Upgrade from hardy (8.04) to lucid (10.04) sets bad permissions on olcDatabase={-1}frontend,cn=config
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | | Medium | Unassigned |
Bug Description
When upgrading from hardy to lucid, the following permissions are set on the frontend:
# {-1}frontend, config
dn: olcDatabase=
olcAccess: {0}to * by dn.exact=
,cn=auth manage by * break
instead of:
dn: olcDatabase=
olcAccess: {0}to * by dn.exact=
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base=
The result of this is that the rootDSE cannot be loaded by the anon user (testable using ldapsearch -x -b "" -s base "+"), which prevents SASL binds with a Unix user from working (ldapsearch -U user ....).
Clint Byrum (clint-fewbar) wrote (#2):
In hardy:
# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
#
dn:
structuralObjec
configContext: cn=config
namingContexts: dc=nodomain
supportedControl: 2.16.840.
supportedControl: 2.16.840.
supportedControl: 1.3.6.1.
supportedControl: 1.2.840.
supportedControl: 1.2.826.
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.
supportedExtension: 1.3.6.1.
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.
supportedFeatures: 1.3.6.1.
supportedFeatures: 1.3.6.1.
supportedFeatures: 1.3.6.1.
supportedFeatures: 1.3.6.1.
supportedLDAPVe
supportedSASLMe
supportedSASLMe
supportedSASLMe
entryDN:
subschemaSubentry: cn=Subschema
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
After dist-upgrade:
# ldapsearch -x -b "" -s base "+"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Marking Confirmed, still exists after upgrading to precise.
Changed in openldap (Ubuntu):
status: New → Confirmed
Similar to bug 571752.
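
A check for the symptom reported above, as an added example that is not part of the original bug report or the openldap package: it classifies saved output of `ldapsearch -x -b "" -s base "+"` and an LDIF dump of `olcDatabase={-1}frontend,cn=config`. The function names and sample inputs are constructed for illustration, and the `dn.exact` value in the samples is a placeholder.

```shell
#!/bin/sh
# Added example: classify saved ldapsearch output offline (no server contact).

# Join LDIF continuation lines (a leading space continues the previous line).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (have) print buf; buf = $0; have = 1 }
         END { if (have) print buf }'
}

# stdin: output of  ldapsearch -x -b "" -s base "+"
# 0 = rootDSE entry returned; 1 = search ran but no entry came back.
rootdse_readable() {
    unfold_ldif | awk '/^dn:[ ]*$/ { entry = 1 }
                       /^namingContexts:/ { attrs = 1 }
                       END { exit !(entry && attrs) }'
}

# stdin: LDIF of olcDatabase={-1}frontend,cn=config
# 0 = some olcAccess rule targets dn.base="" and grants "* read" (heuristic:
# rule ordering and other <who> clauses are not evaluated).
frontend_acl_allows_rootdse() {
    unfold_ldif | awk '/^olcAccess: / && /to dn\.base="" / && /by \* read/ { ok = 1 }
                       END { exit !ok }'
}

# Constructed samples. The dn.exact value is a placeholder, not the real one.
sample_search_broken() { printf '%s\n' '# requesting: +' '#' '# search result' \
    'search: 2' 'result: 0 Success' '# numResponses: 1'; }
sample_search_ok() { printf '%s\n' 'dn:' 'configContext: cn=config' \
    'namingContexts: dc=nodomain' 'result: 0 Success' '# numEntries: 1'; }
sample_acl_broken() { printf '%s\n' 'dn: olcDatabase={-1}frontend,cn=config' \
    'olcAccess: {0}to * by dn.exact=cn=placeholder,cn=auth manage by * break'; }
sample_acl_fixed() { sample_acl_broken; printf '%s\n' \
    'olcAccess: {1}to dn.base="" by ' ' * read'; }   # folded line on purpose

# Print a verdict for the two "broken" samples.
report() {
    if sample_search_broken | rootdse_readable; then echo "rootDSE: readable"
    else echo "rootDSE: NOT readable anonymously"; fi
    if sample_acl_broken | frontend_acl_allows_rootdse; then echo "ACL: rule present"
    else echo "ACL: no dn.base=\"\" read rule"; fi
}
report
```

Note that `result: 0 Success` appears in both the working and the broken search output, so the exit status of ldapsearch alone does not reveal the problem; the check has to look for the returned entry.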