[Pkg-openldap-devel] OpenLDAP and cn=config.

Matthijs Mohlmann matthijs at cacholong.nl
Fri Jun 6 09:13:32 UTC 2008


Mathias Gug wrote:
> On Mon, Jun 02, 2008 at 11:45:14PM -0400, Mathias Gug wrote:
>>> I don't like the idea of adding 'rootpw somesecret' to the slapd.conf,
>>> maybe there is another way to set it. Quanah / Russ can you comment on
>>> this ?
>>>
>> AFAIR you have to set a rootpw in slapd.conf in order to get slapd to
>> generate the configuration directory /etc/ldap/slapd.d/. Howard Chu
>> mentioned during a discussion at the Ubuntu Developer Summit that the
>> slapd.d directory won't be created if you don't set a username for the
>> config database. I haven't tested that either.
> 
> I've played a little bit with this and was able to generate a slapd.d/
> directory using the admin password without setting the rootpw in
> slapd.conf. 
> 
> The idea is to get the value of userPassword for the rootdn in the
> existing database before starting the upgrade (with slapcat), migrate
> from slapd.conf to slapd.d using a random password, and update the value
> of the olcRootPW attribute in the file
> /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif with the value of
> userPassword.
> 
> That way the administrator should be able to modify the cn=config tree
> with the same password he entered when slapd was installed. Of course
> applying this logic shouldn't be done for every install. There are other
> issues to consider such as which database should be used to get the root
> password and how to get the rootdn for the database.
> 
> Another option would be to ask the administrator to enter a new password
> for the cn=config tree.
> 

I was thinking of that last option too; getting the rootdn for a
database can be pretty hard, as it is not always in the slapd.conf.

See the flow diagram for the procedure, anyone to comment on it?

Regards,

Matthijs Mohlmann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SlapdUpgradeProcedure.dia
Type: application/x-dia-diagram
Size: 2397 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20080606/6d317997/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SlapdUpgradeProcedure.png
Type: image/png
Size: 33111 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20080606/6d317997/attachment-0001.png 
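The three steps Mathias describes in the quoted part (slapcat the rootdn's userPassword, convert slapd.conf to slapd.d with a throwaway rootpw on the config database, then put the real hash into olcDatabase={0}config.ldif) as POSIX sh functions. This is an added example, not code from the thread, the Debian slapd package or OpenLDAP. The LDIF helpers run on their own; the wrapper at the end assumes the paths /etc/ldap/slapd.conf and /etc/ldap/slapd.d, that slapd.conf has no `database config` section of its own, and that the caller already knows the suffix and rootdn of the data database (the open question in the thread).

```shell
#!/bin/sh
# Added example, not from the thread or the slapd package. Assumed paths:
# /etc/ldap/slapd.conf, /etc/ldap/slapd.d. Requires OpenLDAP's slapcat and
# slaptest only in migrate_to_slapd_d; the LDIF helpers need awk and base64.

# Join LDIF continuation lines (a leading space means "append to the
# previous line") so every attribute sits on one physical line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }'
}

# Print the value of attribute $2 of the entry with DN $1, reading LDIF
# from stdin. Handles "attr: plain" and "attr:: base64" (slapcat emits
# userPassword base64-encoded, and DNs may be base64 too). Exit status 1
# when the entry or attribute is not found.
ldif_get_value() {
    ldif_unfold | (
        cur=
        while IFS= read -r line; do
            case "$line" in
                "dn:: "*)  cur=$(printf '%s' "${line#*:: }" | base64 -d) ;;
                "dn: "*)   cur=${line#*: } ;;
                "$2:: "*)  [ "$cur" = "$1" ] || continue
                           printf '%s' "${line#*:: }" | base64 -d; echo; exit 0 ;;
                "$2: "*)   [ "$cur" = "$1" ] || continue
                           printf '%s\n' "${line#*: }"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# Replace olcRootPW in the cn=config LDIF file $1 with value $2. The value
# is written base64-encoded ("olcRootPW::"), which is valid LDIF for any
# byte sequence; a folded old value is dropped entirely. The result is
# written back through cat so the file keeps its owner and 0600 mode.
set_olc_rootpw() {
    file=$1
    enc=$(printf '%s' "$2" | base64 | tr -d '\n')
    awk -v enc="$enc" '
        /^olcRootPW:/ { print "olcRootPW:: " enc; seen = 1; skip = 1; next }
        skip && /^ /  { next }
                      { skip = 0; print }
        END           { if (!seen) print "olcRootPW:: " enc }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# The whole procedure: suffix $1 and rootdn $2 of the data database are
# assumed to be known (e.g. dc=example,dc=com cn=admin,dc=example,dc=com).
# Needs root and the slapd tools; not exercised by the checks below.
migrate_to_slapd_d() {
    suffix=$1; rootdn=$2
    conf=/etc/ldap/slapd.conf
    confdir=/etc/ldap/slapd.d
    # 1. the admin's existing password hash, straight from the database
    hash=$(slapcat -f "$conf" -b "$suffix" -s "$rootdn" \
           | ldif_get_value "$rootdn" userPassword) || return 1
    # 2. convert with a throwaway rootpw on the config database; mktemp
    #    creates the copy 0600 so the temporary secret is not world-readable
    tmpconf=$(mktemp) || return 1
    tmp_pw=$(head -c 24 /dev/urandom | base64 | tr -d '\n/+=')
    { cat "$conf"; printf '\ndatabase config\nrootpw %s\n' "$tmp_pw"; } > "$tmpconf"
    mkdir -p "$confdir"
    slaptest -f "$tmpconf" -F "$confdir"; rc=$?
    rm -f "$tmpconf"
    [ "$rc" -eq 0 ] || return 1
    # 3. swap the real hash in, so cn=config answers to the install password
    set_olc_rootpw "$confdir/cn=config/olcDatabase={0}config.ldif" "$hash"
}
```

One caveat a practitioner should keep in mind: newer slapd releases write a `# CRC32` comment header into the files under slapd.d and log a checksum warning when a hand-edited file no longer matches it; this script does not update that header. The random rootpw exists only so that the converted config database has an olcRootPW attribute to overwrite; it is never meant to be kept.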