
Re: Authentication for on the fly configuration updates in OpenLDAP 2.4



On 01/28/2011 05:24 PM, Dan White wrote:
> On 28/01/11 16:54 +0200, Razvan Deaconescu wrote:
>> Hi!
>>
>> I've browsed the configuration page for slapd[1] and it mentions that,
>> starting from version 2.3, "The LDAP configuration engine allows all
>> of slapd's configuration options to be changed on the fly, generally
>> without requiring a server restart for the changes to take effect."
>>
>> What is the user and password required to update the LDAP configuration
>> database?
>>
>> I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). I've tried using
>> the admin user (cn=admin,dc=...,dc=...) and it fails. This link[2]
>> mentions using the cn=admin,dc=config account and a password found in
>> ldap.secret. I've not found that file and don't know what is the
>> password for the cn=admin,dc=config account.
> 
> Try 'slapcat -n0', and see what, if any, olcRootDN and olcRootPW settings
> you have listed under olcDatabase={0}config,cn=config. The config backend
> maintains its own rootdn and rootpw settings.

There is only the olcRootDN setting:
---
# slapcat -n0 | grep -C 5 '^\(olcRootDN\|olcRootPW\)'
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: ed743d3a-adc6-102f-9a18-f1967b980507
creatorsName: cn=config
---

> If those options are missing, you could try rebuilding your config from
> scratch from your own slapd.conf, by explicitly setting those options with
> this config snippet:
> 
> database        config
> rootdn          "cn=admin,dc=example,dc=org"
> rootpw          xxx
> 
> That would involve moving your existing /etc/ldap/slapd.d and /var/lib/ldap
> directories out of the way and regenerating them.

So I have to regenerate all configuration and database files?

I might have done something wrong, but it seems pretty strange that a
default Debian installation wouldn't provide the config user/password
for this.

Razvan
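The check Dan suggests (look at `slapcat -n0` for the config database's own `olcRootDN`/`olcRootPW`) and the fix it leads to, as an added example that is not code from this thread or from OpenLDAP. The dump it parses is a constructed sample modelled on the output posted above, and the `{SSHA}` values in it are placeholders, not real hashes; on a real box the input would come from `slapcat -n0`.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: inspect a
# "slapcat -n0" dump for the {0}config database's rootdn/rootpw and build
# the LDIF that would set a missing olcRootPW.
# Real input:  slapcat -n0 > /tmp/cn-config.ldif

CONFIG_DN='olcDatabase={0}config,cn=config'

# Constructed sample dump: {0}config has a rootdn but no rootpw, while the
# data backend has both (hash values are placeholders).
SAMPLE_DUMP='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcRootDN: cn=config

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}hdb
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}placeholderhashvalue
'

# config_attr DUMP ATTR: print ATTR from the {0}config entry only. The data
# backends carry their own olcRootDN/olcRootPW, so a grep over the whole
# dump can show a rootpw that does not belong to cn=config. Prints nothing
# when the attribute is absent. Does not unfold LDIF continuation lines
# and does not decode "attr::" base64 values.
config_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" -v dn="$CONFIG_DN" '
        /^dn: / { in_cfg = ($0 == ("dn: " dn)) }
        in_cfg && index($0, attr ":") == 1 {
            v = substr($0, length(attr) + 2); sub(/^:? */, "", v); print v; exit
        }'
}

# rootpw_status DUMP: "set" if {0}config carries an olcRootPW, else "missing"
rootpw_status() {
    if [ -n "$(config_attr "$1" olcRootPW)" ]; then echo set; else echo missing; fi
}

# rootpw_ldif DUMP HASH: LDIF that sets olcRootPW on {0}config, and sets
# olcRootDN to cn=config when the dump has none. HASH comes from
#   slappasswd -s 'the-secret'
# Apply online with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-rootpw.ldif
# That bind only succeeds if an ACL grants the local root identity write
# access to cn=config; with "to * by * none" as in the thread it is refused,
# which leaves the offline route Dan describes (slapcat -n0, edit the dump,
# then slapadd -n 0 -F /etc/ldap/slapd.d -l dump.ldif with slapd stopped).
rootpw_ldif() {
    dump=$1 hash=$2
    printf 'dn: %s\nchangetype: modify\n' "$CONFIG_DN"
    if [ -z "$(config_attr "$dump" olcRootDN)" ]; then
        printf 'replace: olcRootDN\nolcRootDN: cn=config\n-\n'
    fi
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$hash"
}

# Stand-alone run over the constructed dump
echo "rootdn: $(config_attr "$SAMPLE_DUMP" olcRootDN)"
echo "rootpw: $(rootpw_status "$SAMPLE_DUMP")"
rootpw_ldif "$SAMPLE_DUMP" '{SSHA}placeholderhashvalue'
```

After `slapadd -n 0` the regenerated `slapd.d` must be owned by the user slapd runs as (on Debian, `openldap`), and a `slaptest -F /etc/ldap/slapd.d` before restarting catches a malformed edit. Only the `{0}config` entry needs to change; the data backend in `/var/lib/ldap` is untouched by this route.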