From a5568311db492c24672b6ece57e5a69f12690261 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Lebleu?= <jerome@maroufle.fr>
Date: Wed, 27 Jan 2016 18:05:04 +0100
Subject: [PATCH] [fix] Save LDAP database when switching to MDB (bugfix #169)

As Wheezy is not supported anymore by next YunoHost releases, the slapd.conf
now comes with MDB as backend.
The LDAP database is also saved before switching to MDB backend and imported
after the configuration re-generation to prevent data loss.
---
 data/hooks/conf_regen/06-slapd  | 48 +++++++++++++++++--------
 data/templates/slapd/slapd.conf | 62 +++++++++++++--------------------
 2 files changed, 57 insertions(+), 53 deletions(-)

diff --git a/data/hooks/conf_regen/06-slapd b/data/hooks/conf_regen/06-slapd
index b5af23538..491a366a5 100644
--- a/data/hooks/conf_regen/06-slapd
+++ b/data/hooks/conf_regen/06-slapd
@@ -24,29 +24,47 @@ cd /usr/share/yunohost/templates/slapd
   || sudo yunohost service saferemove -s slapd \
     /etc/ldap/slapd-yuno.conf
 
+# Retrieve current backend
+backend=$(sudo slapcat -n 0 | sed -n 's/^dn: olcDatabase={1}\(.*\),cn=config$/\1/p')
+
+# Save current database in case of a backend change
+BACKEND_CHANGE=0
+BACKUP_DIR="/var/backups/dc=yunohost,dc=org-${backend}-$(date +%s)"
+if [[ "$backend" != "mdb" && "$force" == "True" ]]; then
+    BACKEND_CHANGE=1
+    sudo mkdir -p "$BACKUP_DIR"
+    sudo slapcat -b dc=yunohost,dc=org \
+      -l "${BACKUP_DIR}/dc=yunohost-dc=org.ldif"
+fi
+
 safe_copy sudo.schema /etc/ldap/schema/sudo.schema
 safe_copy mailserver.schema /etc/ldap/schema/mailserver.schema
 safe_copy ldap.conf /etc/ldap/ldap.conf
 safe_copy slapd.default /etc/default/slapd
-
-# Compatibility: change from HDB to MDB on Jessie
-version=$(sed 's/\..*//' /etc/debian_version)
-if [[ "$version" == '8' ]]; then
-    cat slapd.conf \
-      | sed "s/hdb$/mdb/g" \
-      | sed "s/back_hdb/back_mdb/g" \
-      | sed "s/^dbconfig set_/#dbconfig set_/g" \
-      | sudo tee slapd.conf
-fi
-
 safe_copy slapd.conf /etc/ldap/slapd.conf
+
+# Fix some permissions
 sudo chown root:openldap /etc/ldap/slapd.conf
-sudo rm -Rf /etc/ldap/slapd.d
-sudo mkdir /etc/ldap/slapd.d
 sudo chown -R openldap:openldap /etc/ldap/schema/
 sudo chown -R openldap:openldap /etc/ldap/slapd.d/
 
-sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1
-sudo chown -R openldap:openldap /etc/ldap/slapd.d/
+if [[ $BACKEND_CHANGE -eq 1 ]]; then
+    # Regenerate LDAP configuration and import database as root
+    # since the admin user may be unavailable
+    sudo sh -c "rm -Rf /etc/ldap/slapd.d;
+mkdir /etc/ldap/slapd.d;
+slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d;
+chown -R openldap:openldap /etc/ldap/slapd.d;
+slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
+  -l '${BACKUP_DIR}/dc=yunohost-dc=org.ldif';
+chown -R openldap:openldap /var/lib/ldap" 2>&1
+else
+    # Regenerate LDAP configuration from slapd.conf if it is valid
+    sudo slaptest -u -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ \
+      && (sudo rm -Rf /etc/ldap/slapd.d \
+          && sudo mkdir /etc/ldap/slapd.d \
+          && sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1)
+    sudo chown -R openldap:openldap /etc/ldap/slapd.d/
+fi
 
 sudo service slapd force-reload
diff --git a/data/templates/slapd/slapd.conf b/data/templates/slapd/slapd.conf
index f47e6761b..6178ae00e 100644
--- a/data/templates/slapd/slapd.conf
+++ b/data/templates/slapd/slapd.conf
@@ -22,14 +22,15 @@ pidfile         /var/run/slapd/slapd.pid
 # List of arguments that were passed to the server
 argsfile        /var/run/slapd/slapd.args
 
-password-hash   {SSHA}
-
 # Read slapd.conf(5) for possible values
-loglevel        256
+loglevel        none
+
+# Hashes to be used in generation of user passwords
+password-hash   {SSHA}
 
 # Where the dynamically loaded modules are stored
 modulepath	/usr/lib/ldap
-moduleload	back_hdb
+moduleload	back_mdb
 moduleload      memberof
 
 # The maximum number of entries that is returned for a search operation
@@ -40,26 +41,25 @@ sizelimit 500
 tool-threads 1
 
 #######################################################################
-# Specific Backend Directives for hdb:
+# Specific Backend Directives for mdb:
 # Backend specific directives apply to this backend until another
 # 'backend' directive occurs
-backend		hdb
+backend		mdb
 
 #######################################################################
-# Specific Backend Directives for 'other':
-# Backend specific directives apply to this backend until another
-# 'backend' directive occurs
-#backend		<other>
-
-#######################################################################
-# Specific Directives for database #1, of type hdb:
+# Specific Directives for database #1, of type mdb:
 # Database specific directives apply to this databasse until another
 # 'database' directive occurs
-database        hdb
+database        mdb
 
 # The base of your directory in database #1
 suffix          "dc=yunohost,dc=org"
 
+# rootdn directive for specifying a superuser on the database. This is needed
+# for syncrepl.
+# rootdn          "cn=admin,dc=yunohost,dc=org"
+
+# Where the database file are physically stored for database #1
 directory       "/var/lib/ldap"
 
 # The dbconfig settings are used to generate a DB_CONFIG file the first
@@ -67,10 +67,6 @@ directory       "/var/lib/ldap"
 # file.  You should therefore change these settings in DB_CONFIG directly
 # or remove DB_CONFIG and restart slapd for changes to take effect.
 
-# For the Debian package we use 2MB as default but be sure to update this
-# value if you have plenty of RAM
-dbconfig set_cachesize 0 2097152 0
-
 # Sven Hartge reported that he had to set this value incredibly high
 # to get slapd running at all. See http://bugs.debian.org/303057 for more
 # information.
@@ -83,9 +79,9 @@ dbconfig set_lk_max_locks 1500
 dbconfig set_lk_max_lockers 1500
 
 # Indexing options for database #1
-index           objectClass eq
-index   	uid eq,sub
-index           entryCSN,entryUUID eq
+index  objectClass         eq
+index  uid                 eq,sub
+index  entryCSN,entryUUID  eq
 
 # Save the time that the entry gets modified, for database #1
 lastmod         on
@@ -94,26 +90,25 @@ lastmod         on
 # failure and to speed slapd shutdown.
 checkpoint      512 30
 
-# Where to store the replica logs for database #1
-# replogfile	/var/lib/ldap/replog
-
 # The userPassword by default can be changed
 # by the entry owning it if they are authenticated.
 # Others should not be able to see it, except the
 # admin entry below
 # These access lines apply to database #1 only
-access to attrs=userPassword
+access to attrs=userPassword,shadowLastChange
         by dn="cn=admin,dc=yunohost,dc=org" write
-	by anonymous auth
+        by anonymous auth
         by self write
         by * none
 
+# Personnal information can be changed by the entry
+# owning it if they are authenticated.
+# Others should be able to see it.
 access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
         by dn="cn=admin,dc=yunohost,dc=org" write
         by self write
         by * read
 
-
 # Ensure read access to the base for things like
 # supportedSASLMechanisms.  Without this you may
 # have problems with SASL not knowing what
@@ -129,14 +124,5 @@ access to dn.base="" by * read
 # can read everything.
 access to *
         by dn="cn=admin,dc=yunohost,dc=org" write
-	by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
-	by * read
-
-#######################################################################
-# Specific Directives for database #2, of type 'other' (can be hdb too):
-# Database specific directives apply to this databasse until another
-# 'database' directive occurs
-#database        <other>
-
-# The base of your directory for database #2
-#suffix		"dc=debian,dc=org"
+        by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
+        by * read