Hi!
I'm about to migrate OpenLDAP 2.4 from SLES12 SP5 to OpenLDAP 2.5 from SLES15 SP6, following the rather terse https://www.openldap.org/doc/admin25/appendix-upgrading.html. I've removed the ppolicy schema as advised from the LDIF export of cn=config, but now it seems that slapadd cannot use "olcPPolicyDefault" in an ACL:
# slapadd -v -n0 -F /etc/openldap/slapd.d -S 1 -w -l 0.ldif
added: "cn=config" (00000001)
added: "cn=module{0},cn=config" (00000001)
added: "cn=schema,cn=config" (00000001)
added: "cn={0}core,cn=schema,cn=config" (00000001)
added: "cn={1}cosine,cn=schema,cn=config" (00000001)
added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001)
added: "cn={3}rfc2307bis,cn=schema,cn=config" (00000001)
added: "cn={4}yast,cn=schema,cn=config" (00000001)
added: "cn={5}sudo,cn=schema,cn=config" (00000001)
added: "olcDatabase={-1}frontend,cn=config" (00000001)
olcAccess: value #1: unknown attr "olcPPolicyDefault" in to clause.
<access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
    [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
    [dnattr=<attrname>]
    [realdnattr=<attrname>]
    [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
    [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
    [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
    [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=908): ▒5=▒
Closing DB...
(Also note the garbage in the error message, which seems to appear for any slapadd error.)
As noted, OpenLDAP is SUSE's version (openldap2_5-2.5.18+31-150500.11.12.1.x86_64), which they re-introduced in SLES15 SP5 (maybe due to failing to provide a working migration tool to 389-DS and a proper administration manual).
So is it a bug that the attribute cannot be used in an ACL, or is it a configuration error on my side? (Line 908 is "dn: olcDatabase={0}config,cn=config".)
The actual line in question is like this:
olcAccess: {1}to attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=domain,dc=org" read by * break
Kind regards,
Ulrich Windl
Do you have the ppolicy overlay configured in your database, and is the module loaded? I tried your ACL (with my settings) and it worked fine for me in OpenLDAP 2.6.
On 20.02.25 at 12:05, Windl, Ulrich wrote:
Stefan,
You saved my life 😉 It seems SLES12 had ppolicy compiled in statically while SLES15 did not:
# /usr/lib/openldap/slapd -VVV
@(#) $OpenLDAP: slapd 2.4.41 $
        opensuse-buildservice@opensuse.org
Included static overlays: ppolicy syncprov
Included static backends: config ldif monitor bdb hdb ldap mdb relay

# slapd -VVV
@(#) $OpenLDAP: slapd 2.5.X (Nov 6 2024 12:00:00) $
        openldap
Included static backends: config ldif monitor
Kind regards,
Ulrich Windl
-----Original Message-----
From: Stefan Kania stefan@kania-online.de
Sent: Thursday, February 20, 2025 3:43 PM
To: openldap-technical@openldap.org
Subject: [EXT] Re: Migration from 2.4 to 2.5: problem with using "olcPPolicyDefault" in ACL during slapadd
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
There is no CLOUD, just other people's computers
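The root cause found in this thread (the 2.4 export never loads ppolicy because it was static there, and the 2.5 build ships it as a module, so slapadd rejects the ACL on olcPPolicyDefault before the overlay's config schema exists) lends itself to a pre-flight check run against the cn=config export before slapadd. The script below is an added example, not code from this thread or from the OpenLDAP project. Its LDIF export and slapd -VVV output are constructed to mirror the posted ones, and the mapping of attribute prefixes to overlays (olcPPolicy* to ppolicy) is an assumption to be extended for other overlays you use.

```python
"""Added pre-flight check for a cn=config export before slapadd on a new
OpenLDAP build: any overlay whose config attributes appear in an olcAccess
rule must be loaded (olcModuleLoad) or compiled in ("Included static
overlays" in slapd -VVV). All sample data below is constructed."""
import re

# Assumed prefix -> overlay mapping; olcPPolicy* -> ppolicy is the thread's case.
OVERLAY_ATTR_PREFIXES = {"olcppolicy": "ppolicy"}

# Constructed `slapcat -n0` export from the 2.4 side: ppolicy was static there,
# so nothing loads it, yet the config database ACL names olcPPolicyDefault.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal

dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}back_mdb.la

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcAccess: {0}to * by dn.exact="cn=admin,cn=config" manage by * break
olcAccess: {1}to attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=sys
 tem,dc=domain,dc=org" read by * break
"""
# Constructed `slapd -VVV` output of a build that ships ppolicy as a module.
SAMPLE_SLAPD_VVV = "@(#) $OpenLDAP: slapd 2.5.X $\nIncluded static backends: config ldif monitor\n"

ATTRS_RE = re.compile(r"\battrs=(\S+)")

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuations, return [(dn, [(attr, value)])]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if current:
                entries.append((current[0][1], current[1:]))
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.lstrip(":").strip()))
    return entries

def loaded_modules(entries):
    """olcModuleLoad names minus {n} prefix, path and .la/.so (slapd accepts all)."""
    mods = set()
    for _dn, attrs in entries:
        for attr, value in attrs:
            if attr == "olcmoduleload":
                name = re.sub(r"^\{\d+\}", "", value).rsplit("/", 1)[-1]
                mods.add(re.sub(r"\.(la|so)$", "", name))
    return mods

def static_overlays(slapd_vvv_output):
    """Overlays compiled into slapd; the line is absent when there are none."""
    m = re.search(r"Included static overlays:[ \t]*(.*)", slapd_vvv_output)
    return set(m.group(1).split()) if m else set()

def acl_attrs(value):
    """Attribute names in attrs= of one olcAccess value, skipping @/! object
    class selectors and the entry/children pseudo-attributes."""
    names = set()
    for spec in ATTRS_RE.findall(value):
        for item in spec.split(","):
            if item and item[0] not in "@!" and item not in ("entry", "children", "*"):
                names.add(item)
    return names

def check_overlay_acls(ldif_text, slapd_vvv_output):
    """[(dn, attr, overlay)] for ACL attributes whose overlay is neither loaded
    nor static, i.e. the ones slapadd will reject as 'unknown attr'."""
    entries = parse_ldif(ldif_text)
    available = loaded_modules(entries) | static_overlays(slapd_vvv_output)
    problems = []
    for dn, attrs in entries:
        for attr, value in attrs:
            if attr == "olcaccess":
                for name in sorted(acl_attrs(value)):
                    for prefix, overlay in OVERLAY_ATTR_PREFIXES.items():
                        if name.lower().startswith(prefix) and overlay not in available:
                            problems.append((dn, name, overlay))
    return problems

def suggested_fix(problems):
    """LDIF modify adding the missing olcModuleLoad values; merge it into the
    export's cn=module{0} entry (it precedes the databases) before slapadd."""
    missing = sorted({overlay for _, _, overlay in problems})
    if not missing:
        return ""
    loads = "\n".join(f"olcModuleLoad: {m}.la" for m in missing)
    return f"dn: cn=module{{0}},cn=config\nchangetype: modify\nadd: olcModuleLoad\n{loads}\n"

if __name__ == "__main__":
    found = check_overlay_acls(SAMPLE_LDIF, SAMPLE_SLAPD_VVV)
    for dn, name, overlay in found:
        print(f"{dn}: ACL names {name} but overlay {overlay} is neither loaded nor static")
    print(suggested_fix(found), end="")
```

Run against a real export, feed it the output of `slapd -VVV` from the target build: on a 2.4 build where the line reads "Included static overlays: ppolicy syncprov" the ACL passes, on the 2.5 build shown in the thread (no static overlays at all) it is flagged, and the printed fragment is the olcModuleLoad that has to land in cn=module{0} ahead of the database entries, since slapadd processes the export in order. The module file lives under the existing olcModulePath; and because the 2.5 ppolicy module carries its own schema, the separately exported ppolicy schema entry stays removed as the upgrade appendix advises.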