[Pkg-openldap-devel] Bug#593878: Bug#593878: Bug#593878: slapd upgrade/start fails when authz-regex / access statements are used in local config
Matthijs Mohlmann
matthijs at cacholong.nl
Tue Aug 24 07:22:57 UTC 2010
On Aug 23, 2010, at 3:34 PM, Mathias Gug wrote:
> Hi,
>
> Excerpts from Peter Marschall's message of Sat Aug 21 15:30:23 -0400 2010:
>>
>> The attached patch to debian/slapd.script-common fixes the problem:
>> - it check for the existence a bit more flexibly
>
>> - and adds the clauses with {-1} prepended
>> so that they get evaluated first (making use of the fact that slapd's
>> conversion logic starts with X=0 ;-))
>>
>> With this patch applied and slapd re-compiled locally the upgrade works
>> without problems
>>
>> --- openldap-2.4.32/debian/slapd.scripts-common
>> +++ openldap-2.4.32/debian/slapd.scripts-common
>> @@ -137,16 +137,16 @@
>> SLAPD_CONF=/etc/ldap/slapd.d
>>
>> # Add the localroot authz mapping
>> - if ! grep -q -E '^olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
>> - sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
>> + if ! grep -q -E '^olcAuthzRegexp: ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
>> + sed -i 's/^\(structuralObjectClass: olcGlobal\)/olcAuthzRegexp: {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
>> fi
>
> I'd suggest to bypass the use of AuthzRegexp mapping to
> cn=localroot,cn=config and use
>
> gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> directly in the ACL.
>
> Ubuntu used AuthzRegexp during the first upgrade to slapd.d but I've
> simplified the upgrade by dropping the auth mapping and just adding
> olcAccess lines:
>
> # Grant manage access to connections made by the root user via
> # SASL EXTERNAL
> if previous_version_older 2.4.21-0ubuntu5 ; then
> if [ -d "$SLAPD_CONF" ]; then
> # Stick the new olcAccess at the begining of the
> # olcAccess list (using an index of 0 *and*
> # adding it as early as possible in the ldif file)
> # to make sure that local root has access to the
> # database no matter what other acls say.
> sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
> sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
> fi
> fi
>
> This makes the whole configuration easier to understand IMO.
>
> I've also implemented an alternate solution to using an index of -1:
> The olcAccess lines are inserted at the very beginning of the ldif
> file with an index set to 0 so that ACL defined by them are
> applied first. slapd seems to sort first on index (0 being lowest) and
> then by order of appearance in the ldif file.
>
> I don't know which of the two solutions upstream supports the best.
I have committed the fix in svn. Peter can you try and see if this fixes
your problem ?
Regards,
Matthijs Möhlmann
More information about the Pkg-openldap-devel
mailing list