Re: viewing cn=config

[masarati@aero.polimi.it]

> Hi, sorry that it took me a while to reply.
>
> So I do have the config backend, since debian moved me over automatically.
> So far the slapcat method has been working very nicely for me.
>
> Another question I ran into is how do you edit cn=config, by default I
> have
> not been able to figure out.
> I have so far seen two methods that work for me but they both feel a bit
> 'hacky' so I was wondering if there is another 'official' method.
>
> The two things I have done:
> 1. edit the files in slapd.d (after stopping the openldap server to be on
> the safe side).
> 2. using ldapmodify, but this was only possible after I added a olcRootPW
> attribute to the olcDatabase object of the config backend by editing the
> file as described here:
> http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_backend_%28cn%3Dconfig%29#Add_or_Change_password_of_RootDN

This is not necessary, see below.

> It confused me at first since the configdb entry has the following acl:
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by
> *
> break
> I didn't understand how I could get access, it looked like I had to be
> root
> but even as root ldapmodify would refuse duty.

You need to start slapd with -h ldapi:/// and bind on that URI using SASL
external from the machine where slapd is running on, while logged into a
shell as root.  That ACL is giving access to the user whose DN results
from this bind.

> I guess after seeing these mails I should have been using something like
> -Y
> EXTERNAL?

Exactly.  Something like

login: root
password: *****
# slapd -h ldapi:///
# ldapmodify -H ldapi:/// -Y EXTERNAL

p.