Hello,
I'm struggling a little with understanding the dynamic configuration system (sorry, but I wanted to say my vote is for file-based config; the way some of this config has been put into LDAP feels forced and unnecessarily convoluted). Specifically, I'm having a hard time getting my mind around how to manage and secure the configuration database.
What's tripping me up is how to reconcile the separate ldif files that contain global server-level configuration settings and config database level settings with what I understand to be the recommended way to manage those things -- using OpenLDAP client tools.
When starting a fresh server (CentOS 6.3, installed from yum if that matters here), it's not clear to me how I can bind using ldapadd in order to modify global server settings. Right now, I suspect the trouble is that the default databases have been created without an olcRootPw. Do I have to violate best practices just long enough to add that setting to the cn=config/olcDatabase={0}config.ldif file?
After that, do I bind to "cn=config" in order to change global configuration settings using the base DN "cn=config"? (The olcRootDN in the config database ldif file is "cn=config")
To modify settings for the configuration database itself, do I also use the same bind ("cn=config") but use a base DN of "olcDatabase={0}config.ldif,cn=config"?
I'm also curious, many of the examples I see for things like cn=Modules don't use the full DN, which I think is cn=Modules,cn=config. Why is this?
I've read the website docs, the man pages, but I don't see any information that addresses how to initially bind to and start configuring the server in the Right Way. The quick start guide would be a good place for that, but it still talks about slapd.conf.
Thanks for the help and for the good software
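The procedure the post is asking about, as an added example that is not part of the original message and not OpenLDAP's own code: build the LDIF for the two kinds of change (a setting on the config database entry, and a global setting on cn=config itself) and apply it with ldapmodify. It assumes the packaged cn=config grants "manage" to the local root user over the ldapi:/// socket through SASL EXTERNAL (the way the CentOS 6 slapd package ships), so no olcRootPw is needed for the first edit; the log level and the password hash are illustrative values. Note that the entry DN is olcDatabase={0}config,cn=config; the ".ldif" suffix belongs only to the file name under slapd.d.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project).
# Assumes: local root is mapped by SASL EXTERNAL over ldapi:/// to
# gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth and that DN has
# "manage" on cn=config (the CentOS 6 package default). Values are illustrative.

LDAPI_URI="${LDAPI_URI:-ldapi:///}"

# LDIF that gives the config database a root password. The target is the
# config database entry, not the file: olcDatabase={0}config,cn=config.
config_db_rootpw_ldif() {
    hash="$1"  # output of: slappasswd -s '<password>' (never cleartext)
    printf '%s\n' \
        'dn: olcDatabase={0}config,cn=config' \
        'changetype: modify' \
        'replace: olcRootPw' \
        "olcRootPw: $hash"
}

# LDIF that changes a global (server-level) setting. These attributes live
# directly on the cn=config entry, so that is the DN to modify.
global_loglevel_ldif() {
    level="$1"
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: olcLogLevel' \
        "olcLogLevel: $level"
}

# Apply LDIF from stdin as local root with no password at all: SASL EXTERNAL
# over the ldapi socket authenticates by the connecting process's uid/gid.
apply_as_local_root() {
    ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
}

# Once olcRootPw is set, the same changes can be made with a simple bind as
# the config database's olcRootDN (cn=config); -W prompts for the password.
apply_as_cn_config() {
    ldapmodify -x -D cn=config -W -H "$LDAPI_URI"
}

# Check what the config database entry now carries for the two attributes.
show_config_db_root() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI_URI" \
        -b 'olcDatabase={0}config,cn=config' -s base olcRootDN olcRootPw
}

# Guarded so the file can be sourced without touching a live server.
# Run as root with: APPLY_CONFIG=1 CONFIG_ROOT_PASSWORD='...' sh this.sh
if [ "${APPLY_CONFIG:-0}" = 1 ]; then
    hash="$(slappasswd -s "${CONFIG_ROOT_PASSWORD:?set CONFIG_ROOT_PASSWORD}")"
    config_db_rootpw_ldif "$hash" | apply_as_local_root
    global_loglevel_ldif stats | apply_as_local_root
    show_config_db_root
fi
```

After the first step the cleartext password never touches the ldif files under slapd.d: only the slappasswd hash is stored, and later edits can be done with apply_as_cn_config from any client that can reach the server, while the EXTERNAL path stays available to root on the box as a fallback if the password is lost.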