To follow up on my comment #2: I did some more testing and determined that the behavior I was seeing related to the olcAccess lines in the olcDatabase={0}config.ldif file was due to the "localroot"-related lines left over from earlier versions of the slapd.posting script. Once I removed all those references, then everything worked as expected even when the two lines
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {0}to * by * none
were both found in the config.ldif file.
I will add a comment on bug 571057 related to the manual cleanup steps that should be mentioned in the release notes.
(In case anyone else is following this trail of crumbs, the issue I had was that the olcAuthzRegexp line that mapped the UID=0 user to "cn=localroot,cn=config" was still found in my slapd.d/cn=config.ldif file. This meant that the "dn.exact=gidNumber=0" line mentioned above was not matched. Thus, the permission check would fall to the "olcAccess: {0}to * by * none" line and access would be denied.
When the "olcAccess: {0}to * by * none" line was removed from the {0}config.ldif file, the access control search continued on through to the olcAccess lines found in the olcDatabase={-1}frontend.ldif file... and that file still contained a line granting "localroot" access, so my ldapsearch succeeded.)
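The evaluation order the comment walks through, as an added model of slapd.access(5) semantics (not code from the bug thread or from OpenLDAP; the frontend's localroot grant and the exact olcAuthzRegexp are assumptions reconstructed from the comment):

```python
import re

# Identity slapd derives for uid 0 on the ldapi:/// socket (SASL EXTERNAL, peercred).
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Stale olcAuthzRegexp left behind by the old slapd.posting script (constructed here).
STALE_AUTHZ_REGEXP = (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
                      "cn=localroot,cn=config")

# olcAccess directives as (who pattern, access level, control) tuples; all are 'to *'.
ROOT_MANAGE = [("dn.exact=" + PEERCRED_ROOT, "manage", "stop"), ("*", None, "break")]
DENY_ALL = [("*", "none", "stop")]
# Assumed olcDatabase={-1}frontend content: it still grants the mapped localroot DN.
FRONTEND_DB = [[("dn.exact=cn=localroot,cn=config", "manage", "stop")]]


def norm_dn(dn):
    """Approximate slapd DN normalization: case-insensitive, no spaces at separators."""
    return re.sub(r"\s*([,+=])\s*", r"\1", dn.strip()).lower()


def who_matches(pattern, identity):
    if pattern == "*":
        return True
    if pattern.startswith("dn.exact="):
        return norm_dn(pattern[len("dn.exact="):]) == norm_dn(identity)
    raise ValueError("unsupported who clause: " + pattern)


def evaluate(databases, identity):
    """Walk the database's directives in order; fall through to the next database
    (the frontend) only when every directive was left via a 'break' control."""
    for directives in databases:
        for clauses in directives:
            for pattern, level, control in clauses:
                if not who_matches(pattern, identity):
                    continue
                if control == "stop":
                    return level          # first matching 'by' clause decides
                break                     # 'break' control: go on to the next directive
            else:
                return "none"             # 'to' matched but no 'by' did: implicit deny
    return "none"


def effective_access(stale_authz, deny_line_present):
    identity = PEERCRED_ROOT
    if stale_authz:                       # olcAuthzRegexp rewrites the SASL identity first
        identity = re.sub(STALE_AUTHZ_REGEXP[0], STALE_AUTHZ_REGEXP[1], identity)
    config_db = [ROOT_MANAGE] + ([DENY_ALL] if deny_line_present else [])
    return evaluate([config_db, FRONTEND_DB], identity)
```

With the stale regexp and the `by * none` line present the result is `none`; dropping `by * none` falls through to the frontend grant, and removing the regexp lets `dn.exact=` match directly.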