Upgrade from hardy (8.04) to lucid (10.04) sets bad permissions on olcDatabase={-1}frontend,cn=config

Bug #675052 reported by AlainKnaff on 2010-11-13
This bug affects 1 person
Affects: openldap (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

When upgrading from hardy to lucid, the following permissions are set on the frontend:

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

instead of:

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact="dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external" manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read

The result of this is that the rootDSE cannot be loaded by the anon user (testable using ldapsearch -x -b "" -s base "+"), which prevents SASL binds with a Unix user from working (ldapsearch -U user ....).
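
A check for the symptom and the matching repair, added here as an example (it is not part of the report or of the openldap package): it reads the entry count from the ldapsearch output quoted in the comments, lists which of the two anonymous-read rules from the expected frontend entry are absent, and emits the ldapmodify LDIF that appends them. Function names and the sample frontend entry are constructed for the example.

```python
import re

# The two rules the expected frontend entry carries after the rootdn rule.
EXPECTED_ACLS = [
    'to dn.base="" by * read',              # rootDSE readable anonymously
    'to dn.base="cn=subschema" by * read',  # schema readable anonymously
]

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the value)."""
    return re.sub(r"\n ", "", text)

def acl_rules(frontend_ldif):
    """olcAccess values of the frontend entry with the {n} ordering prefix removed."""
    rules = []
    for line in unfold_ldif(frontend_ldif).splitlines():
        if line.startswith("olcAccess:"):
            value = line.split(":", 1)[1].strip()
            rules.append(re.sub(r"^\{\d+\}", "", value))
    return rules

def missing_rootdse_acls(frontend_ldif):
    """Expected anonymous-read rules that are absent from the entry."""
    present = acl_rules(frontend_ldif)
    return [rule for rule in EXPECTED_ACLS if rule not in present]

def repair_ldif(frontend_ldif):
    """ldapmodify input appending the missing rules after the existing ones."""
    start = len(acl_rules(frontend_ldif))
    lines = ["dn: olcDatabase={-1}frontend,cn=config",
             "changetype: modify", "add: olcAccess"]
    for i, rule in enumerate(missing_rootdse_acls(frontend_ldif), start):
        lines.append("olcAccess: {%d}%s" % (i, rule))
    return "\n".join(lines) + "\n"

def rootdse_returned(ldapsearch_output):
    """True when `ldapsearch -x -b "" -s base "+"` actually returned the rootDSE."""
    m = re.search(r"^# numEntries: (\d+)", ldapsearch_output, re.M)
    return bool(m) and int(m.group(1)) >= 1

# Constructed sample: the broken frontend entry as quoted in the report.
BROKEN_FRONTEND = """dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
"""

if __name__ == "__main__":
    print(repair_ldif(BROKEN_FRONTEND))
```

Feed the output of `slapcat -n 0` for the frontend entry to `repair_ldif`, and pipe the result to `ldapmodify -Y EXTERNAL -H ldapi:///` as root.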

Mathias Gug (mathiaz) wrote :

Similar to bug 571752.

Changed in openldap (Ubuntu):
importance: Undecided → Medium
Clint Byrum (clint-fewbar) wrote :

In hardy:

# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=nodomain
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After dist-upgrade:

# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Marking Confirmed; still exists after upgrading to precise.

Changed in openldap (Ubuntu):
status: New → Confirmed