Re: [Bug 1410195] Re: Ctrl+Alt+F7 bypasses the light-locker lock-screen under XFCE
On Fri, Jan 16, 2015 at 18:05:04 -, Ryan Tandy wrote:

will no longer be used. But switching to nss-pam-ldapd is a good recommendation anyway, since the older modules are dead upstream.

(In fact there is discussion underway regarding downgrading libnss-ldap and libpam-ldap out of main; see LP: #1408478 for more information.)

Nathan

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1410195

Title:
  Ctrl+Alt+F7 bypasses the light-locker lock-screen under XFCE

To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit-1/+bug/1410195/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1362481] Re: openldap upgrade fails. chwon of olcDbDirectory, /var/lib/ldap not empty and missing backup of suffix
If you are working on cleaning up the slapd.postinst script, you may find some of these related discussions to be interesting and/or helpful...:

LP: #450645 error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
LP: #632051 Improve slapd postinst error message in case database directory can't be determined for a given LDAP suffix
LP: #571498 slapd.postinst should put all backed-up items together in one place under /var/backups
LP: #571481 when slapd upgrade fails, later upgrade attempts overwrite saved backups of pre-upgrade configuration files

https://bugs.launchpad.net/bugs/1362481

[Bug 826873] Re: ATOM refclock driver not compiled into ntpd
** Also affects: ntp via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691672
   Importance: Unknown
   Status: Unknown

** Also affects: ntp (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691672
   Importance: Unknown
   Status: Unknown

** No longer affects: ntp

https://bugs.launchpad.net/bugs/826873

[Bug 1303893] [NEW] cron.daily/chkrootkit log filtering needs to include current names for dhcpcd and dhclient binaries
Public bug reported:

The cron.daily/chkrootkit script's current logic for simplifying the PACKET SNIFFER lines for dhclient and dhcpcd processes needs to be updated to include the names of current versions of those binaries.

** Affects: chkrootkit (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: trusty

https://bugs.launchpad.net/bugs/1303893

[Bug 1303893] Re: cron.daily/chkrootkit log filtering needs to include current names for dhcpcd and dhclient binaries
We have found that chkrootkit now complains after each reboot, with a message similar to:

-eth0: PACKET SNIFFER(/sbin/dhclient[895])
+eth0: PACKET SNIFFER(/sbin/dhclient[888])
---[ END: diff -u /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today ] ---

Looking at /etc/cron.daily/chkrootkit, I noticed that there is logic that attempts to avoid such warnings:

  # the sed expression replaces the messages about /sbin/dhclient3 /usr/sbin/dhcpd3
  # with a message that is the same whatever order eth0 and eth1 were scanned
  sed -r -e 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),' \
      -e 's/(! \w+\s+)[ 0-9]{4}[0-9]/\1#/' $LOG_DIR/log.today.raw > $LOG_DIR/log.today

... but this no longer works as expected, since the exact name of the 'dhclient' binary has changed.

** Bug watch added: Debian Bug tracker #600109
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600109

** Also affects: chkrootkit via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600109
   Importance: Unknown
   Status: Unknown

https://bugs.launchpad.net/bugs/1303893

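An added example, not part of the original report or of the chkrootkit package: the first sed expression quoted above run over constructed log lines, beside a hypothetical widened pattern that also accepts /sbin/dhclient while leaving any other sniffer line untouched. The function names, the widened pattern and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: chkrootkit sniffer lines from one host on two boots.
# Only the dhclient PID differs; the tcpdump line stands for a real finding.
sample_run() {   # $1 = dhclient PID for this boot
    printf 'eth0: PACKET SNIFFER(/sbin/dhclient[%s])\n' "$1"
    printf 'eth1: PACKET SNIFFER(/usr/sbin/tcpdump[4242])\n'
}

# First expression of the cron script as quoted in the report (sed -E is the
# portable spelling of -r). It matches only the old *3 binary names.
normalize_old() {
    sed -E 's,eth(0|1)(:[0-9])?: PACKET SNIFFER\((/sbin/dhclient3|/usr/sbin/dhcpd3)\[[0-9]+\]\),eth\[0|1\]: PACKET SNIFFER\([dhclient3|dhcpd3]{PID}\),'
}

# Hypothetical widened pattern (an assumption, not the packaged fix): also
# accepts /sbin/dhclient, still requires the full expected path so a binary
# of the same name elsewhere stays visible, and replaces only the PID.
normalize_new() {
    sed -E 's,(eth[0-9]+(:[0-9]+)?): PACKET SNIFFER\((/sbin/dhclient3?|/usr/sbin/dhcpd3)\[[0-9]+\]\),\1: PACKET SNIFFER(\3{PID}),'
}

# Run the same filter over both boots and say whether the daily diff
# against log.expected would report a change.
report_changed() {   # $1 = name of the filter function
    a=$(sample_run 895 | "$1")
    b=$(sample_run 888 | "$1")
    if [ "$a" = "$b" ]; then echo same; else echo changed; fi
}

echo "old filter: $(report_changed normalize_old)"
echo "new filter: $(report_changed normalize_new)"
```

Keeping the full path in the pattern matters for the check's value: a sniffer line from an unexpected location passes through with its PID and still shows up in the diff.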
[Bug 701944] Re: snmpd postinst fails if user cannot be deleted
I noticed that the proposed branch ( lp:~shuff/ubuntu/precise/net-snmp/fix-for-701944 ) includes a new copy of the line:

  if [ ! `getent passwd snmp >/dev/null` ]; then

(and also leaves the existing group line untouched), so I thought it was worth mentioning debbugs #609430, which points out that the combo of backticks and redirection to /dev/null means the expression doesn't work as intended...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609430

Nathan

** Bug watch added: Debian Bug tracker #609430
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609430

https://bugs.launchpad.net/bugs/701944

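An added example, not code from the net-snmp package or the proposed branch: it shows why the backticks-plus-redirection test quoted above gives the same answer whether or not the account exists, next to a test on the exit status. `lookup_user` is a hypothetical stand-in for `getent passwd` so the example runs on any system; the account entry it prints is constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for `getent passwd NAME`: prints an entry and
# returns 0 for a known account, prints nothing and returns 2 otherwise.
lookup_user() {
    case "$1" in
        snmp) echo 'snmp:x:115:65534::/var/lib/snmp:/bin/false'; return 0 ;;
        *)    return 2 ;;
    esac
}

# Pattern from the bug comment. The redirection discards the command's
# output, so the backticks always capture an empty string and the test
# collapses to `[ ! ]`: a one-argument test of the non-empty string "!",
# which is always true. The exit status of the lookup is never consulted.
needs_create_buggy() {
    if [ ! `lookup_user "$1" >/dev/null` ]; then
        echo create
    else
        echo keep
    fi
}

# Test the exit status of the lookup directly.
needs_create_fixed() {
    if ! lookup_user "$1" >/dev/null; then
        echo create
    else
        echo keep
    fi
}

echo "buggy, account present: $(needs_create_buggy snmp)"
echo "buggy, account absent:  $(needs_create_buggy ghost)"
echo "fixed, account present: $(needs_create_fixed snmp)"
echo "fixed, account absent:  $(needs_create_fixed ghost)"
```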
[Bug 933723] Re: bind9 registering itself with resolvconf but not set up to forward queries
Saivann, 1:9.8.1.dfsg.P1-3 changes the default value of the bind9/run-resolvconf debconf setting to false -- but if that setting has already been set to true by an earlier installation of the bind9 package then the RESOLVCONF=yes will still get written to the config file until you manually reconfigure the bind9 package. There's another bug open on that issue: LP: #996088 .

($RET is the return from the db_get function call, which reads the current value of the bind9/run-resolvconf setting from the debconf database.)

Nathan

https://bugs.launchpad.net/bugs/933723

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Thu, May 17, 2012 at 19:33:37 -, Paul Crawford wrote:
> domain, I think). I don't really understand NIS, and the guy usually responsible for this sort of thing is away, but as far as I know it only provides local-area user/machine authentication and so I would be surprised if it 'knows' about anything outside of our sub-domain (like google, or even the other university machines as they are not part of our NIS set-up).

For what it's worth, I see that at least some NIS servers do support behind-the-scenes DNS lookups within the hosts map; see for example the -n option to FreeBSD's ypserv command:

http://www.gsp.com/cgi-bin/man.cgi?section=8topic=ypserv#10

So presumably some such server is in use at your site. (As far as I can tell, the NIS servers for Linux don't support that function, so I assume your NIS server there is not running Ubuntu...)

However, the advice I see on the web generally agrees that this function is obsolete (since the nsswitch.conf file now lets clients configure the NIS vs. DNS issue directly), so I wonder if your NIS guy actually intended for DNS resolution to be left unconfigured on your Precise system...?

Nathan

https://bugs.launchpad.net/bugs/999725

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Fri, May 18, 2012 at 17:47:21 -, Paul Crawford wrote:
> I think this bug should concentrate on the key issue: that ntp (and maybe others?) is being brought up on the wrong event, that is it comes up with the interface, and not with the chosen type of name server.

More specifically, the ntp package has not been converted to Upstart yet, so it just comes up as part of the rc-sysvinit scripts. That is, ntpd's startup itself isn't tied to any specific event(s) at all (though as Steve's comment hinted at, the execution of the rc-sysvinit scripts as a group is triggered by the filesystem and static-network-up condition).

I'm not sure off hand how the decision is made whether to convert a package such as ntp to Upstart... but I see a couple other bugs open on the topic: LP #604717 , LP #913379

> In our case NIS provides user and name server resolution, and ntp comes up before it with 12.04

(As far as I can tell, the NIS and ntp start conditions are the same in Lucid and Precise, so I wonder if the reason you don't see this problem on your Lucid machine is that DNS is configured there.)

> I don't know how LDAP is handled, but from the above comments it would appear to have the same problem, and so ntp is not currently able to resolve machines given only by NIS (or LDAP) name if they are not in the DNS (which I guess might be common with a large private network behind NAT).

One thing to note is that ntp does spawn a separate process that continues to retry looking up host names until it finds an answer, so normally it will recover gracefully if the lookup fails when ntp first starts up but start to work later on. I'm not sure of the details of how that interacts with NIS-based host resolution, but I suspect this resolver process doesn't deal with the NIS-is-not-ready-yet situation the same way it does for DNS.

Anyway, I suspect that it's pretty rare for a site to have no DNS at all, and that's probably why this issue hasn't shown up for other people.

(Also, I don't know if there's an automated way for the system to detect that ntp needs NIS to be up, so probably such a dependency wouldn't be found in a default installation. But if ntp were converted to Upstart, it would be much easier for the system administrator to add that dependency manually.)

Nathan

** Summary changed:

- broken start-up dependencies for ntp
+ broken start-up dependencies for ntp (starts before NIS is available)

https://bugs.launchpad.net/bugs/999725

[Bug 999725] Re: broken start-up dependencies for ntp (starts before NIS is available)
> I'm not sure off hand how the decision is made whether to convert a package such as ntp to Upstart... but I see a couple other bugs open on the topic: LP #604717 , LP #913379

Sorry, should have written those bug references as: LP: #604717 , LP: #913379

https://bugs.launchpad.net/bugs/999725

[Bug 913379] Re: Migrate ntp from SystemV to Upstart
*** This bug is a duplicate of bug 604717 ***
    https://bugs.launchpad.net/bugs/604717

** This bug has been marked a duplicate of bug 604717
   Please convert init script to upstart

https://bugs.launchpad.net/bugs/913379

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Thu, May 17, 2012 at 16:10:39 -, Paul Crawford wrote:
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 134.36.22.69
> netmask 255.255.255.0
> gateway 134.36.22.1

Since the resolvconf package is installed by default in Precise, you'd normally need to have a dns-nameservers line in your interfaces stanza in order for DNS resolution to work at all (given that you are using a static configuration).

So, what does /etc/resolv.conf contain now? Also, what does ls -l /etc/resolv.conf show?

Nathan

https://bugs.launchpad.net/bugs/999725

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Thu, May 17, 2012 at 16:46:15 -, Paul Crawford wrote:
> Results for 12.04 machine are:
>
> $ ls -l /etc/resolv.conf
> lrwxrwxrwx 1 root root 29 Apr 30 17:39 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
>
> $ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Yes, this confirms that resolvconf is installed and active, but not getting any DNS configuration information.

> On another 10.04 machine I get a file, and its contents have our DNS servers listed.

Yes, the resolvconf package wasn't (generally) used in Lucid, so you probably have a static resolv.conf file to go along with a static network interface definition. (You can check by seeing if ls -l /etc/resolv.conf shows a normal file, and has a modification date from a while ago.)

> But if resolv.conf is missing this, and we don't have any dns-nameservers in /etc/network/interfaces, then how is the machine getting DNS later when everything seems normal?

Yes, that's definitely a key question...

What happens if you try ping ntp0.dundee.ac.uk from that box? (It doesn't matter if the ping itself actually succeeds, but the question is whether it can resolve the name to an IP number.) How about host ntp0.dundee.ac.uk?

Nathan

https://bugs.launchpad.net/bugs/999725

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Thu, May 17, 2012 at 18:43:59 -, Paul Crawford wrote:
> So ping is able to perform the name-to-IP conversion fine, but host and nslookup both fail!

Right, host and nslookup both (attempt to) do DNS queries directly, while ping does the lookup using libc6 library routines...

So, what do you get from:

  $ ls -l /etc/nsswitch.conf
  $ cat /etc/nsswitch.conf

(Also, does /etc/hosts contain anything besides the default lines?)

> Other 'normal' programs seem to perform address lookup OK (e.g. entering www.google.com in firefox, or even ntp if restarted later) so there is something bizarre about the network management.

You mentioned earlier that you had NIS installed on this machine, so I'm guessing the behavior you are seeing is related to that, but I'm not personally very familiar with using NIS for host information.

Nathan

https://bugs.launchpad.net/bugs/999725

Re: [Bug 999725] Re: broken start-up dependencies for ntp
On Thu, May 17, 2012 at 19:33:37 -, Paul Crawford wrote:
> $ cat /etc/nsswitch.conf
> [...]
> hosts: files nis dns

> domain, I think). I don't really understand NIS, and the guy usually responsible for this sort of thing is away, but as far as I know it only provides local-area user/machine authentication and so I would be surprised if it 'knows' about anything outside of our sub-domain (like google, or even the other university machines as they are not part of our NIS set-up).

Yes, I would also have assumed that NIS wouldn't know anything about google.com or other names, but given that /etc/hosts is empty and the contents of the nsswitch.conf hosts line, I can't think of any other place that host-name information would be coming from...

Anyway, back to the question of getting ntpd working at boot time:

Given that it seems your system does currently require NIS to get host information, it makes sense that ntpd would fail if it started before NIS was up. While I don't have NIS installed anywhere, when I browse the package source code it appears that there is not a direct dependency between ntpd and NIS startup in the boot scripts. (NIS is brought up via Upstart, while ntpd is brought up via the /etc/rc*.d/S*ntp script.) So I'm pretty sure that does explain why you have problems with ntpd at first but it works if you restart it later (since by that point the NIS servers are running.)

However, based on what you said about the /etc/resolv.conf on your Lucid machine, it sounds like your site does have normal DNS name resolution available. If that's true, then I believe adding that information to your eth0 stanza in /etc/network/interfaces would allow DNS-based name resolution to work as soon as that interface is brought up -- and since the /etc/rc*.d scripts aren't run until static networking is up, that should mean that DNS would be available by the time ntpd started.

(See the ifup sections of man resolvconf and /usr/share/doc/resolvconf/README.gz for more info on adding that info to the interfaces file.)

Since your nsswitch.conf hosts line does include dns, presumably ntpd will then be able to successfully look up the ntp-server names, even if NIS isn't yet running at that point in the booting process.

If that isn't a viable work-around, then hopefully someone with more Upstart knowledge will be able to suggest the proper way to resolve this NIS vs. ntpd start-up dependency issue.

Nathan

https://bugs.launchpad.net/bugs/999725

[Bug 242313] Re: TLS_CACERTDIR not supported in gnutls
As mentioned earlier in this bug report, the TLS_CACERTDIR configuration directive stopped working when the openldap packages were linked to the GNUTLS library. (At least in the Lucid version, the ldap.conf man page specifically mentions this issue:

  TLS_CACERTDIR path
      Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.

)

However, it's worth mentioning that when the Debian/Ubuntu ca-certificates package (or more specifically, the update-ca-certificates script) uses the user's enabled certificate configuration choices to populate the /etc/ssl/certs directory, it also creates a single file, /etc/ssl/certs/ca-certificates.crt, containing all of the trusted certificates that it has processed.

So, if one is trying to just use the standard system-wide list of trusted certificates, changing the old config line from

  TLS_CACERTDIR /etc/ssl/certs

into

  TLS_CACERT /etc/ssl/certs/ca-certificates.crt

should work as desired (with GNUTLS).

(It should be possible to do the same thing in /etc/ldap.conf for the libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd package -- though it seems like you have to spell it TLS_CACERTFILE instead of TLS_CACERT there.)

Nathan

https://bugs.launchpad.net/bugs/242313

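An added example, not part of the original comment or of any openldap package: a small check that reads an ldap.conf-style file and reports whether it names a CA bundle file or relies only on TLS_CACERTDIR, the directive the man page excerpt says is ignored with GnuTLS. The function names, the verdict strings and the sample configurations (including the ldap.example.com URI) are constructed for illustration.

```shell
#!/bin/sh
# ca_verdict: read a config file on stdin and report how CA trust is set.
# Option names are matched case-insensitively. TLS_CACERT and TLS_CACERTFILE
# (the spelling the comment gives for /etc/ldap.conf and /etc/nslcd.conf)
# both count as a bundle file.
ca_verdict() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = toupper($1) }
        key == "TLS_CACERTDIR" { dir = $2 }
        key == "TLS_CACERT" || key == "TLS_CACERTFILE" { file = $2 }
        END {
            if (file != "")     print "ok: bundle " file
            else if (dir != "") print "warn: only TLS_CACERTDIR " dir
            else                print "info: no CA setting"
        }'
}

# Constructed sample: the old configuration line from the comment.
old_config() {
    printf '%s\n' '# client settings' \
                  'URI ldaps://ldap.example.com' \
                  'TLS_CACERTDIR /etc/ssl/certs'
}

# Constructed sample: the replacement line suggested in the comment.
new_config() {
    printf '%s\n' 'URI ldaps://ldap.example.com' \
                  'TLS_CACERT /etc/ssl/certs/ca-certificates.crt'
}

# Constructed sample: lower-case TLS_CACERTFILE spelling with the directory
# directive still present; the bundle file is what counts.
mixed_config() {
    printf '%s\n' 'tls_cacertdir /etc/ssl/certs' \
                  'tls_cacertfile /etc/ssl/certs/ca-certificates.crt'
}

old_config   | ca_verdict
new_config   | ca_verdict
mixed_config | ca_verdict
```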
[Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)
James, would you also be able to re-try an upgrade from Lucid to the current Maverick version (slapd 2.4.23-0ubuntu3), and then confirm that the slapcat command does fail at that point (i.e. without having done the manual recovery steps)?

(I'd just like to be sure that once 2.4.23-0ubuntu3 is installed it really is too late for the slapd.preinst script dump_databases() function to be able to export the database.)

Thanks.

Nathan

https://bugs.launchpad.net/bugs/658227

Re: [Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)
On Thu, Oct 14, 2010 at 16:31:20 -, Steve Langasek wrote:
> That's not unavoidable; just bump the minimum version check to the maverick release version instead of the lucid version. New installations of maverick will get an excess database dump/restore, but the upgrade will be clean for everyone.

Yeah, that's what I was going to suggest at first, but I don't think it will cover all the cases.

Say someone had a working Lucid version of slapd they've already tried upgrading to the Maverick release 2.4.23-0ubuntu3, and they haven't ever done the manual db4.7_ steps to convert the database. In that case, they'll still have a v4.7 BDB environment in their /var/lib/ldap directory... but the version of slapcat installed on their machine will be from 2.4.23-0ubuntu3. That is, they'll already have a slapcat linked against libdb4.8, and so the slapd.pre/postinst scripts won't be able to export the old database in preparation for importing it using the new version.

I don't have an environment available where I can actually test this myself, but as far as I can see once someone has installed slapd 2.4.23-0ubuntu3 it's too late to try fixing this problem with the usual export/import cycle.

Nathan

https://bugs.launchpad.net/bugs/658227

Re: [Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)
On Thu, Oct 14, 2010 at 17:47:19 -, Steve Langasek wrote:
> Ah, you're probably right then and I'm just misremembering how this was handled in Debian.

Looking through the Debian changelog, it appears that there was a similar problem between 2.4.23-1 and 2.4.23-4. The switch to libdb4.8 was made in 2.4.23-1, but the change to slapd.scripts-common made at that time (SVN revision 1275) used lt-nl 2.4.21 as the conversion cutoff, so the export/import cycle was missed for systems upgrading from 2.4.21-1. This was corrected in 2.4.23-4 (SVN 1307) after being reported in debbugs #593550.

I see that the correction does use 2.4.23-4 as the cutoff version number, so I think that in Debian there would be errors attempting to upgrade from a pre-2.4.23 database to one of the earlier 2.4.23 packages (but without doing any manual fixes) and then up to the -4 version. But it also looks like 2.4.23-4 was the first of the 2.4.23 versions to make it into Testing, so presumably there weren't too many people affected by that gap. In Ubuntu we have the situation that the gap includes the version released in Maverick, so it seems likely to affect more people.

Nathan

https://bugs.launchpad.net/bugs/658227

Re: [Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)
On Thu, Oct 14, 2010 at 19:07:47 -, Mathias Gug wrote:
> + if dpkg --compare-versions $OLD_VERSION lt-nl 2.4.23-0ubuntu3.1; then return 0 else
>
> That will force a database dump for every upgrade to maverick. This is the same fix as in Debian (modulo the package revision). It won't address the use case outlined in comment 17. For users that have already upgraded to maverick the workaround outlined in the bug description should be followed.

Again, I don't have a way to actually test this, but I believe that putting the 0ubuntu3.1 onto the comparison means that in the case described in comment 17, the upgrade script will attempt to do the export/import but will not be able to do so (because the existing slapcat will not be compatible with the existing db files), and the package installation will abort.

If, on the other hand, the user had done the manual repair steps already, the export/import will succeed -- but in that situation the db files have already been converted, so the export/import cycle would not actually be needed.

If I'm correct, then it's probably better to leave the comparison as lt-nl 2.4.23 (or perhaps lt-nl 2.4.23-0ubuntu1). That should guarantee that the export is being run using a pre-2.4.23 version of slapcat, and avoid touching the database on systems coming up from post-2.4.23 versions (since the script can't do anything for those systems anyway).

Nathan

https://bugs.launchpad.net/bugs/658227

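Review bot: the cutoff in the added `dpkg --compare-versions $OLD_VERSION lt-nl 2.4.23-0ubuntu3.1` test also selects upgrades from 2.4.23-0ubuntu3, the case where, per the reply above, the installed slapcat is already linked against libdb4.8 and the export step would fail and abort the installation. Either lower the cutoff to a pre-2.4.23 value such as `lt-nl 2.4.23`, as the reply proposes, or handle a failed export for that version explicitly, and add a comment next to the test recording why that version was chosen.
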
Re: [Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)
On Thu, Oct 14, 2010 at 19:07:47 -, Mathias Gug wrote:
> I've uploaded a fix to maverick-update:

How long before this new version will be available by default for a user upgrading to Maverick?

Would it make sense to add a Maverick Release Note mentioning this error and advising users with the slapd package installed to wait until the new package is in place (in order to avoid having to go through the manual steps to recover from installing in intermediate package)?

Nathan

https://bugs.launchpad.net/bugs/658227

[Bug 574474] Re: Dist-Upgrade Karmic-Lucid: Upgrading slapd fails with chown: invalid argument: `'
This bug is related to LP: #632051.

The two are triggered by a different specific issue within the slapd.conf file, and would need different changes to the postinst script in order to allow it to actually parse the config file correctly... but I think the patch I proposed in that bug would allow the package upgrade to complete, with a warning message, in both situations (rather than aborting and leaving the package in an unconfigured state, as currently happens in both situations).

https://bugs.launchpad.net/bugs/574474

[Bug 658227] Re: upgrade process does not upgrade underlying BDB format from 4.7 to 4.8
Given that this seems to affect any system upgrading slapd from Lucid to Maverick, I wonder if it's worth trying to get it added to the Maverick release notes?

** Summary changed:
- upgrade process does not upgrade underlying BDB format from 4.7 to 4.8
+ upgrade process does not upgrade underlying BDB format from 4.7 to 4.8 (so slapd aborts with Program version 4.8 doesn't match environment version 4.7 error message)

** Description changed:
  I just upgraded from Lucid to Maverick, and now slapd won't start. From syslog:

  Oct 11 06:10:31 helium slapd[12130]: @(#) $OpenLDAP: slapd 2.4.23 (Aug 7 2010 01:39:36) $#012#011bui...@yellow:/build/buildd/openldap-2.4.23/debian/build/servers/slapd
  Oct 11 06:10:32 helium slapd[12131]: bdb(dc=5200-glenwood,dc=net): Program version 4.8 doesn't match environment version 4.7
  Oct 11 06:10:32 helium slapd[12131]: hdb_db_open: database dc=5200-glenwood,dc=net cannot be opened, err -30971. Restore from backup!
  Oct 11 06:10:32 helium slapd[12131]: bdb(dc=5200-glenwood,dc=net): txn_checkpoint interface requires an environment configured for the transaction subsystem
  Oct 11 06:10:32 helium slapd[12131]: bdb_db_close: database dc=5200-glenwood,dc=net: txn_checkpoint failed: Invalid argument (22).
  Oct 11 06:10:32 helium slapd[12131]: backend_startup_one (type=hdb, suffix=dc=5200-glenwood,dc=net): bi_db_open failed! (-30971)
  Oct 11 06:10:32 helium slapd[12131]: bdb_db_close: database dc=5200-glenwood,dc=net: alock_close failed
  Oct 11 06:10:32 helium slapd[12131]: slapd stopped.

  Information on the web says that I need to run some kind of manual database upgrade to BDB 4.8, but I have no familiarity with the BDB tools, and the recipes that are suggested are varied and uncertain. Please suggest a workaround or manual upgrade, as some of my network services are at a dead stop due to this problem.

  Thanks, Andrew.

  ProblemType: BugDistroRelease: Ubuntu 10.10
  Package: slapd 2.4.23-0ubuntu3
  ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
  Uname: Linux 2.6.35-22-generic x86_64
  NonfreeKernelModules: nvidia
  Architecture: amd64
  Date: Mon Oct 11 06:07:49 2010InstallationMedia: Ubuntu 9.10 Karmic Koala - Release amd64 (20091027)
  ProcEnviron:
-  PATH=(custom, user)
-  LANG=en_US.UTF-8
-  SHELL=/bin/bashSourcePackage: openldap
+  PATH=(custom, user)
+  LANG=en_US.UTF-8
+  SHELL=/bin/bashSourcePackage: openldap

  WORKAROUND:

  Install db4.7-util and recover slapd databases:

  apt-get install db4.7-util
  cd /var/lib
  cp -a ldap ldap.bak
  cd ldap
  db4.7_checkpoint -1
  db4.7_recover

  slapd will then start correctly.

  TEST CASE:

  Steps to re-produce on a new Lucid install

  sudo apt-get install slapd ldap-utils

  Follow the Lucid Server guide through the section entitled populating LDAP to the point where data is loaded into ldap for the backend configuration.

  Perform a Lucid-Maverick update:

  sudo do-release-upgrade -d

  slapd fails to start with the following error message

  Oct 11 16:19:33 lucid-clone-01 slapd[773]: bdb(dc=example,dc=com): Program version 4.8 doesn't match environment version 4.7

https://bugs.launchpad.net/bugs/658227
[Bug 574474] Re: Dist-Upgrade Karmic-Lucid: Upgrading slapd fails with chown: invalid argument: `'
** Changed in: openldap (Ubuntu)
Status: Incomplete => Confirmed

https://bugs.launchpad.net/bugs/574474
[Bug 658227] Re: won't start after Maverick upgrade; bdb Program version 4.8 doesn't match environment version 4.7
Can you look through the /var/log/dist-upgrade/apt-term.log and post the lines that come from the upgrade of the slapd package?

(I don't know off hand if any of the discussion there applies in the Lucid-to-Maverick upgrade case, but in case it's helpful I'll point you to LP #536958, which covers the similar bug I ran into when upgrading from Hardy to Lucid.)

https://bugs.launchpad.net/bugs/658227
[Bug 658227] Re: won't start after Maverick upgrade; bdb Program version 4.8 doesn't match environment version 4.7
Ubuntu devs, I took a quick look at the slapd.postinst/slapd.scripts-common files in the lp:ubuntu/maverick/openldap branch, and also in the Bazaar change summary for revision 26 (which is the one that includes the note "Use libdb4.8-dev (LP: #572489)"), but I don't see any edits to the postinst script to cause the database_format_changed() function to get triggered when upgrading across that db4.7-to-db4.8 switch.

Is this step no longer expected to be needed when doing the BDB upgrade, or does the postinst need to be updated to recognize this situation?

https://bugs.launchpad.net/bugs/658227
[Bug 658227] Re: won't start after Maverick upgrade; bdb Program version 4.8 doesn't match environment version 4.7
Andrew,

As we expected, this shows that the slapd scripts made no attempt to do an export/import cycle on your database. (When that happened during my Hardy-Lucid upgrade, I had a "Dumping..." line, like this:

  Preparing to replace slapd 2.4.9-0ubuntu0.8.04.3 (using .../slapd_2.4.21-0ubuntu3_amd64.deb) ...
  Stopping OpenLDAP: slapd.
  Dumping to /var/backups/slapd-2.4.9-0ubuntu0.8.04.3:
  - directory dc=example,dc=com... done.
  Unpacking replacement slapd ...

And the postinst script should generate the corresponding "Loading from" lines, as well.)

However, from the log you posted, it looks like slapd was restarted successfully during the upgrade process. Is that true? In other words, did the upgrade process complete successfully, and the slapd daemon only begin failing when you tried to restart it sometime later?

(When I ran into this problem for the Hardy-Lucid upgrade, the error caused the "Starting OpenLDAP" command to fail, which in turn caused dpkg to abort with a "subprocess installed post-installation script returned error exit status 1" error message.)

https://bugs.launchpad.net/bugs/658227
[Bug 658227] Re: won't start after Maverick upgrade; bdb Program version 4.8 doesn't match environment version 4.7
I just remembered that the postinst failure I mentioned in my previous post wasn't triggered by the restart of the slapd daemon, but rather by another step that the postinst script was attempting to do at that time.

So, in your case, did the apt upgrade/configure cycle appear to complete normally, and it wasn't until afterwards you discovered that the slapd daemon wasn't actually running?

(Similarly, James, did your do-release-upgrade -d process appear to finish normally, or did you get an error during the slapd package install that caused the release-upgrade to abort?)

https://bugs.launchpad.net/bugs/658227
[Bug 632314] Re: slapd Too many open files
I noticed that this very topic (the default file descriptor limit) is currently being discussed on the ubuntu-dev mailing list. In particular, there was a little discussion of the fact that /etc/security/limits.conf does not apply to services:
https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031493.html

The thread also covers various situations where other applications are hitting the limit; if you (Alex) are lucky perhaps something there will give you an idea why you are doing so but other sites don't seem to be.

Nathan

https://bugs.launchpad.net/bugs/632314
Re: [Bug 632314] Re: slapd Too many open files
On Mon, Sep 20, 2010 at 14:39:27 -, Nathan Stratton Treadway wrote:
> (The very last comment on Debian bug 378261 seems to indicate that the -DOPENLDAP_FD_SETSIZE=8192 patch shouldn't actually make any difference in the Lucid version.)

The bug is currently closed, but just in case new comments are ever posted to it, here's a direct link to the specific one to which I was referring:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378261#52

Nathan

https://bugs.launchpad.net/bugs/632314
Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo
On Wed, Sep 22, 2010 at 22:26:31 -, greenmoss wrote:
> My bug 509734 was marked as a duplicate of this one. This was a special case using the atd job scheduler. At jobs launched by ldap users worked, but at jobs launched by root did *not* work. atd was doing a group lookup, and nss was dropping privileges, thus breaking root-launched at

Yeah, I found this behavior on my test machine (where I'm running Lucid), too.

Based on the discussion earlier in this bug (423252), I did some testing of the behavior of atd with various combinations of libpam/nss-ldap, nscd, and libpam/nss-ldapd.

As greenmoss found, when I was running with libpam/nss-ldap and no nscd (and didn't have any of the users in question listed in the ignoreusers line), my at commands worked for LDAP users but not for ones defined in /etc/passwd. (When an LDAP user attempted to run an at command, the following syslog message would appear:
  atd[PID]: Cannot delete saved userids: Operation not permitted
)

However, I found that when nscd was running... the situation was reversed: at commands did work for LDAP-defined users, but not for /etc/passwd-defined ones (and attempts to use at as one of those users would cause the same error message as above to show up in the syslog).

When I had libpam/nss-ldapd installed (with or without nscd), the at command worked fine for both types of users.

> jobs. To work around this, I added the following line to my /etc/ldap.conf: nss_initgroups_ignoreusers users where users is the list of local non-ldap users, particularly root!

In the libpam/nss-ldap, no nscd case, this also worked in my tests; listing the /etc/passwd-defined user in the ignoreusers line did allow at to work for that user (and it continued to work for the LDAP-defined user as well).

Interestingly, this change did NOT help in the libpam/nss-ldap, with nscd case -- even with LDAP username listed in the ignoreusers line, when I tried to run at as the LDAP-defined user, the command still failed and atd still generated the same syslog error message.

(libpam/nss-ldapd does not reference the /etc/ldapd.conf file, so the ignoreusers line doesn't affect that test case.)

[For what it's worth, I tested cron using those same combinations of NSS/PAM resolution libraries but didn't find any situation where it failed...]

Nathan

https://bugs.launchpad.net/bugs/423252
Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo
On Fri, Sep 24, 2010 at 16:46:25 -, Nathan Stratton Treadway wrote:
> As greenmoss found, when I was running with libpam/nss-ldap and no nscd (and didn't have any of the users in question listed in the ignoreusers line), my at commands worked for LDAP users but not for ones defined in /etc/passwd. (When an LDAP user attempted to run an at command, the following syslog message would appear: atd[PID]: Cannot delete saved userids: Operation not permitted
> However, I found that when nscd was running... the situation was reversed: at commands did work for LDAP-defined users, but not for /etc/passwd-defined ones (and attempts to use at as one of those users would cause the same error message as above to show up in the syslog).

I'm sorry, I seem to have managed to jumble the succeeded/failed statuses given in those two paragraphs... Hopefully the following table is more clear:

without nscd:
  passwd user: failed (and "Cannot delete" syslog message appeared)
  LDAP user: succeeded

with nscd running (and after restarting the atd service):
  passwd user: succeeded
  LDAP user: failed (with same "Cannot delete" syslog message)

Nathan

https://bugs.launchpad.net/bugs/423252
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Summary changed:
- NSS using LDAP+SSL breaks setuid applications like su and sudo
+ NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

https://bugs.launchpad.net/bugs/423252
[Bug 632314] Re: slapd Too many open files
Alex, have you tried going back to using the stock Lucid version of the slapd binary (but with the /etc/defaults/slapd ulimit changes)? (The very last comment on Debian bug 378261 seems to indicate that the -DOPENLDAP_FD_SETSIZE=8192 patch shouldn't actually make any difference in the Lucid version.)

https://bugs.launchpad.net/bugs/632314
[Bug 632051] Re: Improve slapd postinst error message in case database directory can't be determined for a given LDAP suffix
** Summary changed:
- Improve error message in case suffix is incorrect
+ Improve slapd postinst error message in case database directory can't be determined for a given LDAP suffix

** Description changed:
  Bug is due to buggy configuration, but we could have a better error message. See comment 5 for details.

  Original description:

  When doing a apt-get dist-upgrade going from slapd_2.4.15-1ubuntu3_amd64.deb to slapd_2.4.15-1ubuntu3.1_amd64.deb I get the following output:

  ba...@work-isp:/tmp$ sudo apt-get dist-upgrade
  [sudo] password for batch:
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 0B of additional disk space will be used.
  Do you want to continue [Y/n]? y
  Setting up slapd (2.4.15-1ubuntu3.1) ...
-  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.15-1ubuntu3... done.
+  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.15-1ubuntu3... done.
  chown: invalid argument: `'
  dpkg: error processing slapd (--configure):
-  subprocess post-installation script returned error exit status 1
+  subprocess post-installation script returned error exit status 1
  Errors were encountered while processing:
-  slapd
+  slapd
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  output of lsb_release -rd:
  ba...@work-isp:/tmp$ lsb_release -rd
  Description: Ubuntu 9.04
  Release: 9.04

  output of apt-cache policy slapd:
  ba...@work-isp:/tmp$ apt-cache policy slapd
  slapd:
-  Installed: 2.4.15-1ubuntu3.1
-  Candidate: 2.4.15-1ubuntu3.1
-  Version table:
-  *** 2.4.15-1ubuntu3.1 0
-  500 http://us.archive.ubuntu.com jaunty-updates/main Packages
-  500 http://security.ubuntu.com jaunty-security/main Packages
-  100 /var/lib/dpkg/status
-  2.4.15-1ubuntu3 0
-  500 http://us.archive.ubuntu.com jaunty/main Packages
+  Installed: 2.4.15-1ubuntu3.1
+  Candidate: 2.4.15-1ubuntu3.1
+  Version table:
+  *** 2.4.15-1ubuntu3.1 0
+  500 http://us.archive.ubuntu.com jaunty-updates/main Packages
+  500 http://security.ubuntu.com jaunty-security/main Packages
+  100 /var/lib/dpkg/status
+  2.4.15-1ubuntu3 0
+  500 http://us.archive.ubuntu.com jaunty/main Packages

  I except the package to install without error.
  The package did not install correct leaves the sysem with 1 not fully installed or removed

https://bugs.launchpad.net/bugs/632051
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
** Changed in: openldap (Ubuntu)
Status: Incomplete => Confirmed

https://bugs.launchpad.net/bugs/450645
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
I didn't explain clearly in my earlier comments that it's only the olcDbDirectory grep that actually causes the chown error here. I added the .ldif extension to the grep in the get_suffix function only to keep the two consistent (figuring that if it's true we only care about files that end in .ldif then we should be restricting our searches to such files in both places).

However, the two greps are actually different enough that making your changes to the first one won't do what you want. In particular, the -h option given there means that the filenames are never printed; adding /dev/null doesn't change anything, and changing the cut command to use the third field just means that the pipeline always returns an empty list of suffixes.

In your particular case, though, it ends up working out fine, since the result is that the postinst script completes without an error... but that is because it doesn't try to update the permissions on any of the database directories, rather than because it is now successfully determining the path of the directory that needs to be updated.

It certainly seems like a good idea, though, to make the get_directory function a bit more robust. But I'm not sure off hand if it makes more sense to just pick the first directory that is found for a given suffix, or to try to return all of those directories. (That is, by making the grep pipeline a bit smarter, it seems like one could just return a list of all the database directories, and run the chown on that list.)

(In your case, does the olcDatabase={3}ldap.ldif file really describe an active backend that has both the same suffix and database directory as the one described in the olcDatabase={1}hdb.ldif file?)

https://bugs.launchpad.net/bugs/450645
[Bug 632051] Re: slapd dist-upgrade chown: invalid argument: `'
I wonder if the cause of this chown error is at all related to the one discussed in bug #450645.

If you can post the output of the following commands it might provide enough information to figure out what exactly is triggering the bug:

  $ sudo sh -c 'ls -l /etc/ldap/slapd.d/cn=config/olcDatabase*'
  $ sudo sh -c 'grep olcSuffix: /etc/ldap/slapd.d/cn=config/olcDatabase*'
and
  $ sudo sh -c 'grep olcDbDirectory: /etc/ldap/slapd.d/cn=config/olcDatabase*'

https://bugs.launchpad.net/bugs/632051
[Bug 632051] Re: slapd dist-upgrade chown: invalid argument: `'
Ah, okay, you are still using the slapd.conf file, rather than the slapd.d configuration directory, so your error and the one in #450645 are more like cousins than siblings :)

  # Backend specific directives apply to this backend until another
  # 'backend' directive occurs
  database hdb
  suffix dc=domain
  rootdn cn=admin,dc=domain
  rootpw {SSHA}some text for a password
  directory /var/lib/ldap

Does the 'suffix' line in your slapd.conf file really have three double-quote characters in it? If so, I suspect that's the trigger in your case...

Specifically, when the postinst script builds the list of suffixes to process, it looks for lines that start with suffix and then removes *all* the " characters from the value string found -- so when it goes back to find the directory whose permissions need to be updated, it is looking for a line that says:
  suffix dc=domain
This doesn't match the actual existing line, suffix dc=domain , and so the search fails.

In this case, the get_directory() function call would return an empty string, and when chown is called with that empty string as the target path, it would return the invalid argument: `' error message.

https://bugs.launchpad.net/bugs/632051
[Bug 632051] Re: slapd dist-upgrade chown: invalid argument: `'
It occurred to me that when the postinst script is unable to determine the database directory associated with a particular suffix (for whatever reason), simply producing the error message chown: invalid argument: `' and then aborting isn't very helpful to the system administrator.

Here's a patch that checks the result of the get_directory function call, and if no directory is returned prints a descriptive warning rather than trying to set permissions on nothing. The patch only changes the update_database_permissions() function, so it should be an improvement regardless of whether slapd.conf or slapd.d-style configuration is in use.

This version of the patch simply prints a warning message and continues processing the rest of the postinst run, on the theory that there's a good chance that everything will still work fine even if we don't run this particular missing chown command -- but if there is actually a need to abort the installation in that situation, the patch could easily be tweaked to print an appropriate message and then exit with an error status instead.

** Patch added: print descriptive warning message when get_directory function can't find the database directory for the given suffix
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/632051/+attachment/199/+files/slapd_2.4.21-0ubuntu5.3_postinst_empty_dbdir_warning.patch

** Tags added: patch

https://bugs.launchpad.net/bugs/632051
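The failure discussed in this thread (a suffix whose directory lookup comes back empty, so chown is called with an empty path) and the guard described in the message above, as an added shell example that is not the slapd.postinst code or the attached patch. The function names come from the thread; their bodies, the sample slapd.conf (including where the stray quote sits) and the RUN dry-run variable are assumptions.

```shell
#!/bin/sh
# Added illustration; not the slapd.postinst code or the attached patch.
# Function names are borrowed from the thread, the bodies are assumptions.

# Constructed sample slapd.conf: the second suffix line carries a stray
# extra double quote (its position is an assumption).
make_sample_conf() {
    cat > "$1" <<'EOF'
database        hdb
suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"

database        hdb
suffix          ""dc=domain"
directory       "/var/lib/ldap-domain"
EOF
}

# Collect the suffix values with every double quote stripped.
get_suffix() {
    sed -n 's/^suffix[[:space:]][[:space:]]*//p' "$1" | tr -d '"'
}

# Print the directory of the database section whose suffix line reads
# exactly: suffix "VALUE". Prints nothing when no line matches.
get_directory() {
    awk -v want="\"$2\"" '
        $1 == "database"             { found = 0 }
        $1 == "suffix" && $2 == want { found = 1 }
        $1 == "directory" && found   { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# Guarded permission update: an empty lookup result is reported and skipped
# instead of being handed to chown. RUN defaults to echo (dry run); set RUN
# to an empty string to execute the chown for real.
update_database_permissions() {
    conf=$1 owner=$2
    get_suffix "$conf" | while IFS= read -r suffix; do
        dbdir=$(get_directory "$conf" "$suffix")
        if [ -z "$dbdir" ]; then
            echo "warning: no database directory found for suffix '$suffix';" \
                 "leaving permissions unchanged" >&2
            continue
        fi
        ${RUN-echo} chown -R "$owner" "$dbdir"
    done
    return 0
}

# Demo on the constructed sample (dry run: prints the chown it would run).
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
update_database_permissions "$demo_conf" openldap
rm -f "$demo_conf"
```

Run as is, it prints one chown command for dc=example,dc=com and a warning on stderr for dc=domain.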
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
** Patch added: restrict grep searches to files with names ending in .ldif
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/450645/+attachment/1535371/+files/slapd_2.4.21-0ubuntu5.3_postinst.patch

https://bugs.launchpad.net/bugs/450645
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
Ross,

In your case, I believe the error is triggered because you have two different olcDatabase files that include the same olcSuffix line:

  /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcSuffix: dc=cpd,dc=co,dc=uk
  /etc/ldap/slapd.d/cn=config/olcDatabase={3}ldap.ldif:olcSuffix: dc=cpd,dc=co,dc=uk

(As I mentioned earlier, the postinst script currently assumes that only one file will contain the string olcSuffix: SUFFIX.)

Unfortunately, the patch that I just submitted wouldn't make any difference in your case (since the names of both of those files do end in .ldif)...

https://bugs.launchpad.net/bugs/450645
Re: [Bug 463684] Re: openldap sections in ubuntu server guide not updated for packages in karmic
On Thu, Apr 29, 2010 at 15:03:46 -, Adam Sommer wrote:
> The OpenLDAP instructions have been updated for Ubuntu Lucid, and they work for Karmic.

I noticed that the Lucid version of the Ubuntu Server Guide is now available on the web site:
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

Nathan

https://bugs.launchpad.net/bugs/463684
[Bug 577375] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
The DpkgTerminalLog.txt file shows several attempts to upgrade the slapd package, each with the same result; here is the output from one of them:

=
Setting up slapd (2.4.21-0ubuntu5) ...
Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu4... done.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via slapd -d 16383 (warning: this will create copious output).

Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
invoke-rc.d: initscript slapd, action start failed.
dpkg: error processing slapd (--configure):
subprocess installed post-installation script returned error exit status 1
=

David,

Can you post the lines that showed up in /var/log/syslog file when the upgrade script attempted to restart the slapd daemon?

https://bugs.launchpad.net/bugs/577375
[Bug 574474] Re: Dist-Upgrade Karmic-Lucid: Upgrading slapd fails with chown: invalid argument: `'
Yes, I think that explains why you are getting the chown: invalid argument `' error.

Specifically, when the slapd.postinst parses through the slapd.conf file, it attempts to process included files... but it assumes that the database, suffix, and directory lines for a particular database are all found in the same file. So in your case, it looks through all the files and finds a suffix line (i.e. presumably one found in suffix.include), but then when it goes to look up what directory that suffix was tied to, it isn't able to associate that suffix with the directory line found there in your slapd.conf file. (This in turn means that it ends up calling chown with an empty FILE argument, e.g. chown openldap , which then generates the error message you see).

In the short run, since your database files do already have the correct permissions, you can probably work around this dpkg error by commenting out the update_databases_permissions line in slapd.postinst (it's line 670 in the script for slapd 2.4.21-0ubuntu5), and then running dpkg --configure again.

Obviously you will be likely to have the same problem again the next time slapd is upgraded... but I don't know if there will be any easy fix for that, given the general move away from slapd.conf-style configuration.

https://bugs.launchpad.net/bugs/574474
[Bug 574474] Re: Dist-Upgrade Karmic-Lucid: Upgrading slapd fails with chown: invalid argument: `'
The slapd.postinst script attempts to ensure that various files and directories have the proper ownerships (and permissions) set. It looks like it may be having trouble extracting the correct list of directories in your case.

Can you post the output of the following command (run as root)?

  grep -E '^(include|database|suffix|directory)' /etc/ldap/slapd.conf

Hopefully that will give some hint as to what is causing the confusion.
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
Mathias (or other OpenLDAP developers):

Any reason the grep commands in the get_suffix and get_directory functions shouldn't use olcDatabase*.ldif for the list of files to search (instead of olcDatabase*, as they currently do)?
[Bug 573049] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade:
*** This bug is a duplicate of bug 573048 ***
https://bugs.launchpad.net/bugs/573048

(I confirmed that the VarLogDistupgradeApt* and VarLogDistupgradeMainlog.gz files attached here are exactly the same as those attached to bug 473048.)

** This bug has been marked a duplicate of bug 573048
   package slapd 2.4.21-0ubuntu5 failed to install/upgrade:
[Bug 573048] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade:
Looking through VarLogDistupgradeApttermlog, I see that slapd is restarted successfully a few times (i.e. when packages such as libc6, libpam0g, and libssl are upgraded). Then later on these lines appear:

===
Подготовка к замене пакета ldap-utils 2.4.9-0ubuntu0.8.04.3 (используется файл .../ldap-utils_2.4.21-0ubuntu5_i386.deb) ...
Распаковывается замена для пакета ldap-utils ...
Подготовка к замене пакета libldap2-dev 2.4.9-0ubuntu0.8.04.3 (используется файл .../libldap2-dev_2.4.21-0ubuntu5_i386.deb) ...
Распаковывается замена для пакета libldap2-dev ...
Подготовка к замене пакета libldap-2.4-2 2.4.9-0ubuntu0.8.04.3 (используется файл .../libldap-2.4-2_2.4.21-0ubuntu5_i386.deb) ...
Распаковывается замена для пакета libldap-2.4-2 ...
Выбор ранее не выбранного пакета libltdl7.
Распаковывается пакет libltdl7 (из файла .../libltdl7_2.2.6b-2ubuntu1_i386.deb)...
Подготовка к замене пакета slapd 2.4.9-0ubuntu0.8.04.3 (используется файл .../slapd_2.4.21-0ubuntu5_i386.deb) ...
Stopping OpenLDAP: slapd.
Dumping to /var/backups/slapd-2.4.9-0ubuntu0.8.04.3:
- directory dc=trct,dc=local... slapcat: Symbol `ldap_int_global_options' has different size in shared object, consider re-linking
/etc/ldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 133: rootdn is always granted unlimited privileges.
done.
Распаковывается замена для пакета slapd ...
[ *** lines skipped ]
Настраивается пакет libldap-2.4-2 (2.4.21-0ubuntu5) ...
Настраивается пакет ldap-utils (2.4.21-0ubuntu5) ...
[ *** lines skipped ]
Настраивается пакет slapd (2.4.21-0ubuntu5) ...
Устанавливается новая версия файла настройки /etc/ldap/schema/README ...
Устанавливается новая версия файла настройки /etc/ldap/schema/cosine.ldif ...
Устанавливается новая версия файла настройки /etc/ldap/schema/inetorgperson.ldif ...
Устанавливается новая версия файла настройки /etc/ldap/schema/nis.ldif ...
Устанавливается новая версия файла настройки /etc/ldap/schema/openldap.ldif ...
Устанавливается новая версия файла настройки /etc/ldap/schema/duaconf.schema ...
Устанавливается новая версия файла настройки /etc/ldap/schema/dyngroup.schema ...
Устанавливается новая версия файла настройки /etc/ldap/schema/inetorgperson.schema ...
Устанавливается новая версия файла настройки /etc/ldap/schema/misc.schema ...
Устанавливается новая версия файла настройки /etc/ldap/schema/nis.schema ...
Устанавливается новая версия файла настройки /etc/ldap/schema/openldap.schema ...
Устанавливается новая версия файла настройки /etc/apparmor.d/usr.sbin.slapd ...
Файл настройки `/etc/default/slapd'
== Изменён после установки (вами или сценарием).
== Автор пакета предоставил обновлённую версию.
Что вы будете с этим делать? У вас есть следующие варианты:
Y или I : установить версию, предлагаемую сопровождающим пакета
N или O : оставить установленную на данный момент версию
D: показать различия между версиями
Z: перевести этот процесс в фоновый режим для проверки ситуации
По умолчанию сохраняется текущая версия файла настройки.
*** slapd (Y/I/N/O/D/Z) [по умолчанию N] ? o
Устанавливается новая версия файла настройки /etc/init.d/slapd ...
Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.9-0ubuntu0.8.04.3... done.
Moving old database directories to /var/backups:
- directory dc=trct,dc=local... done.
Loading from /var/backups/slapd-2.4.9-0ubuntu0.8.04.3:
- directory dc=trct,dc=local... done.
- chowning database directory (openldap:openldap)... done
failed.
Migrating slapd.conf file (/etc/ldap/slapd.conf) to slapd.d failed with the following error while running slaptest:
/etc/ldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 133: rootdn is always granted unlimited privileges.
config_build_entry: build cn={11}gosa+samba3 failed: (null)
backend_startup_one (type=config, suffix=cn=config): bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
dpkg: не удалось обработать параметр slapd (--configure):
подпроцесс установлен сценарий post-installation возвратил код ошибки 1
[ *** end of log file *** ]
===
[Bug 573048] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade:
deutsche Makar,

I'm thinking something may have gone wrong setting the permissions on the BDB database files. Can you post the output of the following commands?

  ls -ld /var/backups/dc*
  ls -l /var/backups/dc*
  uname -a
  grep ^directory /etc/ldap/slapd.conf*
  ls -la <path listed in output of preceding line>
[Bug 573048] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade:
Looking more closely at the slapd.postinst script, I see that the word failed. is actually associated with the Migrating slapd.conf file message below it, not with the chowning database directory message above it. So I don't think there's a problem with the permissions after all.

What happens if you run

  slaptest -f /etc/ldap/slapd.conf

? (Do you get the same messages as those found in the VarLogDistupgradeApttermlog file?)

If so, what happens if you comment out lines 116 and 133 of the slapd.conf file and then try the test again?
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
Mathias, Thierry: neither of these scripts appears to clean up the olcAuthzRegexp: gidNumber=\[\[:digit:]]\+\\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config' line that got added to the ${SLAPD_CONF}/cn=config.ldif file by earlier upgrades. I believe that as long as that mapping is there, the newly-added olcAccess lines referencing dn.exact=gidNumber=0+uidNumber=0,... will be ignored.

Does anyone know if # comments are officially supported in these slapd.d config files? (They worked in my manual tests, but I haven't had a chance to research whether one is really supposed to use them.) If they are supported, it might be better for the postinst edits just to comment out these lines, rather than completely deleting them.
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
On Thu, Apr 29, 2010 at 02:57:36 -, Stephen Warren wrote:
> Re: the mention of symptoms in comment #12 above: My symptom was that I could not log in at all, and in existing sessions, sudo wouldn't work etc. I store user information in LDAP, with just system users in /etc/passwd etc., so luckily I could still log in as root to fix this.

Ah, good point. I have been working with a test system not configured for LDAP authentication, so I didn't check out that functionality.

When you say still log in as root to fix this, did you have to make additional edits after you got slapd running again (as you mentioned in your original problem description)? That is, were you locked out just because slapd wasn't running, and then back to normal again once you got slapd restarted, or did you have to go back and fix the permission settings before LDAP authentication started working again? (If you did have to fix permissions, what exactly did you have to change to get that part working?)

Nathan
[Bug 571752] [NEW] slapd upgrades don't add frontend ACLs for base= and cn=subschema
Public bug reported:

As a result of LP: #427842, the initial configuration created upon installation of slapd 2.4.21-0ubuntu4 and later will include the following ACLs on the {-1}frontend database:

  olcAccess: to dn.base= by * read
  olcAccess: to dn.base=cn=subschema by * read

However, when upgrading from earlier versions of slapd, no attempt is made to make sure these ACLs exist. In the case of a Hardy - Lucid upgrade, this causes e.g. ldapvi --discover to stop working.

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: hardy2lucid
[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
I have opened Bug #571752 for the issue related to missing ACLs for the frontend database after upgrading from earlier versions of slapd (discussed in comments 3 12 here).

(Obviously, the discussion related to the issue mentioned in comment 11 here has moved to Bug #571057.)
[Bug 506317] Re: ldap.schema.urlfetch doesn't work anymore since slapd.d migration
*** This bug is a duplicate of bug 427842 ***
https://bugs.launchpad.net/bugs/427842

Note that the fix committed as part of bug #427842 only changed the settings for new installations, while this bug is actually about permission problems after migrating from an earlier version of the slapd package...
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
Thierry, any chance of adding another release note covering the post-upgrade access permissions problems discussed here and in bug #571752? Even though they won't cause the upgrade process to abort the way the ordered_value_sort error does, it still seems pretty significant that some LDAP client software will no longer function as expected after the upgrade.
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
The history for bug 563829 includes some discussion of this situation with the olcDatabase={-1}frontend.ldif file.
[Bug 570657] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
(Assuming the /var/log/syslog does include a line saying:

  config error processing olcDatabase={-1}frontend,cn=config: ordered_value_sort failed on attr olcAccess#012

, then this bug is probably a duplicate of LP: #571057.)
[Bug 570533] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: podproces zainstalowany skrypt post-installation zwrócił kod błędu 1
(Assuming the /var/log/syslog includes a line saying:

  config error processing olcDatabase={-1}frontend,cn=config: ordered_value_sort failed on attr olcAccess#012

, then this bug is probably a duplicate of LP: #571057.)
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
(Also, for what it's worth, the slapd.postinst script does include a package-version check which attempts to prevent the new line from being added more than once. However, since the slapd-failure prevents the package from reaching configured status, the script is still trying to upgrade from the older package version each time it's executed, and thus it would add a new copy of the line each time you ran apt dist-upgrade.)
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
(I think systems installed in Hardy and then upgraded to pre-release Lucid versions before upgrading to 0ubuntu5 will also be affected.)
[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
To follow up on my comment #2: I did some more testing and determined that the behavior I was seeing related to the olcAccess lines in the olcDatabase={0}config.ldif file was due to the localroot-related lines left over from earlier versions of the slapd.postinst script. Once I removed all those references, then everything worked as expected even when the two lines

  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {0}to * by * none

were both found in the config.ldif file.

I will add a comment on bug 571057 related to the manual cleanup steps that should be mentioned in the release notes.

(In case anyone else is following this trail of crumbs, the issue I had was that the olcAuthzRegexp line that mapped the UID=0 user to cn=localroot,cn=config was still found in my slapd.d/cn=config.ldif file. This meant that the dn.exact=gidNumber=0 line mentioned above was not matched. Thus, the permission check would fall to the olcAccess: {0}to * by * none line and access would be denied. When the olcAccess: {0}to * by * none line was removed from the {0}config.ldif file, the access control search continued on through to the olcAccess lines found in the olcDatabase={-1}frontend.ldif file... and that file still contained a line granting localroot access, so my ldapsearch succeeded.)
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
(To be precise, if I have followed the changelog correctly, the problem will be triggered when the upgrade path looks like:

  slapd older than 2.4.17-1ubuntu3 -- slapd between 2.4.17-1ubuntu3 and 2.4.21-0ubuntu4 -- (maybe some upgrades within that range) -- slapd 2.4.21-0ubuntu5

The first of those upgrades would add the

  olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break

line, and then the final one would add

  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

thus triggering the error.)
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
(To clarify my previous comment: note that while the symptoms are similar, this bug and bug 526230 actually have different underlying causes, and thus the details of the upgrade paths that trigger each one are different, too.)
[Bug 571424] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
The DpkgTerminalLog file shows that this is an upgrade from slapd 2.4.21-0ubuntu4 to 2.4.21-0ubuntu5 :

==
Vorbereiten zum Ersetzen von slapd 2.4.21-0ubuntu4 (durch .../slapd_2.4.21-0ubuntu5_i386.deb) ...
Stopping OpenLDAP: slapd.
Entpacke Ersatz für slapd ...
[ *** lines skipped *** ]
Richte slapd ein (2.4.21-0ubuntu5) ...
Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu4... done.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via slapd -d 16383 (warning: this will create copious output).
Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
invoke-rc.d: initscript slapd, action start failed.
dpkg: Fehler beim Bearbeiten von slapd (--configure):
Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
==

Can you confirm that your /var/log/syslog file showed a message saying

  config error processing olcDatabase={-1}frontend,cn=config: ordered_value_sort failed on attr olcAccess#012

at the point that slapd failed to restart? (If so, this is a duplicate of LP: #571057 .)
[Bug 571057] Re: slapd 2.4.21-0ubuntu5 corrupts olcDatabase={-1}frontend.ldif with duplicate olcAccess lines (again)
A few other points that hopefully can be worked into the release notes:

* A symptom that indicates the need for this config-file cleanup is when commands that rely on EXTERNAL SASL authentication no longer work for the local root user (e.g. ldapsearch -Y EXTERNAL -Hldapi:/// )

* One can avoid having dpkg abort the installation run by doing the cleanup before kicking off the upgrade to 2.4.21-0ubuntu5.

* If the cleanup isn't done beforehand, then (in addition to removing the localroot lines), the user will probably want to go ahead and delete any extra copies of the

    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

  line that get added to the olcDatabase={0}config.ldif and olcDatabase={-1}frontend.ldif files if the installation script is run multiple times. (This can happen automatically; e.g. aptitude will automatically retry the package install after the first dpkg failure.) The intended situation is to have exactly one copy of that line in each of the files.
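Added example (not part of the slapd package or of the comment above): a check for the state the comment describes as intended, exactly one copy of the peercred olcAccess rule and no localroot leftovers in a slapd.d file. It assumes long values in these files may be folded onto LDIF continuation lines, which is why it unfolds before matching; the function names and the sample file content are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; not part of the slapd package. Names are hypothetical.

# The rule text quoted in the thread, without the "olcAccess:" keyword and
# without the {N} ordering prefix.
PEERCRED_RULE='to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break'

# Join LDIF continuation lines: a line that starts with one space continues
# the previous line (RFC 2849 folding).
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
        { buf = $0 }
        END { if (NR > 0) print buf }
    ' "$1"
}

# Count olcAccess values equal to the peercred rule, ignoring the {N} prefix.
count_peercred_rules() {
    unfold_ldif "$1" | awk -v rule="$PEERCRED_RULE" '
        /^olcAccess:/ {
            v = $0
            sub(/^olcAccess:[ \t]*/, "", v); sub(/^[{][0-9]+[}]/, "", v)
            if (v == rule) n++
        }
        END { print n + 0 }
    '
}

# Count lines that still reference the old localroot identity (olcAccess
# rules or the olcAuthzRegexp mapping).
count_localroot_refs() {
    unfold_ldif "$1" | grep -c 'cn=localroot,cn=config' || true
}

# What a line-by-line grep sees on the folded file, for comparison.
naive_peercred_count() {
    grep -c 'cn=external,cn=auth manage by' "$1" || true
}

# Succeeds when the file is in the intended state: exactly one peercred rule
# and no localroot leftovers.
is_clean() {
    [ "$(count_peercred_rules "$1")" -eq 1 ] && [ "$(count_localroot_refs "$1")" -eq 0 ]
}

# Constructed sample of a frontend file after two failed postinst runs, with
# the long values folded across two lines.
make_frontend_sample() {
    printf '%s\n' \
        'dn: olcDatabase={-1}frontend' \
        'objectClass: olcDatabaseConfig' \
        'olcDatabase: {-1}frontend' \
        'olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break' \
        'olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern' \
        ' al,cn=auth manage by * break' \
        'olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern' \
        ' al,cn=auth manage by * break' > "$1"
}

# Constructed sample of the same file after the manual cleanup.
make_clean_sample() {
    printf '%s\n' \
        'dn: olcDatabase={-1}frontend' \
        'objectClass: olcDatabaseConfig' \
        'olcDatabase: {-1}frontend' \
        'olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern' \
        ' al,cn=auth manage by * break' > "$1"
}

# Demo on the constructed samples.
sample=$(mktemp)
make_frontend_sample "$sample"
echo "line-by-line grep sees: $(naive_peercred_count "$sample") peercred rule(s)"
echo "after unfolding:        $(count_peercred_rules "$sample") peercred rule(s)"
echo "localroot leftovers:    $(count_localroot_refs "$sample")"
if is_clean "$sample"; then echo "state: clean"; else echo "state: needs cleanup"; fi
rm -f "$sample"
```

On the constructed sample the line-by-line grep reports no copies at all because the value is split across the fold, while the unfolded count finds both duplicates.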
[Bug 571481] Re: when slapd upgrade fails, later upgrade attempts overwrite saved backups of pre-upgrade configuration files
** Summary changed:

- when slapd upgrade fails, later upgrade attempts overwrite saved copies of pre-upgrade configuration files
+ when slapd upgrade fails, later upgrade attempts overwrite saved backups of pre-upgrade configuration files
[Bug 571498] [NEW] slapd.postinst should put all backed-up items together in one place under /var/backups
Public bug reported:

Currently the slapd.postinst script uses /var/backups/slapd-old-package-version/ to store both the backup copy of $SLAPD_CONF and the slapcat-generated .ldif file. However, if there is a need to move the BDB files out of the way, they are instead moved to separate rootdn -old-packge-version.ldapdb destination directories found directly under /var/backups/ .

Assuming the move_incompatible_databases_away logic is kept in post-Lucid, it might be worth changing the destination path so that it keeps the BDB files together with the other backups under /var/backups/slapd-old-package-version/ .

(I think that could be complished by simply changing the hard-coded /var/backups strings found in the compute_backup_path and move_incompatible_databases_away functions to instead call database_dumping_destdir, similar to the call in backup_config_once .)

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 571498] Re: slapd.postinst should put all backed-up items together in one place under /var/backups
** Description changed:

  Currently the slapd.postinst script uses /var/backups/slapd-old- package-version/ to store both the backup copy of $SLAPD_CONF and the slapcat-generated .ldif file. However, if there is a need to move the BDB files out of the way, they are instead moved to separate rootdn -old-packge-version.ldapdb destination directories found directly under /var/backups/ .

  Assuming the move_incompatible_databases_away logic is kept in post-
- Lucid, it might be worth changing the destination path so that it keeps
+ Lucid, it might be worth changing the destination path so that it keeps
  the BDB files together with the other backups under /var/backups/slapd -old-package-version/ .

- (I think that could be complished by simply changing the hard-coded
+ (I think that could be accomplished by simply changing the hard-coded
  /var/backups strings found in the compute_backup_path and move_incompatible_databases_away functions to instead call database_dumping_destdir, similar to the call in backup_config_once .)
[Bug 570657] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
The DpkgTerminalLog.gz file includes the following lines related to the slapd package upgrade:

===
Log started: 2010-04-03 20:07:47
[...]
Preparing to replace ldap-utils 2.4.21-0ubuntu3 (using .../ldap-utils_2.4.21-0ubuntu4_i386.deb) ...
Unpacking replacement ldap-utils ...
Preparing to replace slapd 2.4.21-0ubuntu3 (using .../slapd_2.4.21-0ubuntu4_i386.deb) ...
Stopping OpenLDAP: slapd.
Unpacking replacement slapd ...
Preparing to replace libldap-2.4-2 2.4.21-0ubuntu3 (using .../libldap-2.4-2_2.4.21-0ubuntu4_i386.deb) ...
Unpacking replacement libldap-2.4-2 ...
[]
Setting up libldap-2.4-2 (2.4.21-0ubuntu4) ...
Setting up slapd (2.4.21-0ubuntu4) ...
Installing new version of config file /etc/init.d/slapd ...
Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu3... done.
Starting OpenLDAP: slapd.
[...]
Setting up ldap-utils (2.4.21-0ubuntu4) ...
[...]
Log ended: 2010-04-26 13:01:29

Log started: 2010-04-27 13:26:09
[...]
Preparing to replace ldap-utils 2.4.21-0ubuntu4 (using .../ldap-utils_2.4.21-0ubuntu5_i386.deb) ...
Unpacking replacement ldap-utils ...
Preparing to replace slapd 2.4.21-0ubuntu4 (using .../slapd_2.4.21-0ubuntu5_i386.deb) ...
Stopping OpenLDAP: slapd.
Unpacking replacement slapd ...
Preparing to replace libldap-2.4-2 2.4.21-0ubuntu4 (using .../libldap-2.4-2_2.4.21-0ubuntu5_i386.deb) ...
[]
Setting up libldap-2.4-2 (2.4.21-0ubuntu5) ...
Setting up ldap-utils (2.4.21-0ubuntu5) ...
Setting up slapd (2.4.21-0ubuntu5) ...
Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu4... done.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via slapd -d 16383 (warning: this will create copious output).
Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
invoke-rc.d: initscript slapd, action start failed.
dpkg: error processing slapd (--configure):
subprocess installed post-installation script returned error exit status 1
[ file ends here ...]
===
[Bug 570533] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: podproces zainstalowany skrypt post-installation zwrócił kod błędu 1
Looking through the DpkgTerminalLog lines, it seems that slapd was upgraded to slapd 2.4.21-0ubuntu4 on 4/19, but the restart of the OpenLDAP daemon isn't shown in the log due to an unrelated failure:

===
Log started: 2010-04-19 03:40:24
[ *** lines skipped *** ]
Przygotowanie do zastąpienia slapd 2.4.21-0ubuntu3 (wykorzystując .../slapd_2.4.21-0ubuntu4_amd64.deb) ...
Stopping OpenLDAP: slapd.
Rozpakowanie pakietu zastępującego slapd ...
Przygotowanie do zastąpienia libldap-2.4-2 2.4.21-0ubuntu3 (wykorzystując .../libldap-2.4-2_2.4.21-0ubuntu4_amd64.deb) ...
[ *** no further slapd/ldap lines found *** ]
Przygotowanie do zastąpienia openoffice.org-dev 1:3.2.0-4ubuntu3 (wykorzystując .../openoffice.org-dev_1%3a3.2.0-7ubuntu1_amd64.deb) ...
Rozpakowanie pakietu zastępującego openoffice.org-dev ...
dpkg: błąd przetwarzania /var/cache/apt/archives/openoffice.org-dev_1%3a3.2.0-7ubuntu1_amd64.deb (--unpack):
próba nadpisania /usr/share/doc/openoffice.org-dev, który istnieje także w pakiecie openoffice.org-dev-doc 1:3.2.0-4ubuntu3
[ *** lines skipped ***]
Wystąpiły błędy podczas przetwarzania:
/var/cache/apt/archives/openoffice.org-dev_1%3a3.2.0-7ubuntu1_amd64.deb
Log ended: 2010-04-19 03:52:24
===

So it's not completely clear if the OpenLDAP daemon was running before the second stage of the upgrade:

===
Log started: 2010-04-27 03:14:57
[ *** lines skipped ***]
Przygotowanie do zastąpienia slapd 2.4.21-0ubuntu4 (wykorzystując .../slapd_2.4.21-0ubuntu5_amd64.deb) ...
Stopping OpenLDAP: slapd.
Rozpakowanie pakietu zastępującego slapd ...
Przygotowanie do zastąpienia libldap-2.4-2 2.4.21-0ubuntu4 (wykorzystując .../libldap-2.4-2_2.4.21-0ubuntu5_amd64.deb) ...
Rozpakowanie pakietu zastępującego libldap-2.4-2 ...
[ *** lines skipped *** ]
Konfigurowanie libldap-2.4-2 (2.4.21-0ubuntu5) ...
Konfigurowanie slapd (2.4.21-0ubuntu5) ...
Backing up /etc/ldap/slapd.d/ in /var/backups/slapd-2.4.21-0ubuntu4... done.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via slapd -d 16383 (warning: this will create copious output).
Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
invoke-rc.d: initscript slapd, action start failed.
dpkg: błąd przetwarzania slapd (--configure):
podproces zainstalowany skrypt post-installation zwrócił kod błędu 1
Konfigurowanie wine1.2-gecko (1.0.0-0ubuntu4) ...
[ *** file ends here, with no Log ended: line *** ]
===

Still, it seems very likely that this is the same issue as Bug 570657 (which shows a successful restart of the slapd server the day before the attempt to upgrade to slapd_2.4.21-0ubuntu5 failed when attempting to do the post-upgrade restart)
[Bug 570657] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
If your syslog file includes a line that looks similar to

slapd[7087]: config error processing olcDatabase={0}config,cn=config: ordered_value_sort failed on attr olcAccess#012

, then it would also be helpful to attach a copy of the /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif file here.
[Bug 570657] Re: package slapd 2.4.21-0ubuntu5 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Or, if the syslog line instead mentions olcDatabase={-1}frontend, the related file would be /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif .
[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
When you say bugs, would you like two separate new bugs, one for the slapd-won't-start-after-upgrading issue and the other about the dn.base= permissions? (Or do you just need a new bug related to the permissions issue?)
Re: [Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
On Tue, Apr 27, 2010 at 19:10:03 -, Mathias Gug wrote:
> A bug for each separate problem as it makes things simpler to track and to focus on.

I guess my question is whether you consider the issue raised in comment 11 to be a separate problem from this bug (LP#563829), thus requiring a newly-created bug for that, too. (I will go ahead and create a new bug for the other permission issues.)

Nathan
Re: [Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
On Tue, Apr 27, 2010 at 02:40:11 -, Mathias Gug wrote:
> The issue with deleting the old configuration is that it's hard (if not impossible) to figure out if the olcAuthzRegexp and relevant olcAccess options have been added by the package or manually by the local sysadmin. Having the old rules doesn't break the new configuration either. So I'd rather keep them around.

I think it would be helpful if there were some explanation somewhere (NEWS.Debian, README.Debian, or perhaps some new file with Ubuntu in the name?) spelling out exactly what the expected configuration is, so that users have some idea how to properly clean things up manually if necessary

Nathan
[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
I took a quick look through the new slapd.postinst script found in:

lp:~mathiaz/ubuntu/lucid/openldap/fix-root-olcaccess-upgrade

Am I correct that you no longer attempt to delete the

olcAccess: {0}to * by * none

line from the olcDatabase={0}config.ldif file (i.e. the line that is generated automatically by the slapd.conf - slapd.d conversion, e.g. during a Hardy-Lucid upgrade)?

In my quick testing, I found that having that line still in the file prevented me from accessing that part of the tree (even though it appeared after the new gidNumber=0 line). For example, when

grep olcAccess olcDatabase\=\{0\}config.ldif

returned these two lines:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {0}to * by * none

, then an ldapsearch returned:

=
[...]
# LDAPv3
# base olcDatabase={0}config,cn=config with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
=

But, when I stopped slapd, removed the olcAccess: {0}to * by * none line by hand, and restarted slapd, then the exact same ldapsearch command returned data:

=
# LDAPv3
# base olcDatabase={0}config,cn=config with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
[...]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
=

(On the other hand, I didn't find much explanation about using the gidNumber=0 form of authentication, other than the very brief mention of the switch to it in the openldap 2.4.17-1ubuntu3 release notes entry, so perhaps I missed something when running these tests. The command line I ended up using was

# ldapsearch -Y EXTERNAL -Hldapi:/// -b olcDatabase={0}config,cn=config

, run as root... but let me know if that wasn't actually testing what I should have been testing)
[Bug 563829] Re: olcAccess are options broken on upgrade in {-1}frontend.ldif
(Obviously, that should be LP: #427842 .)
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Using this new version of the slapd.postinst script, the cn=config database ends up with these two olcAccess attributes:

$ sudo slapcat -bcn=config -solcDatabase={0}config,cn=config | grep olcAccess
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

As far as I understand the OpenLDAP Access Control documentation, in this scenario the {0} line will always take precedence over the {1} line (so that the latter will just be ignored). It seems like the two separate directives should instead be combined into one, something like:

olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none

I haven't yet managed to find any discussion of the exact goals behind adding the various localroot access directives into the slapd configuration, so I'm not sure what sort of testing I can do to confirm that my understanding is correct. But I figured I would go ahead and submit this comment now, in hopes that someone who knows more about why this logic was added to the script in version 2.4.17-1ubuntu3 can check to see if this new version of the script is still having the desired effect
[Bug 526230] Re: existing olcAccess line conflicts with new one added by jaunty - karmic upgrade
(A few days ago) I unpacked the /etc/ldap tar archive attached to this bug, and found that the slapd.d/cn=config/olcDatabase={0}config.ldif file inside it does contain just one olcAccess line, so I went ahead and updated the title of this bug to more precisely describe the situation.
[Bug 526230] Re: existing olcAccess line conflicts with new one added by jaunty - karmic upgrade
For what it's worth, I'm attaching here the (plain text) olcDatabase={0}config.ldif file, as pulled out of the tar file ldap.tar.gz file that Stephen attached to this bug. In particular, the olcAccess line found there is indeed the same as the one that is created by the cn=config backend conversion during a Hardy - Lucid upgrade (bug #538516).

** Attachment added: olcDatabase={0}config.ldif file
http://launchpadlibrarian.net/43320123/olcDatabase%3D%7B0%7Dconfig.ldif
[Bug 450645] Re: Problem install slapd
Jay, I don't believe your problem is actually the same as the one described in this bug report (which involves a chown: cannot access `olcDbDirectory\nolcDbDirectory': No such file or directory error message). Instead, I think your particular problem is described in bug #526230
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
** Summary changed:

- Problem install slapd
+ error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
[Bug 450645] Re: error during slapd configuration: chown: cannot access `olcDbDirectory\nolcDbDirectory'
Md. Afzalur Rashid,

If you are still having this problem, please post the output of the following commands:

$ sudo sh -c 'ls -l /etc/ldap/slapd.d/cn=config/olcDatabase*'
$ sudo sh -c 'grep olcSuffix: /etc/ldap/slapd.d/cn=config/olcDatabase*'

and

$ sudo sh -c 'grep olcDbDirectory: /etc/ldap/slapd.d/cn=config/olcDatabase*'

(I'm guessing that the chown error is triggered when the install script is unable to extract the olcDbDirectory line(s) from the olcDatabase file(s), for some reason.)
[Bug 526230] Re: existing olcAccess line conflicts with new one added by jaunty - karmic upgrade
** Summary changed:

- On upgrade modifies multiple olcAccess definition are not handled correclty
+ existing olcAccess line conflicts with new one added by jaunty - karmic upgrade
[Bug 536958] Re: slapd package configuration aborts with Program version 4.7 doesn't match environment version 0.44 error during Hardy - Lucid upgrade
I just did another hardy - lucid upgrade run (on a test machine running an as-installed-by-the-package slapd configuration), and can confirm that the new version of the slapd.postinst was able to complete without triggering the Program version 4.7 doesn't match environment version error.
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I will try to actually run a test of this scenario sometime in the next few days, but at first glance it appears to me that simply adding {1} to both the grep and the sed lines of the postinst script will fix Hardy - Lucid upgrades, but will cause new problems for other upgrade paths. In particular, if the slapd package was upgraded in the 2.4.17/2.4.18 timeframe, an olcAccess line without any index would have already been added to the .ldif file, and then upon upgrade to Lucid, this updated postinst script would add the new {1} version of the line as well
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Ah, never mind. I was thinking that if the user upgraded from jaunty up to karmic and then again to lucid, both copies of the olcAccess line would be added to the file (i.e. one with no index, by the karmic upgrade, and one with {1}, by the lucid upgrade) -- but I see now the postinst script checks to see what version of the package we're upgrading from before adding the lines, which would prevent the lucid upgrade from trying to edit the file a second time.
[Bug 536958] Re: slapd package configuration aborts with Program version 4.7 doesn't match environment version 0.44 error during Hardy - Lucid upgrade
I took a closer look at the slapd.postinst script, and I believe I see what is causing this issue.

In the postinst_upgrade_configuration function, the script first checks to see if the configuration info needs to be converted from slapd.conf to slapd.d format, and if so it runs the slaptest command to perform that conversion. The script then checks to see if the previous version of the package used a different Berkeley DB version, and if so it actually moves the old BDB files out of the way and creates new database files using the slapadd program (based on the export of the directory data that was saved using the prior version of slapcat in the slapd.preinst script).

This arrangement worked fine for the Hardy - Intrepid - Jaunty upgrade path, because the two conversions did not happen during the same run of the postinst script. (The configuration was converted when going to Intrepid, and the BDB version was changed during the upgrade to Jaunty.) However, the direct Hardy - Lucid upgrade does need to perform both conversions in the same postinst run -- but in the existing arrangement, the script tries to run slapadd before the BDB files have been regenerated, and thus triggering the Program version 4.7 doesn't match environment version error.

So, it appears that the solution to this problem is to perform the conversions in the opposite order. Currently, the load_databases function assumes that the configuration information is in the directory format, so it can't be used until after that conversion has happened. However, it seems like it should be fairly easy to tweak it to work with either configuration format (e.g. using the same logic as is currently found in the dump_databases function). The two conversion steps in postinst_upgrade_configuration could then be switched, which would (hopefully) allow both to be performed successfully during the same upgrade
[Bug 536958] Re: slapd package configuration aborts with Program version 4.7 doesn't match environment version 0.44 error during Hardy - Lucid upgrade
(As a side note, I noticed that the actual version number printed out in the doesn't match environment version 0.XXX message was not consistent -- when I did the original upgrade it was 0.44, but in my later testing it started out at 0.143 and then kept getting larger.

It turns out that the format of the Berkeley DB environment file changed between BDB 4.3 and 4.4, and in particular the location of the bytes that encode the database version number changed. In the case of lucid's OpenLDAP tools (which use BDB v4.7) looking at the environment file left over from hardy (v4.2), the bytes that are interpreted as the minor version number actually contain the Locks granted without waiting count.

So, for example, if I run

db4.2_stat -e -N | head | grep without waiting

from within the BDB directory, the count shown will match the XXX printed in the environment version 0.XXX message from slaptest. This means that running some other command that changes the locks-granted count [e.g. db4.2_stat -e , without the -N ] will actually cause the XXX number to change between different attempts to run slaptest .

It seems like the header format of the environment file was stabilized as of db4.4, so db4.7 tools shouldn't have the same problem with files generated by 4.4 and later. )
[Bug 536958] Re: slapd package configuration aborts with Program version 4.7 doesn't match environment version 0.44 error during Hardy - Lucid upgrade
I did some more investigation into this issue, and it looks like this bug will affect all Hardy - Lucid upgrades. To test this I went through the following steps:

On a machine running Hardy (and which had never had slapd installed before):

1a) installed the slapd package, allowed the postinst script to configure the installation in the normal manner, and then ran /etc/init.d/slapd stop to cleanly shut down the daemon process.
1b) ran slaptest -f /etc/ldap/slapd.conf and confirmed that the BDB v4.2 database files did not cause any errors on that machine.

Back on the server recently upgraded to Lucid, I made a simple test directory:

2a) Created a test directory /root/ldap_hardy_test, and under that an empty subdirectory libldap.
2b) copied /etc/ldap/slapd.conf.old to ldap_hardy_test/slapd.conf, and edited the directory line to point to the /root/ldap_hardy_test/libldap directory.
2c) copied all files in /var/lib/ldap/ into /root/ldap_hardy_test/libldap/
2d) ran slaptest -f slapd.conf -d 1 to confirm that the slaptest run completed without errors, and that it opened the files in ldap_hardy_test/libldap instead of /var/lib/ldap .

Then I tested the BDB files from the Hardy install:

3a) deleted all files in /root/ldap_hardy_test/libldap, and then copied all the files from the Hardy machine's /var/lib/ldap/ directory into the Lucid machine's libldap directory.
3b) ran slaptest -f slapd.conf again... and got the Program version 4.7 doesn't match environment version error message.

So, it appears that the BDB database files from even the simplest Hardy slapd install will trigger this error
[Bug 538848] [NEW] slapd.postinst doesn't mention configuration conversion step
Public bug reported:

When I upgrade the slapd package from Hardy to Lucid, the slapd.postinst script automatically attempts to convert from the slapd.conf file to the slapd.d configuration directory. If that conversion attempt fails, a notification message is printed (Migrating slapd.conf file (/etc/ldap/slapd.conf) to slapd.d failed with the following error while running slaptest:). And the postinst script prints other notices about its activities: Backing up /etc/ldap/slapd.conf, Moving old database directories, Loading from /var/backups/, etc.

However, if the configuration-conversion succeeds, the script currently does not print any message at all to notify the user that the conversion has taken place.

Attached is a one-line patch to generate such a message. (The patch is pretty simple, but I don't currently have an environment in which I can actually test it.)

** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New

** Tags: hardy2lucid
[Bug 538848] Re: slapd.postinst doesn't mention configuration conversion step
** Patch added: slapd.postinst.diff
http://launchpadlibrarian.net/40935969/slapd.postinst.diff
[Bug 538848] Re: slapd.postinst doesn't mention configuration conversion step
Attaching corrected patch file.

** Patch removed: slapd.postinst.diff
http://launchpadlibrarian.net/40935969/slapd.postinst.diff

** Patch added: slapd.postinst.diff
http://launchpadlibrarian.net/40936137/slapd.postinst.diff
[Bug 538848] Re: slapd.postinst output doesn't mention configuration conversion step
** Summary changed:

- slapd.postinst doesn't mention configuration conversion step
+ slapd.postinst output doesn't mention configuration conversion step
[Bug 538516] [NEW] slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
Public bug reported:

I recently upgraded my server from Hardy to Lucid, using do-release-upgrade -d from the command line. When the upgrade process attempted to install the new version of the slapd package, the package installation/configuration failed due to problems with the BDB database files (as I reported in bug #536958).

Once I resolved that problem, I re-ran dpkg --pending --configure, and the configuration script was able to successfully convert my slapd.conf file to the slapd.d configuration directory. However, a second later, I received the following error message:

Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
[...]
invoke-rc.d: initscript slapd, action start failed.
dpkg: error processing slapd (--configure):

Sure enough, the syslog file contained the following:

Mar 11 20:43:23 suza slapd[7087]: @(#) $OpenLDAP: slapd 2.4.21 (Feb 18 2010 06:12:56) $#012#011bui...@yellow:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Mar 11 20:43:23 suza slapd[7087]: config error processing olcDatabase={0}config,cn=config: ordered_value_sort failed on attr olcAccess#012
Mar 11 20:43:23 suza slapd[7087]: slapd stopped.

Since the slapd.postinst returns an exit status in this situation, the slapd package is left in half-configured status.

** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New

** Tags: hardy2lucid
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I found that running slaptest -F /etc/ldap/slapd.d generated that same error message. To investigate further, I used the command line

    slaptest -F /etc/ldap/slapd.d -d 1 2>&1 | grep \.ldif

to track down the full path of the file that contained the offending line, which turned out to be

    /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif

I am attaching a copy of that file, as it was created by the slapd.postinst script.

Eventually I was able to track the error down to the following line from that file:

    olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break

When I edited that line to read:

    olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

and then re-ran the slaptest command, the error went away.

I then tried running dpkg --pending --configure again... but the postinst script errored out because /var/backups/*-2.4.9-0ubuntu0.8.04.2.ldapdb already existed. I moved the old backup file out of the way and tried again... only to get the "Starting OpenLDAP: slapd - failed." message again. It turned out that the postinst script had re-converted the slapd.conf file and then re-added the olcAccess line back to the config file, and so slapd was still erroring out.

So I went ahead and edited the grep and sed lines in /var/lib/dpkg/info/slapd.postinst (inside the "if previous_version_older 2.4.11-0ubuntu1" block) so that the text of the line added there included the {1}. Then I moved the backup file out of the way and reran dpkg --pending --configure... and this time slapd started up successfully, and the slapd package was left in the installed state.

** Attachment added: slapd.postinst-generated version of the *{0}config.ldif file
   http://launchpadlibrarian.net/40912615/olcDatabase%3D%7B0%7Dconfig.ldif_generated_by_2.4.21-0ubuntu1_postinst
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
I did some additional testing and believe that all Hardy - Lucid upgrades will hit this bug.

Specifically, I installed the slapd package on a Hardy box, one that had never had any openldap packages installed. I let the package installation script create the default slapd.conf file there, and then copied the resulting file over to the machine that is now running Lucid. I then created an empty slapd.d directory, ran slaptest -f slapd.conf -F slapd.d, and compared the new slapd.d directory tree with the /etc/ldap/slapd.d tree that was generated from my system local slapd.conf file.

Sure enough, the *{0}config.ldif file generated from the stock slapd.conf file contained the same

    olcAccess: {0}to * by * none

line that was causing the conflict with the "olcAccess: to * by ..." line being added by the slapd.postinst script. (So in other words, even a stock, uncustomized slapd.conf file would trigger this error upon upgrade to Lucid's slapd.)

I see from the changelog.Debian.gz file for slapd that the postinst script started editing this config file in the Karmic timeframe:

    openldap (2.4.17-1ubuntu3) karmic; urgency=low
    [...]
      * Add cn=localroot,cn=config authz mapping on upgrades.
     -- Mathias Gug math...@ubuntu.com  Tue, 11 Aug 2009 14:48:56 -0400

Out of curiosity, I ran slaptest -f slapd.conf -F ... on my Hardy box, and then compared the *{0}config.ldif file generated there with the one generated on Lucid... and saw that the "olcAccess: {0}to * by * none" line was NOT generated there.

So, I think that the issue here is that between 2.4.17 and 2.4.21, the *{0}config.ldif file generated by slaptest -f ... -F ... changed in such a way that it's no longer compatible with the cn=localroot lines that the postinst script is adding. There was no problem for machines that were upgraded first to Intrepid (when the configuration data migration took place) and then to Karmic (when the cn=localroot lines were added to the previously-generated *{0}config.ldif file)... but anyone migrating directly from Hardy will run into problems since by openldap 2.4.21 the two steps are incompatible.
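Added example, not part of the original messages or of the slapd package: a POSIX shell function that classifies how the olcAccess values in one cn=config LDIF file are indexed, so the combination the reporter traced the error to (a {0}-prefixed value next to an unprefixed one) can be spotted before slapd is started. The function name olcaccess_order_state and both sample files are assumptions constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the slapd package): classify how the olcAccess
# values in one cn=config LDIF file are indexed.
# Prints one of: none | ordered | unordered | mixed | encoded
olcaccess_order_state() {
    awk '
        function classify(line) {
            if (tolower(line) !~ /^olcaccess:/) return
            if (line ~ /^[^:]*::/) { b64++; return }   # base64 value, not decoded here
            sub(/^[^:]*:[ \t]*/, "", line)
            if (line ~ /^[{][0-9]+[}]/) pre++; else bare++
        }
        # LDIF folding: a line starting with one space continues the previous one.
        /^ / { if (have) cur = cur substr($0, 2); next }
        { if (have) classify(cur); cur = $0; have = 1 }
        END {
            if (have) classify(cur)
            if (b64) print "encoded"
            else if (pre && bare) print "mixed"
            else if (pre) print "ordered"
            else if (bare) print "unordered"
            else print "none"
        }
    ' "$1"
}

# Constructed sample files, built from the olcAccess lines quoted in this thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/generated.ldif" <<'EOF'
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAccess: to * by dn.exact=cn=localroot,cn=config manage by * break
EOF
cat > "$SAMPLES/edited.ldif" <<'EOF'
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage
  by * break
EOF

for f in "$SAMPLES"/*.ldif; do
    printf '%s: %s\n' "${f##*/}" "$(olcaccess_order_state "$f")"
done
```

A "mixed" result matches the generated file described above; "ordered" matches the hand-edited one, including when a value is folded across lines.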
[Bug 538516] Re: slapd package configuration aborts due to ordered_value_sort failed on attr olcAccess error during Hardy - Lucid upgrade
A few other notes:

Bug #526230 "On upgrade modifies multiple olcAccess definition are not handled correclty" is definitely related to this one. However, #526230 deals with a Jaunty-Karmic upgrade, and specifically mentions that the pre-upgrade configuration had multiple olcAccess lines (so presumably it had been customized locally). I created a separate bug here in case there is a simple tweak to the slapd.postinst script that would allow the Hardy-Lucid upgrade to work, but which wouldn't fix #526230. On the other hand, a more comprehensive solution of some sort could certainly resolve both bugs at the same time.

Also, I should mention that my goal when I added the {1} to the text of the new dn.exact=cn=localroot line was simply to make the smallest possible change needed to get dpkg to think that the package installation had succeeded (so that it would stop trying to reconfigure the package every time I installed some other package, etc.). I haven't actually tried doing anything with my LDAP database yet, but as far as I understand the workings of the olcAccess lines, the dn.exact=cn=localroot line as it now exists is actually completely ignored, since the "{0}to * by * none" line will prevent any lines with higher sequence numbers from being processed. So presumably the actual fix will have to take some other approach to getting past this error.