[Pkg-openldap-devel] Bug#593566: slapd - Root access to cn=config not working after upgrade
Bastian Blank
waldi at debian.org
Thu Aug 19 10:10:35 UTC 2010
Package: slapd
Version: 2.4.23-3
Severity: grave
I installed 2.4.23-2 and updated to -3 without a config change. Now I
cannot access cn=config.
| # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
| SASL/EXTERNAL authentication started
| SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
| SASL SSF: 0
| # extended LDIF
| #
| # LDAPv3
| # base <cn=config> with scope subtree
| # filter: (objectclass=*)
| # requesting: ALL
| #
|
| # search result
| search: 2
| result: 32 No such object
|
| # numResponses: 1
ACL debugging log:
[startup]
| slapd starting
| => access_allowed: search access to "cn=config" "entry" requested
| => acl_get: [1] attr entry
| => acl_mask: access to entry "cn=config", attr "entry" requested
| => acl_mask: to all values by "cn=localroot,cn=config", (=0)
| <= check a_dn_pat: *
| <= acl_mask: [1] applying none(=0) (stop)
| <= acl_mask: [1] mask: none(=0)
| => slap_access_allowed: search access denied by none(=0)
| => access_allowed: no more rules
| connection_read(12): no connection!
| connection_read(12): no connection!
| daemon: shutdown requested and initiated.
| slapd shutdown: waiting for 0 operations/tasks to finish
| slapd stopped.
The access is done as cn=localroot,cn=config
| # grep olcAuthz cn=config.ldif
| olcAuthzPolicy: none
| olcAuthzRegexp: gidNumber=[[:digit:]]+\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config
But the first access rule already rejects all access
| # grep olcAcc cn=config/olcDatabase=\{0\}config.ldif
| olcAccess: {0}to * by * none
| olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break
Not sure why this stunt is done instead of using
| gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
directly. I've seen the latter in Ubuntu.
Bastian
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.112 add and remove users and groups
ii coreutils 8.5-1 GNU core utilities
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-1 Berkeley v4.8 Database Libraries [
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.23-3 OpenLDAP libraries
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libperl5.10 5.10.1-14 shared Perl library
ii libsasl2-2 2.1.23.dfsg1-5.1 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.8 OpenSLP libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii perl [libmime-base64-pe 5.10.1-14 Larry Wall's Practical Extraction
ii psmisc 22.12-1 utilities that use the proc file s
ii unixodbc 2.2.14p2-1 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.23.dfsg1-5.1 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.23-3 OpenLDAP utilities
-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF="/etc/ldap/slapd.d"
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""
-- debconf information excluded
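Added example, not part of the original report and not slapd's own code: a minimal Python model of the first-match evaluation visible in the ACL debugging log above, run over the olcAuthzRegexp and olcAccess values quoted in the report. It models only `to *`, the `*` and `dn.exact=` who-forms and the `stop`/`break` controls; `SWAPPED`, `PEER` and all function names are assumptions made for this illustration.

```python
import re

# olcAuthzRegexp and olcAccess values quoted in the report ([[:digit:]] written as [0-9]).
AUTHZ = (r"gidNumber=[0-9]+\+uidNumber=0,cn=peercred,cn=external,cn=auth",
         "cn=localroot,cn=config")
REPORTED = ["{0}to * by * none",
            "{1}to * by dn.exact=cn=localroot,cn=config manage by * break"]
SWAPPED = [REPORTED[1], REPORTED[0]]  # constructed for comparison, not from the report
PEER = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"  # identity from the report

def map_identity(sasl_dn):
    """Apply the authz rewrite to the SASL identity (anchored match, a simplification)."""
    return AUTHZ[1] if re.fullmatch(AUTHZ[0], sasl_dn, re.I) else sasl_dn

def parse(rule):
    """Split 'to <what> by <who> [<access>] [<control>]' into (what, clauses)."""
    what, *bys = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}to\s+", "", rule))
    clauses = []
    for by in bys:
        who, *rest = by.split()
        control = rest.pop() if rest and rest[-1] in ("stop", "break") else "stop"
        if len(rest) > 1:
            raise ValueError(f"clause not modelled: {by}")
        clauses.append((who, rest[0] if rest else None, control))
    return what, clauses

def who_matches(who, dn):
    if who == "*":
        return True
    if who.startswith("dn.exact="):
        return who[len("dn.exact="):].lower() == dn.lower()
    raise ValueError(f"<who> form not modelled: {who}")

def evaluate(rules, dn):
    """Return (access, index of deciding rule) for dn on any entry."""
    for idx, rule in enumerate(rules):
        what, clauses = parse(rule)
        if what != "*":
            raise ValueError("only 'to *' is modelled")
        # First matching <who> wins; every rule ends with an implicit 'by * none stop'.
        _, access, control = next((c for c in clauses if who_matches(c[0], dn)),
                                  ("*", "none", "stop"))
        if control == "stop":          # otherwise 'break': try the next olcAccess rule
            return access or "none", idx
    return "none", None                # no rule left: access denied

if __name__ == "__main__":
    for rules in (REPORTED, SWAPPED):
        print(evaluate(rules, map_identity(PEER)))
```

With the rules in the reported order the catch-all `by * none` decides before the `dn.exact` clause is ever consulted, which is the `applying none(=0) (stop)` outcome in the log.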