On 4/29/22 23:21, Quanah Gibson-Mount wrote:
> --On Friday, April 29, 2022 10:40 PM +0200 Michael Ströder michael@stroeder.com wrote:
> > > This change was done to address the issue where the admin's password was stored in two places (olcRootPW and the entry's userPassword), which occasionally caused confusion if only one of the two was changed.
> > Makes perfect sense to me.
> > I'd even avoid setting a rootpw value at all.
> How would one then add the initial database? What you suggest is all fine and good if someone has a known good LDIF to start from, but a beginner isn't going to, and will need to be able to get the error checking that slapadd does not provide.
Hmm, being the author of a generic LDAP client I can say that it's really hard to guide a newbie user to do the right thing when starting with an *empty* DB.
But I appreciate any hints how to do that, even if it requires to set rootpw. ;-)
The only viable solution is to provide decent tooling for setting up a DB with presets. If going this route you can also set up an admin group with decent ACLs right from the start. And the setup process can run as root connecting via LDAPI and using SASL/EXTERNAL for authc. Then running the setup as system user root is the initial trust anchor for bootstrapping the directory. Well, *you* already know all this and you probably guessed it: that's how Æ-DIR setup is doing it (and all automated setups I do for customers).
Ciao, Michael.
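The bootstrap Michael describes, written out as an added example (it is not part of the thread and not Æ-DIR's own tooling): the setup runs as root over ldapi:/// with SASL/EXTERNAL, sets no olcRootPW at all, and instead installs ACLs that grant manage rights to root's peer-credential identity and to an admin group, then loads the first entries through slapd so they get the schema checking slapadd does not provide. Assumptions, all of them made up for the example: the data database is olcDatabase={1}mdb,cn=config with suffix dc=example,dc=org; cn=config already grants the identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage access (as distribution packages commonly do); the group cn=admins and the account uid=admin1 are placeholder names.

```shell
#!/bin/sh
# Bootstrap an OpenLDAP database without olcRootPW: root over ldapi:///
# (SASL/EXTERNAL, peercred) is the trust anchor, an admin group gets manage
# rights via ACL. Names below are assumptions for this example only.
set -eu

LDAPI_URI="ldapi:///"
DB_DN="olcDatabase={1}mdb,cn=config"                      # assumed database
SUFFIX="dc=example,dc=org"                                 # assumed suffix
ADMIN_GROUP="cn=admins,ou=groups,${SUFFIX}"               # assumed group
FIRST_ADMIN="uid=admin1,ou=people,${SUFFIX}"              # assumed account
# Identity slapd derives for uid 0 / gid 0 connecting over the ldapi socket.
ROOT_PEERCRED="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# LDIF that replaces the database ACLs. No olcRootPW is written anywhere:
# root over ldapi and members of the admin group get manage, users may
# change their own password, everything else is denied. Continuation lines
# carry two leading spaces so the joined value keeps a space between tokens.
acl_ldif() {
    cat <<EOF
dn: ${DB_DN}
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="${ROOT_PEERCRED}" manage
  by group.exact="${ADMIN_GROUP}" manage
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="${ROOT_PEERCRED}" manage
  by group.exact="${ADMIN_GROUP}" manage
  by users read
  by * none
EOF
}

# Initial entries: base, containers, first admin account and the admin group
# that already lists it as member. Loaded with ldapadd, not slapadd, so slapd
# validates schema and the ACLs above are exercised from the first write.
bootstrap_ldif() {
    cat <<EOF
dn: ${SUFFIX}
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org

dn: ou=groups,${SUFFIX}
objectClass: organizationalUnit
ou: groups

dn: ou=people,${SUFFIX}
objectClass: organizationalUnit
ou: people

dn: ${FIRST_ADMIN}
objectClass: inetOrgPerson
uid: admin1
cn: First Admin
sn: Admin

dn: ${ADMIN_GROUP}
objectClass: groupOfNames
cn: admins
member: ${FIRST_ADMIN}
EOF
}

# Run as root on the slapd host. ACLs go in first so the peercred identity is
# allowed to write data; then the entries; then the admin gets a password set
# interactively (the account is unusable until then, which is intended).
bootstrap_directory() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root for peercred auth" >&2; return 1; }
    acl_ldif       | ldapmodify -Q -Y EXTERNAL -H "${LDAPI_URI}"
    bootstrap_ldif | ldapadd    -Q -Y EXTERNAL -H "${LDAPI_URI}"
    ldappasswd -Q -Y EXTERNAL -H "${LDAPI_URI}" -S "${FIRST_ADMIN}"
}

# Only touch slapd when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    bootstrap_directory
fi
```

After this, day-to-day administration binds as uid=admin1 (or any later member of cn=admins), and there is no second copy of an admin secret in cn=config to drift out of sync.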