Upgrade from hardy (8.04) to lucid (10.04) sets bad permissions on olcDatabase={-1}frontend,cn=config

Bug #675052 reported by AlainKnaff
Affects: openldap (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

When upgrading from hardy to lucid, the following permissions are set on the frontend:

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

instead of:

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact="dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external" manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read

The result of this is that the rootDSE cannot be loaded by the anon user (testable using ldapsearch -x -b "" -s base "+"), which prevents SASL binds with a Unix user from working (ldapsearch -U user ....)
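An added check for this misconfiguration, not part of the report: it parses the olcAccess values of the frontend entry from ldapsearch LDIF (handling the folded continuation line shown above) and builds the ldapmodify LDIF that restores the two missing rules. It assumes the live input is the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={-1}frontend,cn=config' olcAccess` run as root on the server; BROKEN is a constructed sample.

```python
import re

FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"
# Rules the report shows missing; without them anonymous clients cannot read the rootDSE.
REQUIRED_RULES = [
    'to dn.base="" by * read',
    'to dn.base="cn=subschema" by * read',
]

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines

def olc_access_rules(ldif_text):
    """olcAccess values of the frontend entry with the {n} ordering prefix removed."""
    rules, in_entry = [], False
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn:"):
            in_entry = line[3:].strip() == FRONTEND_DN
        elif in_entry and line.startswith("olcAccess:"):
            rules.append(re.sub(r"^\{\d+\}", "", line[len("olcAccess:"):].strip()))
    return rules

def missing_rules(ldif_text):
    """Required rules not present verbatim (a reworded rule is left for a human to judge)."""
    present = olc_access_rules(ldif_text)
    return [r for r in REQUIRED_RULES if r not in present]

def fix_ldif(ldif_text):
    """ldapmodify input appending the missing rules after the existing ones, so the
    root 'manage by * break' rule stays first; '' when nothing is missing."""
    missing = missing_rules(ldif_text)
    if not missing:
        return ""
    start = len(olc_access_rules(ldif_text))
    values = "\n".join("olcAccess: {%d}%s" % (start + i, r) for i, r in enumerate(missing))
    return "dn: %s\nchangetype: modify\nadd: olcAccess\n%s\n" % (FRONTEND_DN, values)

# Constructed sample of the broken post-upgrade entry, folded line included.
BROKEN = """# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
"""
```

Apply the generated LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif`, then re-run the anonymous rootDSE search from the report to confirm the entry comes back.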

Mathias Gug (mathiaz) wrote:

Similar to bug 571752.

Changed in openldap (Ubuntu):
importance: Undecided → Medium
Clint Byrum (clint-fewbar) wrote:

In hardy:

# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=nodomain
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After dist-upgrade:

# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Marking Confirmed, still exists after upgrading to precise.

Changed in openldap (Ubuntu):
status: New → Confirmed