Prior to v2 uffd stored users, groups and mail aliases on an LDAP server. OAuth2 and API client credentials were defined in the config. Starting with v2 uffd stores all of this in its database and no longer supports LDAP. A number of other features and configurations are no longer supported. See the changelog for details on changed and removed features.
Create a backup of the database before attempting an upgrade. The database migration scripts are quite complex and somewhat fragile. If anything fails, you will end up with a broken database that is difficult or impossible to recover from. Furthermore downgrading from v2 to v1 is not supported.
Make sure no service (besides uffd) directly accesses your LDAP server. Migrate any remaining services to uffd-ldapd or other solutions that solely rely on uffds API and OAuth2 endpoints. Uffd will cease to update any data stored in the LDAP directory.
Migrate all API clients defined with the API_CLIENTS config option to the
API_CLIENTS_2 option. This includes changing authentication from a
token-based mechanism to HTTP Basic Authentication and consequently replacing
affected credentials.
The imported OAuth2 and API clients are grouped by service objects. These
service objects will be auto-created for each client with unique names derived
from the client_id parameter. Add the service_name parameter to clients to
set a custom name. This name is visible to users in place of the OAuth2
client_id. Use the same service_name for multiple clients to group them
together. This is recommended for OAuth2 and API credentials used by the same
services, as future features like service-specific email addresses will be
added as service-level options. The OAuth2 client parameter required_group is
imported as a service-level option. Make sure that grouped OAuth2 clients have
the same required_group value, otherwise nobody will be able to access the
service. Note that values other than a single group name are not supported.
Adjust the ACLs of your LDAP server so uffd can read the userPassword
attribute of user objects. Note that uffd will not perform any writes to the
LDAP server during or after the upgrade.
If you use user bind (config option LDAP_SERVICE_USER_BIND), i.e. if you
have uffd authenticate with the LDAP server using the credentials of the
currently logged in user, you will have to replace this configuration and
grant uffd full read access to all user, group and mail alias data with
config-defined credentials.
Install the new dependency python3-argon2. (Dist-)Upgrading the Debian
package will do that for you. Do not uninstall the removed dependency
python3-ldap3 (i.e. do not run apt autoremove)! It is required to import
data from the LDAP server.
There is a safeguard in place to prevent accidental upgrades. Add the following line to your config file to disable the safeguard:
UPGRADE_V1_TO_V2=True
Upgrade the Debian package to v2. This will restart the uffd UWSGI app. With the default UWSGI configuration, the database migration scripts will run automatically.
Otherwise run them manually:
uffd-admin db upgrade
The database migration scripts import users, groups and mail aliases from the
configured LDAP server. They also import OAuth2 and API clients defined with
the OAUTH2_CLIENTS and API_CLIENTS_2 config options to the database.
Due to data being split between the LDAP server and the database, uffd v1 tended to accumulate orphaned database objects (e.g. role memberships of deleted users). All orphaned objects are deleted during the upgrade.
As a side-effect upgrading resets all rate limits.
Rename the following config options:
LDAP_USER_GID->USER_GIDLDAP_USER_MIN_UID->USER_MIN_UIDLDAP_USER_MAX_UID->USER_MAX_UIDLDAP_USER_SERVICE_MIN_UID->USER_SERVICE_MIN_UIDLDAP_USER_SERVICE_MAX_UID->USER_SERVICE_MAX_UID
Add the following config options:
GROUP_MIN_GIDGROUP_MAX_GID
Remove the following config options:
UPGRADE_V1_TO_V2LDAP_USER_SEARCH_BASELDAP_USER_SEARCH_FILTERLDAP_USER_OBJECTCLASSESLDAP_USER_DN_ATTRIBUTELDAP_USER_UID_ATTRIBUTELDAP_USER_UID_ALIASESLDAP_USER_LOGINNAME_ATTRIBUTELDAP_USER_LOGINNAME_ALIASESLDAP_USER_DISPLAYNAME_ATTRIBUTELDAP_USER_DISPLAYNAME_ALIASESLDAP_USER_MAIL_ATTRIBUTELDAP_USER_MAIL_ALIASESLDAP_USER_DEFAULT_ATTRIBUTESLDAP_GROUP_SEARCH_BASELDAP_GROUP_SEARCH_FILTERLDAP_GROUP_GID_ATTRIBUTELDAP_GROUP_NAME_ATTRIBUTELDAP_GROUP_DESCRIPTION_ATTRIBUTELDAP_GROUP_MEMBER_ATTRIBUTELDAP_MAIL_SEARCH_BASELDAP_MAIL_SEARCH_FILTERLDAP_MAIL_OBJECTCLASSESLDAP_MAIL_DN_ATTRIBUTELDAP_MAIL_UID_ATTRIBUTELDAP_MAIL_RECEIVERS_ATTRIBUTELDAP_MAIL_DESTINATIONS_ATTRIBUTELDAP_SERVICE_URLLDAP_SERVICE_USE_STARTTLSLDAP_SERVICE_BIND_DNLDAP_SERVICE_BIND_PASSWORDLDAP_SERVICE_USER_BINDENABLE_INVITEENABLE_PASSWORDRESETENABLE_ROLESELFSERVICEOAUTH2_CLIENTSAPI_CLIENTS(should not be set, see "Preperation")API_CLIENTS_2LDAP_SERVICE_MOCK(development option, should not be set)
If you set a custom config filename with the environment variable
CONFIG_FILENAME, replace it with CONFIG_PATH. The new variable must be
set to a full path instead of a filename.
If you set the config option ACL_SELFSERVICE_GROUP, but not
ACL_ACCESS_GROUP, make sure to set ACL_ACCESS_GROUP to the same value as
ACL_SELFSERVICE_GROUP.
Add a cron job that runs uffd-admin cleanup at least daily. Unless you
modified /etc/cron.d/uffd, upgrading the Debian package will do this for you.
Uninstall the previous dependency python3-ldap3 (i.e. run apt autoremove).