Howard Chu <hyc@symas.com> wrote on Thu, 12 Dec 2013 15:24:00 +0400:
> Igor Zinovik wrote:
>> 2013/12/12 Howard Chu <hyc@symas.com>
>>> You should upgrade to get the fix for #7662.
>>
>> I upgraded my slapd to 2.4.38, but I still see the error message when I execute slapacl. I also removed data.mdb and lock.mdb, imported the data back into LDAP using a backup copy, and I still see the error message.
>
> Post your config, sample data, and the exact slapacl command you used.
I started with an empty config and an empty database with slapd-2.4.38:

  # sudo slapadd -F /etc/openldap/slapd.d -n0 -l config.ldif
  _#################### 100.00% eta none elapsed none fast!
  Closing DB...

I import a single object into my catalog:

  # cat initial-import.ldif
  dn: dc=example,dc=org
  dc: example
  objectClass: organization
  objectClass: dcObject
  o: Example

  # sudo slapadd -F /etc/openldap/slapd.d -b dc=example,dc=org -l config.ldif
  _#################### 100.00% eta none elapsed none fast!
  Closing DB...

Trying to check access:

  # sudo slapacl -F /etc/openldap/slapd.d -D uid=zinovik,ou=people,dc=example,dc=org \
        -b dc=example,dc=org o/read
  authcDN: "uid=zinovik,ou=people,dc=example,dc=org"
  52abd7bc mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
  read access to o: ALLOWED
Here is my config (with cn=schema,cn=config omitted):

dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.bak
olcConfigDir: slapd.d
olcArgsFile: /var/run/slapd/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/slapd/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 1 ldap://ldap1.example.org
olcServerID: 2 ldap://ldap2.example.org
olcServerID: 3 ldap://ldap3.example.org
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 8
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateKeyFile: /etc/openldap/ldap.key
olcTLSCRLCheck: none
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/example-ca-bundle.crt
olcTLSCertificateFile: /etc/openldap/ldap.crt
olcLogLevel: config sync

dn: cn=schema,cn=config
... [omitted] ...

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap/modules
olcModuleLoad: {0}accesslog
olcModuleLoad: {1}memberof
olcModuleLoad: {2}pcache
olcModuleLoad: {3}refint
olcModuleLoad: {4}syncprov
olcModuleLoad: {5}unique

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=groups,dc=example,dc=org" write
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
olcSyncUseSubentry: FALSE
olcMirrorMode: TRUE
olcMonitoring: FALSE
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none
olcSyncrepl: {2}rid=003 provider=ldap://ldap3.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLimits: {0}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc=ru" size=unlimited
olcLimits: {1}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc=ru" time=unlimited
olcLimits: {2}group/groupOfNames/member="cn=admins,ou=mail,ou=groups,dc=example,dc=ru" size=unlimited
olcLimits: {3}group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=ru" size=unlimited time=unlimited
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=004 provider=ldap://ldap1.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bunle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=org" schemachecking=on type=refreshAndPersist retry="60 +"
olcSyncrepl: {1}rid=005 provider=ldap://ldap2.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=ru" schemachecking=on type=refreshAndPersist retry="60 +"
olcSyncrepl: {2}rid=006 provider=ldap://ldap3.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=ru" schemachecking=on type=refreshAndPersist retry="60 +"
olcMirrorMode: TRUE
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,approx,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: memberUid eq
olcDbIndex: member eq
olcDbIndex: sudoUser eq,sub
olcDbIndex: uniqueMember eq
olcDbIndex: uidNumber eq
olcDbIndex: rfc822MailMember eq
olcDbIndex: gidNumber eq
olcDbIndex: mail eq,sub
olcDbIndex: zoneName eq
olcDbIndex: relativeDomainName eq
olcDbIndex: dlzHostName,dlzZoneName,dlzRecordID,dlzType eq,pres
olcDbIndex: dhcpHWAddress,dhcpClassData eq
olcDbIndex: sudoHost eq,sub
olcDbIndex: accountStatus eq
olcDbIndex: dc eq
olcDbMaxReaders: 0
olcDbMaxSize: 1073741824
olcDbMode: 0600
olcDbSearchStack: 16
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
olcAccess: {1}to * by * read

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member

dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: seeAlso
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintNothing: cn=EMPTY

dn: olcOverlay={2}unique,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {2}unique
olcUniqueURI: ldap:///ou=Hosts,dc=example,dc=org?ipHostNumber?sub
olcUniqueURI: ldap:///ou=People,dc=example,dc=org?uid,uidNumber?sub
olcUniqueURI: ldap:///ou=Groups,dc=example,dc=org?cn,gidNumber?sub
olcUniqueURI: ldap:///ou=Mail,dc=example,dc=org?mail,mailLocalAddress?sub

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=groups,dc=example,dc=org" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
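As an added example, not code from this thread or from the OpenLDAP project: the slapacl run above prints a backend diagnostic ("mdb_opinfo_get: err MDB_BAD_RSLOT ...") and then still reports "read access to o: ALLOWED". A harness that regression-tests ACLs with slapacl across upgrades should not take a verdict at face value when a diagnostic precedes it. The POSIX sh below drives slapacl from a table of expected verdicts derived from the two olcAccess rules on the mdb database ("to attrs=userPassword by self write by anonymous auth" and "to * by * read"), and classifies any unexpected output line as an error. CONFDIR, the check names and the DNs in the expectation table (uid=zinovik, uid=someone) are assumptions for illustration and must exist in the database you point it at.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or OpenLDAP's own code):
# regression-test slapd ACLs with slapacl and refuse to trust a verdict that
# is printed after a backend diagnostic such as "mdb_opinfo_get: err MDB_BAD_RSLOT".
#
# Assumptions (hypothetical, adjust to your deployment):
#   CONFDIR  cn=config directory handed to slapacl -F
#   the DNs in the expectation table exist in the database being checked

CONFDIR="${CONFDIR:-/etc/openldap/slapd.d}"

# classify_slapacl_output: read slapacl's merged stdout/stderr on stdin and
# print exactly one word:
#   ERROR    a line that is neither an identity echo nor a verdict appeared
#            (slapd diagnostics carry a hex timestamp prefix, e.g. "52abd7bc mdb_...")
#   ALLOWED / DENIED   the first verdict line, when no diagnostic appeared
#   UNKNOWN  no verdict line at all
# Only attribute-level specs (attr/access) are expected; tighten the patterns
# if you run slapacl with -v, which prints extra lines.
classify_slapacl_output() {
    verdict=UNKNOWN
    diag=0
    while IFS= read -r line; do
        case "$line" in
            ""|"authcDN: "*|"authzDN: "*)
                ;;                                   # identity echo: fine
            *" access to "*": ALLOWED")
                if [ "$verdict" = UNKNOWN ]; then verdict=ALLOWED; fi ;;
            *" access to "*": DENIED")
                if [ "$verdict" = UNKNOWN ]; then verdict=DENIED; fi ;;
            *)
                diag=1 ;;                            # anything else is a diagnostic
        esac
    done
    if [ "$diag" -eq 1 ]; then
        verdict=ERROR
    fi
    printf '%s\n' "$verdict"
}

# check_acl DN TARGET SPEC EXPECTED: run one slapacl probe and compare.
# Returns 0 on match, 1 on mismatch or when a diagnostic was emitted.
check_acl() {
    dn=$1; target=$2; spec=$3; want=$4
    got=$(slapacl -F "$CONFDIR" -D "$dn" -b "$target" "$spec" 2>&1 | classify_slapacl_output)
    if [ "$got" = "$want" ]; then
        printf 'ok   %s %s %s -> %s\n' "$dn" "$target" "$spec" "$got"
        return 0
    fi
    printf 'FAIL %s %s %s -> got %s, expected %s\n' "$dn" "$target" "$spec" "$got" "$want"
    return 1
}

# run_acl_suite: expectations for the mdb database's two olcAccess rules.
# Fields are "|"-separated so DNs may contain spaces. Returns the failure count.
run_acl_suite() {
    fails=0
    while IFS='|' read -r dn target spec want; do
        [ -n "$dn" ] || continue
        check_acl "$dn" "$target" "$spec" "$want" || fails=$((fails + 1))
    done <<'EOF'
uid=zinovik,ou=people,dc=example,dc=org|dc=example,dc=org|o/read|ALLOWED
uid=zinovik,ou=people,dc=example,dc=org|uid=zinovik,ou=people,dc=example,dc=org|userPassword/write|ALLOWED
uid=zinovik,ou=people,dc=example,dc=org|uid=someone,ou=people,dc=example,dc=org|userPassword/read|DENIED
EOF
    return "$fails"
}

# Run the suite only when invoked as "sh acl_check.sh run"; sourcing the file
# merely defines the functions.
if [ "${1:-}" = run ]; then
    run_acl_suite
fi
```

The third row encodes the implicit "by * none" at the end of the userPassword rule: an authenticated user who is not the entry's own DN gets nothing, so the expected verdict is DENIED. Run the suite before and after an upgrade; a backend diagnostic on any probe shows up as ERROR rather than as a reassuring ALLOWED.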