[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
@Nathan: yes, rereading the slapd.access manpage I think you're right,
the first match will define level of access:
Access control checking stops at the first match of the what and
who clause, unless otherwise dictated by the control clause.
Also, given that:
Each who clause list is implicitly terminated by a by * none stop clause
that results in stopping the access control with no access privileges
granted
I think the right way is to completely replace the existing olcAccess: {0} line
by
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage break
and remove the new olcAccess: {1} line.
I'll file a new bug about this.
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
See bug 559070 (targeted to Lucid) for followup -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Using this new version of the slapd.postinst script, the cn=config
database ends up with these two oldAccess attributes:
$ sudo slapcat -bcn=config -solcDatabase={0}config,cn=config | grep
olcAccess
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break
As far as I understand the OpenLDAP Access Control documentation, in
this scenario the {0} line will always take precedence over the {1} line
(so that the later will just be ignored). It seems like the two
separate directives should instead be combined into one, something like:
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none
I haven't yet managed to find any discussion of the exact goals behind
adding the various localroot access directives into the slapd
configuration, so I'm not sure what sort of testing I can do to confirm
that my understanding is correct.
But I figured I would go ahead and submit this comment now, in hopes
that someone who knows more about why this logic was added to the script
in version 2.4.17-1ubuntu3 can check to see if this new version of the
script is still having the desired effect
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
** Changed in: openldap (Ubuntu Lucid) Assignee: Mathias Gug (mathiaz) = Thierry Carrez (ttx) -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
** Changed in: openldap (Ubuntu Lucid) Status: Confirmed = In Progress -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
This bug was fixed in the package openldap - 2.4.21-0ubuntu3
---
openldap (2.4.21-0ubuntu3) lucid; urgency=low
* debian/slapd.postinst, debian/slapd.scripts-common: Upgrade databases
before trying to convert to slapd.d, to avoid upgrade failure from hardy
(LP: #536958)
* debian/slapd.postinst: Add a {1} numeric index to olcAccess entry in
olcDatabase={0}config.ldif to avoid upgrade failures (LP: #538516, #526230)
-- Thierry Carrez thierry.car...@ubuntu.com Mon, 29 Mar 2010 13:31:47 +0200
** Changed in: openldap (Ubuntu Lucid)
Status: In Progress = Fix Released
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
As I commented earlier, I belive this is the same bug as in karmic, https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/450645. Will this be fixed so you can dist upgrade an ldap from jaunty - karmic - lucid ... or will this remain broken for karmic ? Thanks, Jay -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I will try to actually run a test of this scenario sometime in the next
few days, but at first glance it appears to me that simply adding {1}
to both the grep and the sed lines of the postinst script will fix
Hardy - Lucid upgrades, but will cause new problems for other upgrade
paths.
In particular, if the slapd package was upgraded 2.4.17/2.4.18
timeframe, an oldAccess line without any index would have already been
added to the .ldif file, and then upon upgrade to Lucid, this updated
postinst script would add the new {1} version of the line as well
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
@Jay: once this is fixed, it can be backported for Karmic.
@Nathan: My understanding is that the olcAccess line added before would
make the package fail to start until it is manually fixed to include a
{1}. The idea here is to keep the package working on a hardy-lucid
upgrade, not to automagically fix a broken karmic setup in karmic-lucid
upgrades...
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Ah, never mind.
I was thinking that if the user upgraded from jaunty up to karmic and
then again to lucid, both copies of the oldAccess line would be added to
the file (i.e. one with no index, by the karmic upgrade, and one with
{1}, by the lucid upgrade) -- but I see now the postinst script checks
to see what version of the package we're upgrading from before adding
the lines, which would prevent the lucid upgrade from trying to edit the
file a second time.
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I think this is a repetition of https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/450645 Other bug has been assigned low importance - this is a major problem and has been around since karmic. Be good to see some resolution of the various ldap issues in ubuntu at the minute. -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
** Changed in: openldap (Ubuntu Lucid) Assignee: (unassigned) = Mathias Gug (mathiaz) -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Thanks for the bug report, we'll try to get this fixed for lucid. Regards chuck ** Changed in: openldap (Ubuntu) Importance: Undecided = High ** Changed in: openldap (Ubuntu) Status: New = Confirmed -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
** Also affects: openldap (Ubuntu Lucid) Importance: High Status: Confirmed ** Changed in: openldap (Ubuntu Lucid) Milestone: None = ubuntu-10.04-beta-2 -- slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade https://bugs.launchpad.net/bugs/538516 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I found that running slaptest -F /etc/ldap/slapd.d generated that same
error message.
To investigate further, I used the command line
slaptest -F /etc/ldap/slapd.d -d 1 21 | grep \.ldif
to track down the full path of the file that contained the offending line,
which turned out to be
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
I am attaching a copy of that file, as it was created by the
slapd.postinst script.
Eventually I was able to track the error down to the following line from that
file:
olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break
When I edited that line to read:
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break
and then re-ran the slaptest command, the error went away.
I then tried running dpkg --pending --configure again... but the
postinst script errored out because
/var/backups/*-2.4.9-0ubuntu0.8.04.2.ldapdb already existed.
I moved the old backup file out of the way and tried again... only to
get the Starting OpenLDAP: slapd - failed. message again. It turned
out that the postinst script had re-converted the slapd.conf file and
then re-added the oldAccess line back to the config file, and so slapd
was still erroring out.
So I went ahead and edited the grep and sed lines in
/var/lib/dpkg/info/slapd.postinst (inside the if previous_version_older
2.4.11-0ubuntu1 block) so that the text of the line added there used
there included the {1}.
Then I moved the backup file out of the way and reran dpkg --pending
--configure... and this time slapd started up successfully, and the
slapd package was left in the installed state.
** Attachment added: slapd.postinst-generated version of the *{0}config.ldif
file
http://launchpadlibrarian.net/40912615/olcDatabase%3D%7B0%7Dconfig.ldif_generated_by_2.4.21-0ubuntu1_postinst
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I did some additional testing and believe that all Hardy - Lucid
upgrades will hit this bug.
Specifically, I installed the slapd package on Hardy box, one that had
never had any openldap packages installed. I let the package
installation script create the default slapd.conf file there, and then
copied the resulting file over to the machine that is now running Lucid.
I then created an empty slapd.d directory, ran slaptest -f slapd.conf
-F slapd.d, and compared the new slapd.d directory tree with the
/etc/ldap/slapd.d tree that was generated from my system local
slapd.conf file.
Sure enough, the *{0}config.ldif file generated from the stock slapd.conf fle
contained the same
olcAccess: {0}to * by * none
line that was causing the conflict with the olcAccess: to * by ... line being
added by the slapd.postinst script.(So in other words, even a stock,
uncustomized slapd.conf file would trigger this error upon upgrade to Lucid's
slapd.)
I see from the changelog.Debian.gz file for slapd that the postinst
script started edited this config file in the Karmic timeframe:
openldap (2.4.17-1ubuntu3) karmic; urgency=low
[...]
* Add cn=localroot,cn=config authz mapping on upgrades.
-- Mathias Gug math...@ubuntu.com Tue, 11 Aug 2009 14:48:56
-0400
Out of curiousity, I ran slaptest -f slapd.conf -F ... on my Hardy
box, and then compared the *{0}config.ldif file generated there with the
one generated on Lucid.. and saw that the olcAccess: {0}to * by *
none line was NOT generated there.
So, I think that the issue here is that between 2.4.17 and 2.4.21, the
*{0}config.ldif file generated by slaptest -f ... -F ... changed in
such a way that it's no longer compatible with the cn=localroot lines
that the postinst script is adding.
There was no problem for machines that were upgraded first to Intrepid
(when the configuration data migration took place) and then to Karmic
(when the cn=localroot lines were added to the previously-generated
*{0}config.ldif file)... but anyone migrating directly from Hardy will
run into problems since by openldap 2.4.21 the two steps are
incompatible
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
A few other notes:
Bug #526230 On upgrade modifies multiple olcAccess definition are not
handled correclty is definitely related to this one. However, #526230
deals with a Jaunty-Karmic upgrade, and specifically mentions that the
pre-upgrade configuration had multiple oldAccess lines (so presumably it
had been customized locally). I created a separate bug here in case
there is simple tweak to the slapd.postinst script that would allow the
Hardy-Lucid upgrade to work, but which wouldn't fix #526230. On the
other hand, a more comprensive solution of some sort could certainly
resolve both bugs at the same time.
Also, I should mention that my goal when I added the {1} to the text of the
new dn.exact=cn=localroot line was simply to make the smallest possible change
needed get dpkg to think that the package installation had succeeded (so that
it would stop trying to reconfigure the package every time I installed some
other package, etc.).
I haven't actually tried doing anything with my LDAP database yet, but I
as far as I understand the workings of the oldAccess lines, the
dn.exact=cn=localroot line as it now exists is actually completely
ignored, since the {0}to * by * none line will prevent any lines with
higher sequence numbers from being processed So presumably the
actual fix will have to take some other approach to getting past this
error
--
slapd package configuration aborts due to ordered_value_sort failed on attr
olcAccess error during Hardy - Lucid upgrade
https://bugs.launchpad.net/bugs/538516
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
