[Pkg-openldap-devel] OpenLDAP and cn=config.

Mathias Gug mathiaz at ubuntu.com
Thu Jun 26 00:47:42 UTC 2008


Hi Matthijs,

On Fri, Jun 06, 2008 at 11:13:32AM +0200, Matthijs Mohlmann wrote:
> Mathias Gug wrote:
> > On Mon, Jun 02, 2008 at 11:45:14PM -0400, Mathias Gug wrote:
> >>> I don't like the idea of adding 'rootpw somesecret' to the slapd.conf,
> >>> maybe there is another way to set it. Quanah / Russ can you comment on
> >>> this?
> >>>
> >> AFAIR you have to set a rootpw in slapd.conf in order to get slapd to
> >> generate the configuration directory /etc/ldap/slapd.d/. Howard Chu
> >> mentioned during a discussion at the Ubuntu Developer Summit that the
> >> slapd.d directory won't be created if you don't set a username for the
> >> config database. I haven't tested that either.
> > 
> > I've played a little bit with this and was able to generate a slapd.d/
> > directory using the admin password without setting the rootpw in
> > slapd.conf. 
> > 
> > The idea is to get the value of userPassword for the rootdn in the
> > existing database before starting the upgrade (with slapcat), migrate
> > from slapd.conf to slapd.d using a random password, and update the value
> > of the olcRootPW attribute in the file
> > /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif with the value of
> > userPassword.
> > 
> > That way the administrator should be able to modify the cn=config tree
> > with the same password he entered when slapd was installed. Of course
> > applying this logic shouldn't be done for every install. There are other
> > issues to consider such as which database should be used to get the root
> > password and how to get the rootdn for the database.
> > 
> > Another option would be to ask the administrator to enter a new password
> > for the cn=config tree.
> > 
> 
> I was thinking of that last option too, getting the rootdn for a
> database can be pretty hard. As it is not always in the slapd.conf.
> 

AFAICS the only way to set a rootdn is by using the rootdn option in
slapd.conf. What are the other ways to specify a rootdn? Is there a
special attribute internal to openldap to flag an entry as being a
rootdn?

> See the flow diagram for the procedure, anyone to comment on it?

What about asking for the cn=config password only if a rootdn hasn't
been found or if multiple rootdns have been found?

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
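The migration sketched in the quoted message (take the rootdn's userPassword from a slapcat dump, convert slapd.conf to slapd.d with a random rootpw, then replace olcRootPW in olcDatabase={0}config.ldif), together with the fallback proposed at the end of this mail (prompt for a cn=config password unless exactly one rootdn is found), as an added shell example that is not part of this thread or of the Debian/Ubuntu slapd packaging. It works on constructed text standing in for slapd.conf, the slapcat output and the generated config LDIF, so it runs offline; the function names and the sample values are assumptions. The hash is copied in the same ":" or "::" form slapcat wrote it, so it is never decoded or exposed in clear, and the exactly-one-rootdn check is what keeps the script from guessing which database's password to reuse.

```shell
#!/bin/sh
# Added example (not the slapd package's code): reuse the rootdn's stored
# userPassword as olcRootPW when migrating slapd.conf -> slapd.d.
# All inputs below are constructed; in a real run they would come from
# slapd.conf, "slapcat -n <db>" and the olcDatabase={0}config.ldif that
# slaptest wrote with a random rootpw.

# Print every rootdn value declared in the slapd.conf text $1, unquoted, one per line.
find_rootdn() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        $1 == "rootdn" {
            v = $0
            sub(/^[ \t]*rootdn[ \t]+/, "", v)  # drop the keyword
            gsub(/^"|"$/, "", v)               # drop surrounding quotes
            print v
        }'
}

# Unfold LDIF continuation lines: a line starting with a space belongs to the previous line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Print the userPassword line ("::" base64 form or ":" form, exactly as slapcat
# wrote it) of the entry in LDIF text $1 whose dn is $2. Exit 1 if not found.
# The dn goes through ENVIRON because "awk -v" would interpret backslashes.
extract_userpassword() {
    printf '%s\n' "$1" | ldif_unfold | DN="$2" awk '
        BEGIN { dn = ENVIRON["DN"] }
        $0 == "dn: " dn { in_entry = 1; next }
        /^$/ { in_entry = 0 }
        in_entry && /^userPassword::? / { print; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Print config LDIF $1 with its olcRootPW line replaced by userPassword line $2,
# renaming the attribute and keeping the ":" / "::" separator (no decoding).
# Assumes the text holds the single {0}config entry; if no olcRootPW line
# exists the new one is appended.
rewrite_olcrootpw() {
    newline=$(printf '%s\n' "$2" | sed 's/^userPassword:/olcRootPW:/')
    printf '%s\n' "$1" | REPL="$newline" awk '
        BEGIN { repl = ENVIRON["REPL"] }
        /^olcRootPW::? / { print repl; done = 1; next }
        { print }
        END { if (!done) print repl }'
}

# Reuse the stored hash only when exactly one rootdn is declared and its entry
# has a userPassword; otherwise return 1 so the caller prompts the
# administrator for a fresh cn=config password instead.
migrate_config_password() {
    conf=$1; dump=$2; config_ldif=$3
    rootdns=$(find_rootdn "$conf")
    count=$(printf '%s\n' "$rootdns" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    pwline=$(extract_userpassword "$dump" "$rootdns") || return 1
    rewrite_olcrootpw "$config_ldif" "$pwline"
}

# --- constructed sample inputs (not taken from any real system) ---
SAMPLE_SLAPD_CONF='include /etc/ldap/schema/core.schema
# one backend, one rootdn, and deliberately no rootpw line
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap'

# slapcat-style dump; the value is the base64 of "{SSHA}constructed" and is
# folded across two lines as LDIF allows.
SAMPLE_SLAPCAT='dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9Y29u
 c3RydWN0ZWQ='

# What slaptest would leave in olcDatabase={0}config.ldif after a random rootpw.
SAMPLE_CONFIG_LDIF='dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: random-migration-secret'

# Two databases, two rootdns: the procedure must refuse and fall back to prompting.
SAMPLE_TWO_ROOTDN_CONF='database bdb
rootdn "cn=admin,dc=example,dc=com"
database bdb
rootdn "cn=admin,dc=other,dc=org"'

# Stand-alone demonstration.
migrate_config_password "$SAMPLE_SLAPD_CONF" "$SAMPLE_SLAPCAT" "$SAMPLE_CONFIG_LDIF" \
    || echo "no single rootdn with a stored password: ask for a cn=config password"
```

Feeding the functions real data means replacing the sample strings with `"$(cat /etc/ldap/slapd.conf)"`, `"$(slapcat -n 1)"` and the generated `olcDatabase={0}config.ldif`; the structure (count rootdns, extract, rewrite) stays the same. Entries whose dn is itself base64-encoded (`dn::`) are not matched by this version.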