[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif

Nathan Stratton Treadway ubuntu.lp at nathanst.com
Fri Apr 23 17:33:06 BST 2010


I took a quick look through the new slapd.postinst script found in:
 lp:~mathiaz/ubuntu/lucid/openldap/fix-root-olcaccess-upgrade

Am I correct that you no longer attempt to delete the 
  olcAccess: {0}to *  by * none
line from the olcDatabase={0}config.ldif file (i.e. the line that is generated automatically by the slapd.conf -> slapd.d conversion, e.g. during a Hardy->Lucid upgrade)?

In my quick testing, I found that having that line still in the file
prevented me from accessing that part of the tree (even though it
appeared after the new gidNumber=0 line).  For example, when "grep
olcAccess olcDatabase\=\{0\}config.ldif" returned these two lines:

  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {0}to *  by * none

, then an ldapsearch returned:
=====================
[...]
# LDAPv3
# base <olcDatabase={0}config,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
=====================

But, when I stopped slapd, removed the "olcAccess: {0}to *  by * none" line by hand, and restarted slapd, then the exact same ldapsearch command returned data:
=====================
# LDAPv3
# base <olcDatabase={0}config,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
[...]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
=====================

(On the other hand, I didn't find much explanation about using the "gidNumber=0" form of authentication, other than the very brief mention of the switch to it in the openldap 2.4.17-1ubuntu3 release notes entry, so perhaps I missed something when running these tests....  The command line I ended up using was
  #  ldapsearch -Y EXTERNAL -Hldapi:///  -b "olcDatabase={0}config,cn=config"
, run as root... but let me know if that wasn't actually testing what I should have been testing....)

-- 
olcAccess are options broken on upgrade in {-1}frontend.ldif
https://bugs.launchpad.net/bugs/563829
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
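An added check, not code from the bug report or from the openldap package, that parses an olcDatabase={0}config.ldif fragment like the one quoted above, unfolds LDIF continuation lines, and reports duplicate {n} ordering indices together with any leftover "to * by * none" rule; the SAMPLE_LDIF fragment is constructed for the example.

```python
import re

# Constructed sample (not the bug report's file verbatim): an olcDatabase={0}config.ldif
# fragment as left behind by the slapd.conf -> slapd.d conversion, with one folded value.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {0}to *  by * none
"""

INDEX_RE = re.compile(r"^\{(\d+)\}(.*)$")          # X-ORDERED value prefix, e.g. "{0}to * ..."
DENY_ALL_RE = re.compile(r"^to \*\s+by \* none$")  # the deny-all rule the conversion adds

def unfold_ldif(text):
    """Return (attribute, value) pairs, joining RFC 2849 continuation lines
    (a line beginning with one space continues the previous value)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return [tuple(s.strip() for s in line.partition(":")[::2]) for line in lines]

def olc_access_rules(text):
    """Extract olcAccess values as (ordering index, rule) tuples; index -1 if unindexed."""
    rules = []
    for attr, value in unfold_ldif(text):
        if attr.lower() == "olcaccess":
            m = INDEX_RE.match(value)
            rules.append((int(m.group(1)), m.group(2).strip()) if m else (-1, value))
    return rules

def audit_olc_access(text):
    """Flag duplicate {n} indices and leftover deny-all rules: the two conditions
    visible in the upgraded config database quoted in the bug report."""
    rules = olc_access_rules(text)
    counts = {}
    for idx, _ in rules:
        counts[idx] = counts.get(idx, 0) + 1
    return {
        "rules": rules,
        "duplicate_indices": sorted(i for i, n in counts.items() if n > 1 and i >= 0),
        "deny_all": [r for _, r in rules if DENY_ALL_RE.match(r)],
    }
```

Running `audit_olc_access(SAMPLE_LDIF)` on the constructed fragment reports index 0 as duplicated and the single "to *  by * none" rule as deny-all.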