Lucid (or karmic) slapd upgrade does not really allow localroot cn=config manage rights
Bug #559070 reported by Thierry Carrez
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openldap (Ubuntu) | Fix Released | Medium | Unassigned | |
Lucid | Fix Released | Medium | Unassigned | |
Bug Description
Lucid upgrade results in editing the /etc/ldap/
olcAccess: {0}to * by * none
to:
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=
As pointed out by Nathan Stratton Treadway on bug 538516 (which introduced this incomplete fix), the {0} line will always be matched and therefore the {1} line will never be evaluated.
Combining the two lines into:
olcAccess: {0}to * by dn.exact=
or even (since access is implicitly denied when no clause matches):
olcAccess: {0}to * by dn.exact=
should solve it.
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
You need to inject only one line:
{0}to * by dn.exact=cn=localroot,cn=config manage by * break
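
The evaluation order discussed in this report, as an added example that is not part of the original bug report or of OpenLDAP: a simplified Python model of how slapd picks the first matching `to` clause and then the first matching `by` clause. It assumes the truncated `{1}` line grants manage to `cn=localroot,cn=config` (as the title implies); `OTHER`, the later read rule and the function names are constructed for illustration.

```python
# Simplified model of slapd ACL evaluation (illustration only, not OpenLDAP code).
# A rule is (what, [(who, level, control), ...]). Only "*" and exact DNs are
# modelled, and only the "stop" (default) and "break" controls.
LOCALROOT = "cn=localroot,cn=config"      # DN taken from the comment above
OTHER = "cn=admin,dc=example,dc=com"      # constructed sample DN

def evaluate(rules, bind_dn, target="cn=config"):
    """Return (access level, index of the deciding rule) for bind_dn on target."""
    for index, (what, by_clauses) in enumerate(rules):
        if what not in ("*", target):
            continue                      # this <what> does not select the entry
        for who, level, control in by_clauses:
            if who not in ("*", bind_dn):
                continue                  # this <who> does not match the identity
            if control == "stop":
                return level, index       # first matching <who> is final
            break                         # "break": fall through to the next rule
        else:
            return "none", index          # implicit trailing "by * none stop"
    return "none", None                   # implicit final "to * by * none"

# Upgraded configuration from the report: {0} matches every entry and every
# identity, so {1} is never consulted.
BROKEN = [
    ("*", [("*", "none", "stop")]),
    ("*", [(LOCALROOT, "manage", "stop")]),   # assumed content of the {1} line
]

# Single-line form from the comment: localroot stops with manage, everyone
# else breaks out and is handled by whatever rules follow.
FIXED = [
    ("*", [(LOCALROOT, "manage", "stop"), ("*", None, "break")]),
]

# Constructed later rule, to show what "by * break" leaves reachable.
FIXED_WITH_LATER_RULE = FIXED + [("*", [("*", "read", "stop")])]

if __name__ == "__main__":
    for name, rules in [("broken", BROKEN), ("fixed", FIXED),
                        ("fixed + later rule", FIXED_WITH_LATER_RULE)]:
        for dn in (LOCALROOT, OTHER):
            print(f"{name:20} {dn:30} -> {evaluate(rules, dn)}")
```
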