[Pkg-openldap-devel] Bug#593566: slapd - Root access to cn=config not working after upgrade

Matthijs Mohlmann matthijs at cacholong.nl
Thu Aug 19 10:32:11 UTC 2010


On Aug 19, 2010, at 12:10 PM, Bastian Blank wrote:

> Package: slapd
> Version: 2.4.23-3
> Severity: grave
> 
> I installed 2.4.23-2 and updated to -3 without a config change. Now I
> cannot access cn=config.
> 
> | # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"   
> | SASL/EXTERNAL authentication started
> | SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> | SASL SSF: 0
> | # extended LDIF
> | #
> | # LDAPv3
> | # base <cn=config> with scope subtree
> | # filter: (objectclass=*)
> | # requesting: ALL
> | #
> | 
> | # search result
> | search: 2
> | result: 32 No such object
> | 
> | # numResponses: 1
> 
> ACL debugging log:
> [startup]
> | slapd starting
> | => access_allowed: search access to "cn=config" "entry" requested
> | => acl_get: [1] attr entry
> | => acl_mask: access to entry "cn=config", attr "entry" requested
> | => acl_mask: to all values by "cn=localroot,cn=config", (=0) 
> | <= check a_dn_pat: *
> | <= acl_mask: [1] applying none(=0) (stop)
> | <= acl_mask: [1] mask: none(=0)
> | => slap_access_allowed: search access denied by none(=0)
> | => access_allowed: no more rules
> | connection_read(12): no connection!
> | connection_read(12): no connection!
> | daemon: shutdown requested and initiated.
> | slapd shutdown: waiting for 0 operations/tasks to finish
> | slapd stopped.
> 
> The access is done as cn=localroot,cn=config
> | # grep olcAuthz cn=config.ldif                        
> | olcAuthzPolicy: none
> | olcAuthzRegexp: gidNumber=[[:digit:]]+\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config
> 
> But the first access rule already rejects all access
> | # grep olcAcc cn=config/olcDatabase=\{0\}config.ldif
> | olcAccess: {0}to *  by * none
> | olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break
> 
> Not sure why this stunt is done instead of using
> | gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> directly. I've seen the latter in Ubuntu.
> 
> Bastian
> 
> -- System Information:
> Debian Release: squeeze/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.35-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages slapd depends on:
> ii  adduser                 3.112            add and remove users and groups
> ii  coreutils               8.5-1            GNU core utilities
> ii  debconf [debconf-2.0]   1.5.35           Debian configuration management sy
> ii  libc6                   2.11.2-2         Embedded GNU C Library: Shared lib
> ii  libdb4.8                4.8.30-1         Berkeley v4.8 Database Libraries [
> ii  libgnutls26             2.8.6-1          the GNU TLS library - runtime libr
> ii  libldap-2.4-2           2.4.23-3         OpenLDAP libraries
> ii  libltdl7                2.2.6b-2         A system independent dlopen wrappe
> ii  libperl5.10             5.10.1-14        shared Perl library
> ii  libsasl2-2              2.1.23.dfsg1-5.1 Cyrus SASL - authentication abstra
> ii  libslp1                 1.2.1-7.8        OpenSLP libraries
> ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
> ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
> ii  perl [libmime-base64-pe 5.10.1-14        Larry Wall's Practical Extraction 
> ii  psmisc                  22.12-1          utilities that use the proc file s
> ii  unixodbc                2.2.14p2-1       ODBC tools libraries
> 
> Versions of packages slapd recommends:
> ii  libsasl2-modules        2.1.23.dfsg1-5.1 Cyrus SASL - pluggable authenticat
> 
> Versions of packages slapd suggests:
> ii  ldap-utils                    2.4.23-3   OpenLDAP utilities
> 
> -- Configuration Files:
> /etc/default/slapd changed:
> SLAPD_CONF="/etc/ldap/slapd.d"
> SLAPD_USER="openldap"
> SLAPD_GROUP="openldap"
> SLAPD_PIDFILE=
> SLAPD_SERVICES="ldapi:///"
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
> SLAPD_OPTIONS=""
> 
> 
> -- debconf information excluded

Do you have any debconf information?

Regards,

Matthijs Möhlmann