#! /bin/sh
# Abort on the first failing command: a half-finished upgrade must never be
# reported as success.  Commands below that may legitimately fail are
# wrapped in if/|| for that reason.
set -e
# debconf client library; provides the db_* functions (db_stop is called at
# the end of this script).
. /usr/share/debconf/confmodule
# This will be replaced with debian/slapd.scripts-common which includes
# various helper functions and $OLD_VERSION and $SLAPD_CONF
#SCRIPTSCOMMON#
postinst_upgrade_cn_config() { # {{{
	# Apply one-time fixes to a cn=config (slapd.d) style configuration
	# when upgrading from an older version.
	# Usage: postinst_upgrade_cn_config
	# The only fix so far is the ppolicy schema update, which is needed
	# when the previously installed version predates 2.4.44+dfsg-1.
	if ! previous_version_older '2.4.44+dfsg-1~'; then
		return 0
	fi
	upgrade_cnconfig_ppolicy_schema
}
# }}}
postinst_initial_configuration() { # {{{
	# Configure slapd for the first time (when first installed)
	# Usage: postinst_initial_configuration
	# Honours the administrator's request (via debconf) to leave slapd
	# unconfigured.  Otherwise calls crypt_admin_pass (presumably hashing
	# the debconf-supplied admin password before it is stored) and then
	# writes a fresh configuration.  Messages go to stderr, never stdout.
	if manual_configuration_wanted; then
		echo " Omitting slapd configuration as requested." >&2
		return 0
	fi
	crypt_admin_pass
	create_new_configuration
}
# }}}
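postinst_upgrade_configuration() { # {{{
	# Handle upgrading slapd from some older version
	# Usage: postinst_upgrade_configuration
	#
	# The order of the steps matters: the config is backed up before
	# anything touches it, cn=config fixes run before slapadd might need
	# the config, data is re-loaded only when the on-disk database format
	# changed, and permissions are fixed last so that everything created
	# above ends up owned as intended.  All helpers come from
	# slapd.scripts-common.
	local frontend_ldif
	frontend_ldif="$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif"
	# Better back up the config file in any case
	backup_config_once
	# Complete any config updates before trying to use slapadd
	if [ -d "$SLAPD_CONF" ]; then
		postinst_upgrade_cn_config
	fi
	# Check if the database format has changed.
	if database_format_changed; then
		# During upgrading we have to load the old data
		move_incompatible_databases_away
		load_databases
	fi
	# Move to slapd.d configuration style.
	migrate_to_slapd_d_style
	# One-time upgrade fix for olcAccess on cn=Subschema.  Applies only
	# when 2.4.23-3 < old version < 2.4.23-5, cn=config is in use, and no
	# subschema ACL is present yet.
	# grep -q: only the exit status is of interest.  Without -q the
	# matching ACL line would be printed to stdout, which in a
	# debconf-using maintainer script is stray output at best (every
	# other message in this file deliberately goes to stderr).
	if previous_version_older 2.4.23-5 && previous_version_newer 2.4.23-3 \
		&& [ -e "$frontend_ldif" ] \
		&& ! grep -qi 'olcAccess:.*subschema' "$frontend_ldif"
	then
		# Grant anonymous read on the root DSE and on cn=Subschema
		# directly after the first ACL ({0}).  The fixed {1}/{2}
		# indices assume the frontend database has no further
		# olcAccess entries at that point (presumably the case for
		# the default config of those versions).
		sed -i '/olcAccess: {0}/a\
olcAccess: {1}to dn.exact="" by * read\
olcAccess: {2}to dn.base="cn=Subschema" by * read' "$frontend_ldif"
	fi
	# Update permissions of all database directories and /var/run/slapd
	update_databases_permissions
	update_permissions /var/run/slapd
	# Versions prior to 2.4.7-1 could create a slapd.conf that wasn't
	# readable by the openldap user.  This also fixes up whatever
	# postinst_upgrade_cn_config left behind as root-owned.
	update_permissions "${SLAPD_CONF}"
}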
# }}}
upgrade_cnconfig_ppolicy_schema() { # {{{
	# Add a new required attribute to the ppolicy schema embedded in the
	# cn=config database when upgrading to 2.4.43 or later.
	# slapd.conf users get schema updates through the regular conffile
	# handling.
	#
	# Inputs: $SLAPD_CONF (must be a slapd.d directory), the cn=config
	# dump left by preinst below database_dumping_destdir, and the
	# version/diagnostics helpers from slapd.scripts-common.
	# Returns 0 when there is nothing to do; exits 1 (after printing
	# slapadd's diagnostics) when the rewritten config does not load.
	local dumped_ldif working_ldif ppolicy_dn tmp_slapd_d failed
	# Only cn=config style setups are handled here.
	if ! [ -d "$SLAPD_CONF" ]; then
		return 0
	fi
	if ! previous_version_older '2.4.44+dfsg-1~'; then
		return 0
	fi
	# The config should have been dumped in preinst.
	# If not, hope for the best.
	dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
	if ! [ -f "$dumped_ldif" ]; then
		echo "Saved configuration not found at $dumped_ldif. Skipping configuration updates." >&2
		return 0
	fi
	# Create a working copy with lines unwrapped.
	# The copy is a full cn=config dump and may well contain secrets
	# (e.g. olcRootPW), hence a mktemp-created private file rather than
	# a predictable path.  The trap removes it on exit or ^C.  Note that
	# traps are script-global in sh: this replaces any EXIT trap armed
	# earlier and stays in effect after this function returns.  On INT
	# the handler only cleans up and does not exit; the following
	# commands then fail under set -e.
	working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
	trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT
	normalize_ldif "$dumped_ldif" > "$working_ldif"
	# Check whether the schema is loaded and needs an update.
	ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")"
	if [ -z "$ppolicy_dn" ]; then
		# Bare return: status of the preceding test, i.e. 0 here.
		return
	fi
	echo -n "Adding pwdMaxRecordedFailure attribute to ${ppolicy_dn}... " >&2
	# Add the pwdMaxRecordedFailure attribute to the ppolicy schema.
	# Let slapadd update modifiersName and modifyTimestamp so these
	# reflect reality, and entryCSN so replication is aware of the change.
	#
	# The perl filter edits the working copy in place and only acts on
	# the ppolicy schema entry (from its dn: line up to the next blank
	# line).  Inside that entry it: drops entryCSN/modifiersName/
	# modifyTimestamp; remembers the index of the last olcAttributeTypes
	# line so the new attribute gets the next one; appends
	# pwdMaxRecordedFailure to the MAY list of the pwdPolicy object
	# class (a no-op if that class has no MAY clause); and emits the new
	# olcAttributeTypes line just before the entry's terminating blank
	# line.  Everything else passes through unchanged.
	# NOTE(review): "BEGIN { my $nextidx; }" scopes the my() to the
	# BEGIN block, so the loop actually uses an undeclared global
	# $nextidx -- this works only because -n does not enable strict.
	# If the entry had no olcAttributeTypes line at all the index would
	# be empty ("{}"); slapadd would then reject the file below.
	perl -i -ne '
	BEGIN { my $nextidx; }
	if (/^dn: cn=\{\d+\}ppolicy,cn=schema,cn=config/ .. /^$/) {
		if (/^entryCSN:/ or /^modifiersName:/ or /^modifyTimestamp:/) {
			next;
		} elsif (/^olcAttributeTypes: \{(\d+)\}/) {
			$nextidx = $1 + 1;
		} elsif (/^olcObjectClasses: .*NAME '\''pwdPolicy'\''/) {
			s/MAY \( ([^)]+) \)/MAY ( $1 \$ pwdMaxRecordedFailure )/;
		} elsif (/^$/) {
			print "olcAttributeTypes: {$nextidx}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME '\''pwdMaxRecordedFailure'\'' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n";
		}
	}
	print;
	' "$working_ldif"
	# Import the modified config into a temporary location.
	# Loading into a scratch slapd.d validates the edited LDIF before
	# the live configuration is touched.  Re-arm the trap so both
	# temporary paths are cleaned up.
	tmp_slapd_d="$(mktemp -d --tmpdir slapd-XXXXXXXX)"
	trap "trap - INT EXIT; rm -rf '$tmp_slapd_d' '$working_ldif'" INT EXIT
	# "|| failed=1" keeps set -e from aborting here, so that the failure
	# can be reported together with the captured slapadd output.
	capture_diagnostics slapadd -F "$tmp_slapd_d" -n0 -l "$working_ldif" || failed=1
	if [ "$failed" ]; then
		cat >&2 <<-eof
		failed.
		Updating the slapd configuration failed with the following error
		while running slapadd:
		eof
		release_diagnostics
		exit 1
	fi
	# Replace the old config with the updated one.
	# The current config has already been backed up earlier.
	# NOTE(review): the live tree is removed before the new one is moved
	# in.  Should the mv fail (set -e then aborts), slapd.d is left
	# empty and the backup_config_once copy is the only way back.
	# Renaming the old tree aside first and deleting it only after a
	# successful mv would close that window.
	# The moved-in directory keeps the restrictive mode mktemp -d gave it
	# and, as postinst runs as root, root ownership of everything slapadd
	# wrote.  The caller (postinst_upgrade_configuration) runs
	# update_permissions "$SLAPD_CONF" afterwards, which is presumably
	# what hands the tree back to the slapd user; keep it that way.
	rm -r "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config"
	mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/"
	echo 'done.' >&2
}
# }}}
# Create the service account on (re)configure.  Skip this when the local
# administrator has pointed SLAPD_USER at some other, pre-existing user:
# the package only manages the account it ships with ("openldap").
case "$MODE" in
	configure|reconfigure)
		if [ "$SLAPD_USER" = "openldap" ]; then
			create_new_user
		fi
		;;
esac
# Configuration: fresh install vs. upgrade of an existing setup.
if ! is_initial_configuration "$@"; then
	postinst_upgrade_configuration
else
	postinst_initial_configuration
fi
# Release the debconf frontend; tolerate failure so that set -e does not
# turn a debconf hiccup into a failed postinst.
db_stop || true
#DEBHELPER#
exit 0
# vim: set sw=8 foldmethod=marker: