
Re: fresh (distro's) installation and cn=config password



On 01/23/2017 11:59 AM, lejeczek wrote:
hi everybody,
this must be one of the most ancient questions - but browsing (CentOS') local docs reveals nothing. I'd imagine passwords are the first & most important thing everybody does to make sure slapd is secured, something like "mysql_secure_installation".

I'm trying to do something I'd think is simple and should just work, but, I'm wrong, so I do:

slapadd -v -n0 <<EOL
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

olcRootDN: cn=admin,cn=config
olcRootPW:: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

EOL

and I get in return:
slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=1): autocreation of "olcDatabase={-1}frontend" failed

So that question - how does one secure an LDAP installation?
But I'd insist on not referring to something like "slaptest and convert old school to ..." or .. edit config file(s). What I think is - I have a clean installation which is configured in probably the best possible way, but what is missing is: olcRootDN, olcRootPW
How to use slapadd for it? Is slapadd not the right tool for this?

many thanks,
L.

review the package scripts for the rpm:

rpm -q --scripts openldap-servers

there is a post-install section that builds a default database for you. it is based on the info in /usr/share/openldap-servers/slapd.ldif (at least on fedora 24). when you install the package, you should be able to adjust the settings in cn=config and move on.

as root you will have access via the ldapi:// interface because of the default ACL allowing anyone with UID and GID of 0 to access the instance via the socket interface.
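
The approach the reply describes, written out as an added example (not part of the original message or of the package's scripts): as root, modify cn=config over ldapi:// with SASL EXTERNAL instead of using slapadd. The rootDN cn=admin,cn=config is taken from the question; the function names build_rootpw_ldif and apply_rootpw are hypothetical.

```shell
#!/bin/sh
# Added example: set olcRootDN / olcRootPW on the config database of a
# running slapd through the local socket, relying on the default ACL that
# grants uid=0,gid=0 access over ldapi://.

# Print the LDIF change record. $1 = rootDN, $2 = hashed password.
build_rootpw_ldif() {
    rootdn=$1
    pwhash=$2
    # Refuse anything that is not a "{SCHEME}hash" value, so a cleartext
    # password never ends up stored in cn=config.
    case $pwhash in
        '{'*'}'?*) ;;
        *) echo "refusing: value is not a {SCHEME} hash" >&2; return 1 ;;
    esac
    # "replace" works whether or not the attribute already exists.
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $pwhash
EOF
}

# Hash a password interactively and apply the change. Must run as root,
# because the peer credentials of the socket are what authorize the bind.
apply_rootpw() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    new_hash=$(slappasswd) || return 1   # prompts on the tty, prints {SSHA}...
    build_rootpw_ldif "${1:-cn=admin,cn=config}" "$new_hash" |
        ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage (as root, with slapd running):
#   apply_rootpw "cn=admin,cn=config"
```

To confirm the result, read the entry back the same way: ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={0}config,cn=config" -s base olcRootDN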