Re: new debconf template for openldap
Ryan Tandy wrote:
> Dear debian-l10n-english,
>
> I would like to ask for your review of a new debconf template for slapd.
Glad to - it's been really quiet around here.
> Some background information: If slapd's configuration is not replicated to
> or from any other server, and has no overlays (plugins) applied to it, we
> can upgrade the schema automatically. However, if those conditions are not
> met (replicating the config database is uncommon but definitely supported),
> then it is not safe to perform the change offline: it has to be done by the
> admin *before* removing or replacing the old binaries.
>
> What we do here is generate an LDIF file containing the necessary changeset,
> and show the admin how to apply it.
>
> "Replication with other servers may be affected" is intentionally vague:
> depending on the specific configuration, this specific change might not be
> replicated, replication in general might get stuck and never sync again, or
> everything might just work.
>
> Lintian complains about this template being too long, so I'd welcome
> suggestions for how to reduce it, as well as any other feedback.
>
> Template: slapd/ppolicy_schema_needs_update
> Type: select
> __Choices: abort installation, continue regardless
> DefaultChoice: abort installation
> #flag:comment:2
> # "ppolicy", "pwdMaxRecordedFailure", and "cn=config" are not translatable.
> #flag:translate!:5,7
> _Description: Manual ppolicy schema update recommended
Ppolicy looks so much like a typo, but okay, it's the name of the
Password-Policy module. Probably the first time the term occurs in
the long description it needs to be expanded.
> In the version of slapd about to be installed, the ppolicy overlay
> requires the new pwdMaxRecordedFailure attribute to be defined in the
> ppolicy schema. The schema contained in the cn=config database does not
> currently include this attribute.
Expanding "ppolicy" and crushing everything else:
In the new version of slapd, the Password Policy (ppolicy) overlay schema
requires a defined pwdMaxRecordedFailure attribute, which is not present
in the schema contained in the cn=config database.
(Or would just "the schema currently in use" be okay?)
> .
> You may choose to continue the installation. In this case, the
> maintainer scripts will add the new attribute automatically during the
> upgrade. However, the change will not be acted on by slapd overlays,
> and replication with other servers may be affected.
If you choose to continue the installation, the new attribute will be
added automatically, but the change will not be acted on by slapd overlays,
and replication with other servers may be affected.
> .
> The ppolicy schema can be updated by applying the changes found in the
> following LDIF file:
> .
> ${ldif}
> .
> If slapd is using the default access control rules, after starting
> slapd, the changes can be applied using the following command:
> .
> ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
Maybe you could crush that down to
An LDIF file has been generated containing the required changes:
${ldif}
so if slapd is using the default access control rules, these changes can be
applied (after starting slapd) by using the command:
ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
But it's a bit ugly, and might require extra "untranslatable" flags...
Another possibility is that maybe you could make it just:
An LDIF file has been generated under '/tmp/wherever/it/goes'
containing the required changes, so if slapd is using the default access
control rules, these changes can be applied (after starting slapd) by
using the command:
ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
(Crushing the quoted command rather than the English text might also
be kinder to translators, but I've mostly avoided it in my patch.)
> .
> It is recommended to abort the upgrade now and to update the ppolicy
> schema before upgrading slapd. If replication is in use, the schema
> update should be applied on every server before continuing with the
> upgrade.
Perhaps this could be fewer paragraphs if you handled them in the
other order:
_Description: Manual ppolicy schema update recommended
In the new version of slapd, the Password Policy (ppolicy) overlay schema
requires a defined pwdMaxRecordedFailure attribute, which is not present
in the schema currently in use. It is recommended to abort the upgrade now,
and to update the ppolicy schema before upgrading slapd. If replication is
in use, the schema update should be applied on every server before
continuing with the upgrade.
.
An LDIF file has been generated with the changes required for the upgrade:
.
${ldif}
.
so if slapd is using the default access control rules, these changes can be
applied (after starting slapd) by using the command:
.
ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
.
If instead you choose to continue the installation, the new attribute will
be added automatically, but the change will not be acted on by slapd
overlays, and replication with other servers may be affected.
Fingers crossed that that's short enough for Lintian; if necessary
perhaps you could drop the first paragraph break.
> The full templates file can be found in the git repository: https://anonscm.debian.org/git/pkg-openldap/openldap.git/tree/debian/slapd.templates
Oh, I used apt-get source - hope the attached patch is useful.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff -ru openldap-2.4.44+dfsg.pristine/debian/slapd.templates openldap-2.4.44+dfsg/debian/slapd.templates
--- openldap-2.4.44+dfsg.pristine/debian/slapd.templates 2016-11-11 04:45:29.000000000 +0000
+++ openldap-2.4.44+dfsg/debian/slapd.templates 2017-01-07 21:59:08.934520526 +0000
@@ -158,30 +158,25 @@
# "ppolicy", "pwdMaxRecordedFailure", and "cn=config" are not translatable.
#flag:translate!:5,7
_Description: Manual ppolicy schema update recommended
- In the version of slapd about to be installed, the ppolicy overlay
- requires the new pwdMaxRecordedFailure attribute to be defined in the
- ppolicy schema. The schema contained in the cn=config database does not
- currently include this attribute.
+ In the new version of slapd, the Password Policy (ppolicy) overlay schema
+ requires a defined pwdMaxRecordedFailure attribute, which is not present
+ in the schema currently in use. It is recommended to abort the upgrade now,
+ and to update the ppolicy schema before upgrading slapd. If replication is
+ in use, the schema update should be applied on every server before
+ continuing with the upgrade.
.
- You may choose to continue the installation. In this case, the
- maintainer scripts will add the new attribute automatically during the
- upgrade. However, the change will not be acted on by slapd overlays,
- and replication with other servers may be affected.
- .
- The ppolicy schema can be updated by applying the changes found in the
- following LDIF file:
+ An LDIF file has been generated with the changes required for the upgrade:
.
${ldif}
.
- If slapd is using the default access control rules, after starting
- slapd, the changes can be applied using the following command:
+ so if slapd is using the default access control rules, these changes can be
+ applied (after starting slapd) by using the command:
.
ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
.
- It is recommended to abort the upgrade now and to update the ppolicy
- schema before upgrading slapd. If replication is in use, the schema
- update should be applied on every server before continuing with the
- upgrade.
+ If instead you choose to continue the installation, the new attribute will
+ be added automatically, but the change will not be acted on by slapd
+ overlays, and replication with other servers may be affected.
Template: slapd/smbk5pwd_krb5_disabled
Type: error
Template: slapd/no_configuration
Type: boolean
Default: false
_Description: Omit OpenLDAP server configuration?
If you enable this option, no initial configuration or database will be
created for you.
Template: slapd/dump_database
Type: select
__Choices: always, when needed, never
Default: when needed
_Description: Dump databases to file on upgrade:
Before upgrading to a new version of the OpenLDAP server, the data from
your LDAP directories can be dumped into plain text files in the
standard LDAP Data Interchange Format.
.
Selecting "always" will cause the databases to be dumped
unconditionally before an upgrade. Selecting "when needed" will only
dump the database if the new version is incompatible with the old
database format and it needs to be reimported. If you select "never",
no dump will be done.
Template: slapd/dump_database_destdir
Type: string
Default: /var/backups/slapd-VERSION
_Description: Directory to use for dumped databases:
Please specify the directory where the LDAP databases will be exported.
In this directory, several LDIF files will be created which correspond
to the search bases located on the server. Make sure you have enough
free space on the partition where the directory is located. The first
occurrence of the string "VERSION" is replaced with the server version
you are upgrading from.
Template: slapd/move_old_database
Type: boolean
Default: true
_Description: Move old database?
There are still files in /var/lib/ldap which will probably break
the configuration process. If you enable this option, the maintainer
scripts will move the old database files out of the way before
creating a new database.
Template: slapd/invalid_config
Type: boolean
Default: true
_Description: Retry configuration?
The configuration you entered is invalid. Make sure that the DNS domain name
is syntactically valid, the field for the organization is not left empty and
the admin passwords match. If you decide not to retry the configuration the
LDAP server will not be set up. Run 'dpkg-reconfigure slapd' if you want to
retry later.
Template: slapd/domain
Type: string
_Description: DNS domain name:
The DNS domain name is used to construct the base DN of the LDAP directory.
For example, 'foo.example.org' will create the directory with
'dc=foo, dc=example, dc=org' as base DN.
Template: shared/organization
Type: string
_Description: Organization name:
Please enter the name of the organization to use in the base DN of your
LDAP directory.
Template: slapd/password1
Type: password
_Description: Administrator password:
Please enter the password for the admin entry in your LDAP directory.
Template: slapd/password2
Type: password
_Description: Confirm password:
Please enter the admin password for your LDAP directory again to verify
that you have typed it correctly.
Template: slapd/password_mismatch
Type: note
_Description: Password mismatch
The two passwords you entered were not the same. Please try again.
Template: slapd/purge_database
Type: boolean
Default: false
_Description: Do you want the database to be removed when slapd is purged?
Template: slapd/internal/adminpw
Type: password
Description: Encrypted admin password:
Internal template, should never be displayed to users.
Template: slapd/internal/generated_adminpw
Type: password
Description: Generated admin password:
Internal template, should never be displayed to users.
Template: slapd/upgrade_slapcat_failure
Type: error
#flag:translate!:5
#flag:comment:4
# This paragraph is followed by a (non translatable) paragraph
# containing a command line
#flag:comment:6
# Translators: keep "${location}" unchanged. This is a variable that
# will be replaced by a directory name at execution
_Description: slapcat failure during upgrade
An error occurred while upgrading the LDAP directory.
.
The 'slapcat' program failed while extracting the LDAP directory. This
may be caused by an incorrect configuration file (for example, missing
'moduleload' lines to support the backend database).
.
This failure will cause 'slapadd' to fail later as well. The old database
files will be moved to /var/backups. If you want to try this upgrade
again, you should move the old database files back into place, fix
whatever caused slapcat to fail, and run:
.
slapcat > ${location}
.
Then move the database files back to a backup area and then try running
slapadd from ${location}.
Template: slapd/backend
Type: select
Choices: BDB, HDB, MDB
Default: MDB
_Description: Database backend to use:
HDB and BDB use similar storage formats, but HDB adds support for
subtree renames. Both support the same configuration options.
.
The MDB backend is recommended. MDB uses a new storage format and
requires less configuration than BDB or HDB.
.
In any case, you should review the resulting database configuration for
your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.
Template: slapd/unsafe_selfwrite_acl
Type: note
#flag:comment:3
# Translators: keep "by self write" and "to *" unchanged. These are part
# of the slapd configuration and are not translatable.
_Description: Potentially unsafe slapd access control configuration
One or more of the configured databases has an access control rule that
allows users to modify most of their own attributes. This may be
unsafe, depending on how the database is used.
.
In the case of slapd access rules that begin with "to *", it is
recommended to remove any instances of "by self write", so that users
are only able to modify specifically allowed attributes.
.
See /usr/share/doc/slapd/README.Debian.gz for more details.
Template: slapd/ppolicy_schema_needs_update
Type: select
__Choices: abort installation, continue regardless
DefaultChoice: abort installation
#flag:comment:2
# "ppolicy", "pwdMaxRecordedFailure", and "cn=config" are not translatable.
#flag:translate!:5,7
_Description: Manual ppolicy schema update recommended
In the new version of slapd, the Password Policy (ppolicy) overlay schema
requires a defined pwdMaxRecordedFailure attribute, which is not present
in the schema currently in use. It is recommended to abort the upgrade now,
and to update the ppolicy schema before upgrading slapd. If replication is
in use, the schema update should be applied on every server before
continuing with the upgrade.
.
An LDIF file has been generated with the changes required for the upgrade:
.
${ldif}
.
so if slapd is using the default access control rules, these changes can be
applied (after starting slapd) by using the command:
.
ldapmodify -H ldapi:/// -Y EXTERNAL -f ${ldif}
.
If instead you choose to continue the installation, the new attribute will
be added automatically, but the change will not be acted on by slapd
overlays, and replication with other servers may be affected.
Template: slapd/smbk5pwd_krb5_disabled
Type: error
_Description: Kerberos support disabled for smbk5pwd overlay
The smbk5pwd overlay is no longer built with Kerberos support. The
"smbk5pwd-enable krb5" setting has been automatically disabled in the
slapd configuration file.
Template: slapd/must_disable_smbk5pwd_krb5
Type: error
#flag:translate!:4,6
_Description: Disable Kerberos in smbk5pwd before upgrading slapd
The smbk5pwd overlay is no longer built with Kerberos support. The
"olcSmbK5PwdEnable: krb5" setting must be removed from any instances of
the smbk5pwd overlay before upgrading slapd.
Reply to: