Bug 55998 - Make inclusion of ppolicy.schema configurable for the upgrade to OpenLDAP 2.5
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.2
Other Linux
P5 normal
UCS 5.2
Assigned To: Julia Bremer
Arvid Requate
Reported: 2023-04-20 16:34 CEST by Florian Best
Modified: 2024-03-08 10:51 CET

Description Florian Best univentionstaff 2023-04-20 16:34:49 CEST
During the upgrade of OpenLDAP, the preinst migrates the database and the postinst restarts slapd (afair).

During this short time period we need to include
'/etc/ldap/schema/ppolicy.schema.dpkg-remove'
in the slapd.conf so that the UCS 5.2 upgrade doesn't fail.
Comment 2 Julia Bremer univentionstaff 2023-10-25 10:07:49 CEST
The ppolicy schema was an external file, included in the slapd.conf in 5.0/5.1.
In 5.2 it became built into slapd.
That means that during the upgrade we need to remove the ppolicy.schema file from the slapd.conf at exactly the right moment.
If it's removed too early, slapd won't start because the schema for some attributes is missing.
If it's removed too late, it won't start because of duplicate schema, or because the schema file doesn't exist.


This is further complicated because, during this upgrade, the whole LDAP database and configuration is dumped and reimported, and the ppolicy.schema is removed in the maintscript.
The maintscript moves the file to /etc/ldap/schema/ppolicy.schema.dpkg-remove in the first step. At this time, though, the file is still needed, because slapd is restarted during the upgrade as well.


We patched the slapd.conf template to include /etc/ldap/schema/ppolicy.schema.dpkg-remove if it exists at that moment.
The patch is in branch preview/5.1 only, because the univention-ldap package pre-depends on slapd, which means that during the upgrade of slapd, the slapd.conf from 5.1 is used.

We also patched the slapd postinst to commit the slapd.conf at the perfect time.


ucs-patches: 263fb96f2c0690966672cd21e3e4dcc79fe848bb Bug #55833: commit slapd.conf before (re-)starting slapd

ucs: (preview/5.1) 207e041dd3b582c5a5fc985e9c159e3e2bf8b1fc fix(ldap): Make include of ppolicy.schema optional so that we can remove it in UCS 5.2
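
The conditional include described in Comment 2, as an added Python example (not the UCS template or the referenced commits). The function names, the unsuffixed `ppolicy.schema` file name and the temporary-directory sample data are assumptions; `preflight` additionally flags include targets that no longer exist, the "removed too late" failure.

```python
import os
import re
import tempfile

# Assumed names: the page gives only the ".dpkg-remove" path; the original
# file name is inferred from it.
SCHEMA = "ppolicy.schema"
PARKED = SCHEMA + ".dpkg-remove"

def ppolicy_include(schema_dir):
    """Include line for the external ppolicy schema, or None if no copy is on disk."""
    for name in (SCHEMA, PARKED):
        path = os.path.join(schema_dir, name)
        if os.path.isfile(path):
            return "include\t\t" + path
    return None  # nothing to include: rely on the schema built into slapd

def preflight(conf_text):
    """Problems that would stop slapd: missing include targets, ppolicy included twice."""
    problems, ppolicy_hits = [], 0
    for line in conf_text.splitlines():
        m = re.match(r"\s*include\s+(\S+)", line)  # commented-out lines do not match
        if not m:
            continue
        path = m.group(1)
        if not os.path.isfile(path):
            problems.append("missing include: " + path)
        if os.path.basename(path) in (SCHEMA, PARKED):
            ppolicy_hits += 1
    if ppolicy_hits > 1:
        problems.append("ppolicy schema included %d times" % ppolicy_hits)
    return problems

def demo():
    """Constructed walk-through of the file states during the upgrade."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        live, parked = os.path.join(d, SCHEMA), os.path.join(d, PARKED)
        open(live, "w").close()                        # 5.0/5.1: external file present
        results.append(ppolicy_include(d))
        os.rename(live, parked)                        # maintscript parked the file
        results.append(preflight("include " + live))   # stale config names old path
        results.append(ppolicy_include(d))             # regenerated config follows the file
        os.remove(parked)                              # 5.2: file gone, schema built in
        results.append(ppolicy_include(d))
    return results

if __name__ == "__main__":
    print(demo())
```

Running `preflight` on the generated slapd.conf before each slapd (re)start surfaces a stale include as a readable message instead of a failed service start.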
Comment 3 Arvid Requate univentionstaff 2023-10-26 15:35:02 CEST
LGTM.
Comment 4 Florian Best univentionstaff 2024-02-06 10:33:46 CET
*** Bug 56909 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2024-03-08 10:51:25 CET
univention-ldap (18.0.1)
88e033f7a1e3 | fix(ldap): ppolicy.schema can be removed in 5.2

univention-ldap (17.0.4)
1162a57e821b | fix(ldap): always enable ppolicy module because it provides the schema necessary to create our internal entries
1dfd1580daf1 | fix(ldap): make include of ppolicy.schema optional so that we can remove it in UCS 5.2

ucs-test (11.0.4)
1162a57e821b | fix(ldap): always enable ppolicy module because it provides the schema necessary to create our internal entries