Using this new version of the slapd.postinst script, the "cn=config"
database ends up with these two olcAccess attributes:

$ sudo slapcat -b"cn=config" -s"olcDatabase={0}config,cn=config" | grep olcAccess
olcAccess: {0}to *  by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

As far as I understand the OpenLDAP Access Control documentation, in
this scenario the {0} line will always take precedence over the {1} line
(so that the latter will just be ignored).  It seems like the two
separate directives should instead be combined into one, something like:

olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none

I haven't yet managed to find any discussion of the exact goals behind
adding the various "localroot" access directives into the slapd
configuration, so I'm not sure what sort of testing I can do to confirm
that my understanding is correct.

But I figured I would go ahead and submit this comment now, in hopes
that someone who knows more about why this logic was added to the script
in version 2.4.17-1ubuntu3 can check to see if this new version of the
script is still having the desired effect....

-- 
slapd package configuration aborts due to "ordered_value_sort failed on attr olcAccess" error during Hardy -> Lucid upgrade
https://bugs.launchpad.net/bugs/538516
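
An added example, not part of the original comment or of the slapd package: a simplified Python model of the first-match evaluation documented in slapd.access(5), run over the two olcAccess values shown above and over the combined form. It assumes only "to *" targets, "*" and "dn.exact=" who-clauses and the stop/break controls; the function names and the second bind DN are hypothetical.

```python
import re

# The two values from the slapcat output above, and the combined form from the comment.
CURRENT = ["{0}to *  by * none",
           "{1}to * by dn.exact=cn=localroot,cn=config manage by * break"]
COMBINED = ["{0}to * by dn.exact=cn=localroot,cn=config manage by * none"]

def parse(value):
    """Split one olcAccess value into (index, what, [(who, level, control), ...])."""
    m = re.match(r"\{(\d+)\}to\s+(\S+)\s+(.*)", value)
    clauses = []
    for chunk in re.split(r"\bby\s+", m.group(3))[1:]:
        who, *rest = chunk.split()
        control = "break" if "break" in rest else "stop"  # "stop" is the default
        level = next((w for w in rest if w != control), None)
        clauses.append((who, level, control))
    return int(m.group(1)), m.group(2), clauses

def who_matches(who, bind_dn):
    # Simplification: plain string comparison, no DN normalisation.
    if who == "*":
        return True
    if who.startswith("dn.exact="):
        return bind_dn == who[len("dn.exact="):]
    return False

def evaluate(values, bind_dn):
    """Return (access level, index of the olcAccess value that decided it)."""
    for index, what, clauses in sorted(parse(v) for v in values):
        if what != "*":
            raise ValueError("this model only handles 'to *'")
        for who, level, control in clauses:
            if not who_matches(who, bind_dn):
                continue
            if control == "stop":       # first matching <who> ends evaluation
                return level or "none", index
            break                       # "break": fall through to the next value
        else:
            return "none", index        # implicit trailing "by * none stop"
    return "none", None

if __name__ == "__main__":
    # The second DN is a constructed sample identity.
    for name, values in (("current", CURRENT), ("combined", COMBINED)):
        for dn in ("cn=localroot,cn=config", "cn=admin,dc=example,dc=com"):
            print(name, dn, evaluate(values, dn))
```

In this model the current pair returns "none" from value {0} for every identity, while the combined value returns "manage" for cn=localroot,cn=config and "none" for anyone else.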