Stefan,

You saved my life 😉
It seems SLES12 had policy compiled in statically while SLES15 did not:

# /usr/lib/openldap/slapd -VVV
@(#) $OpenLDAP: slapd 2.4.41 $
        [email protected]

Included static overlays:
    ppolicy
    syncprov
Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    ldap
    mdb
    relay

# slapd -VVV
@(#) $OpenLDAP: slapd 2.5.X (Nov  6 2024 12:00:00) $
        openldap

Included static backends:
    config
    ldif
    monitor

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Stefan Kania <[email protected]>
> Sent: Thursday, February 20, 2025 3:43 PM
> To: [email protected]
> Subject: [EXT] Re: Migration from 2.4 to 2.5: problem with using
> "olcPPolicyDefault" in ACL during slapadd
> 
> Do you have the ppolicy overlay in your database configured and is the
> module loaded? I tried your acl (with my settings) and it worked fine
> for me in OpenLDAP 2.6
> 
> 
> 
> On 20.02.25 at 12:05, Windl, Ulrich wrote:
> > Hi!
> >
> > I’m about to migrate openLDAP 2.4 from SLES12 SP5 to openLDAP 2.5 from
> > SLES15 SP6, following the rather terse
> > https://www.openldap.org/doc/admin25/appendix-upgrading.html.
> >
> > I’ve removed the policy schema as advised from the LDIF export of
> > cn=config, but now it seems that slapadd cannot use "olcPPolicyDefault"
> > in an ACL:
> >
> > # slapadd -v -n0 -F /etc/openldap/slapd.d -S 1 -w -l 0.ldif
> > added: "cn=config" (00000001)
> > added: "cn=module{0},cn=config" (00000001)
> > added: "cn=schema,cn=config" (00000001)
> > added: "cn={0}core,cn=schema,cn=config" (00000001)
> > added: "cn={1}cosine,cn=schema,cn=config" (00000001)
> > added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001)
> > added: "cn={3}rfc2307bis,cn=schema,cn=config" (00000001)
> > added: "cn={4}yast,cn=schema,cn=config" (00000001)
> > added: "cn={5}sudo,cn=schema,cn=config" (00000001)
> > added: "olcDatabase={-1}frontend,cn=config" (00000001)
> > olcAccess: value #1: unknown attr "olcPPolicyDefault" in to clause.
> > <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
> > <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
> > <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
> > <attrlist> ::= <attr> [ , <attrlist> ]
> > <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
> > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
> >          [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
> >          [dnattr=<attrname>]
> >          [realdnattr=<attrname>]
> >          [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
> >          [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
> >          [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
> >          [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
> > <style> ::= exact | regex | base(Object)
> > <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
> > <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
> > <peernamestyle> ::= exact | regex | ip | ipv6 | path
> > <domainstyle> ::= exact | regex | base(Object) | sub(tree)
> > <access> ::= [[real]self]{<level>|<priv>}
> > <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
> > <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
> > <control> ::= [ stop | continue | break ]
> > slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=908): ▒5=▒
> > Closing DB...
> >
> > (Also note the garbage in the error message that seems to appear for any
> > slapadd error)
> >
> > As noted Openldap is SUSE’s version
> > (openldap2_5-2.5.18+31-150500.11.12.1.x86_64) they re-introduced in
> > SLES15 SP5 (maybe due to failing to provide a working migration tool to
> > 389-DS and a proper administration manual)
> >
> > So is it a bug that the attribute cannot be used in ACL, or is it a
> > configuration error on my side? (line 908 is “dn: olcDatabase={0}config,cn=config”)
> >
> > The actual line in question is like this:
> >
> > olcAccess: {1}to attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=domain,dc=org" read by * break
> >
> > Kind regards,
> >
> > Ulrich Windl
> >
> 
> --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
> 
> ---------------------
> There is no CLOUD, only other people's computers

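As an added example, not code from the thread or from the OpenLDAP project, a small POSIX shell check in the spirit of Stefan's question and Ulrich's `slapd -VVV` comparison: given the text of `slapd -VVV` and the cn=config LDIF, it reports whether an olcAccess rule naming olcPPolicyDefault will parse, i.e. whether ppolicy is either compiled in statically or loaded through olcModuleLoad before the frontend database. The function names and the sample inputs are constructed; it assumes the LDIF lines are not wrapped.

```shell
# Added example (not code from the thread): decide whether a cn=config LDIF
# whose olcAccess names olcPPolicyDefault will slapadd on a given build. The
# attribute is only known when ppolicy is static or loaded via olcModuleLoad.
# Inputs are the text of "slapd -VVV" and the (unwrapped) LDIF.

# 0 if "ppolicy" appears under "Included static overlays:" in slapd -VVV output.
ppolicy_is_static() {
    printf '%s\n' "$1" | awk '
        /^Included static overlays:/ { in_ov = 1; next }
        /^Included static/           { in_ov = 0 }
        in_ov && $1 == "ppolicy"     { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if the LDIF loads the overlay as a module, e.g. "olcModuleLoad: {0}ppolicy.la".
ppolicy_is_loaded_in_ldif() {
    printf '%s\n' "$1" |
        grep -Eiq '^olcModuleLoad:[[:space:]]*([{][0-9]+[}])?ppolicy(\.la|\.so)?[[:space:]]*$'
}

# 0 if some olcAccess value refers to olcPPolicyDefault.
acl_references_ppolicy_attr() {
    printf '%s\n' "$1" | grep -Eiq '^olcAccess:.*olcPPolicyDefault'
}

# 0 = the ACL will parse; 1 = 'unknown attr "olcPPolicyDefault"' is expected.
ppolicy_acl_check() {
    acl_references_ppolicy_attr "$2" || return 0
    ppolicy_is_static "$1" && return 0
    ppolicy_is_loaded_in_ldif "$2"
}

# Constructed sample inputs modelled on the thread.
SLES12_VVV='@(#) $OpenLDAP: slapd 2.4.41 $
Included static overlays:
    ppolicy
    syncprov
Included static backends:
    config'
SLES15_VVV='@(#) $OpenLDAP: slapd 2.5.X $
Included static backends:
    config'
ACL_LDIF='dn: olcDatabase={-1}frontend,cn=config
olcAccess: {1}to attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=domain,dc=org" read by * break'
FIXED_LDIF="dn: cn=module{0},cn=config
olcModuleLoad: {0}ppolicy.la

$ACL_LDIF"
```

Run `ppolicy_acl_check "$(slapd -VVV 2>&1)" "$(cat 0.ldif)"` against the real build and export before running slapadd; a non-zero result means the module entry needs `olcModuleLoad: ppolicy.la` or the ACL must be dropped.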