Re: Authentication for on the fly configuration updates in OpenLDAP 2.4



On 28/01/11 19:10 +0200, Razvan Deaconescu wrote:
# slapcat -n0 | grep -C 5 '^\(olcRootDN\|olcRootPW\)'
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: ed743d3a-adc6-102f-9a18-f1967b980507
creatorsName: cn=config
---

If those options are missing, you could try rebuilding your config from
scratch from your own slapd.conf, by explicitly setting those options with
this config snippet:

database        config
rootdn          "cn=admin,dc=example,dc=org"
rootpw          xxx

That would involve moving your existing /etc/ldap/slapd.d and /var/lib/ldap
directories out of the way and regenerating them.

So I have to regenerate all configuration and database files?

I might have done something wrong, but it seems pretty strange that a
default Debian installation wouldn't provide the config user/password
for this.

I have discovered this myself, and I personally just rebuild from my own
slapd.conf. I just took a look at the debian/slapd.conf template file in
squeeze, which presumably is what the package installation uses to
ultimately generate the slapd.d config backend. I've copied it here:

http://web.olp.net/dwhite/openldap/slapd-squeeze-default.conf

This config is missing two pretty important items in my opinion:

authz-regexp
  "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,@SUFFIX@"

and

database        config
rootdn          "cn=admin,@SUFFIX@"

See:

http://www.openldap.org/lists/openldap-technical/201101/msg00047.html



--
Dan White
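An added check, not code from the thread or from the OpenLDAP/Debian packages: a POSIX shell/awk function that reads a `slapcat -n0` dump and reports whether the config database has a usable admin identity, meaning an olcRootDN backed by olcRootPW or targeted by an olcAuthzRegexp replacement. It is run over two constructed dumps, one shaped like the Debian default output above and one as it would look after Dan's slapd.conf snippet, assuming @SUFFIX@ is dc=example,dc=org.

```shell
# Added example, not from the thread: read a "slapcat -n0" dump on stdin and
# report whether cn=config has a usable admin identity, i.e. an olcRootDN that
# is backed by olcRootPW or is the replacement of some olcAuthzRegexp
# (such as the ldapi peercred mapping). Exit 0 = administrable, 1 = locked out.
check_config_auth() {
    awk '
        # LDIF folds long values onto lines starting with one space; unfold.
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") handle(buf); buf = $0 }
        END  { if (buf != "") handle(buf); report() }
        function handle(l,    lc, n, f) {
            lc = tolower(l)
            if (lc ~ /^dn: /) { dn = substr(lc, 5); return }
            # only the global entry and the config database entry matter here
            if (dn != "cn=config" && dn != "olcdatabase={0}config,cn=config") return
            if (lc ~ /^olcrootdn: /) rootdn = substr(lc, 12)
            if (lc ~ /^olcrootpw: /) rootpw = 1
            if (lc ~ /^olcauthzregexp: /) {
                # value is "{N}<regexp> <replacement>"; remember the replacement
                n = split(lc, f, /[ \t]+/); gsub(/^"|"$/, "", f[n]); target[f[n]] = 1
            }
        }
        function report() {
            if (rootdn == "")     { print "missing: no olcRootDN on the config database"; exit 1 }
            if (rootpw)           { print "ok: olcRootPW is set for " rootdn; exit 0 }
            if (rootdn in target) { print "ok: olcAuthzRegexp maps an identity to " rootdn; exit 0 }
            print "locked out: " rootdn " has no olcRootPW and no olcAuthzRegexp maps to it"
            exit 1
        }'
}

# Constructed dump shaped like the thread's slapcat output (Debian default).
LOCKED_OUT='dn: cn=config
cn: config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to *  by * none
olcRootDN: cn=config'

# Constructed dump after rebuilding from the slapd.conf snippet in the thread.
REPAIRED='dn: cn=config
olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=example,dc=org

dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org'

printf '%s\n' "$LOCKED_OUT" | check_config_auth || true   # exit 1
printf '%s\n' "$REPAIRED"   | check_config_auth             # exit 0
```

Run it against a live server with `slapcat -n0 | sh -c '. ./check.sh'` or by pasting the function into a shell; the only external dependency is awk.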