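#! /bin/bash
#
# slapd post-installation script.
#
# Runs as a package maintainer script: on a first install it creates the
# initial slapd configuration, on an upgrade it migrates and repairs an
# existing one, then fixes ownership/permissions and reloads the AppArmor
# profile.
#
# The helper functions called below, and the $OLD_VERSION and $SLAPD_CONF
# variables, come from the #SCRIPTSCOMMON# substitution. $MODE and
# $SLAPD_USER are not set in this file either; presumably they come from the
# same place -- confirm against debian/slapd.scripts-common.

set -e

. /usr/share/debconf/confmodule

# This will be replaced with debian/slapd.scripts-common which includes
# various helper functions and $OLD_VERSION and $SLAPD_CONF
#SCRIPTSCOMMON#

postinst_initial_configuration() {					# {{{
# Configure slapd for the first time (when first installed)
# Usage: postinst_initial_configuration
#
# Does nothing but print a notice when the administrator asked for manual
# configuration.

	if manual_configuration_wanted; then
		echo " Omitting slapd configuration as requested." >&2
	else
		create_new_configuration
		configure_v2_protocol_support
	fi
}

# }}}
postinst_upgrade_configuration() {					# {{{
# Handle upgrading slapd from some older version
# Usage: postinst_upgrade_configuration
#
# Steps, in order: back up the configuration, reload databases if the
# on-disk format changed, migrate slapd.conf to slapd.d, apply the
# version-specific olcAccess repairs, and finally reset permissions.
# The order matters: the olcAccess edits rely on $SLAPD_CONF already
# pointing at the slapd.d directory.

	# Better back up the config file in any case
	echo -n " Backing up $SLAPD_CONF in $(database_dumping_destdir)... " >&2
	backup_config_once
	echo done. >&2

	if database_format_changed; then
		# During upgrading we have to load the old data
		move_incompatible_databases_away
		load_databases
	fi

	# Migrate from slapd.conf to slapd.d/.
	if previous_version_older 2.4.11-0ubuntu1 && [ -f "${SLAPD_CONF}" ]; then
		# Initial migration
		#
		# NOTE(review): keep this a plain mkdir (no -p). If the directory
		# already exists, mkdir fails and set -e aborts here, so the
		# rm -rf in the failure path below can only ever remove a
		# directory this run created.
		mkdir /etc/ldap/slapd.d/

		# Start from a known-empty flag; a stale or inherited "failed"
		# value would otherwise trigger the rm -rf/exit path below.
		failed=
		capture_diagnostics slaptest -f "${SLAPD_CONF}" -F /etc/ldap/slapd.d/ || failed=1
		if [ "$failed" ]; then
			echo failed. >&2
			echo >&2
			cat <<-EOF
Migrating slapd.conf file (${SLAPD_CONF}) to slapd.d failed with the following
error while running slaptest:
EOF
			release_diagnostics " "
			rm -rf /etc/ldap/slapd.d/
			exit 1
		fi

		echo " Successfully migrated ${SLAPD_CONF} configuration file to /etc/ldap/slapd.d/ directory. 
" >&2
		# Quoted: this runs as root on a path read from configuration,
		# so it must not be word-split or glob-expanded.
		mv "${SLAPD_CONF}" "${SLAPD_CONF}.old"
		SLAPD_CONF=/etc/ldap/slapd.d
		# Fix SLAPD_CONF setting in slapd default file
		sed -i "s|^SLAPD_CONF=.\+|SLAPD_CONF=${SLAPD_CONF}|" /etc/default/slapd
	fi

	configure_v2_protocol_support

	# fix systems incorrectly upgraded by 2.4.21-0ubuntu3 (LP: #559070)
	# The deleted rule is a leading "to * by * none" on the config database.
	cfg_ldif="${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
	if [ "$OLD_VERSION" = "2.4.21-0ubuntu3" ] && [ -f "${cfg_ldif}" ]; then
		sed -i "/^olcAccess: {0}to \*[ ]* by \* none/d;" "${cfg_ldif}"
	fi

	# Grant manage access to connections made by the root user via
	# SASL EXTERNAL
	#
	# Security note: "manage" is the highest OpenLDAP access level, and
	# the rule is matched on peer credentials (uid 0 / gid 0). Any process
	# running as root on this host that can reach the local socket gets
	# full control of cn=config and the frontend database. "by * break"
	# leaves every other identity to the later olcAccess rules.
	if previous_version_older 2.4.21-0ubuntu5 ; then
		if [ -d "$SLAPD_CONF" ]; then
			# Stick the new olcAccess at the beginning of the
			# olcAccess list (using an index of 0 *and*
			# adding it as early as possible in the ldif file)
			# to make sure that local root has access to the
			# database no matter what other acls say.
			sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
			sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
		fi
	fi

	# Properly index cn=localroot,cn=config olcAccess line.
	# LP: #571057.
	#
	# On systems upgraded from jaunty -> karmic -> lucid, the local root
	# user is mapped to cn=localroot,cn=config. The latter dn has then full
	# access to the cn=config tree. The olcAccess line added during the
	# karmic upgrade isn't prefixed with an index. Additional olcAccess
	# lines are added during the lucid upgrade which makes slapd fail to
	# start as all olcAccess lines need to be prefixed with an index.
	#
	if previous_version_older 2.4.21-0ubuntu5.1 ; then
		if [ -d "$SLAPD_CONF" ]; then
			sed -i 's/^olcAccess: to \* by dn.exact=cn=localroot,cn=config manage by \* break/olcAccess: {0}to \* by dn.exact=cn=localroot,cn=config manage by \* break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
			sed -i 's/^olcAccess: to \* by dn.exact=cn=localroot,cn=config manage by \* break/olcAccess: {0}to \* by dn.exact=cn=localroot,cn=config manage by \* break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
		fi
	fi

	# Update permissions of all database directories and /var/run/slapd
	update_databases_permissions
	if [ ! -d "/var/run/slapd" ]; then
		mkdir -p "/var/run/slapd"
	fi
	update_permissions /var/run/slapd
	# update_permissions doesn't allow a world readable dir.
	# slapd run dir has the slapi socket and thus needs
	# to be world accessible.
	# With the directory at 0755, client access control rests on the
	# socket's own mode and slapd's ACLs, not on this directory.
	chmod 0755 /var/run/slapd

	# Versions prior to 2.4.7-1 could create a slapd.conf that wasn't
	# readable by the openldap user.
	update_permissions "${SLAPD_CONF}"
}

# }}}

# Create a new user. Don't create the user, however, if the local
# administrator has already customized slapd to run as a different user.
if [ "$MODE" = "configure" ] || [ "$MODE" = "reconfigure" ] ; then
	if [ "openldap" = "$SLAPD_USER" ] ; then
		create_new_user
	fi
fi

# Configuration.
if is_initial_configuration "$@"; then
	postinst_initial_configuration
else
	postinst_upgrade_configuration
fi

# Best effort: a failure to stop debconf must not fail the installation.
db_stop || true

# Reload AppArmor profile
# Best effort as well: if the reload fails the installation still succeeds,
# and the previously loaded profile (if any) stays in effect.
profile="/etc/apparmor.d/usr.sbin.slapd"
if [ -f "$profile" ] && aa-status --enabled 2>/dev/null; then
	apparmor_parser -r "$profile" || true
fi

#DEBHELPER#

exit 0

# vim: set sw=8 foldmethod=marker: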