Using this new version of the slapd.postinst script, the "cn=config" database ends up with these two oldAccess attributes:
$ sudo slapcat -b"cn=config" -s"olcDatabase={0}config,cn=config" | grep olcAccess olcAccess: {0}to * by * none olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break As far as I understand the OpenLDAP Access Control documentation, in this scenario the {0} line will always take precedence over the {1} line (so that the later will just be ignored). It seems like the two separate directives should instead be combined into one, something like: olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none I haven't yet managed to find any discussion of the exact goals behind adding the various "localroot" access directives into the slapd configuration, so I'm not sure what sort of testing I can do to confirm that my understanding is correct. But I figured I would go ahead and submit this comment now, in hopes that someone who knows more about why this logic was added to the script in version 2.4.17-1ubuntu3 can check to see if this new version of the script is still having the desired effect.... -- slapd package configuration aborts due to "ordered_value_sort failed on attr olcAccess" error during Hardy -> Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs