Hi list,
I've been using openldap for a few years but yesterday I compiled slapd from git head for the first time. To my surprise:
root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
does not work. It took me a while to find out that by default the cn=config database has 'olcAccess: {0}to * by * none' and 'olcRootDN: cn=config' with no olcRootPW, so all access from ldap is denied. Once I knew, I used slapmodify to change olcRootDN to 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' and everything works as expected afterwards.
My argument is why isn't it the default? I think debian packages already did that. cn=config is stored as plain text on the local file system so local root can read and change anyway. Changing cn=config is the first thing to do for any admin, and I am not exactly a newbie yet I still stumbled on it.
By the way, if we really want people to use cn=config exclusively, I suggest removing all mention of slapd.conf from the latest documentation. Old admins appreciate cn=config more and there will be less distraction for newbies.
Derek
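The change described in the post, written out as an added example (not part of the original message): an LDIF applied with slapmodify(8) against the cn=config database, which is database number 0 for the slap* tools. The first stanza does what the post describes, replacing olcRootDN on the config database entry with the SASL EXTERNAL peercred DN of local root. The second stanza is an assumed alternative that grants the same identity manage access through olcAccess instead, leaving olcRootDN alone; either one on its own is enough. slapd must be stopped while slapmodify writes to the database.

```ldif
# Added example, not from the original post.
# Apply offline, with slapd stopped:
#
#   slapmodify -n 0 -l cn-config-local-root.ldif
#
# Afterwards the command from the post should return the config tree:
#
#   ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
#
# Stanza 1 (what the post describes): make the local root user, authenticated
# via SASL EXTERNAL over ldapi://, the rootdn of cn=config. A rootdn bypasses
# olcAccess entirely, so no olcRootPW is needed and 'to * by * none' no longer
# blocks it.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# Stanza 2 (assumed alternative, not described in the post): keep olcRootDN
# as shipped and instead grant manage rights to the same peercred identity
# through the ACL, with everything else still denied. This keeps the grant
# visible in olcAccess rather than in a rootdn that skips ACL evaluation.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
```

The peercred DN only exists for connections over the ldapi:/// Unix socket, where slapd can read the caller's uid and gid from the kernel, so neither stanza opens anything to network clients; the cn=config entries remain readable on disk by local root either way, which is the point the post makes.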