Hi, sorry that it took me a while to reply.
So I do have the config backend, since Debian moved me over automatically. So far the slapcat method has been working very nicely for me.
Another question I ran into is how you edit cn=config; by default I have not been able to figure it out. I have so far seen two methods that work for me, but they both feel a bit 'hacky', so I was wondering if there is another 'official' method.
The two things I have done:
1. edit the files in slapd.d (after stopping the openldap server to be on the safe side).
2. using ldapmodify, but this was only possible after I added an olcRootPW attribute to the olcDatabase object of the config backend by editing the file as described here: http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_back...
This is not necessary, see below.
It confused me at first since the configdb entry has the following acl:
    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by break
I didn't understand how I could get access, it looked like I had to be root but even as root ldapmodify would refuse duty.
You need to start slapd with -h ldapi:/// and bind on that URI using SASL EXTERNAL from the machine where slapd is running, while logged into a shell as root. That ACL is giving access to the user whose DN results from this bind.
I guess after seeing these mails I should have been using something like -Y EXTERNAL?
Exactly. Something like
    login: root
    password: *****
    # slapd -h ldapi:///
    # ldapmodify -H ldapi:/// -Y EXTERNAL
p.
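
Added example, not part of the original mails and not OpenLDAP code: a simplified Python model of how the `by` clauses of the rule quoted above are matched against the DN produced by a SASL EXTERNAL bind over ldapi:///, showing why only a root shell matches. The trailing `by * break`, the uid/gid 1000 and the `cn=admin,dc=example,dc=com` DN are assumptions constructed for the example.

```python
import re

# Constructed sample rule in the shape of the one quoted in the thread;
# the trailing "by * break" is an assumption of this example.
ACL = ("{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,"
       "cn=external,cn=auth manage by * break")

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "continue", "break")


def peercred_dn(uid, gid):
    """DN slapd derives from the Unix socket peer on a -Y EXTERNAL bind."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def parse_by_clauses(acl):
    """Split one olcAccess value into (who, level, control) tuples."""
    body = re.sub(r"^\{\d+\}", "", acl).strip()
    _, _, rest = body.partition(" by ")          # drop the "to <what>" part
    clauses = []
    for chunk in rest.split(" by "):
        who, *extra = chunk.split()
        level = next((w for w in extra if w in LEVELS), None)   # None: no level given
        control = next((w for w in extra if w in CONTROLS), "stop")
        clauses.append((who, level, control))
    return clauses


def evaluate(acl, bind_dn):
    """First matching clause wins. Only dn.exact=<dn> and * are modelled."""
    for who, level, control in parse_by_clauses(acl):
        if who == "*":
            return level, control
        if who.startswith("dn.exact=") and who[len("dn.exact="):].lower() == bind_dn.lower():
            return level, control
    return None, "stop"                          # nothing matched: no access


def grants_manage(acl, bind_dn):
    return evaluate(acl, bind_dn)[0] == "manage"


if __name__ == "__main__":
    for label, dn in [("root via ldapi + EXTERNAL", peercred_dn(0, 0)),
                      ("uid 1000 via ldapi + EXTERNAL", peercred_dn(1000, 1000)),
                      ("simple bind as an admin DN", "cn=admin,dc=example,dc=com"),
                      ("anonymous", "")]:
        print(f"{label:32} -> {evaluate(ACL, dn)}")
```

A bind that falls through to `break` gets nothing from this rule itself, which matches the refusal seen when ldapmodify is run as root without `-H ldapi:/// -Y EXTERNAL`.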