Re: fresh (distro's) installation and cn=config password
- To: "lejeczek" <peljasz@yahoo.co.uk>
- Subject: Re: fresh (distro's) installation and cn=config password
- From: "Ralf Mattes" <rm@mh-freiburg.de>
- Date: Tue, 24 Jan 2017 14:44:14 +0100
- Cc: openldap-technical@openldap.org
- In-reply-to: <ff479edd-d352-2357-9275-9a66ed520be0@yahoo.co.uk>
- User-agent: SOGoMail 2.3.17
On Monday, 23 January 2017 17:59 CET, lejeczek <peljasz@yahoo.co.uk> wrote:
> hi everybody,
> this must be one of the most ancient questions - but
> browsing (centos') local docs reveal nothing.
> I'd imagine passwords is that first & most important thing
> everybody does to make sure slapd is secured, something like
> "mysql_secure_installation"
No, why? There's a multitude of ways to restrict access to the server, password based
access is just one of them.
> I'm trying to do something I'd think is simple and should
> just work, but, I'm wrong, so I do:
>
> slapadd -v -n0 <<EOL
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
What does this have to do with setting up passwords?
This looks like you are trying to bootstrap a server installation ex nihilo.
You'd need quite a bit more than "browsing (centos') local docs" to do this.
>
> olcRootDN: cn=admin,cn=config
> olcRootPW:: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> EOL
>
> and I get in return:
> slapadd: could not add entry
> dn="olcDatabase={0}config,cn=config" (line=1): autocreation
> of "olcDatabase={-1}frontend" failed
That error is pretty clear, isn't it? You seem to have forgotten to add a frontend database.
Do yourself a favour and have a look at the distribution's bootstrap ldif.
> So that question - how does one secure ldap installation?
This has nothing whatsoever to do with "secure ldap installation"
> But I'd insist on not referring something like "slaptest and
> convert old school to ..." or .. edit config file(s)
This is borderline rude ....
> What I think is - I have a clean installation which is
> configured in probably best possible way but missing is:
Looking at your error output it really does not at all look like you have
a "clean installation". It looks more like a steaming pile of trial-and-error
installation leftovers.
On a clean installation you'd just need to set the olcRootPW attribute of
the olcDatabase={0}config,cn=config entry (iff you really insist on using
password based access and not the way more flexible ACL based security).
HTH Ralf Mattes
> olcRootDN, olcRootPW
> How to use slapadd for it? Is slapadd not the right tool for
> this?
>
> many thanks,
> L.
>
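
Added example, not part of either message: the reply's advice to set olcRootPW on the olcDatabase={0}config,cn=config entry, written as an LDIF modify record carrying a salted {SSHA} value of the kind slappasswd produces. The function names and the password are constructed for illustration, and the ldapmodify call in the comment assumes the package's default ACL lets local root manage cn=config over ldapi:///.

```python
import base64
import hashlib
import hmac
import os

CONFIG_DN = "olcDatabase={0}config,cn=config"  # entry named in the reply above


def ssha_hash(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_ldif(hashed, dn=CONFIG_DN):
    """Build a modify record that sets olcRootPW on an existing entry."""
    if not hashed.startswith("{"):
        raise ValueError("refusing to write a cleartext olcRootPW")
    # Single colon: the value is literal text. 'olcRootPW::' (double colon)
    # tells LDIF parsers that the value which follows is base64-encoded.
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )


if __name__ == "__main__":
    # Constructed sample password. Feed the output to ldapmodify, e.g.
    #   python3 rootpw.py | ldapmodify -Y EXTERNAL -H ldapi:///
    # (assumption: the distro ACL grants local root manage rights on cn=config)
    print(rootpw_ldif(ssha_hash("constructed-sample-password")), end="")
```

This modifies the existing config entry on a running slapd rather than creating it with slapadd, so it never triggers autocreation of the frontend database.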