[Pkg-openldap-devel] new debconf template for openldap

Justin B Rye justin.byam.rye at gmail.com
Sat Jan 7 22:10:16 UTC 2017


Ryan Tandy wrote:
> Dear debian-l10n-english,
>
> I would like to ask for your review of a new debconf template for slapd.

Glad to - it's been really quiet around here.
 
> Some background information: If slapd's configuration is not replicated to
> or from any other server, and has no overlays (plugins) applied to it, we
> can upgrade the schema automatically. However, if those conditions are not
> met (replicating the config database is uncommon but definitely supported),
> then it is not safe to perform the change offline: it has to be done by the
> admin *before* removing or replacing the old binaries.
> 
> What we do here is generate an LDIF file containing the necessary changeset,
> and show the admin how to apply it.
> 
> "Replication with other servers may be affected" is intentionally vague:
> depending on the specific configuration, this specific change might not be
> replicated, replication in general might get stuck and never sync again, or
> everything might just work.
> 
> Lintian complains about this template being too long, so I'd welcome
> suggestions for how to reduce it, as well as any other feedback.
> 
> Template: slapd/ppolicy_schema_needs_update
> Type: select
> __Choices: abort installation, continue regardless
> DefaultChoice: abort installation
> #flag:comment:2
> # "ppolicy", "pwdMaxRecordedFailure", and "cn=config" are not translatable.
> #flag:translate!:5,7
> _Description: Manual ppolicy schema update recommended

Ppolicy looks so much like a typo, but okay, it's the name of the
Password-Policy module.  Probably the first time the term occurs in
the long description it needs to be expanded.

> In the version of slapd about to be installed, the ppolicy overlay
> requires the new pwdMaxRecordedFailure attribute to be defined in the
> ppolicy schema. The schema contained in the cn=config database does not
> currently include this attribute.

Expanding "ppolicy" and crushing everything else:

  In the new version of slapd, the Password Policy (ppolicy) overlay schema
  requires a defined pwdMaxRecordedFailure attribute, which is not present
  in the schema contained in the cn=config database.

(Or would just "the schema currently in use" be okay?)

> .
> You may choose to continue the installation. In this case, the
> maintainer scripts will add the new attribute automatically during the
> upgrade. However, the change will not be acted on by slapd overlays,
> and replication with other servers may be affected.

  If you choose to continue the installation, the new attribute will be
  added automatically, but the change will not be acted on by slapd overlays,
  and replication with other servers may be affected.

> .
> The ppolicy schema can be updated by applying the changes found in the
> following LDIF file:
> .
> ${ldif}
> .
> If slapd is using the default access control rules, after starting
> slapd, the changes can be applied using the following command:
> .
> ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}

Maybe you could crush that down to

  An LDIF file has been generated containing the required changes:
   ${ldif}
  so if slapd is using the default access control rules, these changes can be
  applied (after starting slapd) by using the command:
   ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}

But it's a bit ugly, and might require extra "untranslatable" flags...
Another possibility is that maybe you could make it just:

  An LDIF file has been generated under '/tmp/wherever/it/goes'
  containing the required changes, so if slapd is using the default access
  control rules, these changes can be applied (after starting slapd) by
  using the command:
   ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}

(Crushing the quoted command rather than the English text might also
be kinder to translators, but I've mostly avoided it in my patch.)

> .
> It is recommended to abort the upgrade now and to update the ppolicy
> schema before upgrading slapd. If replication is in use, the schema
> update should be applied on every server before continuing with the
> upgrade.

Perhaps this could be fewer paragraphs if you handled them in the
other order:

 _Description: Manual ppolicy schema update recommended
  In the new version of slapd, the Password Policy (ppolicy) overlay schema
  requires a defined pwdMaxRecordedFailure attribute, which is not present
  in the schema currently in use. It is recommended to abort the upgrade now,
  and to update the ppolicy schema before upgrading slapd. If replication is
  in use, the schema update should be applied on every server before
  continuing with the upgrade.
  .
  An LDIF file has been generated with the changes required for the upgrade:
  .
  ${ldif}
  .
  so if slapd is using the default access control rules, these changes can be
  applied (after starting slapd) by using the command:
  .
  ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
  .
  If instead you choose to continue the installation, the new attribute will
  be added automatically, but the change will not be acted on by slapd
  overlays, and replication with other servers may be affected.

Fingers crossed that that's short enough for Lintian; if necessary
perhaps you could drop the first paragraph break.
 
> The full templates file can be found in the git repository: https://anonscm.debian.org/git/pkg-openldap/openldap.git/tree/debian/slapd.templates

Oh, I used apt-get source - hope the attached patch is useful.
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
-------------- next part --------------
Attachment: slapd.templates.patch (text/x-diff, 2392 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20170107/a37b8aed/attachment.patch>
-------------- next part --------------
Template: slapd/no_configuration
Type: boolean
Default: false
_Description: Omit OpenLDAP server configuration?
 If you enable this option, no initial configuration or database will be
 created for you.

Template: slapd/dump_database
Type: select
__Choices: always, when needed, never
Default: when needed
_Description: Dump databases to file on upgrade:
 Before upgrading to a new version of the OpenLDAP server, the data from
 your LDAP directories can be dumped into plain text files in the
 standard LDAP Data Interchange Format.
 .
 Selecting "always" will cause the databases to be dumped
 unconditionally before an upgrade. Selecting "when needed" will only
 dump the database if the new version is incompatible with the old
 database format and it needs to be reimported. If you select "never",
 no dump will be done.

Template: slapd/dump_database_destdir
Type: string
Default: /var/backups/slapd-VERSION
_Description: Directory to use for dumped databases:
 Please specify the directory where the LDAP databases will be exported.
 In this directory, several LDIF files will be created which correspond
 to the search bases located on the server. Make sure you have enough
 free space on the partition where the directory is located. The first
 occurrence of the string "VERSION" is replaced with the server version
 you are upgrading from.

Template: slapd/move_old_database
Type: boolean
Default: true
_Description: Move old database?
 There are still files in /var/lib/ldap which will probably break
 the configuration process. If you enable this option, the maintainer
 scripts will move the old database files out of the way before
 creating a new database.

Template: slapd/invalid_config
Type: boolean
Default: true
_Description: Retry configuration?
 The configuration you entered is invalid. Make sure that the DNS domain name
 is syntactically valid, the field for the organization is not left empty and
 the admin passwords match. If you decide not to retry the configuration the
 LDAP server will not be set up. Run 'dpkg-reconfigure slapd' if you want to
 retry later.

Template: slapd/domain
Type: string
_Description: DNS domain name:
 The DNS domain name is used to construct the base DN of the LDAP directory.
 For example, 'foo.example.org' will create the directory with
 'dc=foo, dc=example, dc=org' as base DN.

Template: shared/organization
Type: string
_Description: Organization name:
 Please enter the name of the organization to use in the base DN of your
 LDAP directory.

Template: slapd/password1
Type: password
_Description: Administrator password:
 Please enter the password for the admin entry in your LDAP directory.

Template: slapd/password2
Type: password
_Description: Confirm password:
 Please enter the admin password for your LDAP directory again to verify
 that you have typed it correctly.

Template: slapd/password_mismatch
Type: note
_Description: Password mismatch
 The two passwords you entered were not the same. Please try again.

Template: slapd/purge_database
Type: boolean
Default: false
_Description: Do you want the database to be removed when slapd is purged?

Template: slapd/internal/adminpw
Type: password
Description: Encrypted admin password:
 Internal template, should never be displayed to users.

Template: slapd/internal/generated_adminpw
Type: password
Description: Generated admin password:
 Internal template, should never be displayed to users.

Template: slapd/upgrade_slapcat_failure
Type: error
#flag:translate!:5
#flag:comment:4
# This paragraph is followed by a (non translatable) paragraph
# containing a command line
#flag:comment:6
# Translators: keep "${location}" unchanged. This is a variable that
# will be replaced by a directory name at execution
_Description: slapcat failure during upgrade
 An error occurred while upgrading the LDAP directory.
 .
 The 'slapcat' program failed while extracting the LDAP directory. This
 may be caused by an incorrect configuration file (for example, missing
 'moduleload' lines to support the backend database).
 .
 This failure will cause 'slapadd' to fail later as well. The old database
 files will be moved to /var/backups. If you want to try this upgrade
 again, you should move the old database files back into place, fix
 whatever caused slapcat to fail, and run:
 .
  slapcat > ${location}
 .
 Then move the database files back to a backup area and then try running
 slapadd from ${location}.

Template: slapd/backend
Type: select
Choices: BDB, HDB, MDB
Default: MDB
_Description: Database backend to use:
 HDB and BDB use similar storage formats, but HDB adds support for
 subtree renames. Both support the same configuration options.
 .
 The MDB backend is recommended. MDB uses a new storage format and
 requires less configuration than BDB or HDB.
 .
 In any case, you should review the resulting database configuration for
 your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.

Template: slapd/unsafe_selfwrite_acl
Type: note
#flag:comment:3
# Translators: keep "by self write" and "to *" unchanged. These are part
# of the slapd configuration and are not translatable.
_Description: Potentially unsafe slapd access control configuration
 One or more of the configured databases has an access control rule that
 allows users to modify most of their own attributes. This may be
 unsafe, depending on how the database is used.
 .
 In the case of slapd access rules that begin with "to *", it is
 recommended to remove any instances of "by self write", so that users
 are only able to modify specifically allowed attributes.
 .
 See /usr/share/doc/slapd/README.Debian.gz for more details.

Template: slapd/ppolicy_schema_needs_update
Type: select
__Choices: abort installation, continue regardless
DefaultChoice: abort installation
#flag:comment:2
# "ppolicy", "pwdMaxRecordedFailure", and "cn=config" are not translatable.
#flag:translate!:5,7
_Description: Manual ppolicy schema update recommended
 In the new version of slapd, the Password Policy (ppolicy) overlay schema
 requires a defined pwdMaxRecordedFailure attribute, which is not present
 in the schema currently in use. It is recommended to abort the upgrade now,
 and to update the ppolicy schema before upgrading slapd. If replication is
 in use, the schema update should be applied on every server before
 continuing with the upgrade.
 .
 An LDIF file has been generated with the changes required for the upgrade:
 .
 ${ldif}
 .
 so if slapd is using the default access control rules, these changes can be
 applied (after starting slapd) by using the command:
 .
 ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
 .
 If instead you choose to continue the installation, the new attribute will
 be added automatically, but the change will not be acted on by slapd
 overlays, and replication with other servers may be affected.

Template: slapd/smbk5pwd_krb5_disabled
Type: error
_Description: Kerberos support disabled for smbk5pwd overlay
 The smbk5pwd overlay is no longer built with Kerberos support. The
 "smbk5pwd-enable krb5" setting has been automatically disabled in the
 slapd configuration file.

Template: slapd/must_disable_smbk5pwd_krb5
Type: error
#flag:translate!:4,6
_Description: Disable Kerberos in smbk5pwd before upgrading slapd
 The smbk5pwd overlay is no longer built with Kerberos support. The
 "olcSmbK5PwdEnable: krb5" setting must be removed from any instances of
 the smbk5pwd overlay before upgrading slapd.
