[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
Nathan Stratton Treadway
ubuntu.lp at nathanst.com
Wed Apr 28 16:53:28 BST 2010
To follow up on my comment #2: I did some more testing and determined that the behavior I was seeing related to the olcAccess lines in the olcDatabase={0}config.ldif file was due to the "localroot"-related lines left over from earlier versions of the slapd.posting script. Once I removed all those references, then everything worked as expected even when the two lines
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {0}to * by * none
were both found in the config.ldif file.
I will add a comment on bug 571057 related to the manual cleanup steps
that should be mentioned in the release notes.
(In case any else is following this trail of crumbs, the issue I had was
that the olcAuthzRegexp line that mapped the UID=0 user to
"cn=localroot,cn=config" was still found in my slapd.d/cn=config.ldif
file. This meant that the "dn.exact=gidNumber=0" line mentioned above
was not matched. Thus, the permission check would fall to the
"olcAccess: {0}to * by * none" line and access would be denied.
When the "olcAccess: {0}to * by * none" line was removed from the
{0}config.ldif file, the access control search continued on through to
the olcAccess lines found in the olcDatabase={-1}frontend.ldif file...
and that file still contained a line granting "localroot" access, so my
ldapsearch succeeded.)
--
olcAccess are options broken on upgrade in {-1}frontend.ldif
https://bugs.launchpad.net/bugs/563829
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
More information about the Ubuntu-server-bugs
mailing list