slapd upgrades don't add frontend ACLs for base="" and cn=subschema
Bug #571752 reported by Nathan Stratton Treadway
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
As a result of LP: #427842, the initial configuration created upon installation of slapd 2.4.21-0ubuntu4 and later will include the following ACLs on the {-1}frontend database:

olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read

However, when upgrading from earlier versions of slapd, no attempt is made to make sure these ACLs exist.
In the case of a Hardy -> Lucid upgrade, this causes e.g. "ldapvi --discover" to stop working.
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Based on hints found in the documents mentioned in bug #506317 and other places, I think the following three commands can be used to confirm that the permissions are set up correctly to allow various LDAP-related functionality to work:
Naming context discovery (e.g. "ldapvi --discover"):

ldapsearch -x -H ldap://testhost/ -LLL -b "" -s base namingContexts

Determining supported SASL mechanisms:

ldapsearch -x -H ldap://testhost/ -LLL -b "" -s base supportedSASLMechanisms

Retrieving the server's schema:

ldapsearch -x -H ldap://testhost/ -b 'cn=Subschema' -s base '(objectClass=subschema)' attributetypes
I just ran a test and confirmed that those three commands return data when run against a stock Hardy slapd installation, but all three return no records when run against that same server immediately after a Hardy -> Lucid upgrade (when upgrading to slapd 2.4.21-0ubuntu5).
After manually adding the two lines

olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read

to the /etc/ldap/slapd.d/cn=config/olcDatabase\=\{-1\}frontend.ldif file (just below the "olcAccess: {0}to * by dn.exact=gidNumber=0...." line) and restarting slapd, all three searches returned data again.
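The check and the fix described in the comment above, as an added shell example that is not part of the bug report and not the openldap package's own code. It reads a copy of the frontend database's cn=config LDIF (unfolding LDIF continuation lines first, since slapd.d wraps the long {0} rule), reports whether the two "by * read" rules for dn.base="" and dn.base="cn=subschema" are present, and, if not, prints an ldapmodify input that adds them at the {1} and {2} positions the reporter used. The sample LDIF files are constructed here to stand in for an upgraded server; the ldapmodify invocation over ldapi:/// with SASL EXTERNAL is the usual way to change cn=config on Ubuntu without hand-editing slapd.d, and is assumed rather than taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug report or the openldap package):
# detect the missing frontend ACLs from LP: #571752 and produce the fix.
set -e

# Print "present" if FILE (an olcDatabase={-1}frontend.ldif export) grants
# "by * read" on dn.base="" and on dn.base="cn=subschema", else "missing".
frontend_acl_status() {
    # LDIF folds long values onto lines starting with a space; join them back.
    unfolded=$(sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$1")
    if printf '%s\n' "$unfolded" |
         grep -Eq '^olcAccess: ([{][0-9]+[}])?to dn\.base="" by \* read' &&
       printf '%s\n' "$unfolded" |
         grep -Eiq '^olcAccess: ([{][0-9]+[}])?to dn\.base="cn=subschema" by \* read'
    then
        echo present
    else
        echo missing
    fi
}

# ldapmodify input that inserts the two rules after the existing {0} rule.
# Assumed usage: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f fix.ldif
frontend_acl_fix_ldif() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
EOF
}

# The reporter's three searches against a live server (not run here; needs
# a reachable host, e.g. verify_frontend_acls testhost).
verify_frontend_acls() {
    host=$1
    ldapsearch -x -H "ldap://$host/" -LLL -b "" -s base namingContexts
    ldapsearch -x -H "ldap://$host/" -LLL -b "" -s base supportedSASLMechanisms
    ldapsearch -x -H "ldap://$host/" -LLL -b 'cn=Subschema' -s base \
        '(objectClass=subschema)' attributeTypes
}

# Constructed sample: the frontend entry as it looks right after a
# Hardy -> Lucid upgrade, with only the {0} rule (folded as slapd.d writes it).
UPGRADED_LDIF=$(mktemp)
cat >"$UPGRADED_LDIF" <<'EOF'
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcSizeLimit: 500
EOF

# Constructed sample: the same entry after the two rules have been added.
FIXED_LDIF=$(mktemp)
{ cat "$UPGRADED_LDIF"; frontend_acl_fix_ldif | grep '^olcAccess:'; } >"$FIXED_LDIF"
trap 'rm -f "$UPGRADED_LDIF" "$FIXED_LDIF"' EXIT

status=$(frontend_acl_status "$UPGRADED_LDIF")
echo "upgraded config: $status"
if [ "$status" = missing ]; then
    echo "apply the following with: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f fix.ldif"
    frontend_acl_fix_ldif
fi
echo "fixed config: $(frontend_acl_status "$FIXED_LDIF")"
```

On a real upgraded host, run frontend_acl_status against a slapcat -n0 export (or the file under /etc/ldap/slapd.d) rather than editing slapd.d by hand; applying the LDIF through ldapmodify keeps the {n} ordering and the CRC header of the slapd.d file consistent, and the three verify_frontend_acls searches confirm the result without a restart.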