[Pkg-openldap-devel] Bug#593878: Bug#593878: slapd upgrade/start fails when authz-regex / access statements are used in local config

Mathias Gug mathiaz at ubuntu.com
Mon Aug 23 13:34:12 UTC 2010 

Hi,

Excerpts from Peter Marschall's message of Sat Aug 21 15:30:23 -0400 2010:
> 
> The attached patch to debian/slapd.script-common fixes the problem:
> - it check for the existence a bit more flexibly

> - and adds the clauses with {-1} prepended 
> so that they get evaluated first (making use of the fact that slapd's
> conversion logic starts with X=0 ;-))
> 
> With this patch applied and slapd re-compiled locally the upgrade works
> without problems
> 
> --- openldap-2.4.32/debian/slapd.scripts-common
> +++ openldap-2.4.32/debian/slapd.scripts-common
> @@ -137,16 +137,16 @@
>                  SLAPD_CONF=/etc/ldap/slapd.d
>  
>                  # Add the localroot authz mapping
> -                if ! grep -q -E '^olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
> -                        sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
> +                if ! grep -q -E '^olcAuthzRegexp: ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
> +                        sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
>                  fi

I'd suggest to bypass the use of AuthzRegexp mapping to
cn=localroot,cn=config and use

 gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth

directly in the ACL.

Ubuntu used AuthzRegexp during the first upgrade to slapd.d but I've
simplified the upgrade by dropping the auth mapping and just adding
olcAccess lines:

	# Grant manage access to connections made by the root user via
	# SASL EXTERNAL
	if previous_version_older 2.4.21-0ubuntu5 ; then
		if [ -d "$SLAPD_CONF" ]; then 
			# Stick the new olcAccess at the begining of the
			# olcAccess list (using an index of 0 *and* 
			# adding it as early as possible in the ldif file)
			# to make sure that local root has access to the
			# database no matter what other acls say.
			sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
			sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
		fi
	fi

This makes the whole configuration easier to understand IMO.

I've also implemented an alternate solution to using an index of -1: 
The olcAccess lines are inserted at the very beginning of the ldif
file with an index set to 0 so that ACL defined by them are
applied first. slapd seems to sort first on index (0 being lowest) and
then by order of appearance in the ldif file.

I don't know which of the two solutions upstream supports the best.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com

More information about the Pkg-openldap-devel mailing list