[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authentication for on the fly configuration updates in OpenLDAP 2.4
On 28/01/11 12:06 -0800, Howard Chu wrote:
Dan White wrote:
This config is missing two pretty important items in my opinion:
authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=admin,@SUFFIX@"
and
database config
rootdn "cn=admin,@SUFFIX@"
Your recommendation assumes that a typical slapd installation has
only one main database, and the local host sysadmin is also the LDAP
DB admin. In other scenarios where there are multiple databases, it's
more appropriate to leave the cn=config rootdn at its default and
separate the role of slapd administrator from regular database admin.
I now understand that reasoning.
The approach that package maintainers, like Debian, have taken is:
Answer these 3 basic questions and you've got a minimally functioning
server.
If you like, customize slapd.conf to your heart's content, and restart.
But that approach no longer works with the move to the config backend. To
be fair, it's not really feasible to have a one-size-fits-all config within
the package that's going to lead to a robust installation.
I suppose the correct approach would be for the package to offer to
configure a rootdn and rootpw for the config backend on installation,
however, since the package that will be released with squeeze will probably
not have those options, it's inevitable that the OP's question is going to
be posted here a lot, and generally annoy list members.
--
Dan White