[Pkg-openldap-devel] Bug#593566: - Root access to cn=config not working after upgrade
Peter Marschall
peter at adpm.de
Sun Aug 22 16:25:04 UTC 2010
Package: slapd
Severity: normal
Hi Matthijs,
> Thanks for the patch. I came up with a different approach to this patch.
> On converting the slapd.conf to slapd.d there is an entry olcAccess
> added to olcDatabase=cn=config database, namely:
> olcAccess: {0}to * by * none
That's right, removing the automatically added olcAccess attribute is
the other solution for cn=config, but it does not help in the presence of
other olcAccess or olcAuthzRegex statements in the local setup.
> Another olcAccess line wouldn't help as this was the first entry so
> replacing this line was the correct way. But I think your approach is
> better so I'll apply your patch and will test it.
I am sorry to disagree here.
I checked that it works before I sent my patch.
The olcAccess attributes are evaluated in numerical order of the
numbers X given inside the curly braces "{X}" that start the attribute's
values.
I used X=-1 to be sure that the olcAccess statement for cn=localroot
gets evaluated first.
BTW the same applies for olcAuthzRegex.
I have a local olcAuthzRegex based on uidNumber and gidNumber similar to
the one you use to map uidNumber=0+gidNumber=0 to cn=localroot.
With the X=-1 on my patch I made sure that the olcAuthzRegex for
cn=localroot triggers before my local configuration.
I checked it by trying to access cn=config as root (which worked)
and with my local admin account (which did not work).
Although this caused a change in the behaviour of my system I considered
the patch the best (i.e. simplest/most elegant/...) solution.
And it matches README.Debian ;-)
Best
Peter
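An added example (not part of the bug report or of the Debian slapd package) that models the ordering the message describes: olcAccess values taken from a cn=config LDIF export, sorted by their {X} index, with a check that the `to * by * none` rule left by the slapd.conf conversion is not evaluated ahead of the rule granting cn=localroot. The LDIF entries, the `by dn.exact=cn=localroot,cn=config manage by * break` rule text and the identity-matching heuristic are assumptions for this example; it sorts on the index as written and does not model how slapd renumbers stored values.

```python
import re

# Ordered cn=config values look like "{X}rest"; slapd evaluates them in
# ascending numeric order of X (olcAccess, olcAuthzRegexp, ...).
_INDEXED = re.compile(r"^\{(-?\d+)\}(.*)$", re.S)

def parse_indexed(values):
    """Split "{X}rest" into (X, rest); values without a prefix keep their position."""
    pairs = []
    for pos, val in enumerate(values):
        m = _INDEXED.match(val)
        pairs.append((int(m.group(1)), m.group(2)) if m else (pos, val))
    return pairs

def evaluation_order(values):
    """Rule texts in the order slapd evaluates them (stable sort on X)."""
    return [rule for _, rule in sorted(parse_indexed(values), key=lambda p: p[0])]

def olc_access_values(ldif):
    """Collect olcAccess values of one slapcat-style entry, folding LDIF
    continuation lines (leading space) back onto the line they belong to."""
    unfolded = re.sub(r"\n ", "", ldif.strip())
    return [line[len("olcAccess: "):] for line in unfolded.splitlines()
            if line.startswith("olcAccess: ")]

def localroot_shadowed(values, identity="cn=localroot"):
    """True when a catch-all deny ('to * by * none') is evaluated before any
    rule naming the identity: the first 'to' clause matching the target wins,
    so rules behind it are never reached (the symptom in this bug)."""
    for rule in evaluation_order(values):
        if identity in rule:          # heuristic: rule text mentions the identity
            return False
        if re.fullmatch(r"to\s+\*\s+by\s+\*\s+none", rule.strip()):
            return True
    return False

# Constructed sample: cn=config database as left by the slapd.conf conversion.
CONVERTED = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
"""

# Same entry with a cn=localroot rule at index -1 (assumed rule text).
FIXED = CONVERTED + """\
olcAccess: {-1}to * by dn.exact=cn=localroot,cn=config manage
  by * break
"""

if __name__ == "__main__":
    for name, ldif in (("converted", CONVERTED), ("fixed", FIXED)):
        vals = olc_access_values(ldif)
        print(name, evaluation_order(vals), "shadowed:", localroot_shadowed(vals))
```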