Understanding dynamic configuration



Hello,

I'm struggling a little with understanding the dynamic configuration
system (sorry, but wanted to say my vote is for file-based config; the
way some of this config has been put into LDAP feels forced and
unnecessarily convoluted).  Specifically, I'm having a hard time
getting my mind around how to manage and secure the configuration
database.

What's tripping me up is how to reconcile the separate ldif files that
contain global server-level configuration settings and config database
level settings with what I understand to be the recommended way to
manage those things -- using OpenLDAP client tools.

When starting a fresh server (CentOS6.3, installed from yum if that
matters here), it's not clear to me how I can bind using ldapadd in
order to modify global server settings.  Right now, I suspect the
trouble is that the default databases have been created without an
olcRootPw.  Do I have to violate best practices just long enough to
add that setting to the cn=config/olcDatabase={0}config.ldif file?

After that, do I bind to "cn=config" in order to change global
configuration settings using the base DN "cn=config"? (The olcRootDN
in the config database ldif file is "cn=config")

To modify settings for the configuration database itself, do I also
use the same bind ("cn=config") but use a base DN of
"olcDatabase={0}config.ldif,cn=config"?

I'm also curious, many of the examples I see for things like
cn=Modules don't use the full DN, which I think is
cn=Modules,cn=config.  Why is this?

I've read the website docs, the man pages, but I don't see any
information that addresses how to initially bind to and start
configuring the server in the Right Way.  The quick start guide would
be a good place for that, but it still talks about slapd.conf.

Thanks for the help and for the good software