[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)

Mathias Gug mathiaz at ubuntu.com
Fri Jul 23 14:41:24 BST 2010


** Description changed:

  Bug 526230 is back.
  
  I had slapd 2.4.21-0ubuntu4 installed, then "apt-get dist-upgrade",
  which pulled in slapd 2.4.21-0ubuntu5. This modified
  /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif by adding
  duplicate olcAccess lines without any {0} index prefix, causing slapd to
  fail to start. This caused:
  
  ==========
  Setting up slapd (2.4.21-0ubuntu5) ...
    Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu4... done.
  Starting OpenLDAP: slapd - failed.
  The operation failed but no output was produced. For hints on what went
  wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
  try running the daemon in Debug mode like via "slapd -d 16383" (warning:
  this will create copious output).
  
  Below, you can find the command line options used by this script to
  run slapd. Do not forget to specify those options if you
  want to look to debugging output:
    slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
  invoke-rc.d: initscript slapd, action "start" failed.
  dpkg: error processing slapd (--configure):
   subprocess installed post-installation script returned error exit status 1
  ==========
  
  and:
  
  ==========
  Apr 27 21:15:16 esk slapd[8805]: @(#) $OpenLDAP: slapd 2.4.21 (Apr 26 2010 11:07:14) $#012#011buildd at rothera:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
  Apr 27 21:15:16 esk slapd[8805]: config error processing olcDatabase={-1}frontend,cn=config: ordered_value_sort failed on attr olcAccess#012
  Apr 27 21:15:16 esk slapd[8805]: slapd stopped.
  ==========
  
  due to content:
  
  ==========
  dn: olcDatabase={-1}frontend
  objectClass: olcDatabaseConfig
  objectClass: olcFrontendConfig
  olcDatabase: {-1}frontend
  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAddContentAcl: FALSE
  olcLastMod: TRUE
  olcMaxDerefDepth: 0
  olcReadOnly: FALSE
  olcSchemaDN: cn=Subschema
  olcMonitoring: FALSE
  olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break
  structuralObjectClass: olcDatabaseConfig
  entryUUID: 9d222b1e-24cc-102e-9a29-375c9ad51446
  creatorsName: cn=config
  createTimestamp: 20090824073643Z
  entryCSN: 20090824073643.173347Z#000000#000#000000
  modifiersName: cn=config
  modifyTimestamp: 20090824073643Z
  ==========
  
  Note: I tried "apt-get dist-upgrade" a few times to see if the problem
  would fix itself before investigating. I think each run added a new
  duplicate olcAccess entry without checking for pre-existing entries.
  After I deleted the first two olcAccess above, slapd would start again.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: slapd 2.4.21-0ubuntu5
  ProcVersionSignature: Ubuntu 2.6.32-21.32-generic 2.6.32.11+drm33.2
  Uname: Linux 2.6.32-21-generic i686
  Architecture: i386
  Date: Tue Apr 27 21:16:07 2010
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_US.utf8
   SHELL=/bin/bash
  SourcePackage: openldap
  
  Lucid Release Note:
  
  == Openldap fails to start on upgrade ==
  
  When upgrading some systems from Karmic openldap may fail to start by
  logging messages similar to "ordered_value_sort failed on attr
  olcAccess#012". To workaround the problem remove the line "olcAccess: to
  * by dn.exact=cn=localroot,cn=config manage by * break" from
  /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif and
  /etc/ldap/slapd./cn=config/olcDatabase={0}config.ldif.
+ 
+ ==========
+ SRU REPORT
+ ==========
+ 
+ BUG IMPACT:
+ On systems upgraded from jaunty -> karmic -> lucid, the local root
+ user is mapped to cn=localroot,cn=config. The latter dn has then full
+ access to the cn=config tree. The olcAccess line added during the
+ karmic upgrade isn't prefixed with an index. Additional olcAccess
+ lines are added during the lucid upgrade which makes slapd fail to
+ start as all olcAccess lines need to be prefixed with an index.
+ 
+ BUG FIX:
+ The olcAccess line is updated to have an index during the upgrade.
+ 
+ TEST CASE:
+ 1. Install slapd on a jaunty system.
+ 2. Upgrade to  karmic.
+ 3. Upgrade to lucid:
+    * without the fix: after upgrade slapd is not running.
+    * with the fix: after upgrade slapd is running.
+ 
+ REGRESSION POTENTIAL:
+ Unknown.

-- 
slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
https://bugs.launchpad.net/bugs/571057
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
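
An added example, not part of the original bug mail or the openldap packaging: a pre-upgrade check that reads a slapd.d LDIF file and flags the two conditions visible in the reporter's file, an unindexed olcAccess value sitting beside indexed ones and a repeated {n} index. The function names and the sample text are assumptions made for illustration; the sample reuses the olcAccess lines quoted in the report.

```python
import base64
import re

INDEX = re.compile(r"^\{(\d+)\}")

def olc_access_values(ldif_text):
    """Return olcAccess values in file order, unfolding LDIF continuation lines."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # folded line: drop the single leading space
        else:
            logical.append(raw)
    values = []
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "olcaccess":
            continue
        if rest.startswith(":"):        # "attr:: value" means the value is base64
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
        values.append(rest.strip())
    return values

def check_olc_access(ldif_text):
    """Flag the conditions seen in the reported file, as (kind, value) pairs."""
    values = olc_access_values(ldif_text)
    indexed = any(INDEX.match(v) for v in values)
    problems, seen = [], set()
    for v in values:
        m = INDEX.match(v)
        if m is None and indexed:
            problems.append(("unindexed", v))        # mixed with indexed values
        elif m is not None and m.group(1) in seen:
            problems.append(("duplicate-index", v))  # same {n} used twice
        elif m is not None:
            seen.add(m.group(1))
    return problems

# Constructed sample: olcAccess lines from the report, the second one folded.
SAMPLE = """dn: olcDatabase={-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth manage by * break
olcLastMod: TRUE
olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break
"""

if __name__ == "__main__":
    print(check_olc_access(SAMPLE))
```

Run it against a copy of the files under /etc/ldap/slapd.d/cn=config/ before and after the package upgrade; an empty list means neither condition is present.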