[Pkg-openldap-devel] Bug#864719: Bug#864719: slapd: fails to configure when olcSuffix contains a backslash-escaped umlaut

Ryan Tandy ryan at nardis.ca
Wed Jun 14 02:13:23 UTC 2017


Control: found -1 2.4.31-1

Hi Thorsten, thanks for reporting this.

On Tue, Jun 13, 2017 at 03:13:50PM +0200, Thorsten Glaser wrote:
>+ read suffix
>+ get_suffix
>+ '[' -f /etc/ldap/slapd.d ']'
>+ cut -d: -f 2
>+ grep -h olcSuffix '/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif' '/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif' '/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif'
>++ get_directory 'o=Kundenname Mc3bcumlaut,c=de'
>++ '[' -d /etc/ldap/slapd.d ']'
>++ grep -q 'o=Kundenname Mc3bcumlaut,c=de'

Interesting difference between slapd versions. In wheezy, slapd 
serializes that as base64:

olcSuffix:: bz1LdW5kZW5uYW1lIE3DvHVtbGF1dCxjPWRl

while in jessie and stretch, it writes it out in the escaped form like 
you have there.

olcSuffix: o=Kundenname M\c3\bcumlaut,c=de

(But I'm curious: how did you wind up with the escaped form on wheezy?  
For me, slapd via ldapmodify and slapadd both write it in base64.)

Sadly the scripts do the wrong thing with the base64 form too. This also 
needs to be accounted for.

+ get_suffix
+ '[' -f /etc/ldap/slapd.d ']'
+ grep -h olcSuffix '/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif' '/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif' '/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif'
+ cut -d: -f 2
++ get_directory ''
++ '[' -d /etc/ldap/slapd.d ']'
++ grep -q ''

It may work as a workaround, though, to let you complete your updates 
on wheezy:

ldapmodify -H ldapi:// -Y EXTERNAL << eof
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: o=Kundenname M\c3\bcumlaut,c=de

eof

That should change the olcSuffix in the .ldif to base64. It makes 
update_permissions a no-op, but at least it doesn't fail. Obviously that 
isn't a fix, only a nasty hack to hopefully unblock you sooner than I 
can upload a working solution.

And there are other easy ways to break the scripts' assumptions, too... 
"olcSuffix: o=nar/dis,c=CA" for example breaks the backup/restore 
machinery.
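
Added example (not part of the original message and not the slapd package's maintainer-script code): a POSIX shell way of reading olcSuffix from slapd.d LDIF so that both serializations shown above yield a value, next to the grep/cut pipeline from the trace. The function names and the sample LDIF are constructed for illustration; it assumes GNU coreutils base64 and the attribute spelled exactly olcSuffix.

```shell
# Constructed sample: the three olcSuffix spellings mentioned in the message,
# two of them folded the way LDIF allows (continuation = one leading space).
sample_ldif() {
    cat <<'EOF'
dn: olcDatabase={1}hdb
olcSuffix:: bz1LdW5kZW5uYW1lIE3D
 vHVtbGF1dCxjPWRl
olcSuffix: o=Kundenname M\c3\bcumlaut,c=de
olcSuffix: o=nar/dis,
 c=CA
olcRootDN: cn=admin,c=de
EOF
}

# The pipeline from the trace: field 2 of "olcSuffix:: <base64>" is empty.
naive_suffixes() {
    grep -h olcSuffix "$@" | cut -d: -f 2
}

# Print one suffix per line: unfold, decode "::" values, pass ":" values through.
ldif_suffixes() {
    awk '
        /^ / { buf = buf substr($0, 2); next }      # continuation line
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$@" |
    while IFS= read -r line; do                     # -r keeps the backslashes
        case "$line" in
            olcSuffix::*)                           # base64 form, checked first
                val=${line#olcSuffix::}
                printf '%s' "${val# }" | base64 -d
                echo ;;
            olcSuffix:*)                            # plain or escaped form
                val=${line#olcSuffix:}
                printf '%s\n' "${val# }" ;;
        esac
    done
}
```

The base64 value decodes to raw UTF-8 while the escaped value keeps its \c3\bc sequences, so a caller comparing suffixes still has to normalize one form to the other and pass the result quoted (for instance to grep -F).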


