Accepting request 593976 from home:zkalmar:branches:network:ldap

- bsc#1085064 Add script "openldap_update_modules_path.sh" which
  which removes the configuration item olcModulePath in cn=config
  which is after upgrade from SLE12 to SLE15 holds inappropriate
  information. If the cn=config is being used on a system, the
  conflicting items in slapd.conf are ignored, despite of it, the
  backend DB configuration section has been also commented out in
  the default slapd.conf.
  In case of correct cn=config (the olcModulePath has been already
  removed), the script stops without touching anything.

OBS-URL: https://build.opensuse.org/request/show/593976
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=207

openldap2.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Apr  6 11:29:22 UTC 2018 - zsolt.kalmar@suse.com
+
+- bsc#1085064 Add script "openldap_update_modules_path.sh" which
+  which removes the configuration item olcModulePath in cn=config
+  which is after upgrade from SLE12 to SLE15 holds inappropriate
+  information. If the cn=config is being used on a system, the
+  conflicting items in slapd.conf are ignored, despite of it, the
+  backend DB configuration section has been also commented out in
+  the default slapd.conf.
+  In case of correct cn=config (the olcModulePath has been already
+  removed), the script stops without touching anything.
+
 -------------------------------------------------------------------
 Fri Mar 23 19:43:23 UTC 2018 - michael@stroeder.com
 

openldap2.spec

@@ -55,6 +55,7 @@ Source13:       start
 Source14:       slapd.service
 Source15:       SuSEfirewall2.openldap
 Source16:       sysconfig.openldap
+Source17:       openldap_update_modules_path.sh
 Patch3:         0003-LDAPI-socket-location.dif
 Patch5:         0005-pie-compile.dif
 Patch6:         0006-No-Build-date-and-time-in-binaries.dif
@@ -365,6 +366,7 @@ install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
 install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
+install -m 755 %{SOURCE17} ${RPM_BUILD_ROOT}/usr/sbin
 
 # Install ppolicy check module
 make -C contrib/slapd-modules/ppolicy-check-password STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
@@ -442,6 +444,10 @@ if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
   cp /etc/sasl2/slapd.conf /etc/sasl2/slapd.conf.rpmnew
   cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
 fi
+
+if [ ${1:-0} -gt 1 ! -e /var/adm/openldap_modules_path_updated ] ; then
+    /usr/sbin/openldap_update_modules_path.sh
+fi
 %{fillup_only -n openldap ldap}
 %service_add_post slapd.service
 
@@ -476,6 +482,7 @@ fi
 %{_fillupdir}/sysconfig.openldap
 %{_sbindir}/slap*
 %{_sbindir}/rcslapd
+%{_sbindir}/openldap_update_modules_path.sh
 %{_libdir}/openldap/back_bdb*
 %{_libdir}/openldap/back_hdb*
 %{_libdir}/openldap/back_ldap*

openldap_update_modules_path.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+# This script has been created to update the OpenLDAP modules path in cn=config
+# For details of changing the configuration items' location read these:
+# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
+# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
+# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
+
+# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
+
+conf_dir='/etc/openldap/slapd.d'
+tmp_file='/tmp/ldap_conf_tmp.ldif'
+backup='/tmp/slapd.d'
+res=0
+
+rm -f ${tmp_file}
+
+# Check if the configuration is containing the inappropriate entry
+
+/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
+res=$?
+
+if [ $res -ne 0 ]
+then
+    logger -p user.error "Creating ${tmp_file} has failed."
+    exit 1
+fi
+
+entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
+
+if [ $entry_cnt -eq 0 ]
+then
+    logger -p user.info "The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
+    exit 0
+fi
+
+rm -rf ${tmp_file}
+
+# Make sure the LDAP is not running:
+/usr/bin/systemctl stop slapd.service
+
+# Creating symlinks for the modules required for the slapcat and slapadd
+ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so
+ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so
+ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so
+ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so
+
+# Export the config to a text
+/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
+res=$?
+
+if [ $res -ne 0 ]
+then
+    logger -p user.error "Creating ${tmp_file} has failed."
+    exit 1
+fi
+
+# Create a backup of LDAP config
+mkdir ${backup}
+cp -r ${conf_dir}/* ${backup}/
+res=$?
+
+if [ $res -ne 0 ]
+then
+    logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
+    exit 1
+fi
+
+# Remove the configuration item "olcModulePath"
+sed -n -i '/olcModulePath/!p'  ${tmp_file}
+res=$?
+
+if [ $res -ne 0 ]
+then
+    logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
+    exit 1
+fi
+
+# Remove the current configuration
+rm -rf ${conf_dir}/*
+
+# Load the modified configuration
+/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
+res=$?
+
+# Catch result code of slapadd
+if [ $res -ne 0 ]
+then
+    logger -p user.error "LDAP Update script: Implementing new configuration has failed."
+    exit 1
+else
+# Remove temporary symlinks
+    rm -rf /usr/lib/openldap/back_bdb.so
+    rm -rf /usr/lib/openldap/back_hdb.so
+    rm -rf /usr/lib/openldap/back_mdb.so
+    rm -rf /usr/lib/openldap/syncprov.so
+fi
+
+# Start the SLAPD with the new configuration
+/usr/bin/systemctl start slapd.service
+res=$?
+
+if [ $res -ne 0 ]
+then
+    logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
+    exit 1
+else
+    # Remove backups
+    rm -rf ${backup}
+    rm -rf ${tmp_file}
+    # Create "/var/adm/openldap_update_modules"
+    touch /var/adm/openldap_update_modules
+    exit 0
+fi

slapd.conf

@@ -37,8 +37,8 @@ include /etc/openldap/schema/rfc2307bis.schema
 include /etc/openldap/schema/yast.schema
 
 # Load backend modules such as databas engines
-modulepath /usr/lib64/openldap
-moduleload back_mdb.la
+#modulepath /usr/lib64/openldap
+#moduleload back_mdb.la
 #moduleload back_hdb.la
 #moduleload back_bdb.la
 

slapd.conf.olctemplate

@@ -33,10 +33,10 @@ include /etc/openldap/schema/rfc2307bis.schema
 include /etc/openldap/schema/yast.schema
 
 # Load backend modules such as database engines
-modulepath /usr/lib64/openldap
-moduleload back_mdb.la
-#moduleload back_hdb.la
-#moduleload back_bdb.la
+# modulepath /usr/lib64/openldap
+# moduleload back_mdb.la
+# moduleload back_hdb.la
+# moduleload back_bdb.la
 
 # Define the config database that holds all online configurations
 database config