Full_Name: Quanah Gibson-Mount
Version: RE24
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)
In OpenLDAP 2.3, it was possible to set the rootdn of the main database to be cn=config. This no longer works in OpenLDAP 2.4, but seems like it should be valid to me.
Example config:
include /opt/zimbra/openldap-2.4.12/etc/openldap/schema/core.schema
include "/opt/zimbra/openldap-2.4.12/etc/openldap/schema/cosine.schema"
include "/opt/zimbra/openldap-2.4.12/etc/openldap/schema/inetorgperson.schema"

pidfile /opt/zimbra/openldap-2.4.12/var/run/slapd.pid
argsfile /opt/zimbra/openldap-2.4.12/var/run/slapd.args

modulepath /opt/zimbra/openldap-2.4.12/libexec/openldap
moduleload back_hdb.la
moduleload back_monitor.la
moduleload syncprov.la
moduleload accesslog.la

database config
rootpw secret

database monitor
rootdn "cn=config"
access to dn.children="cn=monitor"
	by * read

database hdb
suffix cn=accesslog
directory /opt/zimbra/data/openldap/accesslog/db
rootdn cn=accesslog
index default eq
index entryCSN
index objectClass
index reqEnd
index reqResult
index reqStart
access to dn.subtree="cn=accesslog"
	by dn.exact="cn=config" read
	by dn.exact="uid=zmreplica,cn=admins,cn=zimbra" read
# Checkpoint the database to prevent transaction loss in unclean shutdowns, and speed up slapd shutdowns.
checkpoint 64 5
cachesize 10000
timelimit unlimited
sizelimit unlimited
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

database hdb
suffix ""
rootdn "cn=config"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /opt/zimbra/data/openldap/db
# Indices to maintain
index objectClass eq
index cn pres,eq,sub
index displayName pres,eq,sub
index sn pres,eq,sub
index gn pres,eq,sub
# recommended for replication
index entryUUID eq
index entryCSN eq
sizelimit unlimited
timelimit unlimited
overlay syncprov
syncprov-checkpoint 20 10
syncprov-sessionlog 500
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
Slaptest fails with:
line 74 (suffix "")
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
line 75 (rootdn "cn=config")
dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
line 79 (rootpw ***)
/opt/zimbra/openldap-2.4.12/etc/openldap/slapd.conf: line 79: <rootpw> can only be set when rootdn is under suffix
slaptest: bad configuration file!
cn=config is *clearly* under "", and changing it to "cn=config,dc=junk" works. So it's specific to the term "cn=config". Changing it to "cn=joe" works just fine. It also doesn't seem to care that I use "cn=config" with back-monitor...
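The rule slaptest quotes ("<rootpw> can only be set when rootdn is under suffix") is a sensible safety check: a rootpw whose rootdn lies outside the database's naming context is a credential that can never bind to that database, so slapd refuses to load it. The following added example (not OpenLDAP code, and not part of the report) restates that rule purely in DN terms and runs it over an excerpt of the report's slapd.conf plus one constructed misconfiguration. It shows that, judged as DNs, "cn=config" is under the empty suffix exactly as the report says, while a genuinely misplaced rootdn is flagged. It does not model whatever makes slapd treat the literal "cn=config" specially; the report does not say why that happens. Assumptions made here: back-config uses the fixed naming context cn=config (and cn=config as its default rootdn) and back-monitor uses cn=Monitor, as described in slapd-config(5) and slapd-monitor(5); the config text itself is an excerpt of the report's configuration reduced to the relevant directives.

```python
"""Lint the rootdn/suffix/rootpw relationship in a slapd.conf in pure DN terms.

Added example, independent of OpenLDAP's own parser: it re-states the check
"<rootpw> can only be set when rootdn is under suffix" using RFC 4514-style DN
comparison so the reader can see which databases that rule accepts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed fixed naming contexts of special backends (per slapd-config(5) and
# slapd-monitor(5)); back-config also defaults its rootdn to cn=config.
IMPLICIT_SUFFIX = {"config": "cn=config", "monitor": "cn=Monitor"}
IMPLICIT_ROOTDN = {"config": "cn=config"}


@dataclass
class Database:
    backend: str
    suffix: Optional[str] = None
    rootdn: Optional[str] = None
    rootpw: Optional[str] = None


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> List[str]:
    """Trim and case-fold each RDN; the empty DN (suffix "") becomes an empty list."""
    if not dn.strip():
        return []
    return [rdn.strip().lower() for rdn in split_rdns(dn)]


def dn_is_under(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or sits beneath it; the empty suffix covers every DN."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    if not s:
        return True
    return len(d) >= len(s) and d[-len(s):] == s


def parse_databases(conf: str) -> List[Database]:
    """Collect suffix/rootdn/rootpw per 'database' section; global directives are skipped."""
    dbs: List[Database] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        if key == "database":
            dbs.append(Database(backend=_unquote(val)))
        elif dbs and key in ("suffix", "rootdn", "rootpw"):
            setattr(dbs[-1], key, _unquote(val))
    return dbs


def check_rootpw(conf: str) -> Dict[str, str]:
    """Map each database ('backend:suffix') to 'ok', 'no-rootpw', or the violation found."""
    report: Dict[str, str] = {}
    for db in parse_databases(conf):
        suffix = db.suffix if db.suffix is not None else IMPLICIT_SUFFIX.get(db.backend)
        rootdn = db.rootdn if db.rootdn is not None else IMPLICIT_ROOTDN.get(db.backend)
        key = f"{db.backend}:{suffix if suffix is not None else '<none>'}"
        if suffix is None:
            report[key] = "no-suffix"
        elif db.rootpw is None:
            report[key] = "no-rootpw"  # rootdn may live anywhere; it just binds elsewhere
        elif rootdn is None:
            report[key] = "rootpw-without-rootdn"
        elif not dn_is_under(rootdn, suffix):
            report[key] = f"rootpw-but-rootdn-outside-suffix ({rootdn})"
        else:
            report[key] = "ok"
    return report


# Excerpt of the report's slapd.conf, reduced to the directives this check reads.
REPORT_CONF = """\
database config
rootpw secret

database monitor
rootdn "cn=config"

database hdb
suffix cn=accesslog
rootdn cn=accesslog

database hdb
suffix ""
rootdn "cn=config"
rootpw secret
"""

# Constructed misconfiguration (not from the report): rootdn outside the naming context.
BAD_CONF = """\
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=other"
rootpw secret
"""

if __name__ == "__main__":
    for name, conf in (("report", REPORT_CONF), ("constructed", BAD_CONF)):
        for key, status in check_rootpw(conf).items():
            print(f"{name:11} {key:28} {status}")
```

Run as-is it reports every database of the report's excerpt as either "ok" or "no-rootpw" (the suffix "" database with rootdn "cn=config" passes the DN check, as does the config database with its implicit rootdn), and only the constructed entry whose rootdn sits under dc=other is flagged. That is the DN-level reading of the rule the report argues slapd should apply.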