
Re: LDAP Crafted Search Request Access Allowed



On Thu, Oct 30, 2014 at 09:54:57AM -0300, Net Warrior wrote:

> >I suspect that you do not want that. It would force every client to
> >have a client-side X.509 certificate. Good for secure authentication,
> >but more effort to manage than most people are prepared to handle.
> 
> Is it because of the certificate expiration or something like that that's hard to
> maintain?

Yes. It is worth considering though, provided you have a well-organised
system for distributing and installing new client-side certificates.
You will also need to make sure that the admin tools you use can work with
client-side certs.

> >That is because you tried to add it to a database but it is a global option.
> I added it to the global section cn=config and do not see it.

Odd. If you use ldapadd to do this then it should either work or return an error code.

> >Are you really using the BDB database? It has been deprecated for some time
> >now.
> >I would suggest using MDB
> 
> Yes, my bad. After I went to production, I was told that backend was
> deprecated. Is there any doc related to migrating from one backend to another, or
> should I reconfigure the whole database from scratch?

The safest approach is to slapcat each of your databases into LDIF files
then configure new MDB databases and slapadd the data. You will find
that loading MDB with slapadd -q is extremely fast.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
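
The slapcat / slapadd -q migration described in the message above, written out as a two-phase script with an entry-count check after the reload. This is an added example, not part of the original message; the CONF_DIR and DUMP_DIR paths, the file names and the database numbers passed in are assumptions.

```shell
#!/bin/sh
# Added example: BDB -> MDB migration with slapcat and slapadd -q.
# CONF_DIR and DUMP_DIR are assumed paths; adjust to your installation.
CONF_DIR="${CONF_DIR:-/etc/openldap/slapd.d}"
DUMP_DIR="${DUMP_DIR:-/var/backups/ldap-migrate}"

# Count entries in an LDIF file. Each entry starts with "dn:" (or "dn::"
# for a base64 DN); folded continuation lines start with a space.
ldif_entry_count() {
    awk '/^dn:/ { n++ } END { print n + 0 }' "$1"
}

# Succeed only if both LDIF files hold the same number of entries.
same_entry_count() {
    [ "$(ldif_entry_count "$1")" -eq "$(ldif_entry_count "$2")" ]
}

# Phase 1: dump database number $1 from the old BDB backend.
dump_db() {
    umask 077   # dumps contain password hashes
    mkdir -p "$DUMP_DIR"
    slapcat -F "$CONF_DIR" -n "$1" -l "$DUMP_DIR/db$1.ldif"
}

# Phase 2, after database $1 has been redefined as MDB in the config:
# bulk-load with -q, dump the result again, compare entry counts.
load_db() {
    umask 077
    slapadd -q -F "$CONF_DIR" -n "$1" -l "$DUMP_DIR/db$1.ldif" &&
    slapcat -F "$CONF_DIR" -n "$1" -l "$DUMP_DIR/db$1.mdb.ldif" &&
    same_entry_count "$DUMP_DIR/db$1.ldif" "$DUMP_DIR/db$1.mdb.ldif"
}

# Constructed sample LDIF: two entries, one with a base64 DN, plus a
# folded value whose continuation line must not be counted as an entry.
sample_ldif() {
    printf '%s\n' 'dn: dc=example,dc=com' 'objectClass: domain' 'dc: example' '' \
        'dn:: Y249VGVzdCxkYz1leGFtcGxlLGRjPWNvbQ==' 'objectClass: person' \
        'cn: Test' 'description: a long value folded onto' \
        ' dn: a continuation line' 'sn: Test'
}

# Usage (slapd stopped): "dump N", reconfigure database N as MDB, "load N".
case "${1:-}" in
    dump) dump_db "$2" ;;
    load) load_db "$2" ;;
esac
```

When slapadd is run as root, the new MDB files end up owned by root, so change their ownership to the account slapd runs as before restarting it.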