From d41e5ca07b67f8f2d09128f8d96e0b26744cedc0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 8 Feb 2024 18:21:32 +0200
Subject: [PATCH] Support 389-ds with lmdb backend
Signed-off-by: Alexander Bokovoy
---
freeipa-support-389-ds-with-lmdb-backup.patch | 83 ++++++++++++++
...ipa-support-389-ds-with-lmdb-restore.patch | 106 ++++++++++++++++++
freeipa.spec | 11 +-
3 files changed, 197 insertions(+), 3 deletions(-)
create mode 100644 freeipa-support-389-ds-with-lmdb-backup.patch
create mode 100644 freeipa-support-389-ds-with-lmdb-restore.patch
diff --git a/freeipa-support-389-ds-with-lmdb-backup.patch b/freeipa-support-389-ds-with-lmdb-backup.patch
new file mode 100644
index 0000000..2766d0b
--- /dev/null
+++ b/freeipa-support-389-ds-with-lmdb-backup.patch
@@ -0,0 +1,83 @@ +From 677d30806662856595289525ef529a77adbf2272 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 26 Jan 2024 13:26:48 +0100 +Subject: [PATCH] ipa-backup: adapt for 389ds switch to LMDB + +ipa-backup is relying on the presence of the directory +/var/lib/dirsrv/slapd-/db/ipaca/ +to detect if the CA is installed on the server and backup +the ipaca backend. + +With the switch to LMDB, this directory does not exist and the +backup is missing ipaca information. + +Use lib389.cli_ctl.dblib.run_dbscan utility instead to +check if ipaca backend is present (this method has been +introduced in 389ds 2.1.0 and works with Berkeley DB and LMDB). + +Fixes: https://pagure.io/freeipa/issue/9516 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +Reviewed-By: Thierry Bordaz +--- + freeipa.spec.in | 7 ++++--- + ipaserver/install/ipa_backup.py | 8 ++++++-- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index a091fee68..997a55d8d 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -78,8 +78,8 @@ + %global ds_version 1.4.3.16-12 + %global selinux_policy_version 3.14.3-107 + %else +-# DNA interval enabled +-%global ds_version 2.0.5-1 ++# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility ++%global ds_version 2.1.0 + %global selinux_policy_version 38.1.1-1 + %endif + +@@ -124,10 +124,11 @@ + + # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 + # and has DNA interval enabled ++# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility + %if 0%{?fedora} < 34 + %global ds_version 1.4.4.16-1 + %else +-%global ds_version 2.0.7-1 ++%global ds_version 2.1.0 + %endif + + # Fix for TLS 1.3 PHA, RHBZ#1775146 +diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py +index 2904c9e2e..f4fa73ff5 100644 +--- a/ipaserver/install/ipa_backup.py ++++ b/ipaserver/install/ipa_backup.py +@@ -41,6 
+41,7 @@ from ipaserver.install import installutils + from ipapython import ipaldap + from ipaplatform.constants import constants + from ipaplatform.tasks import tasks ++from lib389.cli_ctl.dblib import run_dbscan + + # pylint: disable=import-error + if six.PY3: +@@ -337,8 +338,11 @@ class Backup(admintool.AdminTool): + instance = ipaldap.realm_to_serverid(api.env.realm) + if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % + instance): +- if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % +- (instance, 'ipaca')): ++ # Check existence of ipaca backend ++ dbpath = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % ++ (instance, "")) ++ output = run_dbscan(['-L', dbpath]) ++ if 'ipaca/' in output: + self.db2ldif(instance, 'ipaca', online=options.online) + self.db2ldif(instance, 'userRoot', online=options.online) + self.db2bak(instance, online=options.online) +-- +2.43.0 + diff --git a/freeipa-support-389-ds-with-lmdb-restore.patch b/freeipa-support-389-ds-with-lmdb-restore.patch new file mode 100644 index 0000000..ef2ee4e --- /dev/null +++ b/freeipa-support-389-ds-with-lmdb-restore.patch 
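Review bot: The new test `if 'ipaca/' in output:` is a case-sensitive substring match over the whole dbscan listing, so any path that merely contains `ipaca/` satisfies it and a backend listed with different casing does not. The restore patch on this page parses the same listing by taking the first path component and lower-casing it; using that same parsing here would keep the two tools agreeing on whether a CA backend exists. When the check is false the CA backend is skipped without a trace, so I would add a log line in an `else:` branch, e.g. `logger.info("ipaca backend not found in %s, skipping CA export", dbpath)` (assuming the module has a `logger`, which this hunk does not show). What `run_dbscan` returns or raises when the scan fails is not visible here, and the enclosing method begins outside the hunk.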
@@ -0,0 +1,106 @@ +From cb16071635e8c60faa5b6062ed1dd61c3f133fa3 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 7 Feb 2024 13:42:11 -0500 +Subject: ipa-restore: adapt for 389-ds switch to LMDB + +ipa-restore is relying on the presence of specific directories, +e.g. /var/lib/dirsrv/slapd-/db/ipaca, to detect +which backends are in use (userRoot or ipaca). + +With the switch to LMDB, these directories do not exist and the +restore fails finding the ipaca backend. + +Use lib389.cli_ctl.dblib.run_dbscan utility instead to +check which backends are present. + +This method was been introduced in 389ds 2.1.0 and works with +Berkeley DB and LMDB. + +Fixes: https://pagure.io/freeipa/issue/9526 + +Signed-off-by: Rob Crittenden +--- + ipaserver/install/ipa_restore.py | 45 +++++++++++++++++++++++++++----- + 1 file changed, 38 insertions(+), 7 deletions(-) + +diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py +index 5b7ac61d08f..88b34477049 100644 +--- a/ipaserver/install/ipa_restore.py ++++ b/ipaserver/install/ipa_restore.py +@@ -50,6 +50,8 @@ + from ipaplatform import services + from ipaplatform.paths import paths + ++from lib389.cli_ctl.dblib import run_dbscan ++ + try: + from ipaserver.install import adtrustinstance + except ImportError: +@@ -65,6 +67,29 @@ + + logger = logging.getLogger(__name__) + ++backends = [] # global to save running dbscan multiple times ++ ++ ++def get_backends(db_dir): ++ """Retrieve the set of backends directly from the current database""" ++ global backends ++ ++ if backends: ++ return backends ++ ++ output = run_dbscan(['-L', db_dir]) ++ output = output.replace(db_dir + '/', '') ++ output = output.split('\n') ++ for line in output: ++ if '/' not in line: ++ continue ++ backends.append(line.split('/')[0].strip().lower()) ++ backends = set(backends) ++ if 'changelog' in backends: ++ backends.remove('changelog') ++ ++ return backends ++ + + def recursive_chown(path, uid, gid): + ''' +@@ -295,8 +320,9 @@ def 
run(self): + if options.backend: + for instance in self.instances: + db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % +- (instance, options.backend)) +- if os.path.exists(db_dir): ++ (instance, "")) ++ backends = get_backends(db_dir) ++ if options.backend.lower() in backends: + break + else: + raise admintool.ScriptError( +@@ -304,15 +330,20 @@ def run(self): + + self.backends = [options.backend] + ++ missing_backends = [] + for instance, backend in itertools.product(self.instances, + self.backends): + db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % +- (instance, backend)) +- if os.path.exists(db_dir): +- break +- else: ++ (instance, "")) ++ backends = get_backends(db_dir) ++ if backend.lower() not in backends: ++ missing_backends.append(backend) ++ ++ if missing_backends: + raise admintool.ScriptError( +- "Cannot restore a data backup into an empty system") ++ "Cannot restore a data backup into an empty system. " ++ "Missing backend(s) %s" % ', '.join(missing_backends) ++ ) + + logger.info("Performing %s restore from %s backup", + restore_type, self.backup_type) diff --git a/freeipa.spec b/freeipa.spec index 478a485..6994899 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -78,8 +78,8 @@ %global ds_version 1.4.3.16-12 %global selinux_policy_version 3.14.3-107 %else -# DNA interval enabled -%global ds_version 2.0.5-1 +# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility +%global ds_version 2.1.0 %global selinux_policy_version 38.1.1-1 %endif @@ -200,7 +200,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 2%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
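Review bot: `get_backends(db_dir)` caches its result in the module-level `backends` and returns it for every later call regardless of `db_dir`, so in `run()` every instance after the first is checked against the first instance's backend list. The cache is also rebound from a list to a set; if the first scan leaves it empty (for example only `changelog` was listed), the next call skips the early return and `backends.append(...)` raises AttributeError on the set. Keying the cache by directory and building a fresh set per scan fixes both, as sketched below. Separately, the second loop in `run()` now fails when any backend is missing, whereas the removed `for`/`else` passed when any one existed, and `missing_backends` can list the same name once per instance; `run()` starts and ends outside these hunks, so confirm that the stricter behaviour is intended.

```python
_backends_cache = {}  # db_dir -> set of backend names, one dbscan run per directory


def get_backends(db_dir):
    """Retrieve the set of backends directly from the current database"""
    if db_dir in _backends_cache:
        return _backends_cache[db_dir]

    found = set()
    listing = run_dbscan(['-L', db_dir]).replace(db_dir + '/', '')
    for line in listing.split('\n'):
        if '/' not in line:
            continue
        found.add(line.split('/')[0].strip().lower())
    found.discard('changelog')

    _backends_cache[db_dir] = found
    return found
```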
@@ -229,6 +229,8 @@ Patch0009: 0005-pyca-42.0.0-support.patch Patch0010: 0004-ipa-cli-krb5-crash.patch Patch0011: 0003-kdb-memory-leak.patch Patch0012: 0010-support-samba-4.20.patch +Patch0013: freeipa-support-389-ds-with-lmdb-backup.patch +Patch0014: freeipa-support-389-ds-with-lmdb-restore.patch # RHEL spec file only: START: Change branding to IPA and Identity Management # Moved branding logos and background to redhat-logos-ipa-80.4: @@ -1749,6 +1751,9 @@ fi %endif %changelog +* Thu Feb 08 2024 Alexander Bokovoy - 4.11.1-3 +- Support 389-ds with lmdb backend + * Wed Jan 24 2024 Fedora Release Engineering - 4.11.1-2 - Rebuild against Samba 4.20rc1 - Fix memory leak in Kerberos KDC driver