Add support for slapd on bookworm #14

Merged
merged 8 commits into from
Jan 25, 2024

@href href commented Jan 25, 2024

This is mostly a cherry-picked version of debops#2419, with an additional fix that won't be necessary anymore with Debops 3.1.

Alphix and others added 8 commits January 23, 2024 17:20
The ppolicy schema is now internal to the slapo-ppolicy(5) module,
meaning that:

  a) It can't be loaded (harmless, the role already checks for
     "already exists" error messages); and

  b) Updating an existing slapd installation from pre-Bookworm to
     Bookworm will cause pain, see [1] and [2].

Not sure if that should be documented somewhere...

Also, the fusiondirectory packages aren't in Bookworm [3], that's sure to
cause pain. Perhaps we should import the schema files into the repo instead
(GPL2+ according to the copyright file in the Debian package).

[1] /usr/share/doc/slapd/README.Debian.gz
[2] https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#openldap-2.5
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016029

(cherry picked from commit 4775796)

The fusiondirectory packages have been removed from Debian [1]
and are unlikely to return, so create a local copy of the relevant
schemas and simplify the role in the process.

(cherry picked from commit 36b6a20)

This avoids the need for the fusiondirectory-insert-schema tool, which should
be the last piece of the puzzle to support slapd in Bookworm.

Note that schema2ldif has been available since Buster at least and that
it was a dependency of the previous schema packages, so it's not actually
a new requirement.

(cherry picked from commit 9ff3415)

A couple of attributes changed names in OpenLDAP 2.5, this patch
makes the slapd role deal with both names.

Also the replication example needed updating. Since those values
will be in people's Ansible inventories, we can't fix it but we
can document the change. Maybe something should be added to the
DebOps release notes as well?

With this patch, I think the support for OpenLDAP 2.5 is finished,
so this PR would:

Close: debops#2244
Close: debops#2243
(cherry picked from commit 4ddcbee)

First, the role tries to create the cn=Hidden Object Viewer,ou=Roles,...
entry with a "memberOf" attribute pointing to the
cn=Hidden Objects, ou=Groups,... group (which is created in the next task).

This causes the OpenLDAP version in Bookworm to complain (edited to break
up overlong lines):

TASK [debops.debops.slapd : Create cn=Hidden Object Viewer role] ***************
An exception occurred during task execution. To see the full traceback, use -vvv.
The error was: ldap.CONSTRAINT_VIOLATION: {
	'msgtype': 105,
	'msgid': 4,
	'result': 19,
	'desc': 'Constraint violation',
	'ctrls': [],
	'info': 'memberOf: no user modification allowed'}

Ok, so removing the "memberOf" attribute allows the role to continue to the
next default task, which is the actual creation of the
cn=Hidden Objects, ou=Groups,... group...which has a similar issue, it tries
to set both the "member" and "memberOf" attribute at the same time...which
explodes in a similar manner.

TASK [debops.debops.slapd : Create cn=Hidden Objects group] ********************
An exception occurred during task execution. To see the full traceback, use -vvv.
The error was: ldap.CONSTRAINT_VIOLATION: {
	'msgtype': 105,
	[snip]
	'info': 'memberOf: no user modification allowed'}

First, I tried just removing the "memberOf" attributes while keeping the
"member" attribute intact, but that meant that cn=Hidden Objects did not
get a "memberOf" attribute. It seems that OpenLDAP 2.5 is stricter in this
sense.

So the approach I took was for the cn=Hidden Objects entry
to be created first, and then added to itself in a subsequent operation
in order for the entry to look like it did in Bullseye and earlier.

I'm hoping this is backwards compatible, but it works on Bookworm.

This change makes sure that the new "modern" project directories are
supported properly by the custom Ansible plugins included in DebOps.

(cherry picked from commit 849ecf8)

Without the FQCN, the debops ldap_attrs plugin is used, which is buggy.

This is a manual fix in lieu of cherry-picking this commit, which
should nonetheless apply cleanly once we switch to Debops 3.1:

debops@4d70e99

@href href requested a review from urscale January 25, 2024 09:00
@href href self-assigned this Jan 25, 2024

urscale commented Jan 25, 2024

Working nicely, thanks!

@href href merged commit 155663c into cloudscale/stable-3.0 Jan 25, 2024
14 of 24 checks passed
@href href deleted the denis/bookworm-slapd branch January 25, 2024 16:07