[Pkg-openldap-devel] [openldap] 02/02: Prevent upgrading with smbk5pwd+krb5 enabled in cn=config

Ryan Tandy rtandy-guest at moszumanska.debian.org
Fri Nov 11 05:02:48 UTC 2016



rtandy-guest pushed a commit to branch master
in repository openldap.

commit 2db9a0c244f9467b58de917ac6e6647b2e863240
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Thu Nov 10 20:45:32 2016 -0800

    Prevent upgrading with smbk5pwd+krb5 enabled in cn=config
---
 debian/changelog              |  3 +-
 debian/slapd-smbk5pwd.preinst | 45 ++++++++++++++++++++++++++++
 debian/slapd.NEWS             |  6 ++--
 debian/slapd.preinst          | 68 ++++++++++++++++++++++++++-----------------
 debian/slapd.templates        |  8 +++++
 5 files changed, 101 insertions(+), 29 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ce5c6e6..56f4064 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -32,7 +32,8 @@ openldap (2.4.44+dfsg-1) UNRELEASED; urgency=medium
   * Build smbk5pwd without Kerberos support and drop the build-dependency on 
     heimdal. (Closes: #836885)
   * On upgrade, comment the krb5 setting on any instances of the smbk5pwd 
-    overlay in slapd.conf.
+    overlay in slapd.conf. Require cn=config users to disable krb5 manually 
+    before upgrading.
 
   [ Helmut Grohne ]
   * Fix policy 8.2 violation (Closes: #330695)
diff --git a/debian/slapd-smbk5pwd.preinst b/debian/slapd-smbk5pwd.preinst
new file mode 100644
index 0000000..ef22232
--- /dev/null
+++ b/debian/slapd-smbk5pwd.preinst
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+# This will be replaced with debian/slapd.scripts-common which includes
+# various helper functions and $OLD_VERSION and $SLAPD_CONF
+#SCRIPTSCOMMON#
+
+is_krb5_enabled() {							# {{{
+# Cannot depend on a working slapcat here. If a new slapd was already 
+# unpacked, slap* binaries may be broken until it is configured.
+	find "$SLAPD_CONF" \
+		-type f -iname 'olcOverlay={*}smbk5pwd.ldif' \
+		-exec grep -qi '^olcSmbK5PwdEnable:\s\+krb5' {} \+
+}
+# }}}
+ensure_krb5_disabled() {						# {{{
+# Prevent upgrading smbk5pwd with krb5 still enabled
+# This is to avoid a case where a new smbk5pwd (without krb5 support) 
+# has already been unpacked, but slapd.preinst stops the upgrade because 
+# manual config changes are needed.
+	if [ ! -d "$SLAPD_CONF" ]; then
+		# slapd.conf is handled automatically in postinst
+		return
+	fi
+
+	if ! is_krb5_enabled; then
+		return
+	fi
+
+	# A more detailed message is shown from slapd.preinst.
+	echo 'smbk5pwd overlay must have krb5 disabled before upgrading' >&2
+	exit 1
+}
+# }}}
+
+if [ "$MODE" = upgrade ] && previous_version_older '2.44+dfsg-1~'; then
+	ensure_krb5_disabled
+fi
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set sw=8 foldmethod=marker:
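Review bot: `is_krb5_enabled` reports krb5 as enabled when no smbk5pwd overlay file exists at all: with the `-exec … {} \+` form, find runs no grep when nothing matched and exits 0, so `! is_krb5_enabled` is false and `ensure_krb5_disabled` exits 1, blocking the upgrade for any cn=config host that has slapd-smbk5pwd installed but no smbk5pwd overlay configured. Make the status depend on an actual match by listing matching files and testing for output, e.g. `find "$SLAPD_CONF" -type f -iname 'olcOverlay={*}smbk5pwd.ldif' -exec grep -li '^olcSmbK5PwdEnable:\s\+krb5' {} + | grep -q .`. Separately, the guard `previous_version_older '2.44+dfsg-1~'` looks like a typo for `'2.4.44+dfsg-1~'`, the string slapd.preinst uses; if previous_version_older is a dpkg version comparison, 2.44 sorts after 2.4.44, so this check would keep running on every later upgrade instead of only on the crossing into this release. `\s` and `\+` are GNU grep extensions, fine on Debian but worth a short comment.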
diff --git a/debian/slapd.NEWS b/debian/slapd.NEWS
index d73c567..a8406aa 100644
--- a/debian/slapd.NEWS
+++ b/debian/slapd.NEWS
@@ -9,8 +9,10 @@ openldap (2.4.44+dfsg-1) unstable; urgency=medium
    as the heimdal package is being removed at the request of its
    maintainers. On upgrade, if slapd is using a slapd.conf file, any
    instances of 'smbk5pwd-enable krb5' will be commented out
-   automatically. Please see <https://bugs.debian.org/836885> for more
-   information.
+   automatically. If slapd is using dynamic configuration (cn=config),
+   any instances of 'olcSmbK5PwdEnable: krb5' must be disabled manually
+   before upgrading. Please see <https://bugs.debian.org/836885> for
+   more information.
 
  -- Ryan Tandy <ryan at nardis.ca>  Sat, 29 Oct 2016 20:36:03 -0700
 
diff --git a/debian/slapd.preinst b/debian/slapd.preinst
index 067cd41..90b2184 100755
--- a/debian/slapd.preinst
+++ b/debian/slapd.preinst
@@ -40,33 +40,15 @@ eof
 	fi
 }
 # }}}
-
 check_ppolicy_schema() {						# {{{
 # When upgrading to 2.4.43 or later, if the cn=config database contains 
 # an old version of the ppolicy schema, check that it is safe to upgrade 
 # it automatically in postinst, or instruct the user to do so before 
 # upgrading.
-	local dumped_ldif working_ldif ppolicy_dn
-
-	# Only applicable for cn=config.
-	if [ ! -d "$SLAPD_CONF" ]; then
-		return
-	fi
-
-	# Locate the file exported by dump_config.
-	dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
-	if [ ! -f "$dumped_ldif" ]; then
-		echo "Expected to find a configuration backup in $dumped_ldif but it is missing. Please retry the upgrade." >&2
-		exit 1
-	fi
-
-	# Create a working copy with lines unwrapped.
-	working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
-	trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT
-	normalize_ldif "$dumped_ldif" > "$working_ldif"
+	local config_ldif="$1"
 
 	# Check whether the schema is loaded and needs an update.
-	ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")"
+	local ppolicy_dn="$(find_old_ppolicy_schema "$config_ldif")"
 	if [ -z "$ppolicy_dn" ]; then
 		return
 	fi
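Review bot: `local ppolicy_dn="$(find_old_ppolicy_schema "$config_ldif")"` masks the helper's exit status: `local` returns 0 regardless of the command substitution, so under `set -e` a failing find_old_ppolicy_schema no longer aborts the preinst the way the removed non-`local` assignment did; it just yields an empty ppolicy_dn and the schema check is silently skipped. Declare and assign separately, `local ppolicy_dn` then `ppolicy_dn="$(find_old_ppolicy_schema "$config_ldif")"`, which keeps the early return on an empty result while restoring the abort on failure. If find_old_ppolicy_schema deliberately exits non-zero when no old schema is present, say so in a comment, because the split would then abort every upgrade. check_ppolicy_schema continues past this hunk.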
@@ -77,10 +59,10 @@ check_ppolicy_schema() {						# {{{
 	# As well, if a content database is a sync provider, we want to 
 	# recommend that the schema be updated on every server before 
 	# going through with the upgrade.
-	if grep -q -e '^dn: olcOverlay=.\+,olcDatabase={-1}frontend,cn=config$' -e '^dn: olcOverlay=.\+,olcDatabase={0}config,cn=config$' "$working_ldif" \
-		|| sed -n '/^dn: olcDatabase={-1}frontend,cn=config$/,// p' "$working_ldif" | grep -q '^olcSyncrepl:' \
-		|| sed -n '/^dn: olcDatabase={0}config,cn=config$/,//p' "$working_ldif" | grep -q '^olcSyncrepl:' \
-		|| grep -q '^dn: olcOverlay={[0-9]\+}syncprov,olcDatabase=.\+,cn=config' "$working_ldif"; then
+	if grep -q -e '^dn: olcOverlay=.\+,olcDatabase={-1}frontend,cn=config$' -e '^dn: olcOverlay=.\+,olcDatabase={0}config,cn=config$' "$config_ldif" \
+		|| sed -n '/^dn: olcDatabase={-1}frontend,cn=config$/,// p' "$config_ldif" | grep -q '^olcSyncrepl:' \
+		|| sed -n '/^dn: olcDatabase={0}config,cn=config$/,//p' "$config_ldif" | grep -q '^olcSyncrepl:' \
+		|| grep -q '^dn: olcOverlay={[0-9]\+}syncprov,olcDatabase=.\+,cn=config' "$config_ldif"; then
 		ppolicy_schema_needs_update "$ppolicy_dn"
 	fi
 
@@ -88,14 +70,48 @@ check_ppolicy_schema() {						# {{{
 	# schema automatically in postinst.
 }
 # }}}
+ensure_smbk5pwd_krb5_disabled() {					# {{{
+	local config_ldif="$1"
+
+	if grep -q '^olcSmbK5PwdEnable:\s\+krb5' "$config_ldif"; then
+		db_fset slapd/must_disable_smbk5pwd_krb5 seen false
+		db_input critical slapd/must_disable_smbk5pwd_krb5 || true
+		db_go || true
+		exit 1
+	fi
+}
+# }}}
+preinst_check_config() {						# {{{
+# Check whether manual config changes are required before upgrading
+	if ! previous_version_older '2.4.44+dfsg-1~'; then
+		# no pre-checks required
+		return 0
+	fi
+
+	# Locate the file exported by dump_config.
+	local dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
+	if [ ! -f "$dumped_ldif" ]; then
+		echo "Expected to find a configuration backup in $dumped_ldif but it is missing. Please retry the upgrade." >&2
+		exit 1
+	fi
+
+	# Create a working copy with lines unwrapped.
+	local config_ldif="$(mktemp --tmpdir slapd.XXXXXXXX.ldif)"
+	trap "trap - INT EXIT; rm -f '$config_ldif'" INT EXIT
+	normalize_ldif "$dumped_ldif" > "$config_ldif"
+
+	check_ppolicy_schema "$config_ldif"
+	ensure_smbk5pwd_krb5_disabled "$config_ldif"
+}
+# }}}
 
 # If we are upgrading from an old version then stop slapd and attempt to
 # slapcat out the data so we can use it in postinst to do the upgrade
 
 if [ "$MODE" = upgrade ]; then
 	dump_config
-	if previous_version_older '2.4.44+dfsg-1~'; then
-		check_ppolicy_schema
+	if [ -d "$SLAPD_CONF" ]; then
+		preinst_check_config
 	fi
 	dump_databases
 fi
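Review bot: In preinst_check_config, `local dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"` and `local config_ldif="$(mktemp --tmpdir slapd.XXXXXXXX.ldif)"` hide the command's exit status behind `local`, so `set -e` no longer stops on a failed mktemp or database_dumping_destdir as the removed non-`local` lines did; a failed mktemp leaves config_ldif empty, installs a `rm -f ''` trap, and the script only dies later on the `normalize_ldif "$dumped_ldif" > ""` redirection with an unhelpful message. Declare and assign separately: `local dumped_ldif config_ldif`, `dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"`, `config_ldif="$(mktemp --tmpdir slapd.XXXXXXXX.ldif)"`. The working copy holds the full cn=config dump, which can include olcRootPW and olcSyncrepl credentials; mktemp's private mode and the EXIT trap cover that, and a one-line comment such as `# holds credentials from cn=config; mktemp creates it 0600 and the trap removes it` would make that intent explicit. The grep in ensure_smbk5pwd_krb5_disabled is case-sensitive while the equivalent one in slapd-smbk5pwd.preinst uses `-i`; slapcat output is presumably canonically cased, but aligning the two avoids one package's check passing where the other's fails.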
diff --git a/debian/slapd.templates b/debian/slapd.templates
index f58eb6d..a3c1096 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -189,3 +189,11 @@ _Description: Kerberos support disabled for smbk5pwd overlay
  The smbk5pwd overlay is no longer built with Kerberos support. The
  "smbk5pwd-enable krb5" setting has been automatically disabled in the
  slapd configuration file.
+
+Template: slapd/must_disable_smbk5pwd_krb5
+Type: error
+#flag:translate!:4,6
+_Description: Disable Kerberos in smbk5pwd before upgrading slapd
+ The smbk5pwd overlay is no longer built with Kerberos support. The
+ "olcSmbK5PwdEnable: krb5" setting must be removed from any instances of
+ the smbk5pwd overlay before upgrading slapd.
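Review bot: `#flag:translate!:4,6` on the new slapd/must_disable_smbk5pwd_krb5 template refers to Description paragraphs 4 and 6, if I read po-debconf's numbering correctly, but the description that follows is a single paragraph, so the flag appears to be carried over from a multi-paragraph template and has no effect here. Either drop it or, if `"olcSmbK5PwdEnable: krb5"` is meant to stay untranslated, put the literal in its own paragraph and reference that paragraph number.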
