[Pkg-openldap-devel] [openldap] 01/01: Add preinst prompt to update ppolicy schema

Ryan Tandy rtandy-guest at moszumanska.debian.org
Wed Oct 5 04:57:58 UTC 2016



rtandy-guest pushed a commit to branch master
in repository openldap.

commit 8a4e6e982ff05ddb9d45ac36d3bd98fd1c1b0a27
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Tue Oct 4 21:53:59 2016 -0700

    Add preinst prompt to update ppolicy schema
---
 debian/slapd.postinst       | 24 ++++---------
 debian/slapd.preinst        | 84 +++++++++++++++++++++++++++++++++++++++++++++
 debian/slapd.scripts-common | 27 +++++++++++++++
 debian/slapd.templates      | 34 ++++++++++++++++++
 4 files changed, 151 insertions(+), 18 deletions(-)

diff --git a/debian/slapd.postinst b/debian/slapd.postinst
index 361c252..8e6a918 100644
--- a/debian/slapd.postinst
+++ b/debian/slapd.postinst
@@ -70,8 +70,6 @@ upgrade_cnconfig_ppolicy_schema() {						# {{{
 # cn=config database when upgrading to 2.4.43 or later.
 # slapd.conf users get schema updates through the regular conffile 
 # handling.
-# FIXME: changes made with serverid=0 (slapadd without -S) are not 
-# replicated in mirror-mode/MMR.
 	local dumped_ldif working_ldif ppolicy_dn tmp_slapd_d failed
 
 	if ! [ -d "$SLAPD_CONF" ]; then
@@ -92,20 +90,13 @@ upgrade_cnconfig_ppolicy_schema() {						# {{{
 
 	# Create a working copy with lines unwrapped.
 	working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
+	trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT
 	normalize_ldif "$dumped_ldif" > "$working_ldif"
 
-	# Is the ppolicy schema loaded?
-	if ! ppolicy_dn="$(grep '^dn: cn={[0-9]\+}ppolicy,cn=schema,cn=config$' "$working_ldif")"; then
-		rm -f "$working_ldif"
-		return 0
-	fi
-	ppolicy_dn="${ppolicy_dn#dn: }"
-
-	# Has the pwdMaxRecordedFailure attribute already been added?
-	# It might have been replicated from a newer server.
-	if grep -q '^olcAttributeTypes: .*NAME '\''pwdMaxRecordedFailure'\' "$working_ldif"; then
-		rm -f "$working_ldif"
-		return 0
+	# Check whether the schema is loaded and needs an update.
+	ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")"
+	if [ -z "$ppolicy_dn" ]; then
+		return
 	fi
 
 	echo -n "Adding pwdMaxRecordedFailure attribute to ${ppolicy_dn}... " >&2
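Review bot: The early `return` after the `find_old_ppolicy_schema` check no longer removes the working copy right away: an EXIT trap fires when the script exits, not when the function returns, so the normalized dump of cn=config stays in the temp directory for the rest of postinst, and any later `trap ... EXIT` set elsewhere in the script would replace this one and leave the file behind. The replaced code removed the file on both early-return paths. Keeping the explicit cleanup there, `rm -f "$working_ldif"; trap - INT EXIT; return`, restores the old behaviour; failing that, a comment on the trap line noting that cleanup is deferred to script exit would tell the next maintainer this is intentional. upgrade_cnconfig_ppolicy_schema starts before this hunk and continues past it.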
@@ -131,6 +122,7 @@ upgrade_cnconfig_ppolicy_schema() {						# {{{
 
 	# Import the modified config into a temporary location.
 	tmp_slapd_d="$(mktemp -d --tmpdir slapd-XXXXXXXX)"
+	trap "trap - INT EXIT; rm -rf "$tmp_slapd_d" '$working_ldif'" INT EXIT
 	capture_diagnostics slapadd -F "$tmp_slapd_d" -n0 -l "$working_ldif" || failed=1
 	if [ "$failed" ]; then
 		cat >&2 <<-eof
@@ -140,7 +132,6 @@ Updating the slapd configuration failed with the following error
 while running slapadd:
 eof
 		release_diagnostics
-		rm -rf "$tmp_slapd_d" "$working_ldif"
 		exit 1
 	fi
 
@@ -150,9 +141,6 @@ eof
 	mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/"
 
 	echo 'done.' >&2
-
-	# Clean up
-	rm -rf "$tmp_slapd_d" "$working_ldif"
 }
 # }}}
 
diff --git a/debian/slapd.preinst b/debian/slapd.preinst
index af709ee..067cd41 100755
--- a/debian/slapd.preinst
+++ b/debian/slapd.preinst
@@ -8,11 +8,95 @@ set -e
 # various helper functions and $OLD_VERSION and $SLAPD_CONF
 #SCRIPTSCOMMON#
 
+ppolicy_schema_needs_update() {						# {{{
+# Provide an LDIF to add the pwdMaxRecordedFailure attribute to the 
+# ppolicy schema, and recommend the user apply it before continuing with 
+# the slapd upgrade.
+	local update_ldif
+
+	update_ldif="$(mktemp --tmpdir ppolicy-schema-update-XXXXXXXX.ldif)"
+	cat > "$update_ldif" << eof
+dn: $1
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+-
+delete: olcObjectClasses
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
+-
+add: olcObjectClasses
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
+
+eof
+
+	db_subst slapd/ppolicy_schema_needs_update ldif "$update_ldif"
+	db_fset slapd/ppolicy_schema_needs_update seen false
+	db_input critical slapd/ppolicy_schema_needs_update || true
+	db_go || true
+	db_get slapd/ppolicy_schema_needs_update
+	if [ "$RET" = 'abort installation' ]; then
+		db_stop
+		exit 1
+	fi
+}
+# }}}
+
+check_ppolicy_schema() {						# {{{
+# When upgrading to 2.4.43 or later, if the cn=config database contains 
+# an old version of the ppolicy schema, check that it is safe to upgrade 
+# it automatically in postinst, or instruct the user to do so before 
+# upgrading.
+	local dumped_ldif working_ldif ppolicy_dn
+
+	# Only applicable for cn=config.
+	if [ ! -d "$SLAPD_CONF" ]; then
+		return
+	fi
+
+	# Locate the file exported by dump_config.
+	dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
+	if [ ! -f "$dumped_ldif" ]; then
+		echo "Expected to find a configuration backup in $dumped_ldif but it is missing. Please retry the upgrade." >&2
+		exit 1
+	fi
+
+	# Create a working copy with lines unwrapped.
+	working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
+	trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT
+	normalize_ldif "$dumped_ldif" > "$working_ldif"
+
+	# Check whether the schema is loaded and needs an update.
+	ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")"
+	if [ -z "$ppolicy_dn" ]; then
+		return
+	fi
+
+	# If either the config or frontend databases have any overlays 
+	# or syncrepl clients on them, don't assume it's safe to change 
+	# the config offline.
+	# As well, if a content database is a sync provider, we want to 
+	# recommend that the schema be updated on every server before 
+	# going through with the upgrade.
+	if grep -q -e '^dn: olcOverlay=.\+,olcDatabase={-1}frontend,cn=config$' -e '^dn: olcOverlay=.\+,olcDatabase={0}config,cn=config$' "$working_ldif" \
+		|| sed -n '/^dn: olcDatabase={-1}frontend,cn=config$/,// p' "$working_ldif" | grep -q '^olcSyncrepl:' \
+		|| sed -n '/^dn: olcDatabase={0}config,cn=config$/,//p' "$working_ldif" | grep -q '^olcSyncrepl:' \
+		|| grep -q '^dn: olcOverlay={[0-9]\+}syncprov,olcDatabase=.\+,cn=config' "$working_ldif"; then
+		ppolicy_schema_needs_update "$ppolicy_dn"
+	fi
+
+	# If we made it this far, it should be safe to upgrade the 
+	# schema automatically in postinst.
+}
+# }}}
+
 # If we are upgrading from an old version then stop slapd and attempt to
 # slapcat out the data so we can use it in postinst to do the upgrade
 
 if [ "$MODE" = upgrade ]; then
 	dump_config
+	if previous_version_older '2.4.44+dfsg-1~'; then
+		check_ppolicy_schema
+	fi
 	dump_databases
 fi
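Review bot: The two `sed -n '/^dn: olcDatabase={-1}frontend,cn=config$/,// p'` style ranges in check_ppolicy_schema do not stop at the end of the frontend/config entry: an empty end address reuses the start regex, which never matches again, so the range runs to the end of the dump and the `olcSyncrepl:` grep sees every database listed after it. The effect is conservative (consumers on content databases also trigger the prompt), but it is not what the comment above the test says, and it would be surprising to anyone tuning the conditions later. Ending the range at the next entry, `,/^dn: /p'` on both sed lines, makes the check match its description without depending on blank-line separators surviving normalize_ldif. Separately, it appears that with a non-interactive debconf frontend `db_input` is skipped and `db_get` yields the default "abort installation", so an unattended upgrade of a replicated server would exit 1 in ppolicy_schema_needs_update; if that is intended, a comment there saying so would help.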
 
diff --git a/debian/slapd.scripts-common b/debian/slapd.scripts-common
index 1560a5e..7160d67 100644
--- a/debian/slapd.scripts-common
+++ b/debian/slapd.scripts-common
@@ -734,6 +734,33 @@ is_empty_dir() {							# {{{
 
 # }}}
 
+find_old_ppolicy_schema() {						# {{{
+# Helper for the ppolicy schema update in 2.4.43. Checks whether the 
+# exported config includes an old version of the ppolicy schema that 
+# needs the new attribute added. If such a schema is found, echos its DN 
+# to stdout. If the schema is not loaded or is already up-to-date, 
+# returns nothing. The provided LDIF should have its lines unwrapped 
+# already.
+# Usage: ppolicy_dn="$(find_old_ppolicy_schema "$exported_ldif")"
+	local ppolicy_dn
+
+	# Is the ppolicy schema loaded?
+	if ! ppolicy_dn="$(grep '^dn: cn={[0-9]\+}ppolicy,cn=schema,cn=config$' "$1")"; then
+		return
+	fi
+
+	# Has the pwdMaxRecordedFailure attribute already been added?
+	# It might have been replicated from a newer server.
+	if grep -q '^olcAttributeTypes: .*NAME '\''pwdMaxRecordedFailure'\' "$1"; then
+		return
+	fi
+
+	# The schema is loaded and needs to be updated.
+	ppolicy_dn="${ppolicy_dn#dn: }"
+	echo "$ppolicy_dn"
+}
+# }}}
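Review bot: The up-to-date test in find_old_ppolicy_schema only recognizes the `NAME 'pwdMaxRecordedFailure'` spelling; an attribute type using the RFC 4512 list form `NAME ( 'pwdMaxRecordedFailure' ... )` would be reported as still missing, and postinst would then try to add the attribute a second time. A pattern that accepts both forms is `grep -q "^olcAttributeTypes: .*'pwdMaxRecordedFailure'" "$1"`. The header comment also reads "echos" (echoes) and could add that the function always exits 0, including on the two early returns, which matters because the callers in preinst and postinst capture it with `$(...)` under `set -e`.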
+
 # ===== Global variables ================================================ {{{
 #
 # At some points we need to know which version we are upgrading from if
diff --git a/debian/slapd.templates b/debian/slapd.templates
index c102144..050dc4b 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -149,3 +149,37 @@ _Description: Potentially unsafe slapd access control configuration
  are only able to modify specifically allowed attributes.
  .
  See /usr/share/doc/slapd/README.Debian.gz for more details.
+
+Template: slapd/ppolicy_schema_needs_update
+Type: select
+__Choices: abort installation, continue regardless
+DefaultChoice: abort installation
+#flag:comment:2
+# "pwdMaxRecordedFailure" and "cn=config" are not translatable.
+#flag:translate!:4
+#flag:translate!:6
+_Description: Manual ppolicy schema update recommended
+ In the version of slapd about to be installed, the ppolicy overlay
+ requires the new pwdMaxRecordedFailure attribute to be defined in the
+ ppolicy schema. The schema contained in the cn=config database does not
+ currently include this attribute.
+ .
+ You may choose to continue the installation. In this case, the
+ maintainer scripts will add the new attribute automatically during the
+ upgrade. However, the change will not be acted on by slapd overlays,
+ and replication with other servers may be affected.
+ .
+ The ppolicy schema can be updated by applying the changes found in the
+ following LDIF file:
+ .
+ ${ldif}
+ .
+ If slapd is using the default access control rules, after starting
+ slapd, the changes can be applied using the following command:
+ .
+ ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
+ .
+ It is recommended to abort the upgrade now and to update the ppolicy
+ schema before upgrading slapd. If replication is in use, the schema
+ update should be applied on every server before continuing with the
+ upgrade.



