[Pkg-openldap-devel] RFR: Preliminary patch for cn=config support: new installs
Steve Langasek
vorlon at debian.org
Wed Jul 16 09:46:37 UTC 2008
On Mon, Jul 14, 2008 at 11:37:37AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, July 14, 2008 7:23 PM +0100 Steve Langasek
> <vorlon at debian.org> wrote:
>> There's an option to make slapd autoconvert between slapd.conf and
>> cn=config, isn't there? ISTR Howard mentioning this at UDS. If so, it
>> would be helpful to see the diff between this LDIF file and the
>> auto-generated stuff, for review.
> slaptest -F <config dir> -f <config file>
Ok, right.
> Will do it, IIRC. I'm guessing this LDIF file is for new installs that
> have no existing slapd.conf?
Correct.
>> +# Ensure read access to the base for things like
>> +# supportedSASLMechanisms. Without this you may
>> +# have problems with SASL not knowing what
>> +# mechanisms are available and the like.
>> +# Note that this is covered by the 'access to *'
>> +# ACL below too but if you change that as people
>> +# are wont to do you'll still need this if you
>> +# want SASL (and possible other things) to work
>> +# happily.
>> +olcAccess: to dn.base="" by * read
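Review bot: the comment says this rule "is covered by the 'access to *' ACL below too", but no such olcAccess value appears in this hunk, and "below" is slapd.conf wording; in cn=config the relative order of olcAccess values is what decides which rule applies, so either give this value an explicit index ahead of the catch-all rule (e.g. `olcAccess: {0}to dn.base="" by * read`) or reword the comment so it does not rely on file position. Also, since the rootDSE is server-wide rather than per-database (the point raised in the reply), check whether this value belongs on the frontend database entry instead of a specific suffix database.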
>> This seems to be set as an attribute on the database - is that right?
>> dn.base="" isn't part of this database definition, surely?
> The "" base always exists in every database, AKA the "RootDSE". The
> point of this ACL is to allow read access to the rootDSE by anything.
> Some (broken IMHO) software reports readability on the rootDSE as a
> security issue.
I think what confuses me is that this should be an attribute of the database
when AFAIK you can only have one rootDSE per server.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                   vorlon at debian.org