Hi Torsten
 
> > I upgraded my slapd installation a couple of days ago to the latest version in
> > unstable, but the upgrade script failed. The upgrade script rewrote my
> > slapd.conf config file and changed the access specifications. Then I dumped
> > my database to /var/backup/slapd-VERSION. After that it tried to load the
> > database
> 
> Erm, it should use /var/backups/slapd-2.1.30-3 under the assumption that
> you were upgrading from the last version in sid. Is it in fact using
> slapd-VERSION as the directory name unchanged?

No, it did use /var/backups/slapd-2.1.30-3, so that went alright :)

> > again, but it failed because the slapd.conf file got corrupted. It seems
> > that the upgrade-script creates lines like:
> > 
> > access to attrs=userPassword by dn.regex="cn=admin,dc=arriesoft,dc=nl" write  by anonymous auth  by self write by * none # NT Password
> 
> That's right. It's way too hard to collect continued lines into a single
> line for parsing them and converting it back before writing, so I did not
> try to achieve this at this time. Of course the comment should not be
> merged into the line. Also the maintainer scripts do not yet back up
> slapd.conf, which is on the TODO for the next version.
> 
> > That is everything on one line with the comment on the next line appended,
> > which slapcat doesn't seem to understand. After changing the layout back to the
> 
> Hmm. I wonder how that can happen. The merge_logical_lines shell
> function is used to merge any lines which start with a space to the
> preceding line. Can you try to reproduce this and give me the relevant
> section of the config file?

How can I reproduce this? Can I call some program to convert my
slapd.conf the way the maintainer script does? I will attach my
slapd.conf file.

> > original layout (see below), I did a dpkg --configure --pending, but this
> > failed because the maintainer script isn't idempotent and tried to dump the
> > database again to /var/backup/slapd-VERSION, but couldn't do that because there was
> 
> This is not true. In fact the dump is only done before unpacking the new
> package. But currently it may try to replace the backup copy of the
> database directory with the new (empty) database. I still have to check
> that code path.

Well, you can say it isn't true, but it still tried to write something in
or create the /var/backups/slapd-2.1.30-3 directory. I don't know
whether it tried to dump the database again, but I couldn't complete the
installation without moving the /var/backups/slapd-2.1.30-3 directory
out of the way. And after the installation was complete I did a manual
slapadd.

> > already a database present there from the first try to upgrade slapd. 
> > 
> access to attrs=userPassword
>         by dn.regex="cn=admin,dc=arriesoft,dc=nl" write
>         by anonymous auth
>         by self write
>         by * none
> # NT Password
> 
> Is this the exact indentation? This works just fine here...

This is supposed to work (and works), but the maintainer script changes
it to one single line.

> > p.s. It seems that slapd is now linked with openssl instead of gnutls? Are
> > the GPL problems with linking to openssl solved? Linking with openssl broke my
> > samba
> 
> No, they are not. The problem is linking applications to OpenSSL via
> libldap which are not compatible with the OpenSSL license. Therefore we
> build only the server and runtime library at this time and allow no
> client applications to link those OpenSSL libraries.
> 
> > installation (samba linked with gnutls, user accounts in ldap) though :( , but
> > I will investigate that further and send another bug report.
>  
> I don't think the breakage in your Samba installation is related. Samba
> is using the libldap2 libraries which should still be from 2.1.x on any
> Debian system. So nothing has changed on that front. Not sure if that is
> a good thing... :(

I think it is. The breakage occurred right after upgrading slapd, and in
the trace I get from smbd I see some calls to SSL related functions. So
it seems the change from gnutls to openssl triggers a bug in Samba (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=303272 ).

Greetings Arjan Oosting

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2
#allow bind_anon_dn
security ssf=128

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match the schemas for their objectClasses
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# 
TLSCipherSuite         HIGH
TLSCACertificateFile   /etc/ssl/demoCA/cacert.pem
TLSCertificateFile     /etc/ldap/servercrt.pem
TLSCertificateKeyFile  /etc/ldap/serverkey.pem 
TLSVerifyClient        never
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=arriesoft,dc=nl"

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq

index           cn              pres,sub,eq
index           sn              pres,sub,eq
index           uid             pres,sub,eq
index           displayName     pres,sub,eq
index           uidNumber       pres,eq
index           gidNumber       pres,eq
index           memberUID       eq
index           sambaSID        eq
index           sambaPrimaryGroupSid    eq
index           sambaDomainName         eq
index           default         sub 
# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword  by dn.regex="cn=admin,dc=arriesoft,dc=nl" write  by anonymous auth  by self write  by * none # NT Password
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory by dn.regex="cn=admin,dc=arriesoft,dc=nl" write by * none

# 
#access to dn.subtree="ou=People,dc=arriesoft,dc=nl" 
#       attrs=cn,displayName,gecos,gidNumber,homeDirectory,loginShell,sn,objectClass,ou,uid,uidNumber
#       by anonymous read stop
#
#
#access to dn.subtree="ou=People,dc=arriesoft,dc=nl"
#       by anonymous none stop
#
# The admin dn has full write access
access to *  by dn.regex="cn=admin,dc=arriesoft,dc=nl" write  by * read


# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=armoonshine,dc=dnsalias,dc=org" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2
#allow bind_anon_dn
security ssf=128

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match the schemas for their objectClasses
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# 
TLSCipherSuite         HIGH
TLSCACertificateFile   /etc/ssl/demoCA/cacert.pem
TLSCertificateFile     /etc/ldap/servercrt.pem
TLSCertificateKeyFile  /etc/ldap/serverkey.pem 
TLSVerifyClient        never
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=arriesoft,dc=nl"

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq

index           cn              pres,sub,eq
index           sn              pres,sub,eq
index           uid             pres,sub,eq
index           displayName     pres,sub,eq
index           uidNumber       pres,eq
index           gidNumber       pres,eq
index           memberUID       eq
index           sambaSID        eq
index           sambaPrimaryGroupSid    eq
index           sambaDomainName         eq
index           default         sub 
# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword  
        by dn.regex="cn=admin,dc=arriesoft,dc=nl" write  
        by anonymous auth  
        by self write  
        by * none 
# NT Password
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory 
        by dn.regex="cn=admin,dc=arriesoft,dc=nl" write 
        by * none

# 
#access to dn.subtree="ou=People,dc=arriesoft,dc=nl" 
#       attrs=cn,displayName,gecos,gidNumber,homeDirectory,loginShell,sn,objectClass,ou,uid,uidNumber
#       by anonymous read stop
#
#
#access to dn.subtree="ou=People,dc=arriesoft,dc=nl"
#       by anonymous none stop
#
# The admin dn has full write access
access to *  
        by dn.regex="cn=admin,dc=arriesoft,dc=nl" write  
        by * read


# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=armoonshine,dc=dnsalias,dc=org" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

Attachment: signature.asc
Description: This message part is digitally signed

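The line folding the maintainer describes in the thread above (continuation lines joined onto the preceding line) and the comment that ended up inside the access directive, worked through as an added example. This is Python written for this page; it is not the Debian slapd maintainer script (which is shell) and not OpenLDAP code. The sample configuration, the DN cn=admin,dc=example,dc=nl and the TRAP_CONF case are constructed for the example. It follows the two rules in slapd.conf(5): a line beginning with white space continues the previous line, and only a '#' at the start of a logical line begins a comment. The checker rejects the merged line from the report because "# NT Password" is just three stray tokens in a 'by' clause, and refold() is the inverse conversion (merged line back to one 'by' clause per line) that the upgrade script did not attempt.

```python
"""Fold and unfold slapd.conf logical lines without swallowing comments.

Rules from slapd.conf(5): a line beginning with white space continues the
previous line; blank lines and lines beginning with '#' are comments. A '#'
elsewhere is NOT a comment marker, so "by * none # NT Password" is broken.
"""
import re

# A token is a run of non-blank characters; double-quoted spans such as
# dn.regex="cn=admin,dc=example,dc=nl" stay one token.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
ACCESS_LEVELS = {"none", "auth", "compare", "search", "read", "write"}
CONTROLS = {"stop", "continue", "break"}

# Constructed sample modelled on the report's ACLs; the DN is a placeholder.
SAMPLE_CONF = """\
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn.regex="cn=admin,dc=example,dc=nl" write
        by anonymous auth
        by self write
        by * none
# NT Password
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by dn.regex="cn=admin,dc=example,dc=nl" write
        by * none

access to *
        by dn.regex="cn=admin,dc=example,dc=nl" write
        by * read
"""

# The shape of the line the upgrade script wrote, per the report.
BROKEN_LINE = ('access to attrs=userPassword by dn.regex="cn=admin,dc=example,dc=nl" '
               'write by anonymous auth by self write by * none # NT Password')

# Constructed trap: by the continuation rule the indented 'by' lines continue
# the comment, not the directive, so the directive silently loses its clauses.
TRAP_CONF = """\
access to *
# admin only
        by dn.regex="cn=admin,dc=example,dc=nl" write
        by * none
"""


def merge_logical_lines(text):
    """Fold indented lines onto the preceding logical line (leading white
    space collapsed to one space). Comment and blank lines stay separate."""
    logical = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def check_access_directive(line):
    """Problems in one merged 'access to <what> by <who> [<access>] [<control>]' line."""
    tokens = TOKEN.findall(line)
    if tokens[:2] != ["access", "to"]:
        return ["not an access directive: %r" % line]
    if "by" not in tokens:
        return ["no 'by' clause (continuation lines lost?): %r" % line]
    problems, clauses = [], []
    for tok in tokens[tokens.index("by"):]:
        if tok == "by":
            clauses.append([])
        else:
            clauses[-1].append(tok)
    for clause in clauses:
        if not clause:
            problems.append("'by' without <who>")
            continue
        who, rest = clause[0], clause[1:]
        if rest and (rest[0] in ACCESS_LEVELS or re.fullmatch(r"[+=-][wrscx]*", rest[0])):
            rest = rest[1:]                       # optional <access>
        if rest and rest[0] in CONTROLS:
            rest = rest[1:]                       # optional <control>
        if rest:                                  # anything left is junk, e.g. "# NT Password"
            hint = " (comment merged into directive?)" if any(t.startswith("#") for t in rest) else ""
            problems.append("unexpected tokens after 'by %s': %s%s" % (who, " ".join(rest), hint))
    return problems


def lint_conf(text):
    """Flag indented lines that follow a comment or blank line, then check every access directive."""
    problems, prev, orphan = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and raw.strip():
            if not orphan and (prev is None or prev == "" or prev.startswith("#")):
                problems.append("line %d: continuation not attached to a directive: %s" % (n, raw.strip()))
                orphan = True
            continue
        prev, orphan = raw.rstrip(), False
    for logical in merge_logical_lines(text):
        if logical.split()[:1] == ["access"]:
            problems.extend(check_access_directive(logical))
    return problems


def split_access_directive(line, indent=" " * 8):
    """Inverse of the merge for an access directive: one 'by' clause per physical line."""
    groups = [[]]
    for tok in TOKEN.findall(line):
        if tok == "by" and groups[-1]:
            groups.append([])
        groups[-1].append(tok)
    return [" ".join(groups[0])] + [indent + " ".join(g) for g in groups[1:]]


def refold(text):
    """Round trip: merge, then write access directives back in indented form."""
    out = []
    for logical in merge_logical_lines(text):
        out.extend(split_access_directive(logical) if logical.split()[:1] == ["access"] else [logical])
    return out
```

Run lint_conf() over a configuration before and after any automated rewrite of it, and abort the upgrade if the rewritten ACL section no longer parses instead of writing it back; here slapcat refusing the merged line was the good outcome, since a parse bug in ACL rewriting that went unnoticed would change who can read userPassword. The trap case is the quieter failure: an indented 'by' line after a column-0 comment continues the comment under the slapd.conf(5) rule, so the clauses vanish from the directive without any error, and the file no longer means what it appears to say.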