Re: Ang. RE: Bdb defaults - WAS: problem importing entries.
--On Tuesday, June 15, 2004 4:21 PM +0200 Buchan Milne
# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by anonymous auth
        by * none
Several problems here:
1) It makes assumptions about where the ldap database is installed.
2) It makes assumptions about the underlying schemas that are loaded.
3) It makes assumptions about the data loaded.
For example, our database is in /db
For example, we do not populate userPassword. There is no reason to, as
everything is done via SASL/GSSAPI with K5.
OpenLDAP is a massively flexible piece of software. So are the underlying
software components that plug in. I think the premise that a person can
just install and go is flawed, and I think the premise that people can just
"set up" OpenLDAP while skipping on the documentation is flawed as well.
The quantity and quality of the documentation available in the FAQ, Admin
guide, and man pages has increased substantially since I've been working
with OpenLDAP, and I think it is more valuable to put energy into those
areas than to try and come up with "defaults" that in the end are most
likely to cause more confusion than if people had simply taken the time to
read the documentation. Of course, we live in a society that expects 30
second infomercials to tell them how to do everything, so I suppose this
thread shouldn't be too surprising. ;)
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html