[Pkg-openldap-devel] [openldap] 02/02: Handle upgrading the ppolicy schema

Ryan Tandy rtandy-guest at moszumanska.debian.org
Mon Jun 27 03:49:33 UTC 2016



rtandy-guest pushed a commit to branch master
in repository openldap.

commit 2c335e5d5482735a575116c01479e7f83723ce55
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Sun Apr 10 12:25:45 2016 -0700

    Handle upgrading the ppolicy schema
---
 debian/changelog            |  5 +--
 debian/slapd.postinst       | 94 +++++++++++++++++++++++++++++++++++++++++++++
 debian/slapd.preinst        |  1 +
 debian/slapd.scripts-common | 18 +++++++++
 4 files changed, 115 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 46dc1f9..dda3812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,5 @@
 openldap (2.4.44+dfsg-1) UNRELEASED; urgency=medium
 
-  * !!! DO NOT UPLOAD this until updating the ppolicy schema on upgrade is 
-    dealt with, otherwise ppolicy users will be broken!
-
   [ Ryan Tandy ]
   * New upstream release.
     - Fixed ppolicy not unlocking policy entry after initialization failure 
@@ -27,6 +24,8 @@ openldap (2.4.44+dfsg-1) UNRELEASED; urgency=medium
   * Override Lintian errors about schema files derived from RFC documents. 
     Copyrightable content has been removed from these files; however, the 
     copyright notices have been retained to preserve attribution.
+  * On upgrade, if the cn=config database contains the ppolicy schema, add the 
+    new pwdMaxRecordedFailure attribute to it.
 
   [ Helmut Grohne ]
   * Fix policy 8.2 violation (Closes: #330695)
diff --git a/debian/slapd.postinst b/debian/slapd.postinst
index 85c87a0..361c252 100644
--- a/debian/slapd.postinst
+++ b/debian/slapd.postinst
@@ -30,6 +30,9 @@ postinst_upgrade_configuration() {					# {{{
 	backup_config_once
 	echo done. >&2
 
+	# Add new required attribute to the ppolicy schema.
+	upgrade_cnconfig_ppolicy_schema
+
 	# Check if the database format has changed.
 	if database_format_changed; then
 
@@ -62,6 +65,97 @@ olcAccess: {2}to dn.base="cn=Subschema" by * read' "${SLAPD_CONF}/cn=config/olcD
 
 # }}}
 
+upgrade_cnconfig_ppolicy_schema() {						# {{{
+# Add a new required attribute to the ppolicy schema embedded in the 
+# cn=config database when upgrading to 2.4.43 or later.
+# slapd.conf users get schema updates through the regular conffile 
+# handling.
+# FIXME: changes made with serverid=0 (slapadd without -S) are not 
+# replicated in mirror-mode/MMR.
+	local dumped_ldif working_ldif ppolicy_dn tmp_slapd_d failed
+
+	if ! [ -d "$SLAPD_CONF" ]; then
+		return 0
+	fi
+
+	if ! previous_version_older '2.4.44+dfsg-1~'; then
+		return 0
+	fi
+
+	# The config should have been dumped in preinst.
+	# If not, hope for the best.
+	dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
+	if ! [ -f "$dumped_ldif" ]; then
+		echo "Saved configuration not found at $dumped_ldif. Skipping configuration updates." >&2
+		return 0
+	fi
+
+	# Create a working copy with lines unwrapped.
+	working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
+	normalize_ldif "$dumped_ldif" > "$working_ldif"
+
+	# Is the ppolicy schema loaded?
+	if ! ppolicy_dn="$(grep '^dn: cn={[0-9]\+}ppolicy,cn=schema,cn=config$' "$working_ldif")"; then
+		rm -f "$working_ldif"
+		return 0
+	fi
+	ppolicy_dn="${ppolicy_dn#dn: }"
+
+	# Has the pwdMaxRecordedFailure attribute already been added?
+	# It might have been replicated from a newer server.
+	if grep -q '^olcAttributeTypes: .*NAME '\''pwdMaxRecordedFailure'\' "$working_ldif"; then
+		rm -f "$working_ldif"
+		return 0
+	fi
+
+	echo -n "Adding pwdMaxRecordedFailure attribute to ${ppolicy_dn}... " >&2
+
+	# Add the pwdMaxRecordedFailure attribute to the ppolicy schema.
+	# Let slapadd update modifiersName and modifyTimestamp so these 
+	# reflect reality, and entryCSN so replication is aware of the change.
+	perl -i -ne '
+		BEGIN { my $nextidx; }
+		if (/^dn: cn=\{\d+\}ppolicy,cn=schema,cn=config/ .. /^$/) {
+			if (/^entryCSN:/ or /^modifiersName:/ or /^modifyTimestamp:/) {
+				next;
+			} elsif (/^olcAttributeTypes: \{(\d+)\}/) {
+				$nextidx = $1 + 1;
+			} elsif (/^olcObjectClasses: .*NAME '\''pwdPolicy'\''/) {
+				s/MAY \( ([^)]+) \)/MAY ( $1 \$ pwdMaxRecordedFailure )/;
+			} elsif (/^$/) {
+				print "olcAttributeTypes: {$nextidx}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME '\''pwdMaxRecordedFailure'\'' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n";
+			}
+		}
+		print;
+	' "$working_ldif"
+
+	# Import the modified config into a temporary location.
+	tmp_slapd_d="$(mktemp -d --tmpdir slapd-XXXXXXXX)"
+	capture_diagnostics slapadd -F "$tmp_slapd_d" -n0 -l "$working_ldif" || failed=1
+	if [ "$failed" ]; then
+		cat >&2 <<-eof
+failed.
+
+Updating the slapd configuration failed with the following error
+while running slapadd:
+eof
+		release_diagnostics
+		rm -rf "$tmp_slapd_d" "$working_ldif"
+		exit 1
+	fi
+
+	# Replace the old config with the updated one.
+	# The current config has already been backed up earlier.
+	rm -r "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config"
+	mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/"
+
+	echo 'done.' >&2
+
+	# Clean up
+	rm -rf "$tmp_slapd_d" "$working_ldif"
+}
+# }}}
+
 # Create a new user.  Don't create the user, however, if the local
 # administrator has already customized slapd to run as a different user.
 if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then
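Review bot: The `rm -r` of the live `cn=config.ldif` and `cn=config` runs before the `mv` that brings the replacement in, so if that `mv` fails (the temporary directory comes from `mktemp -d --tmpdir`, which is often on a different filesystem from `$SLAPD_CONF`, turning the move into a copy that can fail part-way) slapd.d is left without a configuration and only the earlier backup remains. Keeping the old files until the move has returned 0 — for example moving them aside into `$tmp_slapd_d` first and putting them back if the second `mv` fails — would close that window. The replacement files are also created by slapadd as root inside the temporary directory; unless a later step of postinst resets ownership of `$SLAPD_CONF` (not visible in this hunk), slapd running as its own user may lose write access to its config after the move. Separately, `BEGIN { my $nextidx; }` declares a lexical that goes out of scope at the closing brace, so the `$nextidx` assigned and printed in the loop body is an undeclared package global; since the script does not use strict this works, but dropping the BEGIN line states what is actually happening.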
diff --git a/debian/slapd.preinst b/debian/slapd.preinst
index f573631..af709ee 100755
--- a/debian/slapd.preinst
+++ b/debian/slapd.preinst
@@ -12,6 +12,7 @@ set -e
 # slapcat out the data so we can use it in postinst to do the upgrade
 
 if [ "$MODE" = upgrade ]; then
+	dump_config
 	dump_databases
 fi
 
diff --git a/debian/slapd.scripts-common b/debian/slapd.scripts-common
index f673ab1..1560a5e 100644
--- a/debian/slapd.scripts-common
+++ b/debian/slapd.scripts-common
@@ -155,6 +155,19 @@ olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 }
 
 # }}}
+dump_config() {								# {{{
+# Dump the cn=config database to the backup directory.
+# This is not the same as backup_config_once, which copies the slapd.d 
+# directory verbatim.
+	local dir
+
+	[ -d "$SLAPD_CONF" ] || return 0
+
+	dir="$(database_dumping_destdir)"
+	echo "Saving current slapd configuration to $dir..." >&2
+	slapcat -F "$SLAPD_CONF" -n0 -l "$dir/cn=config.ldif"
+}
+# }}}
 dump_databases() {							# {{{
 # If the user wants us to dump the databases they are dumped to the 
 # configured directory.
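Review bot: The dump written by `slapcat -F "$SLAPD_CONF" -n0 -l "$dir/cn=config.ldif"` contains the whole cn=config database, including any `olcRootPW` value and any `credentials=` inside `olcSyncrepl` values, and its mode is whatever slapcat derives from the current umask; unless `database_dumping_destdir` already returns a root-only directory (not visible here), create the file restrictively, e.g. `( umask 077; slapcat -F "$SLAPD_CONF" -n0 -l "$dir/cn=config.ldif" )`. The slapcat exit status is not examined in the function itself; in a caller running under `set -e`, as the preinst hunk does, a failure aborts the upgrade, whereas the postinst side skips the schema update when the dump is absent, and that split is worth a comment: `# A failed slapcat aborts the upgrade under set -e; postinst skips the schema update if the dump is missing.`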
@@ -577,6 +590,11 @@ backup_config_once() {							# {{{
 }
 
 # }}}
+normalize_ldif() {							# {{{
+# Unwrap LDIF lines and strip comments.
+	perl -00 -pe 's/\n[ \t]//g; s/^#.*\n//mg' "$@"
+}
+# }}}
 
 
 set_defaults_for_unseen_entries() {					# {{{
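Review bot: The comment on `normalize_ldif` does not say why the unwrap precedes the comment strip or what `-00` buys: with paragraph mode each entry is one record, `s/\n[ \t]//g` joins continuation lines within it first, and a wrapped comment is then removed whole by `s/^#.*\n//mg`. Suggest expanding the comment to `# Unwrap LDIF continuation lines (paragraph mode: one entry per record), then strip comment lines; unwrapping first so a wrapped comment is removed whole.` It would also help to note that callers rely on the one-attribute-per-line output for their `grep` and line-oriented perl edits.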



