[Pkg-openldap-devel] r1308 - openldap/trunk/debian
matthijs at alioth.debian.org
Mon Aug 23 21:14:00 UTC 2010
tags 593566 pending
tags 593878 pending
thanks
Author: matthijs
Date: 2010-08-23 21:13:56 +0000 (Mon, 23 Aug 2010)
New Revision: 1308
Modified:
openldap/trunk/debian/changelog
openldap/trunk/debian/slapd.scripts-common
Log:
* Fix for the two grave bugs. A different approach used for the olcAccess
replacements.
Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog 2010-08-19 21:41:39 UTC (rev 1307)
+++ openldap/trunk/debian/changelog 2010-08-23 21:13:56 UTC (rev 1308)
@@ -1,11 +1,16 @@
openldap (2.4.23-4) UNRELEASED; urgency=low
+ [ Steve Langasek ]
* Bump the database upgrade version check to 2.4.23-4; should have been
set to 2.4.23-1 when we switched to db4.8, but was missed so we need to
clean up. Closes: #593550.
- -- Steve Langasek <vorlon at debian.org> Thu, 19 Aug 2010 14:40:42 -0700
+ [ Matthijs Mohlmann ]
+ * Fix root access to cn=config on upgrades from configuration style slapd.conf
+ Thanks to Mathias Gug (Closes: #593566, #593878)
+ -- Matthijs Mohlmann <matthijs at cacholong.nl> Mon, 23 Aug 2010 20:35:27 +0200
+
openldap (2.4.23-3) unstable; urgency=low
* Configure the newly installed openldap package using slapd.d instead of
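Review bot: The new entry under [ Matthijs Mohlmann ] records only that root access to cn=config is fixed, not how. The slapd.scripts-common change in the same revision stops adding the cn=localroot authz mapping and grants manage access directly to the peercred identity. Since that changes what an upgraded cn=config tree contains, the entry should mention it, for example "grant manage access to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth instead of mapping to cn=localroot,cn=config". The phrase "from configuration style slapd.conf" would also read more clearly as "from slapd.conf-style configuration".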
Modified: openldap/trunk/debian/slapd.scripts-common
===================================================================
--- openldap/trunk/debian/slapd.scripts-common 2010-08-19 21:41:39 UTC (rev 1307)
+++ openldap/trunk/debian/slapd.scripts-common 2010-08-23 21:13:56 UTC (rev 1308)
@@ -136,18 +136,9 @@
mv ${SLAPD_CONF} ${SLAPD_CONF}.old
SLAPD_CONF=/etc/ldap/slapd.d
- # Add the localroot authz mapping
- if ! grep -q -E '^olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
- fi
-
# Add olcAccess control to grant cn=localroot,cn=config manage access
- if ! grep -q -E '^olcAccess: to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
- fi
- if ! grep -q -E '^olcAccess: {1}to \* by dn.exact=cn=localroot,cn=config manage by \* break' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"; then
- sed -i 's/^\(structuralObjectClass: olcDatabaseConfig\)/olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break\n\0/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
- fi
+ sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
+ sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
# TODO: Now we are doing something that is not allowed by policy but it
# has to be done.
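Review bot: The two added sed lines run unconditionally, whereas every removed edit was wrapped in an `if ! grep -q -E ...; then` guard. If this block runs a second time over the same slapd.d tree, it inserts a duplicate olcAccess line after `olcDatabase: {-1}frontend` and `olcDatabase: {0}config`; consider keeping a grep guard that matches the new rule text. The inserted value is also hard-coded as `{0}`, so it will share that index with any `olcAccess: {0}` value already present in the converted entry. In addition, `dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` matches only a root process whose gid is 0, while the removed olcAuthzRegexp accepted any gidNumber together with uidNumber=0. If that narrowing is intended, a comment above the sed lines should say so. Minor: the `\(...\)` group is never referenced, because `\0` stands for the whole match.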