[Pkg-openldap-devel] Bug#593878: slapd upgrade/start fails when authz-regex / access statements are used in local config

Peter Marschall peter at adpm.de
Sat Aug 21 19:30:23 UTC 2010


Package: slapd
Version: 2.4.23-3
Severity: grave
Tags: sid patch
Justification: renders package unusable

Hi Matthijs (and the other Debian openldap maintainers),

I have quite some authz-regex & access statements in my slapd.conf.
On upgrade they get converted to
  olcAuthzRegex: {X}....
and
  olcAccess: {Y}....
attributes (with X,Y numbers) in the slapd.d/ config ldifs.

The addition of additional values for these attributes that lack the
"{X}" part at the beginning causes slapd to fail to start and the upgrade to fail.

The attached patch to debian/slapd.scripts-common fixes the problem:
- it checks for the existence a bit more flexibly
- and adds the clauses with {-1} prepended
so that they get evaluated first (making use of the fact that slapd's
conversion logic starts with X=0 ;-))

With this patch applied and slapd re-compiled locally the upgrade works
without problems.

As a plus, this patch also fixes bug #593566.

Best regards
Peter



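As an added example that is not part of this report or of the Debian package, a small pre-flight check for the condition described above: it scans a slapd.d LDIF file for an X-ORDERED attribute (olcAuthzRegexp, olcAccess) whose values mix "{N}"-prefixed and bare entries, the state that makes slapd refuse to start. The function names and the constructed sample fragment are mine; the sample's second value mirrors the localroot mapping from the patch.

```sh
#!/bin/sh
# Added example, not part of the Debian package or the reporter's patch:
# a pre-flight check for the failure mode in this report, an X-ORDERED
# attribute (olcAuthzRegexp, olcAccess) in slapd.d whose values mix the
# "{N}" form written by the slapd.conf conversion with bare values added
# afterwards. Run it before restarting slapd after editing slapd.d by hand.
# Usage: check_ordered_attr ATTR FILE -> 0 consistent, 1 mixed, 2 unreadable

check_ordered_attr() {
    attr="$1"
    file="$2"
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }
    # grep -c prints 0 and exits 1 on no match; keep the count, drop the status
    prefixed=$(grep -c -E "^${attr}: [{]-?[0-9]+[}]" "$file" || true)
    bare=$(grep -c -E "^${attr}: [^{]" "$file" || true)
    if [ "$prefixed" -gt 0 ] && [ "$bare" -gt 0 ]; then
        echo "$file: $attr mixes $prefixed ordered and $bare unordered value(s)" >&2
        return 1
    fi
    return 0
}

# Constructed cn=config.ldif fragment: one value from the conversion ({0}),
# then the localroot mapping appended with prefix $2 ("" reproduces the
# bug, "{-1}" is what the patched script writes).
write_sample() {
    {
        printf '%s\n' "dn: cn=config"
        printf '%s\n' "objectClass: olcGlobal"
        printf '%s\n' "cn: config"
        printf '%s\n' "olcAuthzRegexp: {0}uid=([^,]*),cn=digest-md5,cn=auth ldap:///dc=example,dc=com??sub?(uid=\$1)"
        printf '%s\n' "olcAuthzRegexp: ${2}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config"
        printf '%s\n' "structuralObjectClass: olcGlobal"
    } > "$1"
}

# Stand-alone demonstration: the bare value is flagged, the {-1} form passes.
demo() {
    f=$(mktemp)
    write_sample "$f" ""
    check_ordered_attr olcAuthzRegexp "$f" || echo "flagged as expected"
    write_sample "$f" "{-1}"
    check_ordered_attr olcAuthzRegexp "$f" && echo "consistent after fix"
    rm -f "$f"
}
demo
```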
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                   3.112          add and remove users and groups
ii  coreutils                 8.5-1          GNU core utilities
ii  debconf [debconf-2.0]     1.5.35         Debian configuration management sy
ii  libc6                     2.11.2-2       Embedded GNU C Library: Shared lib
ii  libdb4.8                  4.8.30-1       Berkeley v4.8 Database Libraries [
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libldap-2.4-2             2.4.23-3pm1    OpenLDAP libraries
ii  libltdl7                  2.2.6b-2       A system independent dlopen wrappe
ii  libperl5.10               5.10.1-14      shared Perl library
ii  libsasl2-2                2.1.23.dfsg1-5 Cyrus SASL - authentication abstra
ii  libslp1                   1.2.1-7.7      OpenSLP libraries
ii  libwrap0                  7.6.q-19       Wietse Venema's TCP wrappers libra
ii  lsb-base                  3.2-23.1       Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-perl 5.10.1-14      Larry Wall's Practical Extraction 
ii  psmisc                    22.11-1        utilities that use the proc file s
ii  unixodbc                  2.2.14p2-1     ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.23.dfsg1-5 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                   2.4.23-3pm1 OpenLDAP utilities

-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF="/etc/ldap/slapd.d"
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
export KRB5_KTNAME="FILE:/etc/ldap/slapd.keytab"
SLAPD_OPTIONS="-o slp=(tree=experimental),(server-type=OpenLDAP),(server-version=2.4.21)"


-- debconf information:
  slapd/tlsciphersuite:
  shared/organization: adpm.de
  slapd/upgrade_slapcat_failure:
  slapd/backend: HDB
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/domain: adpm.de
  slapd/password_mismatch:
  slapd/invalid_config: true
  slapd/slurpd_obsolete:
  slapd/dump_database: when needed
  slapd/migrate_ldbm_to_bdb: false
  slapd/purge_database: false
--- openldap-2.4.32/debian/slapd.scripts-common
+++ openldap-2.4.32/debian/slapd.scripts-common
@@ -137,16 +137,16 @@
 		SLAPD_CONF=/etc/ldap/slapd.d
 
 		# Add the localroot authz mapping
-		if ! grep -q -E '^olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
-			sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
+		if ! grep -q -E '^olcAuthzRegexp: ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
+			sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
 		fi
 
 		# Add olcAccess control to grant cn=localroot,cn=config manage access
-		if ! grep -q -E '^olcAccess: to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"; then
-			sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
+		if ! grep -q -E '^olcAccess: ({.*})?to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"; then
+			sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {-1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
 		fi
-		if ! grep -q -E '^olcAccess: {1}to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; then
-			sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
+		if ! grep -q -E '^olcAccess: ({.*})?to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; then
+			sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {-1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
 		fi
 
 		# TODO: Now we are doing something that is not allowed by policy but it
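Review bot: the `({.*})?` prefix added to the three grep checks is looser than needed: `.*` accepts any text between the braces, and an unescaped `{` in an ERE is only reliably literal with GNU grep. A pattern such as `(\{-?[0-9]+\})?` matches exactly the X-ORDERED index slapd writes (including the `{-1}` the sed lines now insert) and nothing else. The third block also deserves a comment next to the sed: it previously inserted `{1}` into olcDatabase={0}config.ldif and now inserts `{-1}`, so the localroot rule sorts ahead of the existing `{0}` olcAccess; that is harmless because the rule ends in `by * break`, but the ordering change and the reliance on `{-1}` sorting before `{0}` should be stated in the script rather than left implicit.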
