Bug#952501: slapd: README.Debian does not note that databases are created
Karl O. Pinc
kop at karlpinc.com
Tue Feb 25 05:06:38 GMT 2020
Package: slapd
Version: 2.4.47+dfsg-3+deb10u1
Severity: normal
Tags: patch
Hello,
The slapd package creates an ldap database, by default. This can be
completely opaque, depending upon how debconf is configured.
The README.Debian should describe how the Debian installation differs
from upstream. Automatically creating a database, and configuring
access, is an important difference.
Attached is a patch to the README.Debian describing the initial setup.
-- System Information:
Debian Release: 10.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages slapd depends on:
ii adduser 3.118
ii coreutils 8.30-3
ii debconf [debconf-2.0] 1.5.71
ii libc6 2.28-10
ii libdb5.3 5.3.28+dfsg1-0.5
ii libgnutls30 3.6.7-4+deb10u2
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u1
ii libltdl7 2.4.6-9
ii libodbc1 2.3.6-0.1
ii libperl5.28 5.28.1-6
ii libsasl2-2 2.1.27+dfsg-1+deb10u1
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii perl [libmime-base64-perl] 5.28.1-6
ii psmisc 23.2-1
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.27+dfsg-1+deb10u1
Versions of packages slapd suggests:
ii ldap-utils 2.4.47+dfsg-3+deb10u1
pn libsasl2-modules-gssapi-mit | libsasl2-modules-gssap <none>
-- debconf information excluded
-------------- next part --------------
--- /tmp/README.Debian 2020-02-24 21:24:25.635042167 -0600
+++ /tmp/README.Debian.new 2020-02-24 22:54:03.401642325 -0600
@@ -11,7 +11,35 @@
the OpenLDAP Admin Guide for more information, including configuration
examples for common use cases. <http://www.openldap.org/doc/admin24/>
-The OpenLDAP configuration
+The initial databases
+
+ Upon installation the Debian package uses debconf to create a
+ regular OpenLDAP database for storage of directory information, by
+ default using the MDB backend. An initial database root user and
+ password is created to administer this database. And the OpenLDAP
+ configuration database is created.
+
+ Re-create the initial databases and their configuration, as the Unix
+ root user, with:
+
+ dpkg-reconfigure slapd
+
+ The installed configuration requires the Unix root user to use the
+ options "-Y EXTERNAL -H ldapi:///", when using the OpenLDAP client
+ command line tools, to obtain root-level access to the OpenLDAP
+ configuration database. This database is rooted, as per the
+ pre-defined stock OpenLDAP DIT, at "cn=config". The configuration
+ database contains the password and access permissions of the regular
+ database's root-user, as well as access permissions to the
+ configuration database itself, should changes be required.
+
+ The root user created to administer the regular database has a dn
+ starting with "cn=admin," followed by the base dn (olcSuffix) of the
+ database. This root user's password, set when the initial database
+ is created, allows the root user to bind to the regular database
+ with password authentication and grants root-level access.
+
+Maintaining the OpenLDAP configuration
Since version 2.4.23-3 the configuration of OpenLDAP has been changed to
/etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an
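Review bot: The "Re-create the initial databases and their configuration" paragraph presents "dpkg-reconfigure slapd" without saying what becomes of a directory that already holds data. Since this README is also read by admins of populated servers, add a sentence stating whether the existing database is kept, moved aside or discarded. In the paragraph on "-Y EXTERNAL -H ldapi:///", it would help to say that this is SASL EXTERNAL over the local ldapi socket, so root-level access to "cn=config" follows from being the Unix root user rather than from a password; that explains why no bind dn or password is given and makes clear who can change the access rules. Style: "An initial database root user and password is created ... And the OpenLDAP configuration database is created." reads better as one sentence with "are created", and "dn" is conventionally written "DN".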