Diffstat (limited to 'debian/slapd.postinst')
-rw-r--r--debian/slapd.postinst174
1 files changed, 174 insertions, 0 deletions
diff --git a/debian/slapd.postinst b/debian/slapd.postinst
new file mode 100644
index 0000000..2f5c550
--- /dev/null
+++ b/debian/slapd.postinst
@@ -0,0 +1,174 @@
+#! /bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+# This will be replaced with debian/slapd.scripts-common which includes
+# various helper functions and $OLD_VERSION and $SLAPD_CONF
+#SCRIPTSCOMMON#
+
+postinst_upgrade_cn_config() { # {{{
+ if previous_version_older '2.4.44+dfsg-1~'; then
+ upgrade_cnconfig_ppolicy_schema
+ fi
+}
+# }}}
+postinst_initial_configuration() { # {{{
+# Configure slapd for the first time (when first installed)
+# Usage: postinst_initial_configuration
+
+ if manual_configuration_wanted; then
+ echo " Omitting slapd configuration as requested." >&2
+ else
+ crypt_admin_pass
+ create_new_configuration
+ fi
+}
+
+# }}}
+postinst_upgrade_configuration() { # {{{
+# Handle upgrading slapd from some older version
+# Usage: postinst_upgrade_configuration
+
+ # Better back up the config file in any case
+ backup_config_once
+
+ # Complete any config updates before trying to use slapadd
+ if [ -d "$SLAPD_CONF" ]; then
+ postinst_upgrade_cn_config
+ fi
+
+ # Check if the database format has changed.
+ if database_format_changed; then
+
+ # During upgrading we have to load the old data
+ move_incompatible_databases_away
+ load_databases
+ fi
+
+ # Move to slapd.d configuration style.
+ migrate_to_slapd_d_style
+
+ # One-time upgrade fix for olcAccess on cn=Subschema
+ if previous_version_older 2.4.23-5 && previous_version_newer 2.4.23-3 \
+ && [ -e "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif" ] \
+ && ! grep -i 'olcAccess:.*subschema' "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif"
+ then
+ sed -i '/olcAccess: {0}/a\
+olcAccess: {1}to dn.exact="" by * read\
+olcAccess: {2}to dn.base="cn=Subschema" by * read' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
+ fi
+
+ # Update permissions of all database directories and /var/run/slapd
+ update_databases_permissions
+ update_permissions /var/run/slapd
+
+ # Versions prior to 2.4.7-1 could create a slapd.conf that wasn't
+ # readable by the openldap user.
+ update_permissions "${SLAPD_CONF}"
+}
+
+# }}}
+
+upgrade_cnconfig_ppolicy_schema() { # {{{
+# Add a new required attribute to the ppolicy schema embedded in the
+# cn=config database when upgrading to 2.4.43 or later.
+# slapd.conf users get schema updates through the regular conffile
+# handling.
+ local dumped_ldif working_ldif ppolicy_dn tmp_slapd_d failed
+
+ if ! [ -d "$SLAPD_CONF" ]; then
+ return 0
+ fi
+
+ if ! previous_version_older '2.4.44+dfsg-1~'; then
+ return 0
+ fi
+
+ # The config should have been dumped in preinst.
+ # If not, hope for the best.
+ dumped_ldif="$(database_dumping_destdir)/cn=config.ldif"
+ if ! [ -f "$dumped_ldif" ]; then
+ echo "Saved configuration not found at $dumped_ldif. Skipping configuration updates." >&2
+ return 0
+ fi
+
+ # Create a working copy with lines unwrapped.
+ working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)"
+ trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT
+ normalize_ldif "$dumped_ldif" > "$working_ldif"
+
+ # Check whether the schema is loaded and needs an update.
+ ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")"
+ if [ -z "$ppolicy_dn" ]; then
+ return
+ fi
+
+ echo -n "Adding pwdMaxRecordedFailure attribute to ${ppolicy_dn}... " >&2
+
+ # Add the pwdMaxRecordedFailure attribute to the ppolicy schema.
+ # Let slapadd update modifiersName and modifyTimestamp so these
+ # reflect reality, and entryCSN so replication is aware of the change.
+ perl -i -ne '
+ BEGIN { my $nextidx; }
+ if (/^dn: cn=\{\d+\}ppolicy,cn=schema,cn=config/ .. /^$/) {
+ if (/^entryCSN:/ or /^modifiersName:/ or /^modifyTimestamp:/) {
+ next;
+ } elsif (/^olcAttributeTypes: \{(\d+)\}/) {
+ $nextidx = $1 + 1;
+ } elsif (/^olcObjectClasses: .*NAME '\''pwdPolicy'\''/) {
+ s/MAY \( ([^)]+) \)/MAY ( $1 \$ pwdMaxRecordedFailure )/;
+ } elsif (/^$/) {
+ print "olcAttributeTypes: {$nextidx}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME '\''pwdMaxRecordedFailure'\'' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n";
+ }
+ }
+ print;
+ ' "$working_ldif"
+
+ # Import the modified config into a temporary location.
+ tmp_slapd_d="$(mktemp -d --tmpdir slapd-XXXXXXXX)"
+ trap "trap - INT EXIT; rm -rf '$tmp_slapd_d' '$working_ldif'" INT EXIT
+ capture_diagnostics slapadd -F "$tmp_slapd_d" -n0 -l "$working_ldif" || failed=1
+ if [ "$failed" ]; then
+ cat >&2 <<-eof
+failed.
+
+Updating the slapd configuration failed with the following error
+while running slapadd:
+eof
+ release_diagnostics
+ exit 1
+ fi
+
+ # Replace the old config with the updated one.
+ # The current config has already been backed up earlier.
+ rm -r "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config"
+ mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/"
+
+ echo 'done.' >&2
+}
+# }}}
+
+# Create a new user. Don't create the user, however, if the local
+# administrator has already customized slapd to run as a different user.
+if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then
+ if [ "openldap" = "$SLAPD_USER" ] ; then
+ create_new_user
+ fi
+fi
+
+# Configuration.
+if is_initial_configuration "$@"; then
+ postinst_initial_configuration
+else
+ postinst_upgrade_configuration
+fi
+
+db_stop || true
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set sw=8 foldmethod=marker:
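Review bot: The final replacement in upgrade_cnconfig_ppolicy_schema (`rm -r "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config"` followed by `mv` out of `$tmp_slapd_d`) deletes the live config before the new one exists in place, and because `$tmp_slapd_d` comes from `mktemp -d --tmpdir` it may live on a different filesystem than `$SLAPD_CONF` (tmpfs /tmp is common), so that `mv` is a copy rather than a rename and can fail part way; under `set -e` the script then aborts with no cn=config on disk at all. The backup taken by `backup_config_once` makes this recoverable, but only by hand, and the package is left half-configured. Parking the current config beside the new one, moving the new one in, and deleting the parked copy only afterwards keeps a complete cn=config on disk at every step and leaves the old copy behind for manual restore if the second `mv` fails (add `old_slapd_d` to the `local` list at the top of the function). Presumably slapd is already stopped here, since the config was dumped in preinst, so no running daemon observes the swap — worth confirming in the scripts-common helpers. Separately, `BEGIN { my $nextidx; }` in the embedded perl scopes `$nextidx` to the BEGIN block only, so the later assignments use an undeclared package global; dropping the `my` or declaring it outside BEGIN makes the intent clear.
```shell
	# Replace the old config with the updated one.  Park the current
	# config next to it first so a complete cn=config exists on disk at
	# every step; if the second mv fails the parked copy stays behind
	# for manual recovery.  The current config was also backed up earlier.
	old_slapd_d="$(mktemp -d "$SLAPD_CONF/cn=config.old.XXXXXXXX")"
	mv "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config" "$old_slapd_d/"
	mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/"
	rm -r "$old_slapd_d"
	# … unchanged: 'done.' message …
```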