touch-packages team mailing list archive

[Bug 1003854] Re: Database upgrade/migration fails with nested db directories (lucid to precise)

 

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by certain search queries using the
    Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)

openldap (2.4.40-3) unstable; urgency=medium

  * Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation.
    Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation.
    Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation.
    Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation.
    Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation.
    Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation.
    Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation.
    Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation.
    Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation.
    Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation.
    Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation.
    Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation.
    Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation.
    Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation.
    Thanks to Jorge Barreiro.
  * Update Swedish debconf translation.
    Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the templates
    file.
  * Run debconf-updatepo to refresh PO files.

openldap (2.4.40-2) unstable; urgency=medium

  * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
    dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
    rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
    for example if the active backend doesn't use it. Thanks Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a
    debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

openldap (2.4.40-1) unstable; urgency=low

  [ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
      (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files
      under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
      symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they might
      contain other databases. Patch from Kenny Millington. (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same suffix,
      thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
      #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades and
    the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by
    po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration. (Closes:
    #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific
      attributes. (Closes: #761406)
    - Index some more common search attributes by default. (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification. There does not
    appear to be any copyrighted text in this file, only ASN.1 assignments and
    LDAP schema definitions. Fixes a Lintian error on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from
    duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in
    draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
    slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
    after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

  [ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
    #706123)

  [ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <akoc@xxxxxxxxxxxxxxxxxxxxx>.
    (Closes: #661641)

openldap (2.4.39-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

openldap (2.4.39-1) unstable; urgency=low

  [ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in
    doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

  [ Russ Allbery ]
  * Remove myself from Uploaders.

  [ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him.  Thanks for
    your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess
    instances in the source, so that we can be forwards-compatible with new
    ports.  Thanks to Colin Watson <cjwatson@xxxxxxxxxx> for the patch.
    Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for
    driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the database
    on upgrade.  Closes: #738641.

  [ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile,
    smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for
    get-orig-source.
  * source: Add lintian overrides for non-translatable internal
    templates.

 -- Ryan Tandy <ryan@xxxxxxxxx>  Mon, 25 May 2015 19:49:21 -0700

** Changed in: openldap (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1545

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1546

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1003854

Title:
  Database upgrade/migration fails with nested db directories (lucid to
  precise)

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Precise:
  Confirmed
Status in openldap package in Debian:
  Fix Released

Bug description:
  Hi,

  I've just performed an upgrade of our LDAP server on Ubuntu 10.04.4
  LTS to Ubuntu 12.04 (I acknowledge this upgrade path is not officially
  supported yet).

  The incompatible database upgrading process in the preinst/postinst
  files failed in the following scenario.

  We have two suffixes/databases at the following paths:-

   * /var/lib/ldap
   * /var/lib/ldap/accesslog

  The preinst database dumping part of the process worked just fine and
  created the appropriate LDIF files under
  /var/backup/slapd-2.4.21-0ubuntu5.7, however the restore failed
  stating:-

  """
    Loading from /var/backups/slapd-2.4.21-0ubuntu5.7:
    - directory dc=REDACTEDs,dc=co,dc=uk... failed.

  Loading the database from the LDIF dump failed with the following
  error while running slapadd:
      4fbdfebf olcDbDirectory: value #0: invalid path: No such file or directory
      4fbdfebf config error processing olcDatabase={2}hdb,cn=config: olcDbDirectory: value #0: invalid path: No such file or directory
      slapadd: bad configuration directory!
  """

  This is because when move_incompatible_databases_away() runs it finds
  the main database first (/var/lib/ldap) and moves all top level
  entries (find -mindepth 1 -maxdepth 1 ...) into the backup directory
  and this includes the accesslog subdirectory which then no longer
  exists. When slapadd runs it checks config specifying that directory
  and bails with the above error given it is indeed missing.

  I've tested a tentative fix and that's to patch the two find commands
  (one in is_empty_dir(), one in move_old_database_away) to also specify
  -type f so that the directory structure is preserved when moving the
  old database away (accesslog will be backed up separately when its
  suffix is iterated over in move_incompatible_databases_away()).

  The simple and very tentative patch for this is:-

  """
  # diff -u slapd.scripts-common.old slapd.scripts-common
  --- slapd.scripts-common.old	2012-05-24 10:33:01.746206585 +0100
  +++ slapd.scripts-common	2012-05-24 10:33:23.967902747 +0100
  @@ -391,7 +391,7 @@
     echo -n "  - directory $suffix... " >&2
     mkdir -p "$backupdir"
     find "$databasedir" -mindepth 1 -maxdepth 1	\
  -			-exec mv {} "$backupdir" \;
  +			-type f -exec mv {} "$backupdir" \;
     echo done. >&2
    else
     cat >&2 <<EOF
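
Review bot: `-type f` on the find that feeds `-exec mv {} "$backupdir" \;` skips every entry that is not a regular file, not only nested database directories, so a symlink at the top level of $databasedir would stay in place while the rest of the old database is moved away. If the intent is only to preserve nested directories, `\! -type d` states that more narrowly and keeps the previous behaviour for everything else.
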
  @@ -728,7 +728,7 @@
   # (i.e., contains no files except for an optional DB_CONFIG).
   # Usage: if is_empty_dir "$dir"; then ... fi

  -	output=`find "$1" -mindepth 1 -maxdepth 1 \! -name DB_CONFIG 2>/dev/null`
  +	output=`find "$1" -mindepth 1 -maxdepth 1 -type f \! -name DB_CONFIG 2>/dev/null`
    if [ -n "$output" ]; then
         return 1
    else
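
Review bot: The comment kept above this find still describes the check as "contains no files except for an optional DB_CONFIG" and does not say that sub-directories are now ignored; with `-type f` a directory that holds only nested directories is reported as empty, which should be documented there. The filter used here also has to stay identical to the one in the move hunk, otherwise a directory the move has finished with would still be reported as non-empty.
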
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1003854/+subscriptions
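
The failure and the tentative fix described in the bug report, reproduced on a throwaway directory tree. This is an added example, not part of the report or of slapd.scripts-common; the function names move_top_level, looks_empty and run_case and the file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed layout mirroring the report: a main database directory with a
# second database nested inside it. Everything lives under a mktemp directory.

make_layout() {
    # $1 = scratch root; creates ldap/ (main db) and ldap/accesslog/ (nested db)
    mkdir -p "$1/ldap/accesslog" "$1/backup"
    : > "$1/ldap/DB_CONFIG"
    : > "$1/ldap/id2entry.bdb"
    : > "$1/ldap/accesslog/id2entry.bdb"
}

move_top_level() {
    # $1 = database dir, $2 = backup dir, $3 = extra find test:
    # "" is the original command, "-type f" the patched one.
    # $3 is deliberately unquoted so that an empty value adds no argument.
    find "$1" -mindepth 1 -maxdepth 1 $3 -exec mv {} "$2" \;
}

looks_empty() {
    # Same shape as the emptiness check in the patch; $2 = extra find test.
    output=$(find "$1" -mindepth 1 -maxdepth 1 $2 \! -name DB_CONFIG 2>/dev/null)
    [ -z "$output" ]
}

run_case() {
    # $1 = find test used for the move, $2 = find test used for the check.
    # Prints "<nested dir kept?> <main dir reported empty?>".
    root=$(mktemp -d) || return 1
    make_layout "$root"
    move_top_level "$root/ldap" "$root/backup" "$1"
    if [ -d "$root/ldap/accesslog" ]; then kept=yes; else kept=no; fi
    if looks_empty "$root/ldap" "$2"; then empty=yes; else empty=no; fi
    rm -rf "$root"
    echo "$kept $empty"
}

echo "original move, original check: $(run_case "" "")"
echo "patched move, original check:  $(run_case "-type f" "")"
echo "patched move, patched check:   $(run_case "-type f" "-type f")"
```

The middle case shows why both find commands have to change together: once the nested directory is left in place, the unpatched emptiness check no longer reports the main directory as empty.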