[Pkg-openldap-devel] Bug#603544: Bug#603544: Update failed, no way to continue now

Robert Kehl robertkehl at robertkehl.de
Fri Feb 18 17:40:59 UTC 2011


Dear Steve!

Thank you for taking the time to care about this issue.

On 18.02.2011 02:52, Steve Langasek wrote:
> And I'm afraid it's not clear to me why this is
> failing.  Does /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif exist
> and contain the proper schema definition for groupOfNames?

No, it does not exist. This is what I find:

# find slapd.d
slapd.d
slapd.d/cn=config.ldif
slapd.d/cn=config
slapd.d/cn=config/cn=module{0}.ldif
slapd.d/cn=config/olcDatabase={1}hdb.ldif
slapd.d/cn=config/cn=schema.ldif
slapd.d/cn=config/olcDatabase={-1}frontend.ldif
slapd.d/cn=config/olcDatabase={0}config.ldif

groupOfNames is defined only here:

# grep -ir groupofnames schema/
schema/core.ldif:olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames'
schema/core.schema:objectclass ( 2.5.6.9 NAME 'groupOfNames'

> What does your slapd.conf look like, prior to upgrade?

It consists of several files:

/etc/ldap/slapd.conf:
====%<====
include /etc/ldap/slapd.log.conf
include /etc/ldap/slapd.schemata.conf
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit 500
tool-threads 1
backend         hdb
include /etc/ldap/slapd.db1.conf
====>%====

/etc/ldap/slapd.log.conf:
====%<====
loglevel 0
====>%====

/etc/ldap/slapd.schemata.conf:
====%<====
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema
====>%====

/etc/ldap/slapd.db1.conf:
====%<====
database        hdb
suffix          "o=base"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
checkpoint 512 30
directory       "/var/lib/ldap/db1"
index   default                                                sub
index   uid,mail                                               eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
rootdn "cn=Manager,o=base"
rootpw XxXxXxXxXxXxXx
lastmod on
include /etc/ldap/slapd.db1.access
====>%====

/etc/ldap/slapd.db1.access:
====%<====
access to dn.base=""
        by * read

access to dn=*
        by group="cn=FullWriters,ou=Groups,ou=Managers,o=base" write
        by * none break

access to dn.subtree="o=base"
                attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by * auth

access to dn="cn=Manager,o=base"
        by * none
access to dn.regex="^cn=(Read|Write)ACL,.*,?o=base$"
        by group="cn=ACLManagers,ou=Groups,ou=Managers,o=base" write
access to dn.subtree="ou=Managers,o=base"
        by group="cn=WriteACL,ou=Managers,o=base" write

access to dn.subtree="o=base"
                attrs=entry,objectClass,uid
        by group="cn=UidSearchers,ou=Groups,ou=Managers,o=base" read
        by * none break

access to dn.subtree="o=base"
                attrs=member
        by group="cn=MemberSearchers,ou=Groups,ou=Managers,o=base" read
        by * none break

access to dn.subtree="o=base"
        by group="cn=UidSearchers,ou=Groups,ou=Managers,o=base" none
        by group="cn=MemberSearchers,ou=Groups,ou=Managers,o=base" none
        by * none break

access to dn.subtree="ou=Groups,o=base"
        by group="cn=WriteACL,ou=groups,o=base" write
        by group="cn=ReadACL,ou=groups,o=base" read

access to dn.subtree="ou=GAB,o=base"
        by group="cn=WriteACL,ou=GAB,o=base" write
        by group="cn=ReadACL,ou=GAB,o=base" read
        by * none break

access to dn.regex="^ou=PAB,(uid=[^,]+,ou=intern,o=base)$"
        by group="cn=WriteACL,ou=intern,o=base" write
        by group="cn=ReadACL,ou=intern,o=base" read
        by dn.exact,expand="$1" read

access to dn.regex="^.+,ou=PAB,(uid=[^,]+,ou=intern,o=base)$"
        by dn.exact,expand="$1" write

access to dn.subtree="o=base"
        by group="cn=WriteACL,ou=intern,o=base" write
        by group="cn=ReadACL,ou=intern,o=base" read
        by realusers read
====>%====

That'd be it. I shortened the config files to not include comments.

> Staying with the old slapd.conf won't actually be ok for anyone when wheezy
> comes out and the new openldap has no support for even *reading* the old
> slapd.conf style configs...  We need to do this migration now if we want to
> have a clean upgrade in another two years.

Wheezy is far away - breaking the update from Lenny to Squeeze without
need because we need a smooth Wheezy update in a few years is not a good
option taken. A smooth squeezy is what'd have been desirable now ime.

Besides, I couldn't get past this installation/conversion error without
fiddling inside the postinst script. Most users would not dare to do so.
I needed to get past this error to complete the squeeze update.

So, letting the user choose whether to now stay with slapd.conf and later
convert to slapd.d format or do it right with the update would have been
the better choice.

I guess a "dpkg-reconfigure slapd" would allow me to convert to slapd.d
format after the upgrade issue has been fixed?

With highest regards,

Robert Kehl
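A check for the situation described in this report, added here as an example (it is not code from the thread or from the Debian openldap package): it walks the slapd.conf include chain, reports which included schemas have no converted cn={N}name.ldif under slapd.d/cn=config/cn=schema, and whether groupOfNames (which the group= ACL clauses depend on) is defined anywhere in slapd.d. The directory tree it runs against is constructed in a temporary directory and mirrors the find output above, with an optional converted core.ldif for comparison.

```python
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.IGNORECASE)

def collect_includes(conf, seen=None):
    """Every file reachable from conf through 'include' directives, depth first."""
    seen = [] if seen is None else seen
    for line in Path(conf).read_text().splitlines():
        m = INCLUDE_RE.match(line)
        if m and Path(m.group(1)) not in seen:
            seen.append(Path(m.group(1)))
            if seen[-1].exists():
                collect_includes(seen[-1], seen)
    return seen
def converted_schemas(slapd_d):
    """Schema name -> converted file under cn=config/cn=schema, e.g. cn={0}core.ldif."""
    sdir = Path(slapd_d) / "cn=config" / "cn=schema"
    files = sdir.glob("cn={*}*.ldif") if sdir.is_dir() else []
    return {re.sub(r"^cn=\{\d+\}", "", f.stem): f for f in files}
def audit(conf, slapd_d, required=("groupOfNames",)):
    """Schemas included by slapd.conf but absent from slapd.d, plus object classes
    (here: the one the ACL group= clauses rely on) defined nowhere in slapd.d."""
    found = converted_schemas(slapd_d)
    expected = [p.stem for p in collect_includes(conf) if p.suffix == ".schema"]
    text = "".join(f.read_text() for f in found.values())
    return {"missing_schemas": [n for n in expected if n not in found],
            "undefined_classes": [c for c in required if f"NAME '{c}'" not in text]}
def build_sample_tree(root, converted):
    """Constructed fixture with the report's include chain; slapd.d either lacks
    cn=schema entirely (as in the 'find' output) or holds a converted core.ldif."""
    (root / "schema").mkdir()
    (root / "schema" / "core.schema").write_text("objectclass ( 2.5.6.9 NAME 'groupOfNames' )\n")
    (root / "schema" / "nis.schema").write_text("# constructed stub\n")
    (root / "slapd.schemata.conf").write_text(
        f"include {root}/schema/core.schema\ninclude {root}/schema/nis.schema\n")
    (root / "slapd.conf").write_text(f"include {root}/slapd.schemata.conf\nbackend hdb\n")
    cfg = root / "slapd.d" / "cn=config"
    cfg.mkdir(parents=True)
    (cfg / "cn=schema.ldif").write_text("dn: cn=schema\n")  # container entry only
    if converted:
        (cfg / "cn=schema").mkdir()
        (cfg / "cn=schema" / "cn={0}core.ldif").write_text(
            "olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames' )\n")
    return root / "slapd.conf", root / "slapd.d"
def run_demo(converted=False):
    with tempfile.TemporaryDirectory() as tmp:
        return audit(*build_sample_tree(Path(tmp), converted))
```

Against a real host, call audit("/etc/ldap/slapd.conf", "/etc/ldap/slapd.d") before removing the old slapd.conf; an empty result is what a completed conversion should look like.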
