
Re: Authentication for on the fly configuration updates in OpenLDAP 2.4



Dan White wrote:
I have discovered this myself, and I personally just rebuild from my own
slapd.conf. I just took a look at the debian/slapd.conf template file in
squeeze, which presumably is what the package installation uses to
ultimately generate the slapd.d config backend. I've copied it here:

http://web.olp.net/dwhite/openldap/slapd-squeeze-default.conf

This config is missing two pretty important items in my opinion:

authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=admin,@SUFFIX@"

and

database        config
rootdn          "cn=admin,@SUFFIX@"

See:

http://www.openldap.org/lists/openldap-technical/201101/msg00047.html

Your recommendation assumes that a typical slapd installation has only one main database, and the local host sysadmin is also the LDAP DB admin. In other scenarios where there are multiple databases, it's more appropriate to leave the cn=config rootdn at its default and separate the role of slapd administrator from regular database admin.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
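The role separation described in the reply, written out as a cn=config LDIF (an added example, not from the thread or from Debian's template): the config database keeps slapd's default rootdn of cn=config and the host's root user gets manage rights on it by ACL via SASL EXTERNAL over ldapi://, while the data database has its own rootdn for the LDAP DB admin. The suffix dc=example,dc=com, the hdb backend and the directory path are assumptions.

```ldif
# Constructed example, not from the thread or from the Debian package.
# Assumes slapd listens on ldapi:/// and the suffix is dc=example,dc=com.

# Config database: rootdn left at the slapd default (cn=config).
# The local root user, authenticating with SASL EXTERNAL over ldapi://,
# is granted manage rights by ACL instead of being mapped onto a data
# database admin DN with authz-regexp. "by * break" lets later rules apply.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break

# Data database: a separate rootdn for the LDAP DB admin, who need not be
# the host sysadmin. Set olcRootPW with slappasswd output (placeholder here).
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
olcDbDirectory: /var/lib/ldap

# Check from a root shell on the host (assumed ldapi:/// listener):
#   ldapwhoami -Y EXTERNAL -H ldapi:///
# should report the peercred identity, not cn=admin,dc=example,dc=com:
#   dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# and that identity can then modify cn=config with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif
# while the data database stays under cn=admin,dc=example,dc=com.
```

Note that dn.exact in an ACL takes a literal DN, so the `+` is not escaped there, unlike the regex form used in the authz-regexp quoted above.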