[Pkg-openldap-devel] RFR: Preliminary patch for cn=config support: new installs

Quanah Gibson-Mount quanah at zimbra.com
Wed Jul 16 20:37:32 UTC 2008


--On Wednesday, July 16, 2008 10:46 AM +0100 Steve Langasek 
<vorlon at debian.org> wrote:

> On Mon, Jul 14, 2008 at 11:37:37AM -0700, Quanah Gibson-Mount wrote:
>> --On Monday, July 14, 2008 7:23 PM +0100 Steve Langasek
>> <vorlon at debian.org> wrote:
>>> There's an option to make slapd autoconvert between slapd.conf and
>>> cn=config, isn't there?  ISTR Howard mentioning this at UDS.  If so, it
>>> would be helpful to see the diff between this LDIF file and the
>>> auto-generated stuff, for review.
>
>> slaptest -F <config dir> -f <config file>
>
> Ok, right.
>
>> Will do it, IIRC.  I'm guessing this LDIF file is for new installs that
>> have no existing slapd.conf?
>
> Correct.
>
>>> +# Ensure read access to the base for things like
>>> +# supportedSASLMechanisms.  Without this you may
>>> +# have problems with SASL not knowing what
>>> +# mechanisms are available and the like.
>>> +# Note that this is covered by the 'access to *'
>>> +# ACL below too but if you change that as people
>>> +# are wont to do you'll still need this if you
>>> +# want SASL (and possible other things) to work
>>> +# happily.
>>> +olcAccess: to dn.base="" by * read
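Review bot: this olcAccess value targets dn.base="" (the rootDSE) but is being added to a backend database entry; slapd serves the rootDSE from the frontend, so an ACL inside a database whose olcSuffix is not "" is never consulted for that DN and the comment's stated goal (anonymous read of supportedSASLMechanisms) is not met. Move the value to olcDatabase={-1}frontend,cn=config (or keep it here only if this database's suffix is ""). The comment also refers to "the 'access to *' ACL below", which is slapd.conf wording; in this LDIF the corresponding line is an `olcAccess: to * ...` value, so the comment should name it that way.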
>
>>> This seems to be set as an attribute on the database - is that right?
>>> dn.base="" isn't part of this database definition, surely?
>
>> The "" base always exists in every database, AKA the "RootDSE".  The
>> point of this ACL is to allow read access to the rootDSE by anything.
>> Some (broken IMHO) software reports readability on the rootDSE as a
>> security issue.
>
> I think what confuses me is that this should be an attribute of the
> database when AFAIK you can only have one rootDSE per server.

Well, it depends what your database root is.  Zimbra's is "", for example. 
But this looks more to me like a global ACL than a database ACL, which I 
think is what you're getting at.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
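The placement question discussed in the thread, as an added example that is not part of the Debian package or of OpenLDAP's own configuration: the same rootDSE ACL under a backend database entry, where it never applies unless that database's suffix is "", and under the frontend entry, which is what serves the "" entry. The suffix dc=example,dc=com, the admin DN and the hdb backend are assumed for illustration; the olcDatabase entry names and the olcFrontendConfig/olcHdbConfig object classes are the ones cn=config uses.

```ldif
# Added example, not from the Debian packaging or the OpenLDAP project.
# Suffix dc=example,dc=com, cn=admin and the hdb backend are assumed.

# Placement that does NOT grant anonymous rootDSE reads: the ACL is scoped
# to a backend whose suffix is not "", so slapd never consults it when a
# client reads the "" entry (the rootDSE lives in the frontend).
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read

# Placement that works: the frontend pseudo-database handles operations on
# the rootDSE, so its olcAccess values are the ones that decide whether an
# anonymous client may read supportedSASLMechanisms and the like.
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
```

To see where a slapd.conf ACL lands after conversion, run the command quoted in the thread, `slaptest -F <config dir> -f <config file>`, and look for the olcAccess value in the generated cn=config tree. To check the effect, an anonymous base search on the empty DN, `ldapsearch -x -H ldap://localhost/ -s base -b "" supportedSASLMechanisms`, should list the mechanisms; if it returns nothing, the ACL is not in an entry that governs the rootDSE.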


