[Pkg-openldap-devel] [openldap] 01/03: Restore heimdal support for smbk5pwd
Ryan Tandy
rtandy-guest at moszumanska.debian.org
Mon Jan 2 21:01:42 UTC 2017
This is an automated email from the git hooks/post-receive script.
rtandy-guest pushed a commit to branch master
in repository openldap.
commit 824b4c1b2ad550cd9126988a5a42ca6eb0ec3d40
Author: Ryan Tandy <ryan at nardis.ca>
Date: Wed Dec 28 15:45:34 2016 -0800
Restore heimdal support for smbk5pwd
---
debian/changelog | 1 +
debian/control | 10 ++--
debian/dh_installscripts-common | 9 +--
debian/patches/series | 1 +
debian/patches/smbk5pwd-makefile | 19 ++++---
debian/patches/smbk5pwd-makefile-manpage | 18 ++++--
debian/rules | 2 +-
debian/slapd-smbk5pwd.lintian-overrides | 3 -
debian/slapd-smbk5pwd.preinst | 44 ---------------
debian/slapd.NEWS | 11 +---
debian/slapd.postinst | 23 --------
debian/slapd.preinst | 12 ----
debian/slapd.scripts-common | 94 --------------------------------
debian/slapd.templates | 15 -----
14 files changed, 36 insertions(+), 226 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 882873c..3767f8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
openldap (2.4.44+dfsg-3) UNRELEASED; urgency=medium
* Apply upstream patch to fix FTBFS on kFreeBSD. (Closes: #845394)
+ * Restore heimdal support to the smbk5pwd overlay.
-- Ryan Tandy <ryan at nardis.ca> Wed, 28 Dec 2016 10:58:31 -0800
diff --git a/debian/control b/debian/control
index 80c591f..a3b235d 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,7 @@ Build-Depends: debhelper (>= 9.20141010),
dh-autoreconf,
dpkg-dev (>= 1.17.14),
groff-base,
+ heimdal-multidev <!stage1>,
libdb5.3-dev <!stage1>,
libgnutls28-dev,
libltdl-dev <!stage1>,
@@ -55,10 +56,11 @@ Priority: extra
Architecture: any
Build-Profiles: <!stage1>
Depends: slapd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
-Description: Keeps Samba passwords in sync within slapd.
- Extends the PasswordModify Extended Operation to update Samba password hashes
- for an LDAP user. The Samba support is written using the Samba 3.0 LDAP
- schema.
+Description: Keeps Samba and Kerberos passwords in sync within slapd.
+ Extends the PasswordModify Extended Operation to update Kerberos keys
+ and Samba password hashes for an LDAP user. The Kerberos support is
+ written for Heimdal using its hdb-ldap backend. The Samba support is
+ written using the Samba 3.0 LDAP schema.
Package: ldap-utils
Section: net
diff --git a/debian/dh_installscripts-common b/debian/dh_installscripts-common
index 7bc561c..9936b4f 100755
--- a/debian/dh_installscripts-common
+++ b/debian/dh_installscripts-common
@@ -5,10 +5,9 @@ use Debian::Debhelper::Dh_Lib;
init();
-my $scriptscommon = $ARGV[0];
-
foreach my $package (@{$dh{DOPACKAGES}}) {
my $tmp=tmpdir($package);
+ my $ext=pkgext($package);
if (! -d "$tmp/DEBIAN") {
next;
@@ -16,10 +15,8 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
foreach my $file (qw{postinst preinst prerm postrm config}) {
my $f="$tmp/DEBIAN/$file";
- if (! -e $f) {
- next;
+ if ($f) {
+ complex_doit("perl -pe 's~#SCRIPTSCOMMON#~qx{cat debian/${ext}scripts-common}~eg' -i $f");
}
- print "changing $f with $scriptscommon\n";
- complex_doit("perl -pe 's~#SCRIPTSCOMMON#~qx{cat $scriptscommon}~eg' -i $f");
}
}
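Review bot: `if ($f)` tests the truth of the path string, which is never empty, so the in-place substitution now runs for every maintainer-script name whether or not the file exists under `$tmp/DEBIAN`; the removed `! -e $f` guard did check existence, and the new test should be `if (-e $f) {`. Separately, `qx{cat debian/${ext}scripts-common}` yields an empty string when that file is missing, so `#SCRIPTSCOMMON#` would be replaced with nothing and the maintainer script would lose its helper functions without the build failing. A check such as `error("missing debian/${ext}scripts-common") unless -e "debian/${ext}scripts-common";` before the inner loop would make that visible. `$f` and `$ext` are also interpolated unquoted into the shell command, which is safe only while package names and the build path contain no shell metacharacters. The enclosing `foreach my $package` loop starts in the previous hunk.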
diff --git a/debian/patches/series b/debian/patches/series
index 68f6fac..723457e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,6 +21,7 @@ fix-build-top-mk
no-AM_INIT_AUTOMAKE
switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
no-bdb-ABI-second-guessing
+heimdal-fix
ITS6035-olcauthzregex-needs-restart.patch
set-maintainer-name
ITS-8554-kFreeBSD-is-like-BSD.patch
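Review bot: `heimdal-fix` is added to the series here, but the diffstat for this commit lists no `debian/patches/heimdal-fix`, so the patch file has to exist in the tree already for the series to apply. If it was removed when Kerberos support was dropped, the build will stop at patch application. It is worth confirming that the file is present and still applies cleanly at this position in the series.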
diff --git a/debian/patches/smbk5pwd-makefile b/debian/patches/smbk5pwd-makefile
index 8342d46..b7a1039 100644
--- a/debian/patches/smbk5pwd-makefile
+++ b/debian/patches/smbk5pwd-makefile
@@ -1,6 +1,6 @@
--- a/contrib/slapd-modules/smbk5pwd/Makefile
+++ b/contrib/slapd-modules/smbk5pwd/Makefile
-@@ -14,34 +14,34 @@
+@@ -14,34 +14,35 @@
LDAP_SRC = ../../..
LDAP_BUILD = $(LDAP_SRC)
@@ -15,20 +15,21 @@
-SSL_LIB = -lcrypto
+SSL_LIB = -lnettle
- HEIMDAL_INC = -I/usr/heimdal/include
- HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
-LIBTOOL = $(LDAP_BUILD)/libtool
+LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
CC = gcc
OPT = -g -O2 -Wall
# Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
--DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
--INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
-LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
-+DEFS = -DDO_SAMBA -DDO_SHADOW
-+INCS = $(LDAP_INC) $(SSL_INC)
-+LIBS = $(LDAP_LIB) $(SSL_LIB)
++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
++LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
PROGRAMS = smbk5pwd.la
LTVER = 0:0:0
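Review bot: `$(shell krb5-config.heimdal ...)` expands to an empty string when the command is missing or fails, so `HEIMDAL_INC` and `HEIMDAL_LIB` can end up empty while `DEFS` still carries `-DDO_KRB5`. The build would then depend on whatever Kerberos headers and libraries sit on the default search path, which is the mix-up the new `#745356` comment is guarding against (inferred; the compile and link rules are outside this hunk). Assigning with `:=` runs the command once instead of on every expansion, and an early guard such as `ifeq ($(strip $(HEIMDAL_LIB)),)` / `$(error krb5-config.heimdal produced no output)` / `endif` turns a silent misbuild into a clear failure.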
@@ -46,7 +47,7 @@
.SUFFIXES: .c .o .lo
-@@ -55,7 +55,7 @@
+@@ -55,7 +56,7 @@
-rpath $(moduledir) -module -o $@ $? $(LIBS)
clean:
diff --git a/debian/patches/smbk5pwd-makefile-manpage b/debian/patches/smbk5pwd-makefile-manpage
index 815bd21..a0ed83b 100644
--- a/debian/patches/smbk5pwd-makefile-manpage
+++ b/debian/patches/smbk5pwd-makefile-manpage
@@ -13,25 +13,27 @@ This patch is derived from the corresponding patch upstreamed in ITS#8205
2 files changed, 192 insertions(+), 1 deletion(-)
create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile
+index 676d914..0042a49 100644
--- a/contrib/slapd-modules/smbk5pwd/Makefile
+++ b/contrib/slapd-modules/smbk5pwd/Makefile
@@ -25,6 +25,7 @@
- HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
+ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+INSTALL = /usr/bin/install
CC = gcc
OPT = -g -O2 -Wall
# Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
-@@ -33,6 +34,7 @@
- LIBS = $(LDAP_LIB) $(SSL_LIB)
+@@ -34,6 +35,7 @@
+ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
PROGRAMS = smbk5pwd.la
+MANPAGES = slapo-smbk5pwd.5
LTVER = 0:0:0
prefix=/usr
-@@ -42,6 +44,8 @@
+@@ -43,6 +45,8 @@
libdir=$(exec_prefix)/lib
libexecdir=$(exec_prefix)/libexec
moduledir = $(libdir)$(ldap_subdir)
@@ -40,7 +42,7 @@ This patch is derived from the corresponding patch upstreamed in ITS#8205
.SUFFIXES: .c .o .lo
-@@ -57,9 +61,17 @@
+@@ -58,9 +62,17 @@
clean:
$(LIBTOOL) --mode=clean rm -f
@@ -59,6 +61,9 @@ This patch is derived from the corresponding patch upstreamed in ITS#8205
+
+FORCE:
+
+diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+new file mode 100644
+index 0000000..431a765
--- /dev/null
+++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
@@ -0,0 +1,179 @@
@@ -241,3 +246,6 @@ This patch is derived from the corresponding patch upstreamed in ITS#8205
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
+
+--
+2.5.0
+
diff --git a/debian/rules b/debian/rules
index b4bd470..3d27741 100755
--- a/debian/rules
+++ b/debian/rules
@@ -194,7 +194,7 @@ endif
ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)
override_dh_installdeb:
dh_installdeb
- perl -w debian/dh_installscripts-common -pslapd -pslapd-smbk5pwd debian/slapd.scripts-common
+ perl -w debian/dh_installscripts-common -p slapd
endif
override_dh_auto_clean:
diff --git a/debian/slapd-smbk5pwd.lintian-overrides b/debian/slapd-smbk5pwd.lintian-overrides
index f0eb036..0bbf541 100644
--- a/debian/slapd-smbk5pwd.lintian-overrides
+++ b/debian/slapd-smbk5pwd.lintian-overrides
@@ -1,5 +1,2 @@
-# The call to adduser is in a functions library inlined at build time.
-# adduser is not actually called from this script.
-slapd-smbk5pwd: maintainer-script-needs-depends-on-adduser preinst
# #204975
slapd-smbk5pwd: package-has-unnecessary-activation-of-ldconfig-trigger
diff --git a/debian/slapd-smbk5pwd.preinst b/debian/slapd-smbk5pwd.preinst
deleted file mode 100644
index eddad8e..0000000
--- a/debian/slapd-smbk5pwd.preinst
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# This will be replaced with debian/slapd.scripts-common which includes
-# various helper functions and $OLD_VERSION and $SLAPD_CONF
-#SCRIPTSCOMMON#
-
-is_krb5_enabled() { # {{{
-# Cannot depend on a working slapcat here. If a new slapd was already
-# unpacked, slap* binaries may be broken until it is configured.
- grep -qri --include='olcOverlay=*smbk5pwd.ldif' \
- '^olcSmbK5PwdEnable:\s\+krb5' "$SLAPD_CONF"
-}
-# }}}
-ensure_krb5_disabled() { # {{{
-# Prevent upgrading smbk5pwd with krb5 still enabled
-# This is to avoid a case where a new smbk5pwd (without krb5 support)
-# has already been unpacked, but slapd.preinst stops the upgrade because
-# manual config changes are needed.
- if [ ! -d "$SLAPD_CONF" ]; then
- # slapd.conf is handled automatically in postinst
- return
- fi
-
- if ! is_krb5_enabled; then
- return
- fi
-
- # A more detailed message is shown from slapd.preinst.
- echo 'smbk5pwd overlay must have krb5 disabled before upgrading' >&2
- exit 1
-}
-# }}}
-
-if [ "$MODE" = upgrade ] && previous_version_older '2.44+dfsg-1~'; then
- ensure_krb5_disabled
-fi
-
-#DEBHELPER#
-
-exit 0
-
-# vim: set sw=8 foldmethod=marker:
diff --git a/debian/slapd.NEWS b/debian/slapd.NEWS
index a8406aa..a3496b9 100644
--- a/debian/slapd.NEWS
+++ b/debian/slapd.NEWS
@@ -5,16 +5,7 @@ openldap (2.4.44+dfsg-1) unstable; urgency=medium
security concerns. Please see <https://bugs.debian.org/795428> for
more information.
- The slapd-smbk5pwd package is no longer built with Kerberos support,
- as the heimdal package is being removed at the request of its
- maintainers. On upgrade, if slapd is using a slapd.conf file, any
- instances of 'smbk5pwd-enable krb5' will be commented out
- automatically. If slapd is using dynamic configuration (cn=config),
- any instances of 'olcSmbK5PwdEnable: krb5' must be disabled manually
- before upgrading. Please see <https://bugs.debian.org/836885> for
- more information.
-
- -- Ryan Tandy <ryan at nardis.ca> Sat, 29 Oct 2016 20:36:03 -0700
+ -- Ryan Tandy <ryan at nardis.ca> Tue, 15 Mar 2016 03:59:27 +0000
openldap (2.4.23-3) unstable; urgency=low
diff --git a/debian/slapd.postinst b/debian/slapd.postinst
index 1927096..cf761fc 100644
--- a/debian/slapd.postinst
+++ b/debian/slapd.postinst
@@ -8,33 +8,12 @@ set -e
# various helper functions and $OLD_VERSION and $SLAPD_CONF
#SCRIPTSCOMMON#
-disable_smbk5pwd_krb5() { # {{{
-# Disable smbk5pwd's Kerberos support in slapd.conf
- if ! read_slapd_conf < "$SLAPD_CONF" | grep -q '^smbk5pwd-enable\s\+krb5'; then
- return 0
- fi
-
- write_slapd_conf "$SLAPD_CONF" 's/^(smbk5pwd-enable\s+krb5)/#$1/i'
- update_slapd_conf_permissions
-
- db_input critical slapd/smbk5pwd_krb5_disabled || true
- db_go
-}
-# }}}
-
postinst_upgrade_cn_config() { # {{{
if previous_version_older '2.4.44+dfsg-1~'; then
upgrade_cnconfig_ppolicy_schema
fi
}
# }}}
-postinst_upgrade_slapd_conf() { # {{{
- if previous_version_older '2.4.44+dfsg-1~'; then
- disable_smbk5pwd_krb5
- fi
-}
-# }}}
-
postinst_initial_configuration() { # {{{
# Configure slapd for the first time (when first installed)
# Usage: postinst_initial_configuration
@@ -60,8 +39,6 @@ postinst_upgrade_configuration() { # {{{
# Complete any config updates before trying to use slapadd
if [ -d "$SLAPD_CONF" ]; then
postinst_upgrade_cn_config
- else
- postinst_upgrade_slapd_conf
fi
# Check if the database format has changed.
diff --git a/debian/slapd.preinst b/debian/slapd.preinst
index 90b2184..b9cc540 100755
--- a/debian/slapd.preinst
+++ b/debian/slapd.preinst
@@ -70,17 +70,6 @@ check_ppolicy_schema() { # {{{
# schema automatically in postinst.
}
# }}}
-ensure_smbk5pwd_krb5_disabled() { # {{{
- local config_ldif="$1"
-
- if grep -q '^olcSmbK5PwdEnable:\s\+krb5' "$config_ldif"; then
- db_fset slapd/must_disable_smbk5pwd_krb5 seen false
- db_input critical slapd/must_disable_smbk5pwd_krb5 || true
- db_go || true
- exit 1
- fi
-}
-# }}}
preinst_check_config() { # {{{
# Check whether manual config changes are required before upgrading
if ! previous_version_older '2.4.44+dfsg-1~'; then
@@ -101,7 +90,6 @@ preinst_check_config() { # {{{
normalize_ldif "$dumped_ldif" > "$config_ldif"
check_ppolicy_schema "$config_ldif"
- ensure_smbk5pwd_krb5_disabled "$config_ldif"
}
# }}}
diff --git a/debian/slapd.scripts-common b/debian/slapd.scripts-common
index 275cada..7160d67 100644
--- a/debian/slapd.scripts-common
+++ b/debian/slapd.scripts-common
@@ -107,20 +107,6 @@ update_databases_permissions() { # {{{
done
}
# }}}
-update_slapd_conf_permissions() { # {{{
- if [ -n "$SLAPD_USER" ] && [ -n "$SLAPD_GROUP" ] ; then
- if perl -e '
- ($o, $m) = (stat $ARGV[0])[4,2];
- exit 1 unless defined $o;
- exit 0 if ($o == 0 && ($m & 040) == 0);
- exit 1;
- ' "$SLAPD_CONF"; then
- chgrp "$SLAPD_GROUP" "$SLAPD_CONF"
- chmod g+r "$SLAPD_CONF"
- fi
- fi
-}
-# }}}
# }}}
# ----- Dumping and loading the data ------------------------------------ {{{
@@ -291,86 +277,6 @@ move_incompatible_databases_away() { # {{{
# For some operations we have to know the slapd configuration. These
# functions are for parsing the slapd configuration file.
-merge_logical_lines() { # {{{
-# slapd supports continuation lines in the slapd.conf. Continuation lines
-# start with spaces and are merged with the preceding line. This function
-# uses perl to merge physical lines into logical lines as seen by the
-# slapd config parser.
-# Usage: merge_logical_lines < input > output
-
- perl -pe 'BEGIN { undef $/ }; s/\n(?!\n)\s+/ /g;'
-}
-
-# }}}
-read_slapd_conf() { # {{{
-# read slapd.conf file and evaluate include statements
-# FIXME: circular loops will cause this to block forever
- merge_logical_lines | while read command data; do
- if [ "$command" = "include" ]; then
- file=`eval echo $data`
- read_slapd_conf < $file
- else
- echo $command $data
- fi
- done
-}
-
-# }}}
-write_slapd_conf() { # {{{
-# Change a configuration setting in a configuration file, follow includes.
-# Usage: write_slapd_conf configuration_file regexpression
-# FIXME: circular loops will cause this to block forever
-
- conf=$1
- reg=$2
-
- # Perl script to change configuration files.
- script='
- use File::Temp;
- use File::Compare;
- use File::Copy;
-
- sub changeConfig {
- my ($conf, $regexp) = @_;
- my ($fh, $name) = mkstemp("/tmp/tmp.XXXXXX");
-
- open(HANDLE, "<". $conf) || return;
- my @data = <HANDLE>;
- close(HANDLE);
-
- foreach $line (@data) {
-
- # Parse includes, but forget the schema files.
- if ($line =~ /^include/ && $line !~ /\/etc\/ldap\/schema\//) {
- my @file = split(/\s+/, $line);
- changeConfig($file[1], $regexp);
- }
-
- # Modify the config with the given regexpression.
- $doit = "\$line =~ $regexp";
- eval $doit;
- print $fh $line;
- }
-
- # Close the tempfile handle opened by mkstemp.
- close($fh);
-
- # If file is changed by the regexp replace the original file.
- if (compare($conf, $name) != 0) {
- move($name, $conf);
- } else {
- unlink($name);
- }
- }
-
- $config = shift;
- $regexp = shift;
- changeConfig($config, $regexp);'
-
- # Use perl to execute the function above.
- perl -e "$script" "$conf" "$reg"
-}
-# }}}
# The following two functions need to support slapd.conf installations
# as long as upgrading from slapd.conf environment is supported.
# They're used to dump database in preinst which may have a slapd.conf file.
diff --git a/debian/slapd.templates b/debian/slapd.templates
index a3c1096..afcbcb1 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -182,18 +182,3 @@ _Description: Manual ppolicy schema update recommended
schema before upgrading slapd. If replication is in use, the schema
update should be applied on every server before continuing with the
upgrade.
-
-Template: slapd/smbk5pwd_krb5_disabled
-Type: error
-_Description: Kerberos support disabled for smbk5pwd overlay
- The smbk5pwd overlay is no longer built with Kerberos support. The
- "smbk5pwd-enable krb5" setting has been automatically disabled in the
- slapd configuration file.
-
-Template: slapd/must_disable_smbk5pwd_krb5
-Type: error
-#flag:translate!:4,6
-_Description: Disable Kerberos in smbk5pwd before upgrading slapd
- The smbk5pwd overlay is no longer built with Kerberos support. The
- "olcSmbK5PwdEnable: krb5" setting must be removed from any instances of
- the smbk5pwd overlay before upgrading slapd.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git