[Pkg-openldap-devel] RFR: Preliminary patch for cn=config support: new installs

Quanah Gibson-Mount quanah at zimbra.com
Mon Jul 14 18:37:37 UTC 2008


--On Monday, July 14, 2008 7:23 PM +0100 Steve Langasek <vorlon at debian.org> 
wrote:
> === added file 'debian/slapd.init.ldif'
> --- debian/slapd.init.ldif	1970-01-01 00:00:00 +0000
> +++ debian/slapd.init.ldif	2008-07-11 19:06:51 +0000
>
> Why this particular file name?  I don't understand the significance of
> "slapd.init.ldif".
>
> There's an option to make slapd autoconvert between slapd.conf and
> cn=config, isn't there?  ISTR Howard mentioning this at UDS.  If so, it
> would be helpful to see the diff between this LDIF file and the
> auto-generated stuff, for review.


slaptest -F <config dir> -f <config file>

Will do it, IIRC.  I'm guessing this LDIF file is for new installs that 
have no existing slapd.conf?


> +# Ensure read access to the base for things like
> +# supportedSASLMechanisms.  Without this you may
> +# have problems with SASL not knowing what
> +# mechanisms are available and the like.
> +# Note that this is covered by the 'access to *'
> +# ACL below too but if you change that as people
> +# are wont to do you'll still need this if you
> +# want SASL (and possible other things) to work
> +# happily.
> +olcAccess: to dn.base="" by * read
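Review bot: the comment in this hunk still describes the catch-all in slapd.conf terms ("the 'access to *' ACL below"), while the value being added is an olcAccess attribute in cn=config LDIF; reword it to refer to the later olcAccess value and say explicitly that this rule must keep a lower {n} index than the catch-all. olcAccess is an ordered attribute and slapd applies only the first "to" clause that matches the target, so the dn.base="" rule keeps the rootDSE readable only while it precedes a tightened "to *" rule; a note to that effect is what an admin who edits the catch-all actually needs. Minor: "possible other things" should read "possibly other things".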
>
> This seems to be set as an attribute on the database - is that right?
> dn.base="" isn't part of this database definition, surely?

The "" base always exists in every database, AKA the "RootDSE".  The point 
of this ACL is to allow read access to the rootDSE by anything.  Some 
(broken IMHO) software reports readability on the rootDSE as a security 
issue.

Also, directories with multiple suffixes may "glue" their database at the 
"" level (Zimbra does, for example).

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
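One way to check the ordering point behind this ACL, as an added example that is not part of the original thread, the Debian package or OpenLDAP: a small Python checker that parses the olcAccess values of a cn=config database entry, orders them by their {n} prefix the way slapd does, and asks whether an anonymous client could still read the rootDSE. The LDIF entries it works on are constructed samples, and the evaluator is deliberately simplified: it recognises only "*", dn.base="" and dn.exact="" as covering the empty DN, and the plain access levels rather than the +/- privilege forms. Which entry's olcAccess actually governs the rootDSE is the question the thread is debating; the checker is applied to whichever entry you hand it.

```python
"""Check whether an olcDatabase entry's olcAccess rules leave the rootDSE readable.

Added example for this thread; not code from the Debian package or OpenLDAP.
The ACL evaluator is a simplification of slapd.access(5), not a reimplementation.
"""
import re
import shlex

# slapd access levels from weakest to strongest; "write" and above imply read.
# Simplification: the "+x"/"-x" privilege forms are not handled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample: an olcDatabase entry as slapcat -n0 might emit it, with a
# folded value (continuation line starts with one space) and ordered olcAccess.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exampl
 e,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
"""

# Constructed sample: the catch-all was tightened to "by users read" and the
# rootDSE rule now carries a higher {n} index even though it appears first in
# the file.  slapd evaluates by index, so the catch-all wins.
TIGHTENED_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {1}to dn.base="" by * read
olcAccess: {0}to * by users read
"""

ORDER_RE = re.compile(r"^\{(\d+)\}")


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}).

    Handles '#' comments, blank-line entry separators and folded lines.
    Base64 ('::') values are left undecoded; cn=config ACLs do not need them.
    """
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.startswith("#"):
            continue
        elif raw.strip() == "":
            if lines:
                entries.append(_entry_from_lines(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_entry_from_lines(lines))
    return entries


def _entry_from_lines(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        value = value.lstrip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def database_entry(ldif_text, dn):
    """Return the attribute dict of the entry with exactly this DN."""
    for entry_dn, attrs in parse_ldif(ldif_text):
        if entry_dn == dn:
            return attrs
    raise KeyError(dn)


def olc_access_rules(attrs):
    """olcAccess values in slapd's evaluation order, {n} prefixes stripped.

    olcAccess is an X-ORDERED attribute: slapd evaluates by the {n} index, not
    by position in the file.  Values without a prefix keep their file order.
    """
    indexed = []
    for pos, value in enumerate(attrs.get("olcAccess", [])):
        m = ORDER_RE.match(value)
        indexed.append((int(m.group(1)) if m else pos, value[m.end():] if m else value))
    return [rule for _, rule in sorted(indexed)]


def parse_rule(rule):
    """Split 'to <what> by <who> <access> [by ...]' into (what, [(who, access)])."""
    parts = re.split(r"\s+by\s+", rule.strip())
    if not parts[0].startswith("to "):
        raise ValueError("olcAccess value must start with 'to': %r" % rule)
    what = parts[0][3:].strip()
    clauses = []
    for clause in parts[1:]:
        tokens = shlex.split(clause)            # drops the quotes around dn="..."
        access = next((t for t in tokens[1:] if t in LEVELS), "none")
        clauses.append((tokens[0], access))
    return what, clauses


def targets_rootdse(what):
    """True if a 'to' clause covers the empty DN (simplified: no regex styles)."""
    return what.strip() in ("*", 'dn.base=""', 'dn.exact=""')


def anonymous_can_read_rootdse(rules):
    """Evaluate like slapd: first matching 'to', then first applicable 'by'.

    Returns True only if that clause grants read or better; slapd's default
    when nothing matches is no access.
    """
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not targets_rootdse(what):
            continue
        for who, access in clauses:
            if who in ("*", "anonymous"):
                return LEVELS.index(access) >= LEVELS.index("read")
        return False                            # matched 'to', no clause for anonymous
    return False


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_LDIF), ("tightened", TIGHTENED_LDIF)):
        rules = olc_access_rules(database_entry(text, "olcDatabase={1}hdb,cn=config"))
        print(label, "anonymous can read rootDSE:", anonymous_can_read_rootdse(rules))
```

Run against a real dump with slapcat -n0 piped into a file and database_entry() pointed at the olcDatabase entry under discussion; the tightened sample shows the failure mode the patch comment warns about, where the rule is present but no longer first.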
