#! /bin/sh set -e . /usr/share/debconf/confmodule # This will be replaced with debian/slapd.scripts-common which includes # various helper functions and $OLD_VERSION and $SLAPD_CONF #SCRIPTSCOMMON# postinst_upgrade_cn_config() { # {{{ if previous_version_older '2.4.44+dfsg-1~'; then upgrade_cnconfig_ppolicy_schema fi } # }}} postinst_initial_configuration() { # {{{ # Configure slapd for the first time (when first installed) # Usage: postinst_initial_configuration if manual_configuration_wanted; then echo " Omitting slapd configuration as requested." >&2 else crypt_admin_pass create_new_configuration fi } # }}} postinst_upgrade_configuration() { # {{{ # Handle upgrading slapd from some older version # Usage: postinst_upgrade_configuration # Better back up the config file in any case backup_config_once # Complete any config updates before trying to use slapadd if [ -d "$SLAPD_CONF" ]; then postinst_upgrade_cn_config fi # Check if the database format has changed. if database_format_changed; then # During upgrading we have to load the old data move_incompatible_databases_away load_databases fi # Move to slapd.d configuration style. migrate_to_slapd_d_style # One-time upgrade fix for olcAccess on cn=Subschema if previous_version_older 2.4.23-5 && previous_version_newer 2.4.23-3 \ && [ -e "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif" ] \ && ! grep -i 'olcAccess:.*subschema' "$SLAPD_CONF/cn=config/olcDatabase={-1}frontend.ldif" then sed -i '/olcAccess: {0}/a\ olcAccess: {1}to dn.exact="" by * read\ olcAccess: {2}to dn.base="cn=Subschema" by * read' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif" fi # Update permissions of all database directories and /var/run/slapd update_databases_permissions update_permissions /var/run/slapd # Versions prior to 2.4.7-1 could create a slapd.conf that wasn't # readable by the openldap user. update_permissions "${SLAPD_CONF}" } # }}} upgrade_cnconfig_ppolicy_schema() { # {{{ # Add a new required attribute to the ppolicy schema embedded in the # cn=config database when upgrading to 2.4.43 or later. # slapd.conf users get schema updates through the regular conffile # handling. local dumped_ldif working_ldif ppolicy_dn tmp_slapd_d failed if ! [ -d "$SLAPD_CONF" ]; then return 0 fi if ! previous_version_older '2.4.44+dfsg-1~'; then return 0 fi # The config should have been dumped in preinst. # If not, hope for the best. dumped_ldif="$(database_dumping_destdir)/cn=config.ldif" if ! [ -f "$dumped_ldif" ]; then echo "Saved configuration not found at $dumped_ldif. Skipping configuration updates." >&2 return 0 fi # Create a working copy with lines unwrapped. working_ldif="$(mktemp --tmpdir slapd-XXXXXXXX.ldif)" trap "trap - INT EXIT; rm -f '$working_ldif'" INT EXIT normalize_ldif "$dumped_ldif" > "$working_ldif" # Check whether the schema is loaded and needs an update. ppolicy_dn="$(find_old_ppolicy_schema "$working_ldif")" if [ -z "$ppolicy_dn" ]; then return fi echo -n "Adding pwdMaxRecordedFailure attribute to ${ppolicy_dn}... " >&2 # Add the pwdMaxRecordedFailure attribute to the ppolicy schema. # Let slapadd update modifiersName and modifyTimestamp so these # reflect reality, and entryCSN so replication is aware of the change. perl -i -ne ' BEGIN { my $nextidx; } if (/^dn: cn=\{\d+\}ppolicy,cn=schema,cn=config/ .. /^$/) { if (/^entryCSN:/ or /^modifiersName:/ or /^modifyTimestamp:/) { next; } elsif (/^olcAttributeTypes: \{(\d+)\}/) { $nextidx = $1 + 1; } elsif (/^olcObjectClasses: .*NAME '\''pwdPolicy'\''/) { s/MAY \( ([^)]+) \)/MAY ( $1 \$ pwdMaxRecordedFailure )/; } elsif (/^$/) { print "olcAttributeTypes: {$nextidx}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME '\''pwdMaxRecordedFailure'\'' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n"; } } print; ' "$working_ldif" # Import the modified config into a temporary location. tmp_slapd_d="$(mktemp -d --tmpdir slapd-XXXXXXXX)" trap "trap - INT EXIT; rm -rf '$tmp_slapd_d' '$working_ldif'" INT EXIT capture_diagnostics slapadd -F "$tmp_slapd_d" -n0 -l "$working_ldif" || failed=1 if [ "$failed" ]; then cat >&2 <<-eof failed. Updating the slapd configuration failed with the following error while running slapadd: eof release_diagnostics exit 1 fi # Replace the old config with the updated one. # The current config has already been backed up earlier. rm -r "$SLAPD_CONF/cn=config.ldif" "$SLAPD_CONF/cn=config" mv "$tmp_slapd_d/cn=config.ldif" "$tmp_slapd_d/cn=config" "$SLAPD_CONF/" echo 'done.' >&2 } # }}} # Create a new user. Don't create the user, however, if the local # administrator has already customized slapd to run as a different user. if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then if [ "openldap" = "$SLAPD_USER" ] ; then create_new_user fi fi # Configuration. if is_initial_configuration "$@"; then postinst_initial_configuration else postinst_upgrade_configuration fi db_stop || true #DEBHELPER# exit 0 # vim: set sw=8 foldmethod=marker: