Lucid (or karmic) slapd upgrade does not really allow localroot cn=config manage rights

Bug #559070 reported by Thierry Carrez
This bug affects 2 people
Affects              Status         Importance   Assigned to   Milestone
openldap (Ubuntu)    Fix Released   Medium       Unassigned
Lucid                Fix Released   Medium       Unassigned

Bug Description

Lucid upgrade results in editing the /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif configuration to change from:
olcAccess: {0}to * by * none

to:
olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

As pointed out by Nathan Stratton Treadway on bug 538516 (which introduced this incomplete fix), the {0} line will always be matched and therefore the {1} line will never be evaluated.

Combining the two lines into:
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none
or even (since access is implicitly denied when no clause matches):
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage
should solve it.

Thierry Carrez (ttx)
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Mathias Gug (mathiaz) wrote :

You need to inject only one line:

{0}to * by dn.exact=cn=localroot,cn=config manage by * break

Mathias Gug (mathiaz) wrote :

As documented in the slapd.access man page:

       Lists of access directives are evaluated in the order they appear in
       slapd.conf. When a <what> clause matches the datum whose access is
       being evaluated, its <who> clause list is checked. When a <who> clause
       matches the accessor's properties, its <access> and <control> clauses
       are evaluated. Access control checking stops at the first match of the
       <what> and <who> clause, unless otherwise dictated by the <control>
       clause. Each <who> clause list is implicitly terminated by a

            by * none stop

This is why there needs to be a "by * break" at the end of the access control line - otherwise access will always be denied even if additional ACLs are added to the cn=config tree.
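
To make the evaluation order concrete, here is an added Python model (not part of the bug report or of slapd itself) of the slapd.access(5) rules quoted above: directives are walked in order, the first matching <what>/<who> pair decides, every <who> list ends in an implicit `by * none stop`, and `break` hands evaluation to the next directive. It assumes only `to *` directives and the `*` / `dn.exact=` <who> forms; the `cn=admin,cn=config` ACL is a constructed stand-in for a later ACL an administrator might add to the config database.

```python
import re

# Access levels in ascending order, as listed in slapd.access(5)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "continue", "break"}

def parse_olcaccess(value):
    """Parse '{n}to <what> by <who> [<access>] [<control>] ...' into (what, clauses)."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    what, rest = re.match(r"to\s+(\S+)\s*(.*)$", value).groups()
    clauses = []
    for part in re.split(r"\bby\s+", rest)[1:]:
        toks = part.split()
        access = next((t for t in toks[1:] if t in LEVELS), None)      # None: level omitted
        control = next((t for t in toks[1:] if t in CONTROLS), "stop")  # default control
        clauses.append((toks[0], access, control))
    clauses.append(("*", "none", "stop"))  # the implicit terminator the man page describes
    return what, clauses

def who_matches(who, bind_dn):
    """Only '*' and dn.exact=<dn> are modelled; other <who> forms never match here."""
    return who == "*" or who == "dn.exact=" + bind_dn

def evaluate(olc_access_values, bind_dn):
    """Access level bind_dn ends up with after walking the directives in order."""
    granted = "none"
    for what, clauses in map(parse_olcaccess, olc_access_values):
        if what != "*":
            continue  # every directive on this page is 'to *'
        for who, access, control in clauses:
            if not who_matches(who, bind_dn):
                continue
            if access is not None:  # assumption: an omitted level ('by * break') changes nothing
                granted = access
            if control == "stop":
                return granted
            if control == "break":
                break  # leave this directive and go on to the next one
            # 'continue': keep checking the remaining <who> clauses of this directive
    return granted

# Constructed inputs: the two-line migration from the bug, the one-line fix, and a later ACL.
BROKEN = ["{0}to * by * none",
          "{1}to * by dn.exact=cn=localroot,cn=config manage by * break"]
FIXED = ["{0}to * by dn.exact=cn=localroot,cn=config manage by * break"]
NO_BREAK = ["{0}to * by dn.exact=cn=localroot,cn=config manage by * none"]
LATER = ["{1}to * by dn.exact=cn=admin,cn=config write"]
```

With `BROKEN`, localroot gets `none` because `{0}` matches first and stops; with `FIXED`, localroot gets `manage`, and a later `cn=admin` ACL is still reached (`write`), whereas `NO_BREAK` stops at `by * none` and the later ACL is never evaluated.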

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.21-0ubuntu4

---------------
openldap (2.4.21-0ubuntu4) lucid; urgency=low

  [ Simon Olofsson ]
  * debian/slapd.postinst:
    - Show a message after successful migration (LP: #538848)

  [ Jorgen Rosink ]
  * debian/slapd.init: add simple status checking with LSB compatible exit
    codes (LP: #562377)
  * debian/slapd.init.ldif:
    - remove admin user in default config database (LP: #556176)
    - in default config, add olcAccess entries giving access to controls
      available and cn=subschema (LP: #427842)

  [ Scott Moser ]
  * debian/slapd.scripts-common: Do not create /nonexistent directory
     for openldap user's home (LP: #556176)
  * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
 -- Scott Moser <email address hidden> Mon, 12 Apr 2010 16:16:47 -0400

Changed in openldap (Ubuntu Lucid):
status: Triaged → Fix Released