Bug#761407: slapd: changes of cn=config become effective only after restarting slapd

2014-10-20 Thread Ryan Tandy
Control: reopen -1

On 16/09/14 11:48 AM, Dietrich Clauss wrote:
> Please, add a big fat warning in slapd-config(5).

Done; but keeping the bug open to track the fact that this is not really
resolved upstream.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#761407: [Pkg-openldap-devel] Bug#761407: slapd: changes of cn=config become effective only after restarting slapd

2014-09-16 Thread Dietrich Clauss
Hi Ryan,

Ryan Tandy schrieb:
> Thanks for the report. This is ITS#6035 upstream. In that report the
> developer wrote:
>
> This is a known limitation in authz regexp support. There are no
> plans to change this any time soon.

Please, add a big fat warning in slapd-config(5).

Especially because online changes of most (all?) other config attributes
work fine, it is difficult to guess that in case of AuthzRegexp the
things are different.  I don't think that the limitation per se is
problematic, but it should be documented somewhere.

> Concerning attributes other than olcAuthzRegexp, in my tests on
> wheezy olcAccess changes did take effect immediately. Can you
> double-check that or provide a test case demonstrating it?

Confirmed.  Changes of olcAccess work fine here, too.

Best regards,
- Dietrich




Bug#761407: slapd: changes of cn=config become effective only after restarting slapd

2014-09-13 Thread Dietrich Clauss
Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal

I use the following ACLs:

| dn: cn=config
| changetype: modify
| replace: olcAuthzRegexp
| olcAuthzRegexp: uid=([^,]+),cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=example,dc=org
| 
| dn: olcDatabase={1}hdb,cn=config
| changetype: modify
| replace: olcAccess
| olcAccess: to attrs=loginShell,gecos
|   by ssf=56 self write
|   by ssf=56 * read
| olcAccess: to * by ssf=56 * read

An authenticated user can change the gecos field then, using the
following ldif:

| dn: uid=hugo,ou=People,dc=example,dc=org
| changetype: modify
| replace: gecos
| gecos: some_new_value

When I replace the olcAuthzRegexp by a wrong value, say:

| dn: cn=config
| changetype: modify
| replace: olcAuthzRegexp
| olcAuthzRegexp: uid=([^,]+),cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=example,dc=xorg

write access by the user should now be forbidden.  But it isn't.  I need
to service slapd force-reload for the config change to become
effective.  The same happens when I change olcAccess or when I change
those attributes back to their right values.  I can reproduce this
behavior on a fresh-installed wheezy.

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.13-3.5
ii  debconf [debconf-2.0]       1.5.49
ii  libc6                       2.13-38+deb7u4
ii  libdb5.1                    5.1.29-5
ii  libgcrypt11                 1.5.0-5+deb7u1
ii  libgnutls26                 2.12.20-8+deb7u2
ii  libldap-2.4-2               2.4.31-1+nmu2
ii  libltdl7                    2.4.2-1.1
ii  libodbc1                    2.2.14p2-5
ii  libperl5.14                 5.14.2-21+deb7u1
ii  libsasl2-2                  2.1.25.dfsg1-6+deb7u1
ii  libslp1                     1.2.1-9
ii  libwrap0                    7.6.q-24
ii  lsb-base                    4.1+Debian8+deb7u1
ii  multiarch-support           2.13-38+deb7u4
ii  perl [libmime-base64-perl]  5.14.2-21+deb7u1
ii  psmisc                      22.19-1+deb7u1

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.25.dfsg1-6+deb7u1

Versions of packages slapd suggests:
ii  ldap-utils  2.4.31-1+nmu2

-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF=
SLAPD_USER=openldap
SLAPD_GROUP=openldap
SLAPD_PIDFILE=
SLAPD_SERVICES=ldap:/// ldapi:///
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
export KRB5_KTNAME=/etc/ldap/ldap.keytab
SLAPD_OPTIONS=


-- debconf information:
  slapd/allow_ldap_v2: false
  slapd/password_mismatch:
  slapd/invalid_config: true
  shared/organization: example.org
  slapd/upgrade_slapcat_failure:
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: example.org
  slapd/backend: HDB
  slapd/dump_database: when needed


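A check for exactly this failure mode, added here as an example and not part of the bug report or of the slapd package: after replacing olcAuthzRegexp through cn=config, compute the DN the new regexp should map the SASL identity to, compare it with what slapd actually reports via ldapwhoami, and force-reload slapd only when the two disagree. The mapping computation is plain sed, so it can be exercised without a server; the live part assumes (assumptions, not from the thread) that the admin binds with SASL EXTERNAL on ldapi:///, that the test user binds with GSSAPI on ldap:///, and that the regexp is the one from the report.

```shell
#!/bin/sh
# Added example; not from the bug report. Verifies that an olcAuthzRegexp
# change made through cn=config is actually in effect, and reloads slapd
# if it is not (the thread reports that such changes are not applied live).
set -eu

# Regexp and replacement under test, taken from the report's LDIF.
AUTHZ_MATCH='uid=([^,]+),cn=gssapi,cn=auth'
AUTHZ_REPLACE='uid=$1,ou=People,dc=example,dc=org'
# SASL authorization DN of the test user (constructed, matches the report).
SASL_DN='uid=hugo,cn=gssapi,cn=auth'

# DN that a SASL DN should map to under the given olcAuthzRegexp.
# Pure text processing so it runs offline: slapd's "$1" becomes sed's "\1".
# A non-matching DN is returned unchanged, as slapd leaves it unmapped.
expected_mapping() {
    sasl_dn=$1
    match=$2
    replace=$3
    repl_sed=$(printf '%s' "$replace" | sed 's/\$\([0-9]\)/\\\1/g')
    printf '%s\n' "$sasl_dn" | sed -E "s|^${match}\$|${repl_sed}|"
}

# True (exit 0) when the mapping slapd reports differs from the expected one.
mapping_is_stale() {
    observed=$1
    expected=$2
    [ "$observed" != "$expected" ]
}

# What slapd really maps the bound GSSAPI identity to. ldapwhoami prints
# "dn:<mapped DN>" on success. Needs a live server and a Kerberos ticket.
observed_mapping() {
    ldapwhoami -Q -Y GSSAPI -H ldap:/// | sed -n 's/^dn://p'
}

# Replace olcAuthzRegexp as the local admin over ldapi:/// (SASL EXTERNAL).
# The second value line is an LDIF continuation (leading space) plus the
# separator space between regexp and replacement, as in the report.
apply_authz_regexp() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: $1
  $2
EOF
}

# The live check only runs when asked for explicitly ("check" argument), so
# the pure functions above can be tested without an LDAP server.
if [ "${1:-}" = "check" ]; then
    apply_authz_regexp "$AUTHZ_MATCH" "$AUTHZ_REPLACE"
    expected=$(expected_mapping "$SASL_DN" "$AUTHZ_MATCH" "$AUTHZ_REPLACE")
    observed=$(observed_mapping)
    if mapping_is_stale "$observed" "$expected"; then
        echo "olcAuthzRegexp change not live: observed '$observed', expected '$expected'; reloading slapd" >&2
        service slapd force-reload
    else
        echo "olcAuthzRegexp change is live: $observed"
    fi
fi
```

Run it as `sh check-authz.sh check` on the server after each olcAuthzRegexp edit; the same comparison also catches the opposite direction from the report (a corrected regexp that slapd has not picked up yet), because it compares whatever is configured against whatever slapd answers.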



Bug#761407: [Pkg-openldap-devel] Bug#761407: slapd: changes of cn=config become effective only after restarting slapd

2014-09-13 Thread Ryan Tandy

Control: found -1 2.4.39-1
Control: forwarded -1 http://www.openldap.org/its/?findid=6035
Control: tags -1 upstream

Hi Dietrich,

Thanks for the report. This is ITS#6035 upstream. In that report the 
developer wrote:

    This is a known limitation in authz regexp support. There are no
    plans to change this any time soon.

Concerning attributes other than olcAuthzRegexp, in my tests on wheezy 
olcAccess changes did take effect immediately. Can you double-check that 
or provide a test case demonstrating it?


thanks,
Ryan

