Hi list,
I've been using openldap for a few years, but yesterday I compiled slapd from git head for the first time. To my surprise, this:
root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
does not work. It took me a while to find out that by default the cn=config database has 'olcAccess: {0}to * by * none' and 'olcRootDN: cn=config' with no olcRootPW, so all access from ldap is denied. Once I knew, I used slapmodify to change olcRootDN to 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' and everything worked as expected afterward.
My argument is: why isn't it the default? I think Debian packages already did that. cn=config is stored as plain text on the local file system, so local root can read and change it anyway. Changing cn=config is the first thing to do for any admin, and I am not exactly a newbie, yet I still stumbled on it.
By the way, if we really want people to use cn=config exclusively, I suggest removing all mention of slapd.conf from the latest documentation. Old admins appreciate cn=config more, and there will be less distraction for newbies.
Derek
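For readers who hit the same wall, here is the change Derek describes written out as an LDIF for slapmodify. This is an added example, not something posted in the thread: it assumes the stock cn=config layout (the config database is olcDatabase={0}config), that slapd is stopped while slapmodify runs, and that slapd will be started with an ldapi:// listener.

```ldif
# Added example (not from the thread). Point the config database's rootdn at
# the SASL/EXTERNAL identity that slapd derives from the ldapi:// peer
# credentials of a process running as uid 0 / gid 0. The rootdn bypasses
# olcAccess, so the default 'to * by * none' rule can stay as it is; no
# olcRootPW is needed because the bind is authenticated by the socket
# credentials, not by a password.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
```

Apply it offline with `slapmodify -n 0 -l config-rootdn.ldif` (slapmodify should not run against a live slapd), then start slapd with an ldapi listener, for example `slapd -h "ldap:/// ldapi:///"`, and the search from the post, `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config`, should return the configuration when run as root. Two points worth checking before relying on this: it only grants access to local uid 0 over the UNIX socket, so remote administration still needs one of the other bind methods Quanah lists below, and if slapd is not listening on ldapi:// the new rootdn is unreachable and you are back to the original lockout. If you would rather leave olcRootDN untouched, the same effect can be had with an ACL entry instead, `olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break`, which is the pattern the Debian packaging uses.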
--On Friday, November 16, 2018 10:11 AM +0800 Derek Zhou derek@shannon-data.com wrote:
> My argument is: why isn't it the default?
A couple of immediate answers come to mind, there are probably more:
a) OpenLDAP is used on numerous operating systems. Not all of those operating systems support UNIX sockets.
b) Not everyone configures slapd for use with ldapi
> By the way, if we really want people to use cn=config exclusively, I suggest removing all mention of slapd.conf from the latest documentation. Old admins appreciate cn=config more, and there will be less distraction for newbies.
Once cn=config is the only way to configure OpenLDAP, such documentation will be removed. However, that won't be occurring in OpenLDAP 2.5, which is the next major release, so it is valid for this documentation to remain in OpenLDAP master for the time being.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On November 17, 2018 7:37:40 AM GMT+08:00, Quanah Gibson-Mount quanah@symas.com wrote:
> --On Friday, November 16, 2018 10:11 AM +0800 Derek Zhou derek@shannon-data.com wrote:
>> My argument is: why isn't it the default?
> A couple of immediate answers come to mind, there are probably more:
> a) OpenLDAP is used on numerous operating systems. Not all of those operating systems support UNIX sockets.
> b) Not everyone configures slapd for use with ldapi
I see. But is it the most recommended way to review and edit cn=config on a unix-like platform? If so, that should earn itself a spot on the quick start guide. If not, and simple auth is the way, that should be mentioned instead. Being able to edit the config on a live system is a great feature; it is a shame that people who only read the quick start guide don't know about it.
> Once cn=config is the only way to configure OpenLDAP, such documentation will be removed. However, that won't be occurring in OpenLDAP 2.5, which is the next major release, so it is valid for this documentation to remain in OpenLDAP master for the time being.
You guys are really stingy on version numbers. Just an observation.
derek
--On Saturday, November 17, 2018 8:40 AM +0800 Derek Zhou derek@shannon-data.com wrote:
> On November 17, 2018 7:37:40 AM GMT+08:00, Quanah Gibson-Mount quanah@symas.com wrote:
>> --On Friday, November 16, 2018 10:11 AM +0800 Derek Zhou derek@shannon-data.com wrote:
>>> My argument is: why isn't it the default?
>> A couple of immediate answers come to mind, there are probably more:
>> a) OpenLDAP is used on numerous operating systems. Not all of those operating systems support UNIX sockets.
>> b) Not everyone configures slapd for use with ldapi
> I see. But is it the most recommended way to review and edit cn=config on a unix-like platform? If so, that should earn itself a spot on the quick start guide. If not, and simple auth is the way, that should be mentioned instead. Being able to edit the config on a live system is a great feature; it is a shame that people who only read the quick start guide don't know about it.
There are any number of ways to authenticate to cn=config. There is no "recommended" or "best" way to do it. The "recommended" way to do it is what works best for the end admin's requirements. That could be a simple bind, it could be SASL/EXTERNAL, it could be via SASL/GSSAPI, it could be via certificate authentication, etc. I've encountered any number of ways that end sites configure access based on the requirements of their organization.
>> Once cn=config is the only way to configure OpenLDAP, such documentation will be removed. However, that won't be occurring in OpenLDAP 2.5, which is the next major release, so it is valid for this documentation to remain in OpenLDAP master for the time being.
> You guys are really stingy on version numbers. Just an observation.
Because the project follows long established software versioning practices?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com