Hi,

Excerpts from Peter Marschall's message of Sat Aug 21 15:30:23 -0400 2010:
>
> The attached patch to debian/slapd.script-common fixes the problem:
> - it checks for the existence a bit more flexibly
> - and adds the clauses with {-1} prepended
> so that they get evaluated first (making use of the fact that slapd's
> conversion logic starts with X=0 ;-))
>
> With this patch applied and slapd re-compiled locally the upgrade works
> without problems.
>
> --- openldap-2.4.32/debian/slapd.scripts-common
> +++ openldap-2.4.32/debian/slapd.scripts-common
> @@ -137,16 +137,16 @@
> SLAPD_CONF=/etc/ldap/slapd.d
>
> # Add the localroot authz mapping
> - if ! grep -q -E '^olcAuthzRegexp:
> gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
> cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
> - sed -i 's/^\(structuralObjectClass:
> olcGlobal\)/olcAuthzRegexp:
> gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
> cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
> + if ! grep -q -E '^olcAuthzRegexp:
> ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
> cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
> + sed -i 's/^\(structuralObjectClass:
> olcGlobal\)/olcAuthzRegexp:
> {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
> cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
> fi

I'd suggest bypassing the use of the AuthzRegexp mapping to cn=localroot,cn=config and using gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth directly in the ACL. Ubuntu used AuthzRegexp during the first upgrade to slapd.d, but I've simplified the upgrade by dropping the auth mapping and just adding olcAccess lines:

    # Grant manage access to connections made by the root user via
    # SASL EXTERNAL
    if previous_version_older 2.4.21-0ubuntu5 ; then
        if [ -d "$SLAPD_CONF" ]; then
            # Stick the new olcAccess at the beginning of the
            # olcAccess list (using an index of 0 *and*
            # adding it as early as possible in the ldif file)
            # to make sure that local root has access to the
            # database no matter what other acls say.
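Review bot: the relaxed check in the `+ if ! grep` line matches an existing mapping with or without an index, so a system that already carries the un-indexed `olcAuthzRegexp: gidNumber=...` line written by the old `- sed -i` branch keeps it as is and never receives the `{-1}` version; if the evaluation-order problem also affects those installs, the check has to tell the two cases apart (for instance grep for `^olcAuthzRegexp: \{-1\}gidNumber=` and rewrite an un-indexed line in place rather than skipping it). Two smaller points on the same lines: `({.*})?` is looser than needed and a bare `{` is an interval operator in ERE (GNU grep only accepts it here because it cannot start an interval), so `(\{-?[0-9]+\})?` is safer and documents that only an ordering index is expected; and the `{-1}` prefix in the sed replacement relies on slapd sorting a negative index ahead of `{0}`, which the cover text presents as observed behaviour of the conversion logic, so a one-line comment above the sed saying why -1 is used would spare the next maintainer a trip through this thread.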
            sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
            sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
        fi
    fi

This makes the whole configuration easier to understand IMO.

I've also implemented an alternate solution to using an index of -1: the olcAccess lines are inserted at the very beginning of the ldif file with an index set to 0 so that the ACLs defined by them are applied first. slapd seems to sort first on index (0 being lowest) and then by order of appearance in the ldif file. I don't know which of the two solutions upstream supports best.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
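As an added example (not code from this thread, nor from the Debian or Ubuntu slapd maintainer scripts), the following POSIX sh script performs the same insertion as the sed lines above but idempotently, and then lists the olcAccess values of a database LDIF in the order the message says slapd applies them: numeric {index} first, order of appearance for equal indexes. That ordering is taken from the message as stated and is modelled here, not verified against the slapd source. The sample LDIF is constructed; the cn=peercred DN and the ACL rule text are the ones used in the message; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Debian/Ubuntu slapd scripts.
# Idempotently grant local root (SASL EXTERNAL over the unix socket, seen by
# slapd as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) manage
# access in a cn=config database LDIF, placing the rule where slapd should
# evaluate it first: index {0} and first in the file.

LOCALROOT_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
LOCALROOT_ACL="olcAccess: {0}to * by dn.exact=${LOCALROOT_DN} manage by * break"

# Constructed sample of olcDatabase={-1}frontend.ldif with two ACLs present.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
EOF
}

# Returns 0 if the file already grants manage access to the local-root DN.
has_localroot_acl() {
    grep -q -F "by dn.exact=${LOCALROOT_DN} manage" "$1"
}

# Insert the rule directly after the olcDatabase: line unless it is already
# present, so an upgrade step calling this can be re-run safely. The file is
# rewritten through cat so the mode and owner of the slapd.d file survive.
add_localroot_acl() {
    file=$1
    if has_localroot_acl "$file"; then
        return 0
    fi
    tmp="${file}.tmp.$$"
    awk -v acl="$LOCALROOT_ACL" '
        { print }
        /^olcDatabase: / && !inserted { print acl; inserted = 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the olcAccess values in the order slapd applies them (per the thread):
# sorted by the numeric {index} prefix, ties kept in file order (sort -s).
effective_acl_order() {
    grep '^olcAccess: ' "$1" \
      | sed 's/^olcAccess: {\([-0-9]*\)}/\1 /' \
      | sort -s -n -k1,1 \
      | cut -d' ' -f2-
}

# Usage: sh localroot-acl.sh /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
if [ "$#" -eq 1 ]; then
    add_localroot_acl "$1" && effective_acl_order "$1"
fi
```

Running it twice on the same file leaves one rule, and the order listing shows the local-root rule ahead of the pre-existing {0} entry even though both carry index 0, which is exactly the file-position tie-break the message relies on.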