Bug#761407: slapd: changes of cn=config become effective only after restarting slapd

Sat, 13 Sep 2014 09:22:12 -0700 

Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal

I use the following ACLs:

| dn: cn=config
| changetype: modify
| replace: olcAuthzRegexp
| olcAuthzRegexp: uid=([^,]+),cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=example,dc=org
| 
| dn: olcDatabase={1}hdb,cn=config
| changetype: modify
| replace: olcAccess
| olcAccess: to attrs=loginShell,gecos
|   by ssf=56 self write
|   by ssf=56 * read
| olcAccess: to * by ssf=56 * read

An authenticated user can change the gecos field then, using the
following ldif:

| dn: uid=hugo,ou=People,dc=example,dc=org
| changetype: modify
| replace: gecos
| gecos: some_new_value

When I replace the olcAuthzRegexp by a wrong value, say:

| dn: cn=config
| changetype: modify
| replace: olcAuthzRegexp
| olcAuthzRegexp: uid=([^,]+),cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=example,dc=xorg

write access by the user should now be forbidden.  But it isn't.  I need
to "service slapd force-reload" for the config change to become
effective.  The same happens when I change olcAccess or when I change
those attributes back to their right values.  I can reproduce this
behavior on a fresh-installed wheezy.

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.13-3.5
ii  debconf [debconf-2.0]       1.5.49
ii  libc6                       2.13-38+deb7u4
ii  libdb5.1                    5.1.29-5
ii  libgcrypt11                 1.5.0-5+deb7u1
ii  libgnutls26                 2.12.20-8+deb7u2
ii  libldap-2.4-2               2.4.31-1+nmu2
ii  libltdl7                    2.4.2-1.1
ii  libodbc1                    2.2.14p2-5
ii  libperl5.14                 5.14.2-21+deb7u1
ii  libsasl2-2                  2.1.25.dfsg1-6+deb7u1
ii  libslp1                     1.2.1-9
ii  libwrap0                    7.6.q-24
ii  lsb-base                    4.1+Debian8+deb7u1
ii  multiarch-support           2.13-38+deb7u4
ii  perl [libmime-base64-perl]  5.14.2-21+deb7u1
ii  psmisc                      22.19-1+deb7u1

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.25.dfsg1-6+deb7u1

Versions of packages slapd suggests:
ii  ldap-utils  2.4.31-1+nmu2

-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
export KRB5_KTNAME=/etc/ldap/ldap.keytab
SLAPD_OPTIONS=""


-- debconf information:
  slapd/allow_ldap_v2: false
  slapd/password_mismatch:
  slapd/invalid_config: true
  shared/organization: example.org
  slapd/upgrade_slapcat_failure:
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: example.org
  slapd/backend: HDB
  slapd/dump_database: when needed


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to