Lucid (or karmic) slapd upgrade does not really allow localroot cn=config manage rights

Bug #559070 reported by Thierry Carrez on 2010-04-09
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)

Bug Description

Lucid upgrade results in editing the /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif configuration to change from:
olcAccess: {0}to * by * none

olcAccess: {0}to * by * none
olcAccess: {1}to * by dn.exact=cn=localroot,cn=config manage by * break

As pointed out by Nathan Stratton Treadway on bug 538516 (which introduced this incomplete fix), the {0} line will always be matched and therefore the {1} line will never be evaluated.

Combining the two lines into:
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * none
or even (since access is implicitely denied when no clause match):
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage
should solve it.

Thierry Carrez (ttx) on 2010-04-09
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Mathias Gug (mathiaz) wrote :

You need to inject only one line:

{0}to * by dn.exact=cn=localroot,cn=config manage by * break

Mathias Gug (mathiaz) wrote :

As documented in slapd.access man page:

       Lists of access directives are evaluated in the order they appear in
       slapd.conf. When a <what> clause matches the datum whose access is
       being evaluated, its <who> clause list is checked. When a <who> clause
       matches the accessor's properties, its <access> and <control> clauses
       are evaluated. Access control checking stops at the first match of the
       <what> and <who> clause, unless otherwise dictated by the <control>
       clause. Each <who> clause list is implicitly terminated by a

            by * none stop

This is why there needs to be a "by * break" at the end of the access control line - otherwise access will always be denied even if additional ACLs are added to the cn=config tree.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.21-0ubuntu4

openldap (2.4.21-0ubuntu4) lucid; urgency=low

  [ Simon Olofsson ]
  * debian/slapd.postinst:
    - Show a message after successful migration (LP: #538848)

  [ Jorgen Rosink ]
  * debian/slapd.init: add simple status checking with LSB compatible exit
    codes (LP: #562377)
  * debian/slapd.init.ldif:
    - remove admin user in default config database (LP: #556176)
    - in default config, add olcAccess entries giving access to controls
      available and cn=subschema (LP: #427842)

  [ Scott Moser ]
  * debian/slapd.scripts-common: Do not create /nonexistent directory
     for openldap user's home (LP: #556176)
  * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
 -- Scott Moser <email address hidden> Mon, 12 Apr 2010 16:16:47 -0400

Changed in openldap (Ubuntu Lucid):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers