[Pkg-openldap-devel] Bug#593878: slapd upgrade/start fails when authz-regex / access statements are used in local config
Peter Marschall
peter at adpm.de
Sat Aug 21 19:30:23 UTC 2010
Package: slapd
Version: 2.4.23-3
Severity: grave
Tags: sid patch
Justification: renders package unusable
Hi Matthijs (and the other Debian openldap maintainers,
I have quite some authz-regex & access statements in my slapd.conf.
On upgrade they get converted to
olcAuthzRegex: {X}....
and
olcAccess: {Y}....
attributes (with X,Y numbers) in the slapd.d/ config ldifs.
The addition of additional values for these attributes that lack the
"{X}" part at the beginning causes slapd to fail to start and the abgrade to fail.
The attached patch to debian/slapd.script-common fixes the problem:
- it check for the existence a bit more flexibly
- and adds the clauses with {-1} prepended
so that they get evaluated first (making use of the fact that slapd's
conversion logic starts with X=0 ;-))
With this patch applied and slapd re-compiled locally the upgrade works
without problems
As a plus, this patch also fixes bug #593566
Best regards
Peter
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.112 add and remove users and groups
ii coreutils 8.5-1 GNU core utilities
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-1 Berkeley v4.8 Database Libraries [
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.23-3pm1 OpenLDAP libraries
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libperl5.10 5.10.1-14 shared Perl library
ii libsasl2-2 2.1.23.dfsg1-5 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.7 OpenSLP libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii perl [libmime-base64-perl 5.10.1-14 Larry Wall's Practical Extraction
ii psmisc 22.11-1 utilities that use the proc file s
ii unixodbc 2.2.14p2-1 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.23.dfsg1-5 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.23-3pm1 OpenLDAP utilities
-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF="/etc/ldap/slapd.d"
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
export KRB5_KTNAME="FILE:/etc/ldap/slapd.keytab"
SLAPD_OPTIONS="-o slp=(tree=experimental),(server-type=OpenLDAP),(server-version=2.4.21)"
-- debconf information:
slapd/tlsciphersuite:
shared/organization: adpm.de
slapd/upgrade_slapcat_failure:
slapd/backend: HDB
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/move_old_database: true
slapd/suffix_change: false
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/domain: adpm.de
slapd/password_mismatch:
slapd/invalid_config: true
slapd/slurpd_obsolete:
slapd/dump_database: when needed
slapd/migrate_ldbm_to_bdb: false
slapd/purge_database: false
-------------- next part --------------
--- openldap-2.4.32/debian/slapd.scripts-common
+++ openldap-2.4.32/debian/slapd.scripts-common
@@ -137,16 +137,16 @@
SLAPD_CONF=/etc/ldap/slapd.d
# Add the localroot authz mapping
- if ! grep -q -E '^olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
+ if ! grep -q -E '^olcAuthzRegexp: ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
+ sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
fi
# Add olcAccess control to grant cn=localroot,cn=config manage access
- if ! grep -q -E '^olcAccess: to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
+ if ! grep -q -E '^olcAccess: ({.*})?to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"; then
+ sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {-1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
fi
- if ! grep -q -E '^olcAccess: {1}to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
+ if ! grep -q -E '^olcAccess: ({.*})?to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; then
+ sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {-1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
fi
# TODO: Now we are doing something that is not allowed by policy but it
More information about the Pkg-openldap-devel
mailing list