
 opendj-packages/resources/sysv/opendj | 23 +-
 19 files changed, 1721 insertions(+), 159 deletions(-)
 create mode 100755 opendj-packages/resources/generate-changelog.sh
 create mode 100644 opendj-packages/resources/systemd/opendj.service

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 58927fe9e8..0501537943 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -441,3 +441,98 @@ jobs: timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" test_custom | grep -q \"healthy\"; do sleep 10; done' docker exec test_custom 'sh' '-c' '/opt/opendj/bin/ldapsearch --hostname localhost --port 1636 --bindDN "cn=Directory Manager" --bindPassword custom_password --useSsl --trustAll --baseDN "dc=example,dc=com" --searchScope base "(objectClass=*)" 1.1' docker kill test_custom + + test-deb: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Locate .deb + shell: bash + run: | + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) + echo "DEB=$PWD/$DEB" >> "$GITHUB_ENV" + echo "Found $DEB" + - name: Lint and inspect + shell: bash + run: | + sudo apt-get update + sudo apt-get install -y lintian + lintian --info --no-tag-display-limit "$DEB" || true + dpkg-deb -I "$DEB" + dpkg-deb -c "$DEB" | grep -E 'lib/systemd/system/opendj\.service|etc/init\.d/opendj' + systemd-analyze verify opendj-packages/resources/systemd/opendj.service || true + sh -n opendj-packages/resources/sysv/opendj + - name: Install + shell: bash + run: | + sudo apt-get install -y "$DEB" + getent passwd opendj + test "$(stat -c '%U' /opt/opendj)" = opendj + - name: Setup OpenDJ (configured, not started) + shell: bash + run: | + sudo runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + - name: Start via systemd and verify + shell: bash + run: | + sudo systemctl enable --now opendj + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + 
sleep 3 + done + sudo systemctl is-active --quiet opendj + test "$OK" = 1 + echo "OpenDJ is active under systemd" + - name: Stop via systemd and verify + shell: bash + run: | + sudo systemctl stop opendj + sleep 3 + if sudo systemctl is-active --quiet opendj; then echo "still active"; exit 1; fi + echo "OpenDJ stopped" + - name: Purge + shell: bash + run: sudo apt-get purge -y opendj + + test-rpm: + needs: build-maven + runs-on: 'ubuntu-latest' + steps: + - name: Download artifacts + uses: actions/download-artifact@v8 + with: + name: ubuntu-latest-11 + - name: Install and start/stop in Rocky Linux 9 + shell: bash + run: | + docker run --rm -v "$PWD:/work" -w /work rockylinux:9 bash -c ' + set -e + RPM=$(ls opendj-packages/opendj-rpm/opendj-rpm-standard/target/rpm/opendj/RPMS/noarch/*.rpm | head -1) + echo "Found $RPM" + dnf install -y java-21-openjdk-headless util-linux initscripts >/dev/null + dnf install -y "$RPM" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + /etc/init.d/opendj status + test "$OK" = 1 + /etc/init.d/opendj stop + rpm -e opendj + ' diff --git a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml index 6e2a7f18e4..ebb19445c9 100644 --- a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml +++ b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml 
@@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -33,6 +34,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj + ${project.parent.parent.basedir}/resources/systemd/opendj.service ${product.name} ${product.name.lowercase} This OpenDJ package includes the Berkeley JE Backend and cannot be redistributed without a suitable license diff --git a/opendj-packages/opendj-deb/pom.xml b/opendj-packages/opendj-deb/pom.xml index c3a487e00c..5cba979d2d 100644 --- a/opendj-packages/opendj-deb/pom.xml +++ b/opendj-packages/opendj-deb/pom.xml @@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015-2016 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -146,7 +147,7 @@ org.vafer jdeb - 1.3 + 1.14 generate-deb-package @@ -158,7 +159,7 @@ ${project.build.directory}/${deb.product.name.lowercase}_${project.version}-${deb.release}_all.deb ${project.build.directory}/deb/control - + ${sysv.file.location} file @@ -169,6 +170,17 @@ + + + ${systemd.file.location} + file + + perm + /lib/systemd/system + 644 + + + ${basedir}/resources/copyright diff --git a/opendj-packages/opendj-deb/resources/changelog b/opendj-packages/opendj-deb/resources/changelog index c45ffce275..73b97032c2 100644 --- a/opendj-packages/opendj-deb/resources/changelog +++ b/opendj-packages/opendj-deb/resources/changelog 
@@ -1,17 +1,747 @@ - opendj (3.0.0) unstable; urgency=low +opendj (5.1.1) unstable; urgency=medium - * init.d service script now generates and removes a lockfile. + * CVE-2026-46495 OpenDJ Unauthenticated RCE via Java Deserialization in JMX + RMI + * CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication + allows CPU exhaustion DoS + * [#648] slow DN.valueOf / AVA normalization for nested DN-syntax values + * chore: bump Bouncy Castle FIPS deps to latest 2.1.x patch releases + * Fix grizzly log level is always FINE + * Fix shell script issues in opendj-docker/run.sh + * Fix Windows CI: use ilammy/msvc-dev-cmd to set up MSVC env + * Add native access JVM flag for Bouncy Castle FIPS on newer Java releases + * Docker base DN entry creation opt-in and improves bootstrap LDIF loading + resilience + * Fix BasicRequestsTest.testReadSelectPartial for nesting-preserving field + projection + * Update org.openidentityplatform.commons to 3.1.1 + * Fix JMX RMI connector startup failure introduced by CVE-2026-46495 + hardening - -- ForgeRock Wed, 9 Dec 2015 16:24:00 +0100 + -- Open Identity Platform Community Thu, 11 Jun 2026 19:19:48 +0000 - opendj (3.0.0) unstable; urgency=low +opendj (5.1.0) unstable; urgency=medium - * Package is now build using maven. 
+ * [#72] Fix infinite loop in doStopApplication() on Windows service stop + * [#259] fix: retry loop for Windows Service start race condition (issue + #259) + * [#566] Fix AttributeValuePasswordValidator: inverted substring logic and + missing reversed-password substring check + * [#579] Fix ReferentialIntegrityPlugin silently bypassing check-references + on modify operations + * [#601] Fix server crash when File-Based Debug Logger is enabled + * Update build.yml add JDK 26 support + * Docs: set neutral version for the docs + * ci: add Windows service start/stop test to CI workflow + * CI: Build and upload Windows native executables (winlauncher, + opendj_service, launcher_administrator) + * fix: use 127.0.0.1 instead of localIP in LockdownModeTaskTestCase + * Filter branches to build workflow triggers (on push) + * Fix intermittent testMultiRS failure by doubling waitForStableGenerationId + timeout + * Fix race condition in ChangelogBackendTestCase flaky test + * Fix flaky testMultiRS: replace fixed sleep with deterministic domain-ready + wait + * increase replication connection timeout to fix Socket Timeout error on Mac + in integration test + * chore: bump GitHub Actions to latest major versions + * Fix snapshot version format + * Fix intermittent GenerationIdTest.testMultiRS race condition on RS-to-RS + topology + * [OpenIdentityPlatform/OpenAM#980] OpenDJ slim maven artifact + * Upgrade local Docker registry from registry:2 to registry:3 in CI + * status CLI: allow --hostname, --port, and --trustAll arguments + * Fix status CLI to accept --hostname, --port, and --trustAll arguments, and + add them to all status command invocations in build.yml + * Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add + CDDL headers + * Update commons.version to 3.1.0 - -- ForgeRock Tue, 10 Mar 2015 14:24:00 +0100 + -- Open Identity Platform Community Wed, 15 Apr 2026 08:40:44 +0000 - opendj (2.7.0) unstable; urgency=low +opendj (5.0.4) unstable; 
urgency=medium - * Added changelog to /usr/share/doc/opendj/ + * CVE-2025-24970 SslHandler doesn't correctly validate packets which can + lead to native crash when using native SSLEngine + * CVE‐2025‐12194 While the situation with the JVM garbage collector overrun + for Java 17 and Java 21 greatly improved with the changes in 2.1.1, we’ve + still had some reports that can only be related to the use of the disposal + daemon + * [#590] Fallback to $HOME/tmp dir as a temp if instance root is mounted as + noexec + * Bump logback to 1.5.32 + * Migrate to caffeine 3 + * Update commons.version from 3.0.2 to 3.0.4 + * Docs: fix short version in the upgrade guide - -- ForgeRock Thu, 22 Aug 2013 15:47:00 +0100 \ No newline at end of file + -- Open Identity Platform Community Mon, 23 Mar 2026 20:24:28 +0000 + +opendj (5.0.3) unstable; urgency=medium + + * CVE-2026-1225 Logback allows an attacker to instantiate classes already + present on the class path + * Fix three and more nodes replication process stuck error + * Update org.openidentityplatform.commons to 3.0.2 + * Docs: update supported Java version + + -- Open Identity Platform Community Wed, 04 Feb 2026 06:46:31 +0000 + +opendj (5.0.2) unstable; urgency=medium + + * [#575] FIX unable to install: UnsatisfiedLinkError: /tmp/bc-fips + * [#577] Windows upgrading with Upgrade.bat: an error with "" unexpected + * [#573] Added the SAMPLE_DATA Docker environment variable to generate + sample data during setup. 
+ + -- Open Identity Platform Community Tue, 25 Nov 2025 08:39:22 +0000 + +opendj (5.0.1) unstable; urgency=medium + + * Update target JDK to 11 and move to JakartaEE 9 + * Add support LTS JDK 25 + * Update base docker image Java version to 25 LTS + * CVE-2025-12194 Bouncy Castle Vulnerable to Uncontrolled Resource + Consumption + * CVE-2025-59250 JDBC Driver for SQL Server has improper input validation + issue + * CVE-2025-11226 logback-core is vulnerable to Arbitrary Code Execution + through file processing + * Switch from sun.security.x509 to Bouncy Castle API + * Update OpenDMK external library to fix SNMP monitoring + * Build & deploy: add branch sustaining/4.10.x + * Make GrizzlyLDAPListener close in a synchronous fasion to prevent test + race conditions + * [#141] Test large replication pending changes + * FIX bindFreePort Bind Unable to bind to a free port + * Fix unavailable monitoring attributes over JMX + * Bump org.openidentityplatform.commons to 3.0.1 + * Improve ReplicationDomainTest stability + + -- Open Identity Platform Community Sat, 08 Nov 2025 19:43:23 +0000 + +opendj (4.10.2) unstable; urgency=medium + + * CVE-2025-9092 CVE-2025-9340 CVE-2025-9341 Uncontrolled Resource + Consumption vulnerability + * [#545] Add GroupManager writeLock performance + * [#540] Fix OnDiskMergeImporter::PhaseOneWriteableTransaction: update over + put (referral attr) + * [#544] Add requires-admin-action component-restart for max-request-size + * Update Java minimum version number in the setup UI + * Update README.md: add backers and sponsors + * ISSUE_TEMPLATE: add "Vote to raise the priority" + * Bump commons.version 2.4.1 + + -- Open Identity Platform Community Thu, 04 Sep 2025 15:49:55 +0000 + +opendj (4.10.1) unstable; urgency=medium + + * [#529] FIX jdbc connection deadlock + * [#530] Fixed error when creating a backend for BASE_DN with OU in Docker + * Docker: Fix issues with quoting params + + -- Open Identity Platform Community Tue, 05 Aug 2025 16:47:18 +0000 
+ +opendj (4.10.0) unstable; urgency=medium + + * [#462] RFC5805 Lightweight Directory Access Protocol (LDAP) Transactions + * CVE-2025-49146 pgjdbc Client Allows Fallback to Insecure Authentication + Despite channelBinding=require Configuration + * Bump io.reactivex.rxjava to 3.x + * Bump various dependencies + * Bump commons to 2.2.5 + * Take Glassfish Grizzly version from commons + * Bump bc.fips to 2.1.x + * Bump commons.version 2.3.0 + * Deploy: migrating from Legacy OSSRH to Central Portal + * Fix OSGI bundle excluded package error for rxjava3 + * Exclude BouncyCastle from OSGI Import-Package + * Fix makeldif templates: add objectClass to baseDN + * Bump org.openidentityplatform.commons 2.4.0 + + -- Open Identity Platform Community Tue, 15 Jul 2025 14:28:53 +0000 + +opendj (4.9.4) unstable; urgency=medium + + * Configure backend type for Docker + * Docs: update OpenDJ release version to 4.9.3 + * Add OpenDJ Docker tests to the build process + * Fix docker env variables + add VERSION autodetect + * Set isRunning later (EmbeddedServer check) + * Bump org.openidentityplatform.commons to 2.2.4 + * [#498] FIX warning output from export-ldif: "grep: warning: stray \ before + -" + * move Java args to java.properties, upgrade docker alpine + * [#497] Set the same indexes for a new backend as for the initial backend + * Add support Java SE 24 + * Bump test containers & cassandra driver + * [#496] FIX MySQL truncate PK default to 64 len + * [#496] FIX JDBC storage update concurrency + * FIX Replication IT tests unstable result + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Wed, 23 Apr 2025 14:31:19 +0000 + +opendj (4.9.3) unstable; urgency=medium + + * CVE-2025-27497 Fix Denial of Service (Dos) using alias loop () + * [#477] Change permission config.ldif.startok to owner () + * [#208] FIX The definition for the attribute type declared that it should + use the syntax which is not defined in the schema + * 
Documentation update + * Docs: Generate and publish javadoc + + -- Open Identity Platform Community Wed, 05 Mar 2025 10:11:22 +0000 + +opendj (4.9.2) unstable; urgency=medium + + * [#465] Fix custom library loading when put to the lib directory + * [#463] Disable warning message on downstream closed + * [#471] Fix table name truncate: make jdbc table 63 charter + * [#466] JDBC: added tests for Oracle, MySQL, MSSQL + * [#466] FIX compatibility jdbc backend: Postgres, Oracle, MySQL, MSSQL + * [#471] PluggableBackendImplTestCase: add duplicate mail test + * IT ReplicationDomainTest upper waitEndExport timeout + * Update year in generated documentation templates + * Update documentation issues and update links + + -- Open Identity Platform Community Tue, 04 Feb 2025 16:21:39 +0000 + +opendj (4.9.1) unstable; urgency=medium + + * [#460] Clear unused path info after backupConfig (memory pleasure) + * jdbc: make connection short-lived + * Replace import-ldif with ldapmodify in Postgres IT test + + -- Open Identity Platform Community Mon, 20 Jan 2025 08:49:34 +0000 + +opendj (4.9.0) unstable; urgency=medium + + * Store LDAPv3 database in SQL JDBC database + * CVE-2024-12798 CVE-2024-12801 logback-core Expression Language Injection, + Server-Side Request Forgery vulnerability + * FIX NoSuchMethodError: java.nio.MappedByteBuffer.duplicate + * FIX Unable to locate package winehq-stable + + -- Open Identity Platform Community Thu, 26 Dec 2024 08:36:50 +0000 + +opendj (4.8.2) unstable; urgency=medium + + * [#438] FIX import-ldif --offline "import has been aborted because the + entry does not have a parent entry" + * 00-core.ldif: X.501, cl. 
14.2.2: 2.5.15.16 subentryNameForm OC subentry + MUST cn + * FIX makeldif -c suffix=dc=example: Unable to parse a constant argument + expecting name=value + * Bump commons.version 2.2.3 + * Fix MAC OS build failure + * Actions: get ubuntu source from $(lsb_release -c -s) + * depoloy.yml: Fix documents deploy + + -- Open Identity Platform Community Tue, 12 Nov 2024 09:02:28 +0000 + +opendj (4.8.1) unstable; urgency=medium + + * [#393] FIX DIT SUP delimiter + * [#392] FIX RootDSE Entry allow user objectClass + * Addresses #397, #398, #399, #404 + * Docs in asciidoc & deploy antora docs after build + * [#402] Change default SSL HandshakeTimeout -1 -> 10s (see #146) + * [#401] Change "Object class violation (65)" -> "Naming violation (64)" + LDAP result code for DIT Structure Rule violation + * [#394] FIX dsconfig --help- + * [#400] Reduce character escaping in example, add note + * Added missing documentation attachments + * Generate man pages in the AsciiDoc format + * Reduce character escaping in example, add note + * minor docs glitches fix + * Add JDK 23 build support + * Bump org.openidentityplatform.commons 2.2.2 + * Docker: Use tail instead of sleep to allow the container to be stopped + with SIGTERM + * [#423] Eliminate asciidoctor warning messages when generating + documentation + * [#426] ADD maven.compiler.release=8 for cross compile compatibility + * Remove legacy files + * [#90, #432] FIX delete entries in overlapping backends + * [#425] Add option + -Dorg.openidentityplatform.opendj.ERR_ENTRY_SCHEMA_VIOLATES_PARENT_DSR for + force control "Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry". 
Default: warning level + * [#425] Workaround: Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry + * [#431] Update importldiff --offline and --clearBacked flags descriptions + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Thu, 17 Oct 2024 14:55:25 +0000 + +opendj (4.8.0) unstable; urgency=medium + + * Switch docker to last LTS JRE 21 + * Add JDK 22 support + * [#376] JMX fix docs with "Allow insecure authentication" + * [#376] FIX SNMP monitoring config + * [#383] FIX docs: import-ldif and export-ldif binaries should be shown + using the --offline option + * [#384] FIX Control Panel: empty help URL values + * FIX do not check DIT structure parent/child on same ObjectClass (thanks + for the research ) + * Bump org.openidentityplatform.commons 2.2.0 + + -- Open Identity Platform Community Mon, 09 Sep 2024 11:26:09 +0000 + +opendj (4.7.0) unstable; urgency=medium + + * [#204] ADD LDAP Relax Rules Control + * [#287] ADD alias dereferencing for search requests + * [#187] FIX RFC3671: collective attribute values should be merged. Virtuals + with other virtuals and real values. 
+ * [#84] FIX incorrect entry-Based ACIs is defined with only "deny" + permission without "allow" + * [#250] Add Overlapping Backend TestSuite + * [#294] Dont send client notification on IOException + * [#368] CASSANDRA ADD property -Dkeyspace=ldap_opendj + * Bump commons.version 2.1.6 + * Publish docs to + * Fix documentation version + + -- Open Identity Platform Community Thu, 08 Aug 2024 08:24:48 +0000 + +opendj (4.6.5) unstable; urgency=medium + + * compress webhelp, xhtml and html docs after build + * add missing docs + * Update README.md + * [#354] FIX "OpenDJ fails to upgrade from version 3->4: An error occurred + while attempting to perform index rebuild: Unable to decode the provided + object class set because it used an undefined token" + * [#167] FIX control-panel ResetUserPasswordTask unpredictable result (wait + async result) + * Add rest operations modifyPassword, resetPassword to docs from + * [#148,#261,#282] FIX control-panel schema errors in remote mode + + -- Open Identity Platform Community Tue, 16 Jul 2024 17:31:29 +0000 + +opendj (4.6.4) unstable; urgency=medium + + * Embedded OpenDJ module initial commit + * Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 in /opendj-embedded + * Bump ch.qos.logback:logback-classic from 1.2.9 to 1.2.13 in /opendj- + embedded + * update opendj-parent version + * Bump org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.5 in /opendj-core + * Bump org.bouncycastle:bctls-fips from 1.0.13 to 1.0.19 in /opendj-core + * Bump org.openidentityplatform.commons 2.1.4 + * move commons version to property & fix doc-maven-plugin version + * made their first contribution + + -- Open Identity Platform Community Wed, 26 Jun 2024 07:56:13 +0000 + +opendj (4.6.3) unstable; urgency=medium + + * ADD build test with memory pressure + * Update Docker jre 17->19 + * org.openidentityplatform.commons 2.1.3-SNAPSHOT + * FIX OpenIDM compatibility + * [#329] make posixGroup AUXILIARY by default + * [#331] Allow downgrade version without 
upgrade task + * Bump org.openidentityplatform.commons 2.1.3 + * Add Build test on MacOS M1 arm64 + * Restore macos-latest build strategy + + -- Open Identity Platform Community Tue, 07 May 2024 17:54:49 +0000 + +opendj (4.6.2) unstable; urgency=medium + + * FIX CLIENT_SIDE_NO_RESULTS_RETURNED in hasNext() + * update org.openidentityplatform.commons to 2.1.2-SNAPSHOT + * FIX performance java.util.TimeZone.getTimeZone(TimeZone.java:516) is + synchronized + * [#317] sendUnsolicitedNotification can fail on client disconnect with + OnErrorNotImplementedException + * org.openidentityplatform.commons 2.1.2 + + -- Open Identity Platform Community Wed, 17 Jan 2024 12:17:40 +0000 + +opendj (4.6.1) unstable; urgency=medium + + * Allow store LDAP catalog data in CASSANDRA noSQL cluster --backendType cas + (ldapv3 to cassandra) + * ADD IT test for wars + * Add TestContainers to test Apache Cassandra backend + * Bump org.openidentityplatform.commons 2.0.19-SNAPSHOT + * Update README.md: allow store LDAPv3 database in Cassandra/Scylla cluster + * Bump org.openidentityplatform.commons 2.1.1 + * Add JDK 21 support + * CASSANDRA storage: cursor performance + * FIX newHeapBufferPool calculation (import OOM error) + + -- Open Identity Platform Community Thu, 26 Oct 2023 09:46:54 +0000 + +opendj (4.5.9) unstable; urgency=medium + + * Generate SHA256WithRSA certificate as default + * convert JMX metrics to appropriate type #293 + * Fix attribute value. 
bean should return native object #293 + * Remove TLSv1 as default protocol FIX + * nexus-staging-maven-plugin 1.6.13 + disable auto release + * made their first contribution + + -- Open Identity Platform Community Fri, 22 Sep 2023 07:10:00 +0000 + +opendj (4.5.6) unstable; urgency=medium + + * FIX unused trailing bytes in ASN.1 SEQUENCE + + -- Open Identity Platform Community Wed, 30 Aug 2023 09:28:52 +0000 + +opendj (4.5.5) unstable; urgency=medium + + * FIX build with Installation failure for grub-efi-amd64-signed on ubuntu- + latest + * FIX add-source for generate-sources + * Restore IT test for server-legacy and fix many errors + * change posixGroup type to structural. and add cn + * FIX argument listBackups is incompatible with use of this tool to interact + * PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password storage not configured + by default + * FIX Setup Issue - Error Creating Base Entry + * Extend admin port connection limits + * Restore TLSv1.3 support + * Bump org.openidentityplatform.commons 2.0.18 + + -- Open Identity Platform Community Thu, 20 Jul 2023 09:50:13 +0000 + +opendj (4.5.4) unstable; urgency=medium + + * BUILD java: [ '8','11','17','19'] + fix install wine32:i386 without + conflicts + * FIX build allow fail for remove deb.sury.org + * Docker add jdk17 platforms: linux/amd64, linux/arm64/8, linux/arm/v7, + + -- Open Identity Platform Community Fri, 09 Dec 2022 10:41:35 +0000 + +opendj (4.5.3) unstable; urgency=medium + + * Create target directory before copying custom schema + * Copy ldif configs to the correct template directory + * UPDATE build process + * FIX DSML servlet can't find JAX-B runtime + + -- Open Identity Platform Community Wed, 30 Nov 2022 09:40:42 +0000 + +opendj (4.5.1) unstable; urgency=medium + + * update commons version to 2.0.16-SNAPSHOT + * 'find' command is missing in the 4.5.0 docker image #242 + * FIX wine32 install (from ppa:ondrej/php so that we will be able to install + wine32:i386 without conflicts) + * Don't 
clone buffer in ldap codec + * Add BCFKS FIPS key store type support + * fix FipsStaticUtils code formatting + * made their first contribution + + -- Open Identity Platform Community Tue, 02 Aug 2022 11:04:58 +0000 + +opendj (4.5.0) unstable; urgency=medium + + * Switch base docker image to Java 17 + + -- Open Identity Platform Community Wed, 01 Jun 2022 10:54:55 +0000 + +opendj (4.4.15) unstable; urgency=medium + + * Add alpine platforms linux/s390x, linux/386, linux/arm/v7, linux/arm/v6, + linux/ppc64le + * Implement PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password encoding + schemes + * Docker refactoring + * FIX tamil (ta.6) matching rule schema has typo in definition + * FIX Failed to delete entries under multiple backends + * Add support jdk '16','17','18' + * support AD attributes userAccountControl, msDS-UserAccountDisabled and + pwdLastSet + * Test + Run on jdk15+ + * FIX OpenDJ is not logging errors to logfile #128 + * FIX Windows install to path with spaces + * made their first contribution + + -- Open Identity Platform Community Wed, 01 Jun 2022 06:49:30 +0000 + +opendj (4.4.14) unstable; urgency=medium + + * add docker test + * Release multi-platform Docker images + * Support to load plain ldif files during container setup + * made their first contribution + + -- Open Identity Platform Community Mon, 02 May 2022 19:11:25 +0000 + +opendj (4.4.13) unstable; urgency=medium + + * FIX OpenDJ setup failure + * Add FIPS support + * GithubAction build + * Github action deploy + * actions: separate deploy + * Update opendj_service.exe + * Switch org.openidentityplatform.commons 2.0.13-SNAPSHOT + * Fix rebuild-index in FIPS mode + * ADD JSONEntryWriter JSONEntryReader + * FIX DN escape 'Equal sign': + * FIX JSONEntryWriter escape DN values + * move fips functions to separate class + * do not use fips when bc-fips classes not found + * Update pom.xml nexus-staging-maven-plugin 1.6.11 + * Refactor Dockerfile debian and alpine + * Migrate release from Travis to 
GitHub + * FIX Deployment of external dependency failed. Failed to deploy artifacts: + Could not transfer artifact openidentityplatform.org:wixtoolset:zip + * made their first contribution + * made their first contribution + * made their first contribution + * made their first contribution + + -- Open Identity Platform Community Fri, 22 Apr 2022 21:42:56 +0000 + +opendj (4.4.11) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.11 + + -- Open Identity Platform Community Mon, 21 Jun 2021 12:11:50 +0000 + +opendj (4.4.10) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.10 + + -- Open Identity Platform Community Mon, 08 Feb 2021 12:09:47 +0000 + +opendj (4.4.9) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.9 + + -- Open Identity Platform Community Wed, 30 Dec 2020 13:11:33 +0000 + +opendj (4.4.8) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.8 + + -- Open Identity Platform Community Tue, 10 Nov 2020 15:01:48 +0000 + +opendj (4.4.7) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.7 + + -- Open Identity Platform Community Wed, 09 Sep 2020 18:41:03 +0000 + +opendj (4.4.6) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.6 + + -- Open Identity Platform Community Thu, 11 Jun 2020 10:34:37 +0000 + +opendj (4.4.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.5 + + -- Open Identity Platform Community Tue, 10 Mar 2020 18:32:09 +0000 + +opendj (4.4.4) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.4 + + -- Open Identity Platform Community 
Fri, 21 Feb 2020 10:07:17 +0000 + +opendj (4.4.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.3 + + -- Open Identity Platform Community Mon, 29 Jul 2019 12:46:28 +0000 + +opendj (4.4.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.2 + + -- Open Identity Platform Community Mon, 29 Apr 2019 18:00:35 +0000 + +opendj (4.4.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.1 + + -- Open Identity Platform Community Sun, 10 Mar 2019 17:15:42 +0000 + +opendj (4.3.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.5 + + -- Open Identity Platform Community Mon, 04 Mar 2019 19:44:44 +0000 + +opendj (4.3.4) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.4 + + -- Open Identity Platform Community Sun, 17 Feb 2019 18:38:19 +0000 + +opendj (4.3.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.3 + + -- Open Identity Platform Community Fri, 08 Feb 2019 09:15:48 +0000 + +opendj (4.3.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.2 + + -- Open Identity Platform Community Tue, 29 Jan 2019 16:23:25 +0000 + +opendj (4.3.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.1 + + -- Open Identity Platform Community Mon, 10 Dec 2018 13:19:19 +0000 + +opendj (4.2.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.5 + + -- Open Identity Platform Community Fri, 26 Oct 2018 20:44:31 +0000 + +opendj (4.2.4) unstable; urgency=medium + + * See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.4 + + -- Open Identity Platform Community Thu, 18 Oct 2018 11:54:57 +0000 + +opendj (4.2.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.3 + + -- Open Identity Platform Community Wed, 17 Oct 2018 09:17:53 +0000 + +opendj (4.2.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.2 + + -- Open Identity Platform Community Mon, 08 Oct 2018 14:04:29 +0000 + +opendj (4.2.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.1 + + -- Open Identity Platform Community Fri, 05 Oct 2018 20:50:10 +0000 + +opendj (4.1.10) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.10 + + -- Open Identity Platform Community Wed, 30 May 2018 21:12:00 +0000 + +opendj (4.1.9) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.9 + + -- Open Identity Platform Community Fri, 25 May 2018 05:03:41 +0000 + +opendj (4.1.8) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.8 + + -- Open Identity Platform Community Sat, 12 May 2018 03:36:28 +0000 + +opendj (4.1.7) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.7 + + -- Open Identity Platform Community Tue, 01 May 2018 09:49:37 +0000 + +opendj (4.1.6) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.6 + + -- Open Identity Platform Community Tue, 10 Apr 2018 15:40:59 +0000 + +opendj (4.1.5) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.5 + + -- Open Identity Platform Community Tue, 06 Mar 2018 
18:34:23 +0000 + +opendj (4.1.4) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.4 + + -- Open Identity Platform Community Sat, 03 Mar 2018 09:32:59 +0000 + +opendj (4.1.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.3 + + -- Open Identity Platform Community Wed, 28 Feb 2018 11:55:36 +0000 + +opendj (4.1.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.2 + + -- Open Identity Platform Community Wed, 28 Feb 2018 10:44:28 +0000 + +opendj (4.1.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.1 + + -- Open Identity Platform Community Fri, 23 Feb 2018 11:58:58 +0000 + +opendj (4.0.3) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.3 + + -- Open Identity Platform Community Tue, 20 Feb 2018 14:19:55 +0000 + +opendj (4.0.2) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.2 + + -- Open Identity Platform Community Fri, 16 Feb 2018 16:56:23 +0000 + +opendj (4.0.1) unstable; urgency=medium + + * See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.1 + + -- Open Identity Platform Community Fri, 16 Feb 2018 16:10:46 +0000 diff --git a/opendj-packages/opendj-deb/resources/control/control b/opendj-packages/opendj-deb/resources/control/control index 4e372a188c..06875b4429 100644 --- a/opendj-packages/opendj-deb/resources/control/control +++ b/opendj-packages/opendj-deb/resources/control/control 
@@ -1,9 +1,11 @@ Package: [[deb.product.name.lowercase]] -Version: [[parsedVersion.majorVersion]].[[parsedVersion.minorVersion]].[[parsedVersion.incrementalVersion]] -Section: misc +Version: [[parsedVersion.majorVersion]].[[parsedVersion.minorVersion]].[[parsedVersion.incrementalVersion]]-[[deb.release]] +Section: net Priority: optional Architecture: all -Depends: default-jre-headless | default-jre | java11-runtime | java17-runtime | java21-runtime +Standards-Version: 4.7.3 +Depends: default-jre-headless | default-jre | java25-runtime | java21-runtime | java17-runtime | java11-runtime +Pre-Depends: adduser Homepage: [[deb.doc.homepage.url]] Maintainer: [[deb.maintainer]] Description: [[deb.product.name]] diff --git a/opendj-packages/opendj-deb/resources/control/postinst b/opendj-packages/opendj-deb/resources/control/postinst index 5cfd125250..49ace6a6eb 100644 --- a/opendj-packages/opendj-deb/resources/control/postinst +++ b/opendj-packages/opendj-deb/resources/control/postinst 
@@ -13,59 +13,71 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC -# Post install script -# Install is launched with an empty second arg. -# If the package is already installed, the second arg. is not empty. +# Post install script. +# On a fresh install the second argument is empty; on upgrade it holds the +# previously-installed version. -# Registers the service -update-rc.d opendj defaults +set -e -# Symlinks to process ID -test -h "/var/run/opendj.pid" || ln -s ${deb.prefix}/logs/server.pid /var/run/opendj.pid +# Create the dedicated system user/group that runs the service. +if ! getent group opendj >/dev/null; then + addgroup --system opendj +fi +if ! getent passwd opendj >/dev/null; then + adduser --system --no-create-home --ingroup opendj \ + --home ${deb.prefix} --shell /usr/sbin/nologin \ + --gecos "OpenDJ Directory Server" opendj +fi -# In this case, we are in upgrade mode. -if [ "$1" = "configure" ] && [ ! -z "$2" ] ; then - # For being secure, we check the buildinfo file too. - if [ -f ${deb.prefix}/config/buildinfo ] ; then - echo *Starting upgrade... - ${deb.prefix}/./upgrade -n --force --acceptLicense - echo +# Own the installation tree with the service account. On upgrade this also +# migrates installations that were previously owned by root. +chown -R opendj:opendj ${deb.prefix} + +# Register the service: prefer systemd, fall back to SysV init. +if [ -d /run/systemd/system ] ; then + systemctl --system daemon-reload >/dev/null 2>&1 || true + deb-systemd-helper enable opendj.service >/dev/null 2>&1 || true +else + update-rc.d opendj defaults >/dev/null 2>&1 || true +fi - if [ "$?" -eq 0 ] ; then - # Restarts the service if needed. - # If server is stopped by upgrade process, the server will restart after upgrade. - # If server is stopped before the upgrade process (eg. upgrade the new package), the server will not restart. 
- # Uses the flag for determining server status at this point. +# Upgrade mode. +if [ "$1" = "configure" ] && [ -n "$2" ] ; then + # For safety, check the buildinfo file too. + if [ -f ${deb.prefix}/config/buildinfo ] ; then + echo "*Starting upgrade..." + if runuser -u opendj -- ${deb.prefix}/upgrade -n --force --acceptLicense ; then + # Restart only if the server was running before the upgrade + # (preinst recorded this via the status flag). if [ -f ${deb.prefix}/logs/status ] ; then - echo echo "*Restarting server..." - ${deb.prefix}/./bin/start-ds - if [ "$?" -eq 0 ] ; then - rm -f ${deb.prefix}/logs/status + if [ -d /run/systemd/system ] ; then + deb-systemd-invoke start opendj.service || true else - echo "start-ds failed with return code $?. Please read ${deb.prefix}/logs/status for more details." + runuser -u opendj -- ${deb.prefix}/bin/start-ds || true fi + rm -f ${deb.prefix}/logs/status fi else - # Upgrade fails - Requires mandatory user interaction. - # Nevertheless, exits successfully of the pkg process. - echo "upgrade failed with return code $?. Please read the installation guide for more information on the upgrade process." + # Upgrade failed - may require manual user interaction. Do not fail + # the package transaction. + echo "upgrade failed. Please read the installation guide for more information on the upgrade process." exit 0 fi else echo "Invalid installation, could not find the build info file." - exit -1 + exit 1 fi fi - -# Add OpenDJ man pages to MANPATH +# Add OpenDJ man pages to MANPATH. MAN_CONFIG_FILE=/etc/manpath.config -MANPATH_DIRECTIVE=MANDATORY_MANPATH -grep -q "$MANPATH_DIRECTIVE.*opendj" $MAN_CONFIG_FILE 2> /dev/null -if [ $? -ne 0 ]; then - echo "$MANPATH_DIRECTIVE ${deb.prefix}/share/man" >> $MAN_CONFIG_FILE +if [ -f "$MAN_CONFIG_FILE" ] && ! 
grep -q "MANDATORY_MANPATH.*opendj" "$MAN_CONFIG_FILE" 2>/dev/null ; then + echo "MANDATORY_MANPATH ${deb.prefix}/share/man" >> "$MAN_CONFIG_FILE" fi -# End post install script + echo +exit 0 +# End post install script diff --git a/opendj-packages/opendj-deb/resources/control/postrm b/opendj-packages/opendj-deb/resources/control/postrm index 1d7c033b4f..c9c8630520 100644 --- a/opendj-packages/opendj-deb/resources/control/postrm +++ b/opendj-packages/opendj-deb/resources/control/postrm @@ -13,15 +13,27 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC set -e -# Post rm script -# Files are removed automatically by pm. -if [ "$1" = "remove" ] ; then - # Deletes the service. - update-rc.d -f opendj remove - echo - echo *OpenDJ successfully removed +# Post rm script. Package files are removed automatically by the package manager. + +if [ "$1" = "remove" ] || [ "$1" = "purge" ] ; then + if [ -d /run/systemd/system ] ; then + systemctl --system daemon-reload >/dev/null 2>&1 || true + else + update-rc.d opendj remove >/dev/null 2>&1 || true + fi +fi + +if [ "$1" = "purge" ] ; then + if command -v deb-systemd-helper >/dev/null 2>&1 ; then + deb-systemd-helper purge opendj.service >/dev/null 2>&1 || true + deb-systemd-helper unmask opendj.service >/dev/null 2>&1 || true + fi + echo "*OpenDJ successfully removed" fi + echo +exit 0 # End of the post rm script diff --git a/opendj-packages/opendj-deb/resources/control/preinst b/opendj-packages/opendj-deb/resources/control/preinst index 6956d8ff27..39df571bb6 100644 --- a/opendj-packages/opendj-deb/resources/control/preinst +++ b/opendj-packages/opendj-deb/resources/control/preinst 
@@ -13,22 +13,23 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC set -e -# Pre installation script +# Pre installation script. if [ "$1" = "upgrade" ] ; then - # Only if the instance has been configured - if [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs)" ] ; then - # If the server is running before upgrade, creates a flag. + # Only act if the instance has been configured. + if [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs 2>/dev/null)" ] ; then + # If the server is running before the upgrade, record it so postinst can restart it. if [ -f ${deb.prefix}/logs/server.pid ] ; then touch ${deb.prefix}/logs/status fi - echo *Stopping OpenDJ server... - ${deb.prefix}/bin/./stop-ds - else - echo "Instance is not configured. Upgrade aborted." - exit -1 + echo "*Stopping OpenDJ server..." + if [ -d /run/systemd/system ] ; then + deb-systemd-invoke stop opendj.service || true + fi + [ -x ${deb.prefix}/bin/stop-ds ] && ${deb.prefix}/bin/stop-ds || true fi fi echo diff --git a/opendj-packages/opendj-deb/resources/control/prerm b/opendj-packages/opendj-deb/resources/control/prerm index 69e3eeed89..77b10b9765 100644 --- a/opendj-packages/opendj-deb/resources/control/prerm +++ b/opendj-packages/opendj-deb/resources/control/prerm 
@@ -13,14 +13,25 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC set -e -# Pre rm script -# Unlink the symlink to the process ID if it exists. -test -h "/var/run/opendj.pid" && unlink /var/run/opendj.pid +# Pre rm script. -# Stops the server if the instance has been configured -if [ "$1" = "remove" ] && ( [ -f ${deb.prefix}/config/buildinfo ] && [ "$(ls -A ${deb.prefix}/config/archived-configs)" ] ) ; then - ${deb.prefix}/bin/./stop-ds +# Stop the service before the package files are removed. +if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then + if [ -d /run/systemd/system ] ; then + deb-systemd-invoke stop opendj.service || true + fi + if [ -x ${deb.prefix}/bin/stop-ds ] && [ -f ${deb.prefix}/config/buildinfo ] \ + && [ "$(ls -A ${deb.prefix}/config/archived-configs 2>/dev/null)" ] ; then + ${deb.prefix}/bin/stop-ds || true + fi fi -# End prem script + +# Clean up the legacy PID symlink created by the SysV init script. +[ -h /run/opendj.pid ] && rm -f /run/opendj.pid || true +[ -h /var/run/opendj.pid ] && rm -f /var/run/opendj.pid || true + +exit 0 +# End prerm script diff --git a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml index 12b4e6fec3..341a5fde35 100644 --- a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml +++ b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml @@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -33,6 +34,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj + ${project.parent.parent.basedir}/resources/systemd/opendj.service ${product.name} ${product.name.lowercase} ${project.parent.basedir}/resources diff --git a/opendj-packages/opendj-rpm/pom.xml b/opendj-packages/opendj-rpm/pom.xml index 213e8b7f71..e89e0889d0 100644 
--- a/opendj-packages/opendj-rpm/pom.xml +++ b/opendj-packages/opendj-rpm/pom.xml @@ -13,6 +13,7 @@ information: "Portions Copyright [year] [name of copyright owner]". Copyright 2015-2016 ForgeRock AS. + Portions Copyright 2018-2026 3A Systems, LLC --> 4.0.0 @@ -151,6 +152,12 @@ ${doc.homepage.url} noarch linux + + java-headless >= 1:11 + + + shadow-utils + ${rpm.description.header} OpenDJ is an LDAPv3 compliant directory service, developed for the Java @@ -219,7 +226,7 @@ ${rpm.prefix}/snmp/mib - + /etc/init.d false @@ -231,6 +238,18 @@ + + + /usr/lib/systemd/system + false + 644 + + + ${systemd.file.location} + + + + ${rpm.prefix} diff --git a/opendj-packages/opendj-rpm/resources/changelog b/opendj-packages/opendj-rpm/resources/changelog index 21db726dc5..302076bf57 100644 --- a/opendj-packages/opendj-rpm/resources/changelog +++ b/opendj-packages/opendj-rpm/resources/changelog 
@@ -11,31 +11,485 @@ # Header, with the fields enclosed by brackets [] replaced by your own identifying # information: "Portions Copyright [year] [name of copyright owner]". # -# Copyright 2013-2015 ForgeRock AS. +# Copyright 2013-2015 ForgeRock AS +# Portions Copyright 2026 3A Systems, LLC # ============================= # opendj rpm package changelog # ============================= %changelog -* Wed Dec 9 2015 ForgeRock -- init.d service script now generates and removes a lockfile. - -* Thu Mar 5 2015 ForgeRock -- Package is now build using maven. - -* Thu Aug 22 2013 ForgeRock -- Modified init.d script. - -* Tue Aug 6 2013 ForgeRock -- Added init.d service script. - -* Wed Jul 31 2013 ForgeRock -- Fixed the doc's section. -- Target no longer fails when build path contains spaces. - -* Thu Jul 18 2013 ForgeRock -- Fixed the sections' order and added a new "clean" section. -- Added '%doc' section. -- Added '%changelog' at the end of the file. -- Added license to header's files. +* Thu Jun 11 2026 Open Identity Platform Community - 5.1.1 +- CVE-2026-46495 OpenDJ Unauthenticated RCE via Java Deserialization in JMX + RMI +- CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication + allows CPU exhaustion DoS +- [#648] slow DN.valueOf / AVA normalization for nested DN-syntax values +- chore: bump Bouncy Castle FIPS deps to latest 2.1.x patch releases +- Fix grizzly log level is always FINE +- Fix shell script issues in opendj-docker/run.sh +- Fix Windows CI: use ilammy/msvc-dev-cmd to set up MSVC env +- Add native access JVM flag for Bouncy Castle FIPS on newer Java releases +- Docker base DN entry creation opt-in and improves bootstrap LDIF loading + resilience +- Fix BasicRequestsTest.testReadSelectPartial for nesting-preserving field + projection +- Update org.openidentityplatform.commons to 3.1.1 +- Fix JMX RMI connector startup failure introduced by CVE-2026-46495 hardening +* Wed Apr 15 2026 Open Identity Platform Community - 5.1.0 +- [#72] Fix 
infinite loop in doStopApplication() on Windows service stop +- [#259] fix: retry loop for Windows Service start race condition (issue #259) +- [#566] Fix AttributeValuePasswordValidator: inverted substring logic and + missing reversed-password substring check +- [#579] Fix ReferentialIntegrityPlugin silently bypassing check-references on + modify operations +- [#601] Fix server crash when File-Based Debug Logger is enabled +- Update build.yml add JDK 26 support +- Docs: set neutral version for the docs +- ci: add Windows service start/stop test to CI workflow +- CI: Build and upload Windows native executables (winlauncher, + opendj_service, launcher_administrator) +- fix: use 127.0.0.1 instead of localIP in LockdownModeTaskTestCase +- Filter branches to build workflow triggers (on push) +- Fix intermittent testMultiRS failure by doubling waitForStableGenerationId + timeout +- Fix race condition in ChangelogBackendTestCase flaky test +- Fix flaky testMultiRS: replace fixed sleep with deterministic domain-ready + wait +- increase replication connection timeout to fix Socket Timeout error on Mac + in integration test +- chore: bump GitHub Actions to latest major versions +- Fix snapshot version format +- Fix intermittent GenerationIdTest.testMultiRS race condition on RS-to-RS + topology +- [OpenIdentityPlatform/OpenAM#980] OpenDJ slim maven artifact +- Upgrade local Docker registry from registry:2 to registry:3 in CI +- status CLI: allow --hostname, --port, and --trustAll arguments +- Fix status CLI to accept --hostname, --port, and --trustAll arguments, and + add them to all status command invocations in build.yml +- Remove ENV ROOT_PASSWORD from Dockerfiles, fix HEALTHCHECK default, add CDDL + headers +- Update commons.version to 3.1.0 +* Mon Mar 23 2026 Open Identity Platform Community - 5.0.4 +- CVE-2025-24970 SslHandler doesn't correctly validate packets which can lead + to native crash when using native SSLEngine +- CVE‐2025‐12194 While the situation with the 
JVM garbage collector overrun + for Java 17 and Java 21 greatly improved with the changes in 2.1.1, we’ve + still had some reports that can only be related to the use of the disposal + daemon +- [#590] Fallback to $HOME/tmp dir as a temp if instance root is mounted as + noexec +- Bump logback to 1.5.32 +- Migrate to caffeine 3 +- Update commons.version from 3.0.2 to 3.0.4 +- Docs: fix short version in the upgrade guide +* Wed Feb 4 2026 Open Identity Platform Community - 5.0.3 +- CVE-2026-1225 Logback allows an attacker to instantiate classes already + present on the class path +- Fix three and more nodes replication process stuck error +- Update org.openidentityplatform.commons to 3.0.2 +- Docs: update supported Java version +* Tue Nov 25 2025 Open Identity Platform Community - 5.0.2 +- [#575] FIX unable to install: UnsatisfiedLinkError: /tmp/bc-fips +- [#577] Windows upgrading with Upgrade.bat: an error with "" unexpected +- [#573] Added the SAMPLE_DATA Docker environment variable to generate sample + data during setup. 
+* Sat Nov 8 2025 Open Identity Platform Community - 5.0.1 +- Update target JDK to 11 and move to JakartaEE 9 +- Add support LTS JDK 25 +- Update base docker image Java version to 25 LTS +- CVE-2025-12194 Bouncy Castle Vulnerable to Uncontrolled Resource Consumption +- CVE-2025-59250 JDBC Driver for SQL Server has improper input validation + issue +- CVE-2025-11226 logback-core is vulnerable to Arbitrary Code Execution + through file processing +- Switch from sun.security.x509 to Bouncy Castle API +- Update OpenDMK external library to fix SNMP monitoring +- Build & deploy: add branch sustaining/4.10.x +- Make GrizzlyLDAPListener close in a synchronous fasion to prevent test race + conditions +- [#141] Test large replication pending changes +- FIX bindFreePort Bind Unable to bind to a free port +- Fix unavailable monitoring attributes over JMX +- Bump org.openidentityplatform.commons to 3.0.1 +- Improve ReplicationDomainTest stability +* Thu Sep 4 2025 Open Identity Platform Community - 4.10.2 +- CVE-2025-9092 CVE-2025-9340 CVE-2025-9341 Uncontrolled Resource Consumption + vulnerability +- [#545] Add GroupManager writeLock performance +- [#540] Fix OnDiskMergeImporter::PhaseOneWriteableTransaction: update over + put (referral attr) +- [#544] Add requires-admin-action component-restart for max-request-size +- Update Java minimum version number in the setup UI +- Update README.md: add backers and sponsors +- ISSUE_TEMPLATE: add "Vote to raise the priority" +- Bump commons.version 2.4.1 +* Tue Aug 5 2025 Open Identity Platform Community - 4.10.1 +- [#529] FIX jdbc connection deadlock +- [#530] Fixed error when creating a backend for BASE_DN with OU in Docker +- Docker: Fix issues with quoting params +* Tue Jul 15 2025 Open Identity Platform Community - 4.10.0 +- [#462] RFC5805 Lightweight Directory Access Protocol (LDAP) Transactions +- CVE-2025-49146 pgjdbc Client Allows Fallback to Insecure Authentication + Despite channelBinding=require Configuration +- Bump 
io.reactivex.rxjava to 3.x +- Bump various dependencies +- Bump commons to 2.2.5 +- Take Glassfish Grizzly version from commons +- Bump bc.fips to 2.1.x +- Bump commons.version 2.3.0 +- Deploy: migrating from Legacy OSSRH to Central Portal +- Fix OSGI bundle excluded package error for rxjava3 +- Exclude BouncyCastle from OSGI Import-Package +- Fix makeldif templates: add objectClass to baseDN +- Bump org.openidentityplatform.commons 2.4.0 +* Wed Apr 23 2025 Open Identity Platform Community - 4.9.4 +- Configure backend type for Docker +- Docs: update OpenDJ release version to 4.9.3 +- Add OpenDJ Docker tests to the build process +- Fix docker env variables + add VERSION autodetect +- Set isRunning later (EmbeddedServer check) +- Bump org.openidentityplatform.commons to 2.2.4 +- [#498] FIX warning output from export-ldif: "grep: warning: stray \ before + -" +- move Java args to java.properties, upgrade docker alpine +- [#497] Set the same indexes for a new backend as for the initial backend +- Add support Java SE 24 +- Bump test containers & cassandra driver +- [#496] FIX MySQL truncate PK default to 64 len +- [#496] FIX JDBC storage update concurrency +- FIX Replication IT tests unstable result +- made their first contribution +- made their first contribution +* Wed Mar 5 2025 Open Identity Platform Community - 4.9.3 +- CVE-2025-27497 Fix Denial of Service (Dos) using alias loop () +- [#477] Change permission config.ldif.startok to owner () +- [#208] FIX The definition for the attribute type declared that it should use + the syntax which is not defined in the schema +- Documentation update +- Docs: Generate and publish javadoc +* Tue Feb 4 2025 Open Identity Platform Community - 4.9.2 +- [#465] Fix custom library loading when put to the lib directory +- [#463] Disable warning message on downstream closed +- [#471] Fix table name truncate: make jdbc table 63 charter +- [#466] JDBC: added tests for Oracle, MySQL, MSSQL +- [#466] FIX compatibility jdbc backend: 
Postgres, Oracle, MySQL, MSSQL +- [#471] PluggableBackendImplTestCase: add duplicate mail test +- IT ReplicationDomainTest upper waitEndExport timeout +- Update year in generated documentation templates +- Update documentation issues and update links +* Mon Jan 20 2025 Open Identity Platform Community - 4.9.1 +- [#460] Clear unused path info after backupConfig (memory pleasure) +- jdbc: make connection short-lived +- Replace import-ldif with ldapmodify in Postgres IT test +* Thu Dec 26 2024 Open Identity Platform Community - 4.9.0 +- Store LDAPv3 database in SQL JDBC database +- CVE-2024-12798 CVE-2024-12801 logback-core Expression Language Injection, + Server-Side Request Forgery vulnerability +- FIX NoSuchMethodError: java.nio.MappedByteBuffer.duplicate +- FIX Unable to locate package winehq-stable +* Tue Nov 12 2024 Open Identity Platform Community - 4.8.2 +- [#438] FIX import-ldif --offline "import has been aborted because the entry + does not have a parent entry" +- 00-core.ldif: X.501, cl. 
14.2.2: 2.5.15.16 subentryNameForm OC subentry MUST + cn +- FIX makeldif -c suffix=dc=example: Unable to parse a constant argument + expecting name=value +- Bump commons.version 2.2.3 +- Fix MAC OS build failure +- Actions: get ubuntu source from $(lsb_release -c -s) +- depoloy.yml: Fix documents deploy +* Thu Oct 17 2024 Open Identity Platform Community - 4.8.1 +- [#393] FIX DIT SUP delimiter +- [#392] FIX RootDSE Entry allow user objectClass +- Addresses #397, #398, #399, #404 +- Docs in asciidoc & deploy antora docs after build +- [#402] Change default SSL HandshakeTimeout -1 -> 10s (see #146) +- [#401] Change "Object class violation (65)" -> "Naming violation (64)" LDAP + result code for DIT Structure Rule violation +- [#394] FIX dsconfig --help- +- [#400] Reduce character escaping in example, add note +- Added missing documentation attachments +- Generate man pages in the AsciiDoc format +- Reduce character escaping in example, add note +- minor docs glitches fix +- Add JDK 23 build support +- Bump org.openidentityplatform.commons 2.2.2 +- Docker: Use tail instead of sleep to allow the container to be stopped with + SIGTERM +- [#423] Eliminate asciidoctor warning messages when generating documentation +- [#426] ADD maven.compiler.release=8 for cross compile compatibility +- Remove legacy files +- [#90, #432] FIX delete entries in overlapping backends +- [#425] Add option + -Dorg.openidentityplatform.opendj.ERR_ENTRY_SCHEMA_VIOLATES_PARENT_DSR for + force control "Entry is invalid according to the server schema because there + is no DIT structure rule that applies to that entry, but there is a DIT + structure rule for the parent entry". 
Default: warning level +- [#425] Workaround: Entry is invalid according to the server schema because + there is no DIT structure rule that applies to that entry, but there is a + DIT structure rule for the parent entry +- [#431] Update importldiff --offline and --clearBacked flags descriptions +- made their first contribution +- made their first contribution +* Mon Sep 9 2024 Open Identity Platform Community - 4.8.0 +- Switch docker to last LTS JRE 21 +- Add JDK 22 support +- [#376] JMX fix docs with "Allow insecure authentication" +- [#376] FIX SNMP monitoring config +- [#383] FIX docs: import-ldif and export-ldif binaries should be shown using + the --offline option +- [#384] FIX Control Panel: empty help URL values +- FIX do not check DIT structure parent/child on same ObjectClass (thanks for + the research ) +- Bump org.openidentityplatform.commons 2.2.0 +* Thu Aug 8 2024 Open Identity Platform Community - 4.7.0 +- [#204] ADD LDAP Relax Rules Control +- [#287] ADD alias dereferencing for search requests +- [#187] FIX RFC3671: collective attribute values should be merged. Virtuals + with other virtuals and real values. 
+- [#84] FIX incorrect entry-Based ACIs is defined with only "deny" permission + without "allow" +- [#250] Add Overlapping Backend TestSuite +- [#294] Dont send client notification on IOException +- [#368] CASSANDRA ADD property -Dkeyspace=ldap_opendj +- Bump commons.version 2.1.6 +- Publish docs to +- Fix documentation version +* Tue Jul 16 2024 Open Identity Platform Community - 4.6.5 +- compress webhelp, xhtml and html docs after build +- add missing docs +- Update README.md +- [#354] FIX "OpenDJ fails to upgrade from version 3->4: An error occurred + while attempting to perform index rebuild: Unable to decode the provided + object class set because it used an undefined token" +- [#167] FIX control-panel ResetUserPasswordTask unpredictable result (wait + async result) +- Add rest operations modifyPassword, resetPassword to docs from +- [#148,#261,#282] FIX control-panel schema errors in remote mode +* Wed Jun 26 2024 Open Identity Platform Community - 4.6.4 +- Embedded OpenDJ module initial commit +- Bump ch.qos.logback:logback-core from 1.2.11 to 1.2.13 in /opendj-embedded +- Bump ch.qos.logback:logback-classic from 1.2.9 to 1.2.13 in /opendj-embedded +- update opendj-parent version +- Bump org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.5 in /opendj-core +- Bump org.bouncycastle:bctls-fips from 1.0.13 to 1.0.19 in /opendj-core +- Bump org.openidentityplatform.commons 2.1.4 +- move commons version to property & fix doc-maven-plugin version +- made their first contribution +* Tue May 7 2024 Open Identity Platform Community - 4.6.3 +- ADD build test with memory pressure +- Update Docker jre 17->19 +- org.openidentityplatform.commons 2.1.3-SNAPSHOT +- FIX OpenIDM compatibility +- [#329] make posixGroup AUXILIARY by default +- [#331] Allow downgrade version without upgrade task +- Bump org.openidentityplatform.commons 2.1.3 +- Add Build test on MacOS M1 arm64 +- Restore macos-latest build strategy +* Wed Jan 17 2024 Open Identity Platform Community - 4.6.2 +- FIX 
CLIENT_SIDE_NO_RESULTS_RETURNED in hasNext() +- update org.openidentityplatform.commons to 2.1.2-SNAPSHOT +- FIX performance java.util.TimeZone.getTimeZone(TimeZone.java:516) is + synchronized +- [#317] sendUnsolicitedNotification can fail on client disconnect with + OnErrorNotImplementedException +- org.openidentityplatform.commons 2.1.2 +* Thu Oct 26 2023 Open Identity Platform Community - 4.6.1 +- Allow store LDAP catalog data in CASSANDRA noSQL cluster --backendType cas + (ldapv3 to cassandra) +- ADD IT test for wars +- Add TestContainers to test Apache Cassandra backend +- Bump org.openidentityplatform.commons 2.0.19-SNAPSHOT +- Update README.md: allow store LDAPv3 database in Cassandra/Scylla cluster +- Bump org.openidentityplatform.commons 2.1.1 +- Add JDK 21 support +- CASSANDRA storage: cursor performance +- FIX newHeapBufferPool calculation (import OOM error) +* Fri Sep 22 2023 Open Identity Platform Community - 4.5.9 +- Generate SHA256WithRSA certificate as default +- convert JMX metrics to appropriate type #293 +- Fix attribute value. bean should return native object #293 +- Remove TLSv1 as default protocol FIX +- nexus-staging-maven-plugin 1.6.13 + disable auto release +- made their first contribution +* Wed Aug 30 2023 Open Identity Platform Community - 4.5.6 +- FIX unused trailing bytes in ASN.1 SEQUENCE +* Thu Jul 20 2023 Open Identity Platform Community - 4.5.5 +- FIX build with Installation failure for grub-efi-amd64-signed on ubuntu- + latest +- FIX add-source for generate-sources +- Restore IT test for server-legacy and fix many errors +- change posixGroup type to structural. 
and add cn +- FIX argument listBackups is incompatible with use of this tool to interact +- PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password storage not configured by + default +- FIX Setup Issue - Error Creating Base Entry +- Extend admin port connection limits +- Restore TLSv1.3 support +- Bump org.openidentityplatform.commons 2.0.18 +* Fri Dec 9 2022 Open Identity Platform Community - 4.5.4 +- BUILD java: [ '8','11','17','19'] + fix install wine32:i386 without + conflicts +- FIX build allow fail for remove deb.sury.org +- Docker add jdk17 platforms: linux/amd64, linux/arm64/8, linux/arm/v7, +* Wed Nov 30 2022 Open Identity Platform Community - 4.5.3 +- Create target directory before copying custom schema +- Copy ldif configs to the correct template directory +- UPDATE build process +- FIX DSML servlet can't find JAX-B runtime +* Tue Aug 2 2022 Open Identity Platform Community - 4.5.1 +- update commons version to 2.0.16-SNAPSHOT +- 'find' command is missing in the 4.5.0 docker image #242 +- FIX wine32 install (from ppa:ondrej/php so that we will be able to install + wine32:i386 without conflicts) +- Don't clone buffer in ldap codec +- Add BCFKS FIPS key store type support +- fix FipsStaticUtils code formatting +- made their first contribution +* Wed Jun 1 2022 Open Identity Platform Community - 4.5.0 +- Switch base docker image to Java 17 +* Wed Jun 1 2022 Open Identity Platform Community - 4.4.15 +- Add alpine platforms linux/s390x, linux/386, linux/arm/v7, linux/arm/v6, + linux/ppc64le +- Implement PBKDF2-HMAC-SHA256 and PBKDF-HMAC-SHA512 password encoding schemes +- Docker refactoring +- FIX tamil (ta.6) matching rule schema has typo in definition +- FIX Failed to delete entries under multiple backends +- Add support jdk '16','17','18' +- support AD attributes userAccountControl, msDS-UserAccountDisabled and + pwdLastSet +- Test + Run on jdk15+ +- FIX OpenDJ is not logging errors to logfile #128 +- FIX Windows install to path with spaces +- made their first 
contribution +* Mon May 2 2022 Open Identity Platform Community - 4.4.14 +- add docker test +- Release multi-platform Docker images +- Support to load plain ldif files during container setup +- made their first contribution +* Fri Apr 22 2022 Open Identity Platform Community - 4.4.13 +- FIX OpenDJ setup failure +- Add FIPS support +- GithubAction build +- Github action deploy +- actions: separate deploy +- Update opendj_service.exe +- Switch org.openidentityplatform.commons 2.0.13-SNAPSHOT +- Fix rebuild-index in FIPS mode +- ADD JSONEntryWriter JSONEntryReader +- FIX DN escape 'Equal sign': +- FIX JSONEntryWriter escape DN values +- move fips functions to separate class +- do not use fips when bc-fips classes not found +- Update pom.xml nexus-staging-maven-plugin 1.6.11 +- Refactor Dockerfile debian and alpine +- Migrate release from Travis to GitHub +- FIX Deployment of external dependency failed. Failed to deploy artifacts: + Could not transfer artifact openidentityplatform.org:wixtoolset:zip +- made their first contribution +- made their first contribution +- made their first contribution +- made their first contribution +* Mon Jun 21 2021 Open Identity Platform Community - 4.4.11 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.11 +* Mon Feb 8 2021 Open Identity Platform Community - 4.4.10 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.10 +* Wed Dec 30 2020 Open Identity Platform Community - 4.4.9 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.9 +* Tue Nov 10 2020 Open Identity Platform Community - 4.4.8 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.8 +* Wed Sep 9 2020 Open Identity Platform Community - 4.4.7 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.7 +* Thu Jun 11 2020 Open Identity Platform Community - 4.4.6 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.6 +* Tue Mar 10 2020 Open Identity Platform Community - 4.4.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.5 +* Fri Feb 21 2020 Open Identity Platform Community - 4.4.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.4 +* Mon Jul 29 2019 Open Identity Platform Community - 4.4.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.3 +* Mon Apr 29 2019 Open Identity Platform Community - 4.4.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.2 +* Sun Mar 10 2019 Open Identity Platform Community - 4.4.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.4.1 +* Mon Mar 4 2019 Open Identity Platform Community - 4.3.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.5 +* Sun Feb 17 2019 Open Identity Platform Community - 4.3.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.4 +* Fri Feb 8 2019 Open Identity Platform Community - 4.3.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.3 +* Tue Jan 29 2019 Open Identity Platform Community - 4.3.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.2 +* Mon Dec 10 2018 Open Identity Platform Community - 4.3.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.3.1 +* Fri Oct 26 2018 Open Identity Platform Community - 4.2.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.5 +* Thu Oct 18 2018 Open Identity Platform Community - 4.2.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.4 +* Wed Oct 17 2018 Open Identity Platform Community - 4.2.3 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.3 +* Mon Oct 8 2018 Open Identity Platform Community - 4.2.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.2 +* Fri Oct 5 2018 Open Identity Platform Community - 4.2.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.2.1 +* Wed May 30 2018 Open Identity Platform Community - 4.1.10 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.10 +* Fri May 25 2018 Open Identity Platform Community - 4.1.9 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.9 +* Sat May 12 2018 Open Identity Platform Community - 4.1.8 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.8 +* Tue May 1 2018 Open Identity Platform Community - 4.1.7 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.7 +* Tue Apr 10 2018 Open Identity Platform Community - 4.1.6 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.6 +* Tue Mar 6 2018 Open Identity Platform Community - 4.1.5 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.5 +* Sat Mar 3 2018 Open Identity Platform Community - 4.1.4 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.4 +* Wed Feb 28 2018 Open Identity Platform Community - 4.1.3 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.3 +* Wed Feb 28 2018 Open Identity Platform Community - 4.1.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.2 +* Fri Feb 23 2018 Open Identity Platform Community - 4.1.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.1.1 +* Tue Feb 20 2018 Open Identity Platform Community - 4.0.3 +- See release notes: + 
https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.3 +* Fri Feb 16 2018 Open Identity Platform Community - 4.0.2 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.2 +* Fri Feb 16 2018 Open Identity Platform Community - 4.0.1 +- See release notes: + https://github.com/OpenIdentityPlatform/OpenDJ/releases/tag/4.0.1 diff --git a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh index 5b62246047..d2ed6ea03b 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh 
@@ -13,50 +13,58 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # =============================== # RPM Post Install Script (%post) # =============================== -# The arguments to a %post are 1 and 2 for a new installation -# and upgrade, respectively. (%pre and %post aren't executed during -# an uninstallation.) +# $1 is 1 for an initial installation and 2 for an upgrade. -# Registers the service -/sbin/chkconfig --add opendj +# Ensure the service account exists and owns the install tree (also migrates +# installations that were previously owned by root on upgrade). +getent group opendj >/dev/null || groupadd -r opendj +getent passwd opendj >/dev/null || \ + useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj +chown -R opendj:opendj "%{_prefix}" || true -# Symlinks to process ID -test -h "/var/run/opendj.pid" || ln -s /opt/opendj/logs/server.pid /var/run/opendj.pid +# Register the service: prefer systemd, fall back to chkconfig/SysV. +if [ -d /run/systemd/system ] ; then + systemctl daemon-reload >/dev/null 2>&1 || true + systemctl enable opendj.service >/dev/null 2>&1 || true +else + /sbin/chkconfig --add opendj || true +fi -if [ "$1" == "1" ] ; then - echo "Post Install - initial install" -else if [ "$1" == "2" ] ; then +if [ "$1" = "2" ] ; then echo "Post Install - upgrade install" - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then - "%{_prefix}"/./upgrade -n --force --acceptLicense - # If upgrade is ok, checks the server status flag for restart - if [ "$?" == "0" ] && [ -f "%{_prefix}"/logs/status ] ; then - echo "" - echo "Restarting server..." - "%{_prefix}"/./bin/start-ds - echo "" - rm -f "%{_prefix}"/logs/status - fi - - # Upgrade fails, needs user interaction (eg. manual mode) - if [ "$?" 
== "2" ] ; then - exit "0" + # Only if the instance has been configured. + if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then + if runuser -u opendj -- "%{_prefix}"/upgrade -n --force --acceptLicense ; then + # If upgrade is ok, check the server status flag for restart. + if [ -f "%{_prefix}"/logs/status ] ; then + echo "Restarting server..." + if [ -d /run/systemd/system ] ; then + systemctl start opendj.service || true + else + runuser -u opendj -- "%{_prefix}"/bin/start-ds || true + fi + rm -f "%{_prefix}"/logs/status + fi + else + # Upgrade failed; may need manual interaction. Do not fail the transaction. + echo "Upgrade failed; manual interaction may be required." + exit 0 fi else - echo "Instance is not configured. Upgrade aborted." - exit -1 - fi + echo "Instance is not configured." fi +else + echo "Post Install - initial install" fi +# Add OpenDJ man pages to MANPATH. MAN_CONFIG_FILE=NOT_SET -# Add OpenDJ man pages to MANPATH if [ -e /etc/man.config ] ; then MAN_CONFIG_FILE=/etc/man.config MANPATH_DIRECTIVE=MANPATH @@ -65,9 +73,8 @@ elif [ -e /etc/man_db.conf ] ; then MANPATH_DIRECTIVE=MANDATORY_MANPATH fi -if [ $MAN_CONFIG_FILE != "NOT_SET" ] ; then - grep -q "$MANPATH_DIRECTIVE.*opendj" $MAN_CONFIG_FILE 2> /dev/null - if [ $? -ne 0 ]; then - echo "$MANPATH_DIRECTIVE %{_prefix}/share/man" >> $MAN_CONFIG_FILE +if [ "$MAN_CONFIG_FILE" != "NOT_SET" ] ; then + if ! grep -q "$MANPATH_DIRECTIVE.*opendj" "$MAN_CONFIG_FILE" 2>/dev/null ; then + echo "$MANPATH_DIRECTIVE %{_prefix}/share/man" >> "$MAN_CONFIG_FILE" fi fi diff --git a/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh b/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh index c690a73d70..b57609b230 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postuninstall.sh 
@@ -13,18 +13,21 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # =================================== # RPM Post Uninstall Script (%postun) # =================================== -# If the first argument to %preun and %postun is 0, the action is uninstallation. -# If the first argument to %preun and %postun is 1, the action is an upgrade. +# $1 is 0 for an uninstallation and 1 for an upgrade. -if [ "$1" == "0" ] ; then +if [ -d /run/systemd/system ] ; then + systemctl daemon-reload >/dev/null 2>&1 || true +fi + +if [ "$1" = "0" ] ; then echo "Post Uninstall - uninstall" echo "OpenDJ successfully removed." -else if [ "$1" == "1" ] ; then +elif [ "$1" = "1" ] ; then echo "Post Uninstall - upgrade uninstall" - fi fi diff --git a/opendj-packages/opendj-rpm/resources/specs/preinstall.sh b/opendj-packages/opendj-rpm/resources/specs/preinstall.sh index 14632dbed6..c741241cfb 100644 --- a/opendj-packages/opendj-rpm/resources/specs/preinstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/preinstall.sh 
@@ -13,25 +13,29 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # ============================= # RPM Pre Install Script (%pre) # ============================= -# If the first argument to %pre is 1, the RPM operation is an initial installation. -# If the argument to %pre is 2, the operation is an upgrade from an existing version to a new one. +# $1 is 1 for an initial installation and 2 for an upgrade. -if [ "$1" == "1" ]; then - echo "Pre Install - initial install" -else if [ "$1" == "2" ] ; then - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then +# Create the dedicated system user/group that runs the service. +getent group opendj >/dev/null || groupadd -r opendj +getent passwd opendj >/dev/null || \ + useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj + +if [ "$1" = "2" ] ; then + # Upgrade: stop a running, configured instance and record state for restart. + if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then echo "Pre Install - upgrade install" - # If the server is running before upgrade, creates a file flag if [ -f "%{_prefix}"/logs/server.pid ] ; then touch "%{_prefix}"/logs/status fi - "%{_prefix}"/bin/./stop-ds + if [ -d /run/systemd/system ] ; then + systemctl stop opendj.service >/dev/null 2>&1 || true fi + [ -x "%{_prefix}"/bin/stop-ds ] && "%{_prefix}"/bin/stop-ds || true fi fi diff --git a/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh b/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh index 613a5e7297..73f81b52b8 100644 --- a/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/preuninstall.sh 
@@ -13,28 +13,29 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2026 3A Systems, LLC # ================================= # RPM Pre Uninstall Script (%preun) # ================================= -# If the first argument to %preun and %postun is 0, the action is uninstallation. -# If the first argument to %preun and %postun is 1, the action is an upgrade. +# $1 is 0 for an uninstallation and 1 for an upgrade. -if [ "$1" == "0" ] ; then +if [ "$1" = "0" ] ; then echo "Pre Uninstall - uninstall" - # Unlink the symlink to the process ID. - test -h "/var/run/opendj.pid" && unlink /var/run/opendj.pid - # Only if the instance has been configured - if [ -e "%{_prefix}"/config/buildinfo ] && [ "$(ls -A "%{_prefix}"/config/archived-configs)" ] ; then - "%{_prefix}"/bin/./stop-ds + # Stop and unregister the service. + if [ -d /run/systemd/system ] ; then + systemctl stop opendj.service >/dev/null 2>&1 || true + systemctl disable opendj.service >/dev/null 2>&1 || true fi - - if [ -e /etc/init.d/opendj ] ; then - # Deletes the service. - /sbin/chkconfig --del opendj + if [ -x "%{_prefix}"/bin/stop-ds ] && [ -e "%{_prefix}"/config/buildinfo ] \ + && [ "$(ls -A "%{_prefix}"/config/archived-configs 2>/dev/null)" ] ; then + "%{_prefix}"/bin/stop-ds || true fi -else if [ "$1" == "1" ] ; then - echo "Pre Uninstall - upgrade uninstall" + if [ -e /etc/init.d/opendj ] ; then + /sbin/chkconfig --del opendj || true fi + # Clean up the legacy PID symlink created by the SysV init script. + [ -h /run/opendj.pid ] && rm -f /run/opendj.pid || true + [ -h /var/run/opendj.pid ] && rm -f /var/run/opendj.pid || true fi diff --git a/opendj-packages/resources/generate-changelog.sh b/opendj-packages/resources/generate-changelog.sh new file mode 100755 index 0000000000..ee669840b0 --- /dev/null +++ b/opendj-packages/resources/generate-changelog.sh 
@@ -0,0 +1,142 @@ +#!/usr/bin/env bash +# +# The contents of this file are subject to the terms of the Common Development and +# Distribution License (the License). You may not use this file except in compliance with the +# License. +# +# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the +# specific language governing permission and limitations under the License. +# +# When distributing Covered Software, include this CDDL Header Notice in each file and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL +# Header, with the fields enclosed by brackets [] replaced by your own identifying +# information: "Portions Copyright [year] [name of copyright owner]". +# +# Copyright 2026 3A Systems, LLC +# +# Regenerates the Debian and RPM package changelogs from the GitHub Releases of +# OpenIdentityPlatform/OpenDJ. Run this at release time (it needs network + an +# authenticated `gh`); the produced files are committed so the Maven build stays +# offline and reproducible. +# +# Usage (from the repository root): +# opendj-packages/resources/generate-changelog.sh +# +# Requires: gh (authenticated), python3. + +set -euo pipefail + +REPO="${OPENDJ_REPO:-OpenIdentityPlatform/OpenDJ}" +HERE="$(cd "$(dirname "$0")" && pwd)" +DEB_FILE="${HERE}/../opendj-deb/resources/changelog" +RPM_FILE="${HERE}/../opendj-rpm/resources/changelog" + +echo "Fetching releases from ${REPO} ..." 
>&2 +RELEASES_TMP="$(mktemp)" +trap 'rm -f "$RELEASES_TMP"' EXIT +gh api --paginate "repos/${REPO}/releases" > "$RELEASES_TMP" 2>/dev/null + +DEB_FILE="${DEB_FILE}" RPM_FILE="${RPM_FILE}" RELEASES_TMP="${RELEASES_TMP}" REPO="${REPO}" python3 - <<'PY' +import json, os, re, sys, textwrap + +with open(os.environ["RELEASES_TMP"]) as _f: + releases = json.load(_f) + +MAINTAINER = "Open Identity Platform Community " +DOW = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"] +MON = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"] + +def parse_iso(ts): + # e.g. 2026-06-11T19:19:48Z -> (Y, M, D, h, m, s, weekday) + import datetime + dt = datetime.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") + return dt + +def clean_bullets(body): + bullets = [] + for raw in (body or "").splitlines(): + line = raw.strip() + if not line.startswith(("* ", "- ")): + continue + line = line[2:].strip() + line = re.sub(r"\[([^\]]+)\]\([^)]+\)", r"\1", line) # md link -> text + line = re.sub(r"\bin https?://\S+", "", line) # drop PR url + line = re.sub(r"https?://\S+", "", line) # drop bare urls + line = re.sub(r"\b(by|thanks)\s+@[\w-]+(\[bot\])?", "", line) # drop "by/thanks @author" + line = re.sub(r"@[\w-]+(\[bot\])?", "", line) # drop any leftover @mention + line = line.replace("**", "").replace("`", "") + line = re.sub(r"[←-➿️❤☀-⛿]", "", line) # emoji/hearts + line = re.sub(r"\s+", " ", line).strip(" -") + if line: + bullets.append(line) + return bullets + +def version_of(rel): + return (rel.get("tag_name") or rel.get("name") or "").lstrip("v").strip() + +deb_chunks, rpm_chunks = [], [] +for rel in releases: + if rel.get("draft"): + continue + ver = version_of(rel) + if not ver or not ver[0].isdigit(): + continue + dt = parse_iso(rel["published_at"]) + bullets = clean_bullets(rel.get("body")) or [ + "See release notes: https://github.com/%s/releases/tag/%s" + % (os.environ.get("REPO", "OpenIdentityPlatform/OpenDJ"), ver) + ] + + # --- Debian stanza --- + deb 
= ["opendj (%s) unstable; urgency=medium" % ver, ""] + for b in bullets: + wrapped = textwrap.fill(b, width=78, initial_indent=" * ", + subsequent_indent=" ") + deb.append(wrapped) + deb_date = "%s, %02d %s %d %02d:%02d:%02d +0000" % ( + DOW[dt.weekday()], dt.day, MON[dt.month - 1], dt.year, + dt.hour, dt.minute, dt.second) + deb.append("") + deb.append(" -- %s %s" % (MAINTAINER, deb_date)) + deb_chunks.append("\n".join(deb)) + + # --- RPM stanza --- + rpm_date = "%s %s %2d %d" % (DOW[dt.weekday()], MON[dt.month - 1], dt.day, dt.year) + rpm = ["* %s %s - %s" % (rpm_date, MAINTAINER, ver)] + for b in bullets: + rpm.append(textwrap.fill(b, width=78, initial_indent="- ", + subsequent_indent=" ")) + rpm_chunks.append("\n".join(rpm)) + +with open(os.environ["DEB_FILE"], "w") as f: + f.write("\n\n".join(deb_chunks) + "\n") + +RPM_PREAMBLE = """# +# The contents of this file are subject to the terms of the Common Development and +# Distribution License (the License). You may not use this file except in compliance with the +# License. +# +# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the +# specific language governing permission and limitations under the License. +# +# When distributing Covered Software, include this CDDL Header Notice in each file and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL +# Header, with the fields enclosed by brackets [] replaced by your own identifying +# information: "Portions Copyright [year] [name of copyright owner]". +# +# Copyright 2013-2026 ForgeRock AS and Open Identity Platform Community. + +# ============================= +# opendj rpm package changelog +# ============================= + +%changelog +""" +with open(os.environ["RPM_FILE"], "w") as f: + f.write(RPM_PREAMBLE + "\n".join(rpm_chunks) + "\n") + +print("Wrote %d releases to:\n %s\n %s" + % (len(deb_chunks), os.environ["DEB_FILE"], os.environ["RPM_FILE"]), + file=sys.stderr) +PY 
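Review bot: clean_bullets() writes release-body text into the RPM stanza without escaping `%`, and rpm expands macros inside %changelog, so a release note that contains a percent sign changes or breaks the spec at build time; escape it for the RPM output only, e.g. `b.replace("%", "%%")` before `textwrap.fill`. The mention-stripping regexes also leave bare "made their first contribution" bullets, which are visible many times in the committed rpm changelog; drop bullets that reduce to that phrase. Finally, `gh api ... 2>/dev/null` combined with `set -euo pipefail` makes an authentication or rate-limit failure exit with no message, so let stderr through.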
diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service new file mode 100644 index 0000000000..fe6fe4af99 --- /dev/null +++ b/opendj-packages/resources/systemd/opendj.service @@ -0,0 +1,36 @@ +# +# The contents of this file are subject to the terms of the Common Development and +# Distribution License (the License). You may not use this file except in compliance with the +# License. +# +# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the +# specific language governing permission and limitations under the License. +# +# When distributing Covered Software, include this CDDL Header Notice in each file and include +# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL +# Header, with the fields enclosed by brackets [] replaced by your own identifying +# information: "Portions Copyright [year] [name of copyright owner]". +# +# Copyright 2026 3A Systems, LLC + +[Unit] +Description=OpenDJ LDAPv3 Directory Server +Documentation=https://github.com/OpenIdentityPlatform/OpenDJ +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +User=opendj +Group=opendj +Environment=INSTALL_ROOT=/opt/opendj +# start-ds --nodetach keeps the JVM in the foreground so systemd supervises it directly. +ExecStart=/opt/opendj/bin/start-ds --nodetach --quiet +ExecStop=/opt/opendj/bin/stop-ds --quiet +Restart=on-failure +RestartSec=5 +TimeoutStartSec=180 +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target diff --git a/opendj-packages/resources/sysv/opendj b/opendj-packages/resources/sysv/opendj index 579d1dce5c..b12e608405 100644 --- a/opendj-packages/resources/sysv/opendj +++ b/opendj-packages/resources/sysv/opendj @@ -17,6 +17,7 @@ # information: "Portions Copyright [year] [name of copyright owner]". # # Copyright 2013-2015 ForgeRock AS. +# Portions Copyright 2025-2026 3A Systems, LLC # chkconfig: 2345 80 05 
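Review bot: opendj.service switches the server to User=opendj but grants no capability for privileged ports, so an instance that was configured while the server ran as root and listens on a port below 1024 (389 and 636 are the LDAP defaults) will fail to bind once the upgrade moves it to the service account. Either add `AmbientCapabilities=CAP_NET_BIND_SERVICE` or document the port change in the upgrade notes. Since the unit is new, this is also the place to add basic sandboxing such as `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full`, which the [Service] section currently lacks.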
@@ -67,9 +68,25 @@ DAEMON=opendj ORIGINPIDFILE=/opt/opendj/logs/server.pid # Pid file is a symlink to /opt/opendj/log/server.pid -PIDFILE=/var/run/opendj.pid +# /run is the canonical location (/var/run is a compatibility symlink to it). +PIDFILE=/run/opendj.pid RETVAL=0 +# The dedicated service account the server runs as (created by the package). +RUNASUSER=opendj + +# Runs the given command as $RUNASUSER when that account exists and we are root; +# otherwise runs it as the current user (keeps old root-only installs working). +run_as() { + if [ "$(id -un)" = "$RUNASUSER" ] || ! getent passwd "$RUNASUSER" >/dev/null 2>&1 ; then + "$@" + elif command -v runuser >/dev/null 2>&1 ; then + runuser -u "$RUNASUSER" -- "$@" + else + su -s /bin/sh "$RUNASUSER" -c "$(while [ "$#" -gt 0 ]; do printf '%s ' "$1"; shift; done)" + fi +} + # If the daemon is not there, then exit / LSB return code. test -x "$INSTALL_ROOT/bin/start-ds" || exit 5 @@ -98,7 +115,7 @@ start() { echo "> Already running." return 0 else - "$INSTALL_ROOT"/bin/start-ds --quiet + run_as "$INSTALL_ROOT"/bin/start-ds --quiet RETVAL=$? if [ $RETVAL = 0 ] ; then touch $LOCKFILE @@ -123,7 +140,7 @@ stop() { if [ -e $PIDFILE ] then # Server is running - "$INSTALL_ROOT"/bin/stop-ds --quiet + run_as "$INSTALL_ROOT"/bin/stop-ds --quiet RETVAL=$? if [ $RETVAL = 0 ] ; then echo "> SUCCESS." From 98da1189537cedc48ae8a4eb8f5bf8bac2e5bfa9 Mon Sep 17 00:00:00 2001 
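Review bot: In run_as() in sysv/opendj, the `su` fallback flattens the arguments with `printf '%s '` and passes the result to `sh -c`, so quoting is lost and an INSTALL_ROOT or option containing whitespace or shell metacharacters is re-split and interpreted by the shell. Quote each argument before joining, or drop the fallback and require `runuser`. The first branch also runs the command as the invoking user, normally root, whenever the opendj account is missing; print a warning there so a server that is silently running as root is noticed.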
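Review bot: preinstall.sh and preuninstall.sh still invoke `"%{_prefix}"/bin/stop-ds` directly, so it runs as root, while postinstall.sh does `chown -R opendj:opendj "%{_prefix}"`; on any later upgrade or removal root is executing a script that the service account is able to rewrite, which defeats much of the privilege separation this patch introduces. Run it through `runuser -u opendj --` as postinstall.sh already does for `upgrade` and `start-ds`, and consider leaving bin/ root-owned so that only the directories the server writes to (config, logs and data) belong to opendj.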
From: Valera V Harseko Date: Sun, 28 Jun 2026 10:24:09 +0300 Subject: [PATCH 2/4] Make the opendj service find Java via a stable symlink, and harden the CI The dedicated `opendj` service user (PR #663) runs setup/start-ds/stop-ds with a clean environment: no inherited JAVA_HOME, and `which` may be absent (e.g. minimal containers). OpenDJ's Java lookup then fell through to an error, because the package shipped config/java.properties with an unsubstituted placeholder (`default.java-home=$JAVA_HOME`) and the PATH fallback relied on the external `which`. Result: setup/start as `opendj` could not find Java. Fix Java discovery at the package level, using STABLE references so a JRE upgrade/reinstall does not break the service: - _script-util.sh: replace `which java` with `command -v java` (POSIX builtin, no dependency on the `which` package; resolves the stable /usr/bin/java alternatives symlink). This is the root-cause fix for the PATH fallback. - deb postinst / rpm %post: substitute `default.java-home` in config/java.properties with a stable symlink (/usr/lib/jvm/default-java, else the grandparent of `command -v java`, typically /usr) -- never a version- specific readlink path. Only the shipped placeholder is touched, so admin edits are preserved. - Ship an EnvironmentFile for admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS): /etc/default/opendj on deb (conffile), /etc/sysconfig/ opendj on rpm (%config(noreplace)). The systemd unit reads it via EnvironmentFile=, and the SysV init script sources and exports it so the values survive the runuser switch to the service account. CI (.github/workflows/build.yml): - test-deb: run in a clean debian:12 container (install + SysV start/stop) plus a live `systemctl enable --now` on the runner. The container has no JAVA_HOME and no `which`, so it actually verifies the package configures Java itself. - test-rpm: drop the OPENDJ_JAVA_HOME band-aid; Java now comes from the package. 
--- .github/workflows/build.yml | 66 +++++++++++-------- .../opendj-deb/opendj-deb-standard/pom.xml | 1 + opendj-packages/opendj-deb/pom.xml | 11 ++++ .../opendj-deb/resources/control/postinst | 10 +++ .../opendj-rpm/opendj-rpm-standard/pom.xml | 1 + opendj-packages/opendj-rpm/pom.xml | 13 ++++ .../opendj-rpm/resources/specs/postinstall.sh | 10 +++ opendj-packages/resources/env/opendj | 17 +++++ .../resources/systemd/opendj.service | 4 ++ opendj-packages/resources/sysv/opendj | 6 ++ .../resource/bin/_script-util.sh | 4 +- 11 files changed, 112 insertions(+), 31 deletions(-) create mode 100644 opendj-packages/resources/env/opendj diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0501537943..84dfdad702 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -450,38 +450,51 @@ jobs: uses: actions/download-artifact@v8 with: name: ubuntu-latest-11 - - name: Locate .deb + - name: Clean-room install + SysV start/stop (debian:12 container) shell: bash run: | - DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) - echo "DEB=$PWD/$DEB" >> "$GITHUB_ENV" - echo "Found $DEB" - - name: Lint and inspect + docker run --rm -v "$PWD:/work" -w /work debian:12 bash -c ' + set -e + export DEBIAN_FRONTEND=noninteractive + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) + echo "Found $DEB" + apt-get update + apt-get install -y lintian + lintian --info --no-tag-display-limit "$DEB" || true + dpkg-deb -I "$DEB" + dpkg-deb -c "$DEB" | grep -E "lib/systemd/system/opendj.service|etc/init.d/opendj" + apt-get install -y "./$DEB" + id opendj + test "$(stat -c %U /opt/opendj)" = opendj + # No JAVA_HOME and no "which" in this clean container: Java must resolve + # from config/java.properties (default.java-home set by postinst). 
+ runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ + --rootUserDN "cn=Directory Manager" --rootUserPassword password \ + --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ + --baseDN dc=example,dc=com --addBaseEntry + /etc/init.d/opendj start + OK=0 + for i in $(seq 1 20); do + if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi + sleep 3 + done + /etc/init.d/opendj status + test "$OK" = 1 + /etc/init.d/opendj stop + apt-get purge -y opendj + ' + - name: Live systemd install + start/stop (runner) shell: bash run: | + DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1) sudo apt-get update - sudo apt-get install -y lintian - lintian --info --no-tag-display-limit "$DEB" || true - dpkg-deb -I "$DEB" - dpkg-deb -c "$DEB" | grep -E 'lib/systemd/system/opendj\.service|etc/init\.d/opendj' - systemd-analyze verify opendj-packages/resources/systemd/opendj.service || true - sh -n opendj-packages/resources/sysv/opendj - - name: Install - shell: bash - run: | - sudo apt-get install -y "$DEB" - getent passwd opendj + sudo apt-get install -y "$PWD/$DEB" test "$(stat -c '%U' /opt/opendj)" = opendj - - name: Setup OpenDJ (configured, not started) - shell: bash - run: | + # sudo/runuser/systemd strip JAVA_HOME -> also relies on config/java.properties sudo runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ --rootUserDN "cn=Directory Manager" --rootUserPassword password \ --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ --baseDN dc=example,dc=com --addBaseEntry - - name: Start via systemd and verify - shell: bash - run: | sudo systemctl enable --now opendj OK=0 for i in $(seq 1 20); do 
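Review bot: The rewritten test-deb job no longer runs `sh -n opendj-packages/resources/sysv/opendj` or `systemd-analyze verify opendj-packages/resources/systemd/opendj.service`; both were in the removed "Lint and inspect" step and neither appears in the two new steps, even though this series edits both files. Keep them as a cheap static step before the install tests. `lintian ... || true` also stays non-blocking, so packaging errors only show up in the log, and `debian:12` is a mutable tag, so pin the image by digest if the clean-room result is meant to be reproducible.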
@@ -491,16 +504,10 @@ jobs: sudo systemctl is-active --quiet opendj test "$OK" = 1 echo "OpenDJ is active under systemd" - - name: Stop via systemd and verify - shell: bash - run: | sudo systemctl stop opendj sleep 3 if sudo systemctl is-active --quiet opendj; then echo "still active"; exit 1; fi - echo "OpenDJ stopped" - - name: Purge - shell: bash - run: sudo apt-get purge -y opendj + sudo apt-get purge -y opendj test-rpm: needs: build-maven @@ -521,6 +528,7 @@ jobs: dnf install -y "$RPM" id opendj test "$(stat -c %U /opt/opendj)" = opendj + # Java must come from config/java.properties (no JAVA_HOME and no "which" here) runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \ --rootUserDN "cn=Directory Manager" --rootUserPassword password \ --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \ diff --git a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml index ebb19445c9..33ef15e4ca 100644 --- a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml +++ b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml @@ -35,6 +35,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj ${project.parent.parent.basedir}/resources/systemd/opendj.service + ${project.parent.parent.basedir}/resources/env/opendj ${product.name} ${product.name.lowercase} This OpenDJ package includes the Berkeley JE Backend and cannot be redistributed without a suitable license diff --git a/opendj-packages/opendj-deb/pom.xml b/opendj-packages/opendj-deb/pom.xml index 5cba979d2d..83eadc9ffe 100644 --- a/opendj-packages/opendj-deb/pom.xml +++ b/opendj-packages/opendj-deb/pom.xml @@ -181,6 +181,17 @@ + + + ${env.file.location} + file + + perm + /etc/default + 644 + + + ${basedir}/resources/copyright diff --git a/opendj-packages/opendj-deb/resources/control/postinst b/opendj-packages/opendj-deb/resources/control/postinst index 49ace6a6eb..d0f7ca8a5b 100644 
--- a/opendj-packages/opendj-deb/resources/control/postinst +++ b/opendj-packages/opendj-deb/resources/control/postinst @@ -35,6 +35,16 @@ fi # migrates installations that were previously owned by root. chown -R opendj:opendj ${deb.prefix} +# Pin Java for the service via OpenDJ's own config, using a STABLE symlink (not a +# version-specific path) so a JRE upgrade/reinstall does not break the service. +# Only touch the shipped placeholder, never an admin-edited value. +JAVA_PROPS=${deb.prefix}/config/java.properties +JH=/usr/lib/jvm/default-java +[ -x "$JH/bin/java" ] || JH=$(dirname "$(dirname "$(command -v java 2>/dev/null)")" 2>/dev/null) +if [ -n "$JH" ] && [ -x "$JH/bin/java" ] && grep -q '^default.java-home=\$JAVA_HOME' "$JAVA_PROPS" 2>/dev/null ; then + sed -i "s|^default.java-home=.*|default.java-home=$JH|" "$JAVA_PROPS" +fi + # Register the service: prefer systemd, fall back to SysV init. if [ -d /run/systemd/system ] ; then systemctl --system daemon-reload >/dev/null 2>&1 || true diff --git a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml index 341a5fde35..aa151435f6 100644 --- a/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml +++ b/opendj-packages/opendj-rpm/opendj-rpm-standard/pom.xml @@ -35,6 +35,7 @@ ${project.parent.parent.basedir}/resources/sysv/opendj ${project.parent.parent.basedir}/resources/systemd/opendj.service + ${project.parent.parent.basedir}/resources/env/opendj ${product.name} ${product.name.lowercase} ${project.parent.basedir}/resources diff --git a/opendj-packages/opendj-rpm/pom.xml b/opendj-packages/opendj-rpm/pom.xml index e89e0889d0..f1fc0b3ed1 100644 --- a/opendj-packages/opendj-rpm/pom.xml +++ b/opendj-packages/opendj-rpm/pom.xml @@ -250,6 +250,19 @@ + + + /etc/sysconfig + false + 644 + noreplace + + + ${env.file.location} + + + + ${rpm.prefix} 
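Review bot: In the postinst Java pinning, when `command -v java` finds nothing the nested `dirname` calls return `.`, so `JH` is non-empty and `[ -x "$JH/bin/java" ]` is then tested relative to whatever directory the maintainer script runs in. Require an absolute path before the `sed`, for example `case "$JH" in /*) ;; *) JH= ;; esac`. `$JH` is also interpolated unescaped into the `sed` replacement, so a path containing `|` or `&` would corrupt the line; the rpm postinstall.sh hunk carries the same logic.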
diff --git a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh index d2ed6ea03b..5129fedf16 100644 --- a/opendj-packages/opendj-rpm/resources/specs/postinstall.sh +++ b/opendj-packages/opendj-rpm/resources/specs/postinstall.sh @@ -28,6 +28,16 @@ getent passwd opendj >/dev/null || \ useradd -r -g opendj -d "%{_prefix}" -s /sbin/nologin -c "OpenDJ Directory Server" opendj chown -R opendj:opendj "%{_prefix}" || true +# Pin Java for the service via OpenDJ's own config, using a STABLE symlink (not a +# version-specific path) so a JRE upgrade/reinstall does not break the service. +# Only touch the shipped placeholder, never an admin-edited value. +JAVA_PROPS="%{_prefix}"/config/java.properties +JH=/usr/lib/jvm/jre +[ -x "$JH/bin/java" ] || JH=$(dirname "$(dirname "$(command -v java 2>/dev/null)")" 2>/dev/null) +if [ -n "$JH" ] && [ -x "$JH/bin/java" ] && grep -q '^default.java-home=\$JAVA_HOME' "$JAVA_PROPS" 2>/dev/null ; then + sed -i "s|^default.java-home=.*|default.java-home=$JH|" "$JAVA_PROPS" +fi + # Register the service: prefer systemd, fall back to chkconfig/SysV. if [ -d /run/systemd/system ] ; then systemctl daemon-reload >/dev/null 2>&1 || true diff --git a/opendj-packages/resources/env/opendj b/opendj-packages/resources/env/opendj new file mode 100644 index 0000000000..3d1a81b358 --- /dev/null +++ b/opendj-packages/resources/env/opendj 
@@ -0,0 +1,17 @@ +# Environment overrides for the OpenDJ service. +# +# This file is sourced by the systemd unit (EnvironmentFile=) and by the SysV +# init script. By default everything is commented out and the server resolves +# Java from its config/java.properties (default.java-home), which the package +# points at the system default JRE at install time. +# +# Uncomment to override the JRE used by the service (one line, no export): +# - OPENDJ_JAVA_HOME: a JAVA_HOME directory (its bin/java is used) +# - OPENDJ_JAVA_BIN : a direct path to the java binary (takes precedence) +# Using the stable /usr alternatives symlink survives Java upgrades: +# +#OPENDJ_JAVA_HOME=/usr/lib/jvm/default-java +#OPENDJ_JAVA_BIN=/usr/bin/java +# +# Extra JVM args for the server: +#OPENDJ_JAVA_ARGS=-server -Xmx2g diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service index fe6fe4af99..9e8889c16e 100644 --- a/opendj-packages/resources/systemd/opendj.service +++ b/opendj-packages/resources/systemd/opendj.service @@ -24,6 +24,10 @@ Type=simple User=opendj Group=opendj Environment=INSTALL_ROOT=/opt/opendj +# Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS). +# The leading "-" makes the file optional; deb ships /etc/default, rpm /etc/sysconfig. +EnvironmentFile=-/etc/default/opendj +EnvironmentFile=-/etc/sysconfig/opendj # start-ds --nodetach keeps the JVM in the foreground so systemd supervises it directly. ExecStart=/opt/opendj/bin/start-ds --nodetach --quiet ExecStop=/opt/opendj/bin/stop-ds --quiet diff --git a/opendj-packages/resources/sysv/opendj b/opendj-packages/resources/sysv/opendj index b12e608405..d2a1145997 100644 --- a/opendj-packages/resources/sysv/opendj +++ b/opendj-packages/resources/sysv/opendj 
@@ -59,6 +59,12 @@ fi # LOCKFILE is used by the service subsystem to know whether the opendj service is started and act upon it +# Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS). +# Exported so they survive the runuser switch to the service account in run_as(). +[ -r /etc/default/opendj ] && . /etc/default/opendj +[ -r /etc/sysconfig/opendj ] && . /etc/sysconfig/opendj +export OPENDJ_JAVA_HOME OPENDJ_JAVA_BIN OPENDJ_JAVA_ARGS + # Sets the script vars INSTALL_ROOT="/opt/opendj" export INSTALL_ROOT diff --git a/opendj-server-legacy/resource/bin/_script-util.sh b/opendj-server-legacy/resource/bin/_script-util.sh index da3a9e6ce4..5a4fbe3b4b 100644 --- a/opendj-server-legacy/resource/bin/_script-util.sh +++ b/opendj-server-legacy/resource/bin/_script-util.sh @@ -40,7 +40,7 @@ get_property() { # is defined and 'SCRIPT_NAME.java-home'/bin/java points to a regular file # 4 - use the 'default.java-home' property from the config/java.properties file # is defined and 'default.java-home'/bin/java points to a regular file -# 5 - use `which java` command to find java path +# 5 - use `command -v java` to find java path (POSIX builtin; no dependency on the `which` package) # 6 - use JAVA_BIN if defined and points to an existing regular file # 7 - use JAVA_HOME if defined and JAVA_HOME/bin/java points to a regural file # 8 - Displays an error message which says that java was not found on the running machine @@ -63,7 +63,7 @@ set_opendj_java_bin() { then OPENDJ_JAVA_BIN=${PROPERTY_VALUE}/bin/java else - TEST_JAVA_PATH=`which java 2> /dev/null` + TEST_JAVA_PATH=`command -v java 2> /dev/null` if test ! -z ${TEST_JAVA_PATH} -a -f ${TEST_JAVA_PATH} then OPENDJ_JAVA_BIN=${TEST_JAVA_PATH} From 7b5c11b72fc44510d40e4398c541d1151f9fba31 Mon Sep 17 00:00:00 2001 
From: Valera V Harseko Date: Sun, 28 Jun 2026 23:37:55 +0300 Subject: [PATCH 3/4] systemd: grant CAP_NET_BIND_SERVICE so the non-root service can bind privileged ports The service runs as the dedicated opendj user and so cannot bind privileged ports (LDAP 389, LDAPS 636) by default. Grant CAP_NET_BIND_SERVICE via AmbientCapabilities (and restrict CapabilityBoundingSet to it) so the non-root service can listen on those ports without running as root or applying setcap to the java binary. --- opendj-packages/resources/systemd/opendj.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/opendj-packages/resources/systemd/opendj.service b/opendj-packages/resources/systemd/opendj.service index 9e8889c16e..171eaa3613 100644 --- a/opendj-packages/resources/systemd/opendj.service +++ b/opendj-packages/resources/systemd/opendj.service @@ -23,6 +23,9 @@ Wants=network-online.target Type=simple User=opendj Group=opendj +# Allow the non-root service to bind privileged ports (e.g. LDAP 389, LDAPS 636). +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE Environment=INSTALL_ROOT=/opt/opendj # Optional admin overrides (OPENDJ_JAVA_HOME / OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS). # The leading "-" makes the file optional; deb ships /etc/default, rpm /etc/sysconfig. From 2ff41db2c317637c23086abf91e6264c3a4988da Mon Sep 17 00:00:00 2001 
From: Valera V Harseko Date: Sun, 28 Jun 2026 23:37:55 +0300 Subject: [PATCH 4/4] docs: update deb/rpm install/upgrade/uninstall for systemd + dedicated opendj user The install guide described the old behavior (init.d, root-owned files, setup as root). Update the Debian and RPM sections to match the current packages: dedicated opendj system user, systemd service (systemctl) with a SysV fallback, JRE installed automatically via the package dependency, run setup as the opendj user, override Java via /etc/default or /etc/sysconfig/opendj, and CAP_NET_BIND_SERVICE for privileged ports. --- .../asciidoc/install-guide/chap-install.adoc | 83 ++++++------------- .../install-guide/chap-uninstall.adoc | 4 +- .../asciidoc/install-guide/chap-upgrade.adoc | 2 +- 3 files changed, 28 insertions(+), 61 deletions(-) diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc index 92be08f08a..666c2d12cc 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc 
@@ -432,48 +432,26 @@ You can install OpenDJ in unattended and silent fashion, too. See the procedure, ==== On Debian and related Linux distributions such as Ubuntu, you can install OpenDJ directory server from the Debian package: -. (Optional) Before you install OpenDJ, install a Java runtime environment if none is installed yet: -+ - -[source, console] ----- -$ sudo apt-get install default-jre ----- - -. Install the OpenDJ directory server package: +. Install the OpenDJ directory server package. Use `apt-get install ./.deb` (rather than `dpkg -i`) so the required Java runtime dependency (`default-jre-headless`) is resolved and installed automatically: + [source, console, subs="attributes"] ---- -$ sudo dpkg -i opendj_{opendj-version}-1_all.deb -Selecting previously unselected package opendj. -(Reading database ... 185569 files and directories currently installed.) -Unpacking opendj (from opendj_{opendj-version}-1_all.deb) ... - -Setting up opendj ({opendj-version}) ... - Adding system startup for /etc/init.d/opendj ... - /etc/rc0.d/K20opendj -> ../init.d/opendj - /etc/rc1.d/K20opendj -> ../init.d/opendj - /etc/rc6.d/K20opendj -> ../init.d/opendj - /etc/rc2.d/S20opendj -> ../init.d/opendj - /etc/rc3.d/S20opendj -> ../init.d/opendj - /etc/rc4.d/S20opendj -> ../init.d/opendj - /etc/rc5.d/S20opendj -> ../init.d/opendj - -Processing triggers for ureadahead ... -ureadahead will be reprofiled on next reboot +$ sudo apt-get install ./opendj_{opendj-version}-1_all.deb ---- + -The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`. 
+The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`. ++ +The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024. + -The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636. +To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/default/opendj`. -. Configure OpenDJ directory server by using the command `sudo /opt/opendj/setup`: +. Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service): + [source, console] ---- -$ sudo /opt/opendj/setup --cli +$ sudo -u opendj /opt/opendj/setup --cli ... To see basic server configuration status and configuration you can launch /opt/opendj/bin/status @@ -484,9 +462,9 @@ To see basic server configuration status and configuration you can launch [source, console, subs="attributes"] ---- -$ service opendj status -opendj status: > Running. -$ sudo /opt/opendj/bin/status +$ systemctl is-active opendj +active +$ sudo -u opendj /opt/opendj/bin/status >>>> Specify OpenDJ LDAP connection parameters 
@@ -541,38 +519,28 @@ Password: # ---- -. Before you install OpenDJ, install a Java runtime environment if none is installed yet. -+ -You might need to download an RPM to install the Java runtime environment, and then install the RPM by using the `rpm` command: -+ - -[source, console] ----- -# rpm -ivh jre-*.rpm ----- - -. Install the OpenDJ directory server package: +. Install the OpenDJ directory server package. Use `dnf install ./.rpm` (rather than `rpm -i`) so the required Java runtime dependency (`java-headless >= 11`) is resolved and installed automatically: + [source, console, subs="attributes"] ---- -# rpm -i opendj-{opendj-version}-1.noarch.rpm +# dnf install ./opendj-{opendj-version}-1.noarch.rpm Pre Install - initial install Post Install - initial install - -# ---- + -The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, and adds man pages under `/opt/opendj/share/man`. +The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), and adds man pages under `/opt/opendj/share/man`. + -The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636. +The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024. ++ +To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/sysconfig/opendj`. -. Configure OpenDJ directory server by using the command `/opt/opendj/setup`: +. 
Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service): + [source, console] ---- -# /opt/opendj/setup --cli +# runuser -u opendj -- /opt/opendj/setup --cli ... To see basic server configuration status and configuration you can launch /opt/opendj/bin/status @@ -583,9 +551,9 @@ To see basic server configuration status and configuration you can launch [source, console, subs="attributes"] ---- -# service opendj status -opendj status: > Running. -# /opt/opendj/bin/status +# systemctl is-active opendj +active +# runuser -u opendj -- /opt/opendj/bin/status >>>> Specify OpenDJ LDAP connection parameters @@ -623,14 +591,13 @@ Entries: 2002 Replication: ---- + -By default OpenDJ starts in run levels 2, 3, 4, and 5: +The service is enabled to start at boot: + [source, console] ---- -# chkconfig --list | grep opendj -... -opendj 0:off 1:off 2:on 3:on 4:on 5:on 6:off +# systemctl is-enabled opendj +enabled ---- ==== diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc index 19cc3a3875..65f18bcee5 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc @@ -127,7 +127,7 @@ Stopping Server... $ ---- + -Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files. +Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it. ==== 
@@ -153,7 +153,7 @@ OpenDJ successfully removed. # ---- + -Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files. +Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it. ==== diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc index cf0268dec0..af11988c54 100644 --- a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc +++ b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc @@ -89,7 +89,7 @@ Due to changes to the backup archive format, make sure you stop OpenDJ directory ==== Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"]. -To upgrade to OpenDJ directory server installed from native packages (.deb, .rpm), use the command-line package management tools provided by the system. +To upgrade OpenDJ directory server installed from native packages (.deb, .rpm), install the newer package with the system package manager (`sudo apt-get install ./opendj_{opendj-version}-1_all.deb` or `sudo dnf install ./opendj-{opendj-version}-1.noarch.rpm`). The package stops the running server, runs the `upgrade` tool as the dedicated `opendj` user, migrates file ownership under `/opt/opendj` to that user, and restarts the service (systemd, with a SysV init fallback) if it was running before the upgrade. Back up the installation directory first, as described in xref:#before-you-upgrade["Before You Upgrade"]. [NOTE] ======
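Review bot: in the test-rpm hunk of .github/workflows/build.yml (@@ -521,6 +528,7 @@), the new comment says Java must come from config/java.properties, but the step never asserts it. If the postinstall rewrite of `default.java-home` silently did nothing, setup could still pass through a later fallback in set_opendj_java_bin() and the test would stay green. Before the `runuser -u opendj -- /opt/opendj/setup` call, add a check that the placeholder was replaced, for example `grep -q '^default.java-home=/' /opt/opendj/config/java.properties`.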
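Review bot: in opendj-packages/opendj-deb/pom.xml (@@ -181,6 +181,17 @@), the new data entry installs the env file into /etc/default with mode 644, but nothing visible in the entry marks it as a conffile, while the matching rpm mapping for /etc/sysconfig carries `noreplace`. If the deb entry is a plain file, an upgrade overwrites an admin-edited /etc/default/opendj without prompting, which defeats the purpose of an override file. Mark it as a conffile in the jdeb data set so dpkg preserves local edits, and confirm that purge removes it.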
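Review bot: in the opendj-deb postinst hunk (@@ -35,6 +35,16 @@), the fallback `JH=$(dirname "$(dirname "$(command -v java 2>/dev/null)")" 2>/dev/null)` never yields an empty value when java is missing, because `dirname ""` prints `.`. The `[ -n "$JH" ]` guard therefore always passes, and `[ -x "$JH/bin/java" ]` is evaluated relative to whatever directory the maintainer script runs in. Capture the `command -v java` result in its own variable, skip the fallback when it is empty, and require `$JH` to be an absolute path before the `sed -i` writes it into java.properties.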
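Review bot: in the opendj-rpm postinstall.sh hunk (@@ -28,6 +28,16 @@), the comment promises a stable symlink rather than a version-specific path, but only the first candidate, `/usr/lib/jvm/jre`, guarantees that. The `command -v java` fallback takes whatever java is first on the installing user's PATH, so a PATH entry inside a versioned JDK directory gets pinned into `default.java-home` and breaks on the next JRE upgrade. Either restrict the fallback to the case where it resolves to `/usr/bin/java`, or leave the placeholder untouched when the stable symlink is absent. The `dirname ""` problem noted for the deb postinst applies to this copy as well.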
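Review bot: in the new opendj-packages/resources/env/opendj (@@ -0,0 +1,17 @@), the example `#OPENDJ_JAVA_ARGS=-server -Xmx2g` is valid for systemd's `EnvironmentFile=` parser but not for the SysV init script, which reads the same file with `.`. Once uncommented, the shell treats `OPENDJ_JAVA_ARGS=-server` as a temporary assignment and tries to execute `-Xmx2g` as a command. Ship the example double-quoted, `#OPENDJ_JAVA_ARGS="-server -Xmx2g"`, which both consumers accept, and reword "sourced by the systemd unit" in the header, since systemd parses the file as key=value lines and does not source it.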
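Review bot: in the opendj-packages/resources/sysv/opendj hunk (@@ -59,6 +59,12 @@), `. /etc/default/opendj` and `. /etc/sysconfig/opendj` execute those files as shell code in the init script's own context, before run_as() switches to the service account. That makes their ownership and mode part of the privilege boundary: a file writable by the opendj user would let the service account run commands as whoever invokes the init script. Add a comment stating that the files must stay root-owned and not group- or world-writable, or check that before sourcing. When both files exist, the second silently overrides the first; that deserves a line in the comment too.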
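Review bot: in the set_opendj_java_bin() hunk of _script-util.sh (@@ -63,7 +63,7 @@), the line that consumes the new `command -v java` result, `if test ! -z ${TEST_JAVA_PATH} -a -f ${TEST_JAVA_PATH}`, still expands the variable unquoted. A path containing whitespace splits into extra arguments, and the empty case only works because of how `test` parses its argument count. Since the assignment above it is being touched, quote both expansions and split the condition, for example `if [ -n "${TEST_JAVA_PATH}" ] && [ -f "${TEST_JAVA_PATH}" ]`.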
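Review bot: in the opendj.service hunk of PATCH 3/4 (@@ -23,6 +23,9 @@), the comment above `AmbientCapabilities=CAP_NET_BIND_SERVICE` explains the bind use case but not what `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` does. That line removes every other capability from the service and anything it spawns, including the `ExecStop` command. Say so in the comment so a later change does not drop the line as redundant or get surprised when a helper needs another capability. Since the unit is being hardened anyway, consider `NoNewPrivileges=yes` next to it.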
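Review bot: in the Debian install hunk of chap-install.adoc (@@ -432,48 +432,26 @@), the Java override paragraph names `OPENDJ_JAVA_HOME` and `OPENDJ_JAVA_ARGS` but omits `OPENDJ_JAVA_BIN`, which the shipped env file documents as taking precedence. List all three and state the precedence, so an admin who sets `OPENDJ_JAVA_HOME` while `OPENDJ_JAVA_BIN` is already set knows why nothing changes. The inline command `apt-get install ./.deb` also appears, as shown here, to have lost its file name placeholder.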
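Review bot: in the RPM install hunk of chap-install.adoc (@@ -541,38 +519,28 @@), the sentence "grant the capability another way (for example `authbind` or an `iptables` redirect)" is inaccurate, because neither option grants `CAP_NET_BIND_SERVICE`: one mediates the bind and the other forwards a low port to a high one. Reword it to "allow the bind another way" or similar, and note that with a redirect the server itself must be configured on the high port. The Debian hunk has the same sentence, and the same omission of `OPENDJ_JAVA_BIN` from the override paragraph applies here for /etc/sysconfig/opendj.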