[Pkg-openldap-devel] Bug#603544: Bug#603544: Update failed, no way to continue now
Robert Kehl
robertkehl at robertkehl.de
Fri Feb 18 17:40:59 UTC 2011
Dear Steve!
Thank you for taking the time to care about this issue.
On 18.02.2011 02:52, Steve Langasek wrote:
> And I'm afraid it's not clear to me why this is
> failing. Does /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif exist
> and contain the proper schema definition for groupOfNames?
No, it does not exist. This is what I find:
# find slapd.d
slapd.d
slapd.d/cn=config.ldif
slapd.d/cn=config
slapd.d/cn=config/cn=module{0}.ldif
slapd.d/cn=config/olcDatabase={1}hdb.ldif
slapd.d/cn=config/cn=schema.ldif
slapd.d/cn=config/olcDatabase={-1}frontend.ldif
slapd.d/cn=config/olcDatabase={0}config.ldif
groupOfNames is defined only here:
# grep -ir groupofnames schema/
schema/core.ldif:olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames'
schema/core.schema:objectclass ( 2.5.6.9 NAME 'groupOfNames'
> What does your slapd.conf look like, prior to upgrade?
It consists of several files:
/etc/ldap/slapd.conf:
====%<====
include /etc/ldap/slapd.log.conf
include /etc/ldap/slapd.schemata.conf
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
include /etc/ldap/slapd.db1.conf
====>%====
/etc/ldap/slapd.log.conf:
====%<====
loglevel 0
====>%====
/etc/ldap/slapd.schemata.conf:
====%<====
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
====>%====
/etc/ldap/slapd.db1.conf:
====%<====
database hdb
suffix "o=base"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
checkpoint 512 30
directory "/var/lib/ldap/db1"
index default sub
index uid,mail eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
rootdn "cn=Manager,o=base"
rootpw XxXxXxXxXxXxXx
lastmod on
include /etc/ldap/slapd.db1.access
====>%====
/etc/ldap/slapd.db1.access:
====%<====
access to dn.base=""
    by * read
access to dn=*
    by group="cn=FullWriters,ou=Groups,ou=Managers,o=base" write
    by * none break
access to dn.subtree="o=base"
    attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by * auth
access to dn="cn=Manager,o=base"
    by * none
access to dn.regex="^cn=(Read|Write)ACL,.*,?o=base$"
    by group="cn=ACLManagers,ou=Groups,ou=Managers,o=base" write
access to dn.subtree="ou=Managers,o=base"
    by group="cn=WriteACL,ou=Managers,o=base" write
access to dn.subtree="o=base"
    attrs=entry,objectClass,uid
    by group="cn=UidSearchers,ou=Groups,ou=Managers,o=base" read
    by * none break
access to dn.subtree="o=base"
    attrs=member
    by group="cn=MemberSearchers,ou=Groups,ou=Managers,o=base" read
    by * none break
access to dn.subtree="o=base"
    by group="cn=UidSearchers,ou=Groups,ou=Managers,o=base" none
    by group="cn=MemberSearchers,ou=Groups,ou=Managers,o=base" none
    by * none break
access to dn.subtree="ou=Groups,o=base"
    by group="cn=WriteACL,ou=groups,o=base" write
    by group="cn=ReadACL,ou=groups,o=base" read
access to dn.subtree="ou=GAB,o=base"
    by group="cn=WriteACL,ou=GAB,o=base" write
    by group="cn=ReadACL,ou=GAB,o=base" read
    by * none break
access to dn.regex="^ou=PAB,(uid=[^,]+,ou=intern,o=base)$"
    by group="cn=WriteACL,ou=intern,o=base" write
    by group="cn=ReadACL,ou=intern,o=base" read
    by dn.exact,expand="$1" read
access to dn.regex="^.+,ou=PAB,(uid=[^,]+,ou=intern,o=base)$"
    by dn.exact,expand="$1" write
access to dn.subtree="o=base"
    by group="cn=WriteACL,ou=intern,o=base" write
    by group="cn=ReadACL,ou=intern,o=base" read
    by realusers read
====>%====
That'd be it. I shortened the config files to not include comments.
> Staying with the old slapd.conf won't actually be ok for anyone when wheezy
> comes out and the new openldap has no support for even *reading* the old
> slapd.conf style configs... We need to do this migration now if we want to
> have a clean upgrade in another two years.
Wheezy is far away - breaking the update from Lenny to Squeeze without
need because we need a smooth Wheezy update in a few years is not a good
option taken. A smooth squeezy is what'd have been desirable now ime.
Besides, I couldn't get past this installation/conversion error without
fiddling inside the postinst script. Most users would not dare to do so.
I needed to get past this error to complete the squeeze update.
So, letting the user choose whether to now stay with slapd.conf and later
convert to slapd.d format or do it right with the update would have been
the better choice.
I guess a "dpkg-reconfigure slapd" would allow me to convert to slapd.d
format after the upgrade issue has been fixed?
With highest regards,
Robert Kehl
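
The check asked about in the quoted text (does cn={0}core.ldif exist under slapd.d?), extended to every schema reachable from slapd.conf through nested include lines. This is an added example, not part of the message above or of the Debian package scripts; the function names and the constructed demo layout are assumptions, and include paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: compare the *.schema files a slapd.conf pulls in, through
# nested "include" lines, with the converted entries found under slapd.d.

# Print every .schema path reachable from config file $1 ($2 = nesting depth).
list_schemas() {
    conf=$1 depth=${2:-0}
    [ "$depth" -lt 10 ] || { echo "include nesting too deep: $conf" >&2; return 0; }
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 0; }
    # The recursion runs in a subshell so this level's variables stay intact.
    awk '$1 == "include" { print $2 }' "$conf" | while read -r inc; do
        case $inc in
            *.schema) echo "$inc" ;;
            *) ( list_schemas "$inc" $((depth + 1)) ) ;;
        esac
    done
}

# Print each schema included by $1 that has no cn={N}<name>.ldif under $2.
missing_schemas() {
    schemadir=$2/cn=config/cn=schema
    list_schemas "$1" | while read -r path; do
        name=$(basename "$path" .schema)
        found=no
        # {N} is the load-order index, so match any value between the braces.
        for f in "$schemadir"/cn=\{*\}"$name".ldif; do
            if [ -e "$f" ]; then found=yes; fi
        done
        [ "$found" = yes ] || echo "$name"
    done
}

# Constructed layout: schemas are included via a nested file, as in the thread;
# slapd.d holds a converted core (hypothetical) but nothing for nis.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/slapd.d/cn=config/cn=schema"
    printf 'include %s/slapd.schemata.conf\nbackend hdb\n' "$d" > "$d/slapd.conf"
    printf 'include %s/schema/core.schema\ninclude %s/schema/nis.schema\n' "$d" "$d" \
        > "$d/slapd.schemata.conf"
    : > "$d/slapd.d/cn=config/cn=schema.ldif"
    : > "$d/slapd.d/cn=config/cn=schema/cn={0}core.ldif"
    missing_schemas "$d/slapd.conf" "$d/slapd.d"
    rm -rf "$d"
}

# Usage: script.sh /etc/ldap/slapd.conf /etc/ldap/slapd.d
if [ "$#" -eq 2 ]; then missing_schemas "$1" "$2"; fi
```

Any name it prints is a schema that slapd.conf loads but that has no converted entry in slapd.d.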