hi everybody, this must be one of the most ancient questions - but browsing (centos') local docs reveals nothing. I'd imagine passwords are the first & most important thing everybody does to make sure slapd is secured, something like "mysql_secure_installation"
I'm trying to do something I'd think is simple and should just work, but, I'm wrong, so I do:
slapadd -v -n0 <<EOL
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW:: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOL
and I get in return: slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=1): autocreation of "olcDatabase={-1}frontend" failed
So that question - how does one secure an ldap installation? But I'd insist on not referring to something like "slaptest and convert old school to ..." or .. editing config file(s). What I think is - I have a clean installation which is configured in probably the best possible way, but what is missing is: olcRootDN, olcRootPW. How to use slapadd for it? Is slapadd not the right tool for this?
many thanks, L.
On 01/23/2017 11:59 AM, lejeczek wrote:
hi everybody, this must be one of the most ancient questions - but browsing (centos') local docs reveals nothing. I'd imagine passwords are the first & most important thing everybody does to make sure slapd is secured, something like "mysql_secure_installation"
I'm trying to do something I'd think is simple and should just work, but, I'm wrong, so I do:
slapadd -v -n0 <<EOL
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW:: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOL
and I get in return: slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=1): autocreation of "olcDatabase={-1}frontend" failed
So that question - how does one secure an ldap installation? But I'd insist on not referring to something like "slaptest and convert old school to ..." or .. editing config file(s). What I think is - I have a clean installation which is configured in probably the best possible way, but what is missing is: olcRootDN, olcRootPW. How to use slapadd for it? Is slapadd not the right tool for this?
many thanks, L.
review the package scripts for the rpm:
rpm -q --scripts openldap-servers
there is a post-install section that builds a default database for you. it is based on the info in /usr/share/openldap-servers/slapd.ldif (at least on fedora 24). when you install the package, you should be able to adjust the settings in cn=config and move on.
as root you will have access via the ldapi:// interface because of the default ACL allowing anyone with UID and GID of 0 to access the instance via the socket interface.
On Monday, 23 January 2017 17:59 CET, lejeczek <peljasz@yahoo.co.uk> wrote:
hi everybody, this must be one of the most ancient questions - but browsing (centos') local docs reveals nothing. I'd imagine passwords are the first & most important thing everybody does to make sure slapd is secured, something like "mysql_secure_installation"
No, why? There's a multitude of ways to restrict access to the server, password based access is just one of them.
I'm trying to do something I'd think is simple and should just work, but, I'm wrong, so I do:
slapadd -v -n0 <<EOL
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
What does this have to do with setting up passwords? This looks like you are trying to bootstrap a server installation ex nihilo. You'd need quite a bit more than "browsing (centos') local docs" to do this.
olcRootDN: cn=admin,cn=config
olcRootPW:: exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOL
and I get in return: slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=1): autocreation of "olcDatabase={-1}frontend" failed
That error is pretty clear, isn't it? You seem to have forgotten to add a frontend database. Do yourself a favour and have a look at the distribution's bootstrap ldif.
So that question - how does one secure an ldap installation?
This has nothing whatsoever to do with "secure ldap installation"
But I'd insist on not referring to something like "slaptest and convert old school to ..." or .. editing config file(s)
This is borderline rude ....
What I think is - I have a clean installation which is configured in probably the best possible way, but what is missing is:
Looking at your error output it really does not at all look like you have a "clean installation". It looks more like a steaming pile of trial-and-error installation leftovers. On a clean installation you'd just need to set the olcRootPW attribute of the olcDatabase={0}config,cn=config entry (iff you really insist on using password based access and not the way more flexible ACL based security).
HTH Ralf Mattes
olcRootDN, olcRootPW. How to use slapadd for it? Is slapadd not the right tool for this?
many thanks, L.
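An added example (not code from this thread) of the clean-install route both replies point at: instead of bootstrapping cn=config with slapadd, set olcRootDN/olcRootPW on the already existing olcDatabase={0}config,cn=config entry over the ldapi:/// socket as root, which the default ACL permits via SASL EXTERNAL. It assumes slapd is running with the distribution's default cn=config and an ldapi:/// listener; the function names are mine.

```bash
#!/bin/sh
# Added example: set the root DN and a hashed root password on the
# cn=config database of a freshly installed slapd. Assumes slapd is
# running and listening on ldapi:/// with the stock "uid 0 may access
# via the socket" ACL. Function names are hypothetical, not OpenLDAP's.

# Emit a modify LDIF for olcDatabase={0}config,cn=config.
# $1 = root DN, $2 = password hash as produced by slappasswd.
# Refuses a cleartext value: olcRootPW is stored verbatim in cn=config,
# so anything not in {SCHEME}hash form would sit there unhashed.
build_config_rootpw_ldif() {
  case $2 in
    '{'*'}'*) ;;
    *) echo 'refusing to set a cleartext olcRootPW' >&2; return 1 ;;
  esac
  printf '%s\n' \
    'dn: olcDatabase={0}config,cn=config' \
    'changetype: modify' \
    'replace: olcRootDN' \
    "olcRootDN: $1" \
    '-' \
    'replace: olcRootPW' \
    "olcRootPW: $2" \
    '-'
}

# Hash the password read from a file (keeps it out of the process list)
# and apply the change as root through the local socket.
# $1 = root DN, $2 = file containing the cleartext password.
set_config_rootpw() {
  hash=$(slappasswd -h '{SSHA}' -T "$2") || return 1
  build_config_rootpw_ldif "$1" "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Check afterwards that the new root DN can actually bind to cn=config.
# $1 = root DN, $2 = file containing the cleartext password.
check_config_rootpw() {
  ldapsearch -x -H ldapi:/// -D "$1" -y "$2" -b cn=config -s base dn >/dev/null
}
```

Run as root with something like `set_config_rootpw cn=admin,cn=config /root/pw && check_config_rootpw cn=admin,cn=config /root/pw`; the SASL EXTERNAL access over ldapi:/// still works afterwards, so the password is an addition to, not a replacement for, the socket ACL.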
openldap-technical@openldap.org