On Aug 23, 2010, at 3:34 PM, Mathias Gug wrote:

> Hi,
>
> Excerpts from Peter Marschall's message of Sat Aug 21 15:30:23 -0400 2010:
>>
>> The attached patch to debian/slapd.scripts-common fixes the problem:
>> - it checks for the existence a bit more flexibly
>> - and adds the clauses with {-1} prepended
>> so that they get evaluated first (making use of the fact that slapd's
>> conversion logic starts with X=0 ;-))
>>
>> With this patch applied and slapd re-compiled locally the upgrade works
>> without problems
>>
>> --- openldap-2.4.32/debian/slapd.scripts-common
>> +++ openldap-2.4.32/debian/slapd.scripts-common
>> @@ -137,16 +137,16 @@
>> SLAPD_CONF=/etc/ldap/slapd.d
>>
>> # Add the localroot authz mapping
>> - if ! grep -q -E '^olcAuthzRegexp:
>> gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>> cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
>> - sed -i 's/^\(structuralObjectClass:
>> olcGlobal\)/olcAuthzRegexp:
>> gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>> cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
>> + if ! grep -q -E '^olcAuthzRegexp:
>> ({.*})?gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>> cn=localroot,cn=config' "${SLAPD_CONF}/cn=config.ldif"; then
>> + sed -i 's/^\(structuralObjectClass:
>> olcGlobal\)/olcAuthzRegexp:
>> {-1}gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>> cn=localroot,cn=config\n\0/' "${SLAPD_CONF}/cn=config.ldif"
>> fi
>
> I'd suggest to bypass the use of AuthzRegexp mapping to
> cn=localroot,cn=config and use
>
> gidNumber=[[:digit:]]+\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> directly in the ACL.
>
> Ubuntu used AuthzRegexp during the first upgrade to slapd.d but I've
> simplified the upgrade by dropping the auth mapping and just adding
> olcAccess lines:
>
> # Grant manage access to connections made by the root user via
> # SASL EXTERNAL
> if previous_version_older 2.4.21-0ubuntu5 ; then
> if [ -d "$SLAPD_CONF" ]; then
> # Stick the new olcAccess at the beginning of the
> # olcAccess list (using an index of 0 *and*
> # adding it as early as possible in the ldif file)
> # to make sure that local root has access to the
> # database no matter what other acls say.
> sed -i 's/^\(olcDatabase: {-1}frontend\)/\0\nolcAccess:
> {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={-1}frontend.ldif"
> sed -i 's/^\(olcDatabase: {0}config\)/\0\nolcAccess:
> {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> manage by * break/' "${SLAPD_CONF}/cn=config/olcDatabase={0}config.ldif"
> fi
> fi
>
> This makes the whole configuration easier to understand IMO.
>
> I've also implemented an alternate solution to using an index of -1:
> The olcAccess lines are inserted at the very beginning of the ldif
> file with an index set to 0 so that ACLs defined by them are
> applied first. slapd seems to sort first on index (0 being lowest) and
> then by order of appearance in the ldif file.
>
> I don't know which of the two solutions upstream supports the best.
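Review bot: the widened check on the `+ if ! grep -q -E '^olcAuthzRegexp:` line accepts an existing mapping at any index, so a host that already carries the old unprefixed `olcAuthzRegexp: gidNumber=...` value, or one that slapd has re-serialised as `{1}gidNumber=...` behind another rule, is left untouched and never receives the `{-1}` value the `+ sed -i` line adds to make the mapping evaluate first; if first position is the point of the change, test for `{-1}` specifically rather than for `({.*})?`. The `({.*})?` group also depends on GNU grep treating a `{` that does not open an interval as a literal; `(\{-?[0-9]+\})?` is portable and matches only the ordering prefix. Finally, `\0` in the sed replacement is a GNU sed spelling of `&`, which is fine for Debian but deserves a one-line comment next to the `sed -i` call.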
I have committed the fix in svn. Peter, can you try and see if this fixes your problem?

Regards,

Matthijs Möhlmann
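The idempotency problem the quoted patch works around, as an added example (not code from the Debian openldap package or from anyone in this thread): a POSIX sh helper that prepends an olcAccess value to a cn=config database LDIF only when no value with the same text already exists at any `{N}` index, following Mathias's approach of index `{0}` plus earliest position in the file. The helper names, the sample LDIF and the temporary file paths are constructed for the demo. Whether slapd orders two `{0}` values by file position is Mathias's observation above; the example does not verify it.

```shell
#!/bin/sh
# Added example, not code from the Debian openldap package or from the thread.
# slapd rewrites ordered cn=config values with a {N} prefix when it re-serialises
# slapd.d, so an exact-text check misses a value that is already present and an
# upgrade script re-adds it on every run. All sample data below is constructed.

# has_acl FILE ACL -> exit 0 if an olcAccess value equal to ACL exists at any index
has_acl() {
    awk -v acl="$2" '
        index($0, "olcAccess: ") == 1 {
            v = substr($0, 12)                 # strip the attribute name
            sub(/^[{]-?[0-9]+[}]/, "", v)      # strip the {N} ordering prefix
            if (v == acl) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# naive_has_acl FILE ACL -> the exact-text check that breaks once slapd adds {N}
naive_has_acl() {
    grep -q -F -x "olcAccess: $2" "$1"
}

# count_acl FILE ACL -> number of olcAccess values equal to ACL (any index)
count_acl() {
    awk -v acl="$2" '
        index($0, "olcAccess: ") == 1 {
            v = substr($0, 12); sub(/^[{]-?[0-9]+[}]/, "", v)
            if (v == acl) n++
        }
        END { print n + 0 }
    ' "$1"
}

# ensure_first_acl FILE DBVALUE ACL -> insert "olcAccess: {0}ACL" directly after
# the "olcDatabase: DBVALUE" line unless ACL is already present; prints added/kept.
# awk with a literal string compare avoids escaping the ACL text for sed.
ensure_first_acl() {
    file=$1 db=$2 acl=$3
    if has_acl "$file" "$acl"; then
        echo kept
        return 0
    fi
    awk -v db="$db" -v acl="$acl" '
        { print }
        $0 == "olcDatabase: " db { print "olcAccess: {0}" acl }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo added
}

# Demo: a constructed olcDatabase={0}config.ldif in which slapd has already
# stored the local-root ACL at index {0}, as it would after a restart.
ROOT_ACL='to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break'
DEMO_DIR=$(mktemp -d)
DEMO_LDIF="$DEMO_DIR/olcDatabase={0}config.ldif"
cat > "$DEMO_LDIF" <<EOF
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}$ROOT_ACL
olcAccess: {1}to * by * none
structuralObjectClass: olcDatabaseConfig
EOF

if naive_has_acl "$DEMO_LDIF" "$ROOT_ACL"; then
    echo "naive check: found"
else
    echo "naive check: not found, would add a duplicate"
fi
if has_acl "$DEMO_LDIF" "$ROOT_ACL"; then
    echo "prefix-aware check: found"
fi
ensure_first_acl "$DEMO_LDIF" '{0}config' "$ROOT_ACL"
```

Running the demo prints that the naive check misses the stored `{0}`-prefixed value while the prefix-aware check finds it, and `ensure_first_acl` answers `kept` instead of appending a second copy. On a file that lacks the ACL the helper inserts it as `{0}` immediately under the `olcDatabase:` line, which is the same placement Mathias's two `sed -i` calls produce.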