
Re: Authentication for on the fly configuration updates in OpenLDAP 2.4



On 28/01/11 12:06 -0800, Howard Chu wrote:
> Dan White wrote:
>> This config is missing two pretty important items in my opinion:
>>
>> authz-regexp
>>    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>>    "cn=admin,@SUFFIX@"
>>
>> and
>>
>> database        config
>> rootdn          "cn=admin,@SUFFIX@"
>
> Your recommendation assumes that a typical slapd installation has only one main database, and the local host sysadmin is also the LDAP DB admin. In other scenarios where there are multiple databases, it's more appropriate to leave the cn=config rootdn at its default and separate the role of slapd administrator from regular database admin.

I now understand that reasoning.

The approach that package maintainers, like Debian, have taken is:

  Answer these 3 basic questions and you've got a minimally functioning
  server.

  If you like, customize slapd.conf to your heart's content, and restart.

But that approach no longer works with the move to the config backend. To
be fair, it's not really feasible to have a one-size-fits-all config within
the package that's going to lead to a robust installation.

I suppose the correct approach would be for the package to offer to
configure a rootdn and rootpw for the config backend on installation,
however, since the package that will be released with squeeze will probably
not have those options, it's inevitable that the OP's question is going to
be posted here a lot, and generally annoy list members.

--
Dan White
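The two positions in the exchange above, written out as slapd.conf fragments for OpenLDAP 2.4. This is an added illustration, not configuration posted by either participant or shipped by any package. The suffixes dc=example,dc=com and dc=example,dc=org, the hdb backend, the directory paths and the {SSHA} values are assumed placeholders; the authz-regexp line is taken from Dan's message with the suffix filled in. The two layouts are alternatives for the same server, not meant to be combined in one file.

```conf
# Layout A (Dan's suggestion): one main database, and the host's root
# user is also the LDAP administrator. Root connecting over ldapi:///
# with SASL EXTERNAL presents the peercred identity below, which is
# mapped to cn=admin,dc=example,dc=com, the rootdn of BOTH databases.
authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=admin,dc=example,dc=com"

database        config
rootdn          "cn=admin,dc=example,dc=com"
# No rootpw here: only the mapped SASL identity (local root) can
# modify cn=config, and nobody can simple-bind as the config rootdn.

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}placeholder-generated-with-slappasswd
directory       /var/lib/ldap/example-com

# ---------------------------------------------------------------------
# Layout B (Howard's point): several databases, with the slapd
# administrator separated from the per-database admins. cn=config keeps
# its default rootdn and gets its own rootpw; local root is mapped to
# cn=config only, so it can change server configuration but holds no
# rootdn rights in the data databases. The data databases are
# administered with their own rootdn/rootpw pairs (or ACLs), which can
# be handed to different people.
authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=config"

database        config
rootdn          "cn=config"
rootpw          {SSHA}placeholder-config-admin-hash

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}placeholder-example-com-admin-hash
directory       /var/lib/ldap/example-com

database        hdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
rootpw          {SSHA}placeholder-example-org-admin-hash
directory       /var/lib/ldap/example-org
```

To check which identity the mapping actually produces, run `ldapwhoami -Y EXTERNAL -H ldapi:///` as root on the host: it prints the authorization DN after authz-regexp has been applied, so it should answer `dn:cn=admin,dc=example,dc=com` under layout A and `dn:cn=config` under layout B. If it instead prints the raw `gidNumber=0+uidNumber=0,cn=peercred,...` identity, the regexp did not match and root has no special rights on cn=config.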