To follow up on my comment #2: I did some more testing and determined that the
behavior I was seeing related to the olcAccess lines in the
olcDatabase={0}config.ldif file was due to the "localroot"-related lines left
over from earlier versions of the slapd.posting script. Once I removed all
those references, then everything worked as expected even when the two lines
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by *
break
olcAccess: {0}to * by * none
were both found in the config.ldif file.
I will add a comment on bug 571057 related to the manual cleanup steps
that should be mentioned in the release notes.
(In case any else is following this trail of crumbs, the issue I had was
that the olcAuthzRegexp line that mapped the UID=0 user to
"cn=localroot,cn=config" was still found in my slapd.d/cn=config.ldif
file. This meant that the "dn.exact=gidNumber=0" line mentioned above
was not matched. Thus, the permission check would fall to the
"olcAccess: {0}to * by * none" line and access would be denied.
When the "olcAccess: {0}to * by * none" line was removed from the
{0}config.ldif file, the access control search continued on through to
the olcAccess lines found in the olcDatabase={-1}frontend.ldif file...
and that file still contained a line granting "localroot" access, so my
ldapsearch succeeded.)
--
olcAccess are options broken on upgrade in {-1}frontend.ldif
https://bugs.launchpad.net/bugs/563829
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
