Comment 2 for bug 563829

Nathan Stratton Treadway (nathanst) wrote :

I took a quick look through the new slapd.postinst script found in:
 lp:~mathiaz/ubuntu/lucid/openldap/fix-root-olcaccess-upgrade

Am I correct that you no longer attempt to delete the
  olcAccess: {0}to * by * none
line from the olcDatabase={0}config.ldif file (i.e. the line that is generated automatically by the slapd.conf -> slapd.d conversion, e.g. during a Hardy->Lucid upgrade)?

In my quick testing, I found that having that line still in the file prevented me from accessing that part of the tree (even though it appeared after the new gidNumber=0 line). For example, when "grep olcAccess olcDatabase\=\{0\}config.ldif" returned these two lines:

  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {0}to * by * none

then an ldapsearch returned:
=====================
[...]
# LDAPv3
# base <olcDatabase={0}config,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
=====================

But, when I stopped slapd, removed the "olcAccess: {0}to * by * none" line by hand, and restarted slapd, then the exact same ldapsearch command returned data:
=====================
# LDAPv3
# base <olcDatabase={0}config,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
[...]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
=====================

(On the other hand, I didn't find much explanation about using the "gidNumber=0" form of authentication, other than the very brief mention of the switch to it in the openldap 2.4.17-1ubuntu3 release notes entry, so perhaps I missed something when running these tests... The command line I ended up using was
  # ldapsearch -Y EXTERNAL -Hldapi:/// -b "olcDatabase={0}config,cn=config"
run as root... but let me know if that wasn't actually testing what I should have been testing...)
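A check for the leftover rule described in this comment, written as an added example (not code from the bug report or from the Ubuntu openldap packaging): it unfolds the LDIF, lists the olcAccess values, flags any `to * by * none` rule, and produces the file as it would look after the hand edit described above. The sample LDIF is constructed from the two olcAccess lines quoted in the comment.

```python
"""Flag a leftover 'olcAccess: {0}to * by * none' in olcDatabase={0}config.ldif."""
import re

# Constructed sample reproducing the two olcAccess values quoted in the comment;
# the first is folded the way slapd.d writes it (continuation line starts with one space).
SAMPLE_LDIF = """dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {0}to * by * none
"""
BLANKET_DENY = re.compile(r"^to\s+\*\s+by\s+\*\s+none\s*$")

def unfold_ldif(text):
    """Join LDIF continuation lines (the single leading space is dropped)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def olc_access_rules(text):
    """(index, rule) per olcAccess value in file order; index is the {n} integer or None."""
    rules = []
    for line in unfold_ldif(text):
        if line.startswith("olcAccess:"):
            value = line[len("olcAccess:"):].strip()
            m = re.match(r"\{(\d+)\}(.*)", value)
            rules.append((int(m.group(1)), m.group(2).strip()) if m else (None, value))
    return rules

def blanket_deny_positions(text):
    """0-based positions of rules that deny everyone everything."""
    return [i for i, (_, r) in enumerate(olc_access_rules(text)) if BLANKET_DENY.match(r)]

def without_blanket_deny(text):
    """Unfolded LDIF minus any 'to * by * none' rule: the hand edit the comment describes."""
    keep = []
    for line in unfold_ldif(text):
        if line.startswith("olcAccess:"):
            value = re.sub(r"^\{\d+\}", "", line[len("olcAccess:"):].strip())
            if BLANKET_DENY.match(value):
                continue
        keep.append(line)
    return "\n".join(keep) + "\n"
```

Run it against a copy of the real file only with slapd stopped, as the comment does, since slapd rewrites slapd.d itself.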