
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.

--On Tuesday, June 15, 2004 4:21 PM +0200 Buchan Milne <bgmilne@obsidian.co.za> wrote:

> # Protect passwords, using a regex so we can have generic accounts with
> # write access
> # Openldap will not authenticate against non-userPassword attributes
> # but we would have to duplicate most rules ...
> access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
>         by self write
>         by dn="uid=root,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by anonymous auth
>         by * none

Several problems here:

1) It makes assumptions about where the ldap database is installed.
2) It makes assumptions about the underlying schemas that are loaded.
3) It makes assumptions about the data loaded.

For example, our database is in /db
For example, we do not populate userPassword. There is no reason to, as everything is done via SASL/GSSAPI with K5.

OpenLDAP is a massively flexible piece of software. So are the underlying software components that plug in. I think the premise that a person can just install and go is flawed, and I think the premise that people can just "set up" OpenLDAP while skipping the documentation is flawed as well. The quantity and quality of the documentation available in the FAQ, Admin Guide, and man pages has increased substantially since I've been working with OpenLDAP, and I think it is more valuable to put energy into those areas than to try and come up with "defaults" that in the end are most likely to cause more confusion than if people had simply taken the time to read the documentation. Of course, we live in a society that expects 30 second infomercials to tell them how to do everything, so I suppose this thread shouldn't be too surprising. ;)


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
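To see concretely what the quoted regex ACL does and does not apply to, here is an added Python simulation of how slapd matches a regex <what> clause against an entry DN and substitutes `$N` capture groups into `by dn="..."` subjects. It is illustration code, not OpenLDAP code and not from either poster. It assumes slapd's documented behaviour (the <what> regex is matched unanchored unless it starts with `^`, and `$2` in a by-clause is replaced by the second capture group), reads the `$$` in slapd.conf as a literal end-of-string anchor, and uses constructed sample DNs. The "tight" pattern is my own variant, added because the quoted `ou=.+,` leaves the `$2` capture dependent on the regex engine: Python's backtracking `re` stops `$2` at the last `dc=` component, while a POSIX regexec (which slapd uses) is specified to give each subexpression the longest possible match.

```python
import re

# Constructed sample DNs for the demonstration (not from the original thread).
SAMPLE_DNS = [
    "uid=jsmith,ou=People,dc=example,dc=com",   # user entry under an ou
    "ou=People,dc=example,dc=com",              # the ou entry itself
    "cn=admin,dc=example,dc=com",               # entry not under any ou
    "uid=jsmith,ou=People,o=example",           # different suffix layout
]

# The <what> regex exactly as quoted, with slapd.conf's "$$" read as a
# literal end anchor (assumption).  No leading '^', so it is unanchored at
# the start, which is why re.search (not re.match) is the right analogue.
QUOTED_PATTERN = r"(.+,)?,ou=.+,(dc=.+,?)+$"

# Added variant (assumption, not the poster's): the stray comma before "ou="
# is dropped so the ou entry itself is covered, and the ou value is limited
# to one RDN with [^,]+ so that $2 captures the same suffix under both
# POSIX leftmost-longest and backtracking regex engines.
TIGHT_PATTERN = r"(.+,)?ou=[^,]+,(dc=.+,?)+$"

# The two <by dn="..."> subjects from the quoted rule, with their $2 references.
BY_DN_TEMPLATES = [
    "uid=root,ou=People,$2",
    "cn=Domain Controllers,ou=Group,$2",
]


def expand_by_dn(template, match):
    """Replace $1..$9 in a by-clause subject with the corresponding capture
    group of the <what> match, the way slapd expands regex back-references."""
    return re.sub(r"\$(\d)",
                  lambda g: match.group(int(g.group(1))) or "",
                  template)


def by_dn_subjects(pattern, dn, templates=BY_DN_TEMPLATES):
    """Return the expanded by-dn subjects if the access rule applies to dn,
    or None if it does not (slapd would then fall through to the next
    'access to' directive, or to the implicit 'by * none' default)."""
    match = re.search(pattern, dn)
    if match is None:
        return None
    return [expand_by_dn(t, match) for t in templates]


def evaluate_rule(pattern, dns=SAMPLE_DNS):
    """Map each sample DN to the subjects the rule would grant, or None."""
    return {dn: by_dn_subjects(pattern, dn) for dn in dns}


if __name__ == "__main__":
    for name, pattern in (("quoted", QUOTED_PATTERN), ("tight", TIGHT_PATTERN)):
        print(f"--- {name} pattern: {pattern}")
        for dn, subjects in evaluate_rule(pattern).items():
            print(f"{dn:45s} -> {subjects}")
```

Two things the output makes visible that the rule text alone does not: the quoted pattern never applies to an entry outside an `ou=` under a `dc=` suffix, so a directory rooted at `o=example` or holding accounts directly under the suffix silently falls through to whatever rule comes next (Quanah's point 3), and the `uid=root,ou=People,$2` subject is only as trustworthy as the capture that feeds it. Under Python the quoted pattern yields `$2 = dc=com`, i.e. a root DN that exists in no database; a POSIX engine may capture the full suffix instead. When a capture is substituted into a by-clause, constrain the preceding components with `[^,]+` (or anchor the pattern with `^` and spell the suffix out) rather than relying on engine-specific greediness.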