Re: viewing cn=config

[Howard Chu <hyc@symas.com>]

E.S. Rosenberg wrote:
> Hi, sorry that it took me a while to reply.
>
> So I do have the config backend, since debian moved me over automatically.
> So far the slapcat method has been working very nicely for me.
>
> Another question I ran into is how do you edit cn=config, by default I have
> not been able to figure out.
> I have so far seen two methods that work for me but they both feel a bit
> 'hacky' so I was wondering if there is another 'official' method.
>
> The two things I have done:
> 1. edit the files in slapd.d (after stopping the openldap server to be on the
> safe side).

Never do that.

> 2. using ldapmodify, but this was only possible after I added a olcRootPW
> attribute to the olcDatabase object of the config backend by editing the file
> as described here:
> http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_backend_%28cn%3Dconfig%29#Add_or_Change_password_of_RootDN
>
> It confused me at first since the configdb entry has the following acl:
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> I didn't understand how I could get access, it looked like I had to be root
> but even as root ldapmodify would refuse duty.
>
> I guess after seeing these mails I should have been using something like -Y
> EXTERNAL?

Yes, from your description, you should have used "ldapmodify -Y EXTERNAL -H 
ldapi:///" while running as root.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/