[debian-edu-commits] r82897 - in branches/wheezy/debian-edu-config: debian share/debian-edu-config/tools
pere at alioth.debian.org
pere at alioth.debian.org
Sun Jan 5 13:38:38 UTC 2014
Author: pere
Date: 2014-01-05 13:38:38 +0000 (Sun, 05 Jan 2014)
New Revision: 82897
Modified:
branches/wheezy/debian-edu-config/debian/changelog
branches/wheezy/debian-edu-config/share/debian-edu-config/tools/ldap-migrate-squeeze-wheezy
Log:
Add more details on migration of kerberos passwords. Avoid trying to
migrate OpenLDAP internal attributes that are impossible to set.
Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog 2014-01-05 05:33:27 UTC (rev 82896)
+++ branches/wheezy/debian-edu-config/debian/changelog 2014-01-05 13:38:38 UTC (rev 82897)
@@ -14,6 +14,8 @@
automatically replace sudo with sudo-ldap on Raspbian and others
like it.
* Fix typo in ldap-migrate-squeeze-wheezy and improve error reporting.
+ Add more details on migration of kerberos passwords. Avoid trying to
+ migrate OpenLDAP internal attributes that are impossible to set.
-- Petter Reinholdtsen <pere at debian.org> Wed, 18 Sep 2013 14:35:10 +0200
Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/ldap-migrate-squeeze-wheezy
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/ldap-migrate-squeeze-wheezy 2014-01-05 05:33:27 UTC (rev 82896)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/ldap-migrate-squeeze-wheezy 2014-01-05 13:38:38 UTC (rev 82897)
@@ -18,19 +18,43 @@
# Get a copy of the Squeeze LDAP database
ssh root at squeeze-tjener "service slapd stop"
- ssh root at squeeze-tjener "slapcat" > squeeze-tjener.ldif
+ ssh root at squeeze-tjener "slapcat" > tjener-squeeze.ldif
ssh root at squeeze-tjener "service slapd start"
+ # Fetch Kerberos master key used to encrypt user passwords
+ ssh root at squeeze-tjener "klist -K -k /etc/krb5kdc/stash"
+
# Get a copy of the current Wheezy LDAP database
service slapd stop
- slapcat > wheezy-tjener.ldif
+ slapcat > tjener-wheezy.ldif
service slapd start # Restart local LDAP server
ldap-migrate-squeeze-wheezy # Merge the two databases
ldapadmindn=$(ldapsearch -H ldap://localhost/ -x "(&(cn=admin)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
- ldapmodify -H ldap://localhost/ -ZZ -D "$ldapadmindn" -W -v -x < newtjener-slapadd.ldif # Load the new/changed entries into LDAP
+ ldapmodify -H ldap://localhost/ -ZZ -D "$ldapadmindn" -W -v -x < tjener-wheezy-ldapmodify.ldif # Load the new/changed entries into LDAP
+ # List current key with KNVO 1
+ klist -K -k /etc/krb5kdc/stash
+
+ # Add old Kerberos master key used to encrypt user passwords as KNVO 2
+ kdb5_util add_mkey
+
+ # Add new Kerberos master key to get a KNVO number higher than the old key
+ kdb5_util add_mkey
+
+ # Activate key with KNVO 3
+ kdb5_util use_mkey 3
+
+ # Migrate all users to KNVO 3
+ kdb5_util update_princ_encryption
+
+ # Store key with KNVO 3 in /etc/krb5kdc/stash
+ kdb5_util stash
+
+ # Remove now obsolete keys with KNVO 1 and 2
+ kdb5_util purge_mkeys -v
+
# Copy home directories from old to new main-server
rsync -av root at squeeze-tjener:/skole/tjener/home0/. /skole/tjener/home0/.
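Review bot: The six new comments in the Kerberos steps write the key version number as `KNVO`; the Kerberos term (and the unit the `kdb5_util use_mkey 3` argument is expressed in) is kvno, so `# Activate key with KNVO 3` should read `# Activate key with kvno 3`, and likewise for the other five comments. The `klist -K -k /etc/krb5kdc/stash` step prints the old master key value into the ssh session, but the procedure never says how that value reaches `kdb5_util add_mkey`, which as far as I recall prompts for a master password rather than accepting raw key bytes; a sentence stating what to enter at that prompt would make the migration reproducible. Because the printed value is the key protecting every principal's long-term keys, the comment should also remind the operator that it now sits in terminal scrollback and shell output and should be cleared once the migration is finished.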
@@ -51,9 +75,9 @@
getopts("d", \%opts) || usage(1);
$debug = 1 if $opts{d};
-my $oldldiffile = "squeeze-tjener.ldif";
-my $curldiffile = "wheezy-tjener.ldif";
-my $newldiffile = "newtjener-slapadd.ldif";
+my $oldldiffile = "tjener-squeeze.ldif";
+my $curldiffile = "tjener-wheezy.ldif";
+my $newldiffile = "tjener-wheezy-ldapmodify.ldif";
my $oldldif = Net::LDAP::LDIF->new( $oldldiffile, "r", onerror => 'undef' );
unless ($oldldif) { warn "unable to read $oldldiffile"; usage(1); }
@@ -97,6 +121,7 @@
&& ! exists $cls{'gosaUserTemplate'}) {
my $uid = $entry->get_value('uid');
if (!exists ($curuser{$uid})) {
+ $entry = trim_internal_attributes_from_entry($entry);
$newldif->write_entry($entry);
}
} elsif (exists $cls{'posixGroup'} ) {
@@ -131,6 +156,7 @@
}
} else {
# Missing entry, just add it
+ $entry = trim_internal_attributes_from_entry($entry);
$newldif->write_entry($entry);
}
}
@@ -141,3 +167,18 @@
$newldif->done();
$curldif->done();
$oldldif->done();
+
+sub trim_internal_attributes_from_entry {
+ my ($entry) = @_;
+
+ # Drop these attributes from all new LDAP objects. They are not
+ # user settable in OpenLDAP.
+ my @dropattr = qw(creatorsName entryUUID structuralObjectClass
+ createTimestamp entryCSN modifiersName
+ modifyTimestamp);
+
+ for my $attr (@dropattr) {
+ $entry->delete( $attr => []);
+ }
+ return $entry;
+}
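Review bot: `trim_internal_attributes_from_entry` mutates the passed entry in place via `$entry->delete` and then returns the same reference, so the `$entry = ...` reassignments at the two call sites (hunks at lines 85 and 93) suggest a copy that is never made; either document this with `# Modifies $entry in place; the return value is the same reference, for call-site convenience.` or drop the return and call it for effect. The loop can also be a single call, `$entry->delete(map { $_ => [] } @dropattr);`, since Net::LDAP::Entry's delete accepts several attribute/value pairs at once. slapcat additionally emits contextCSN on the database suffix entry, so if that entry can reach write_entry the list probably needs it as well; worth confirming against a real dump before relying on ldapmodify to reject it.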