Bug#952501: slapd: README.Debian does not note that databases are created
Ryan Tandy
ryan at nardis.ca
Tue Feb 25 19:07:57 GMT 2020
Hello Karl,
Thank you for your feedback, and for providing a patch.
I made a few adjustments to your text, and noted a couple of other
things that tend to surprise new users.
I wonder if you have any feedback on this version (below).
Thank you,
Ryan
--
diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
index a5e307f24..3afd57ca9 100644
--- a/debian/slapd.README.Debian
+++ b/debian/slapd.README.Debian
@@ -11,7 +11,39 @@ Notes about Debian's slapd package
the OpenLDAP Admin Guide for more information, including configuration
examples for common use cases. <http://www.openldap.org/doc/admin24/>
-The OpenLDAP configuration
+Initial slapd configuration
+
+ Upon installation, the slapd package initializes the configuration
+ database (cn=config) and creates an initial database with its suffix
+ derived from the DNS domain configured in debconf (e.g.
+ dc=example,dc=com). An administrative identity (cn=admin,<suffix>) is
+ created to manage this database, using the password configured in
+ debconf, or a randomly generated password if none was set.
+
+ If desired, the configuration and database can be re-configured by
+ running, as root:
+
+ dpkg-reconfigure slapd
+
+ Note that this command will completely reset the configuration and
+ data (saving a backup in /var/backups), restoring slapd to the default
+ initial state.
+
+ The permissions for the configuration database (cn=config) and
+ directory database (dc=<domain>,dc=<tld>) are different. Upon
+ installation, the Unix root user is granted access to manage the slapd
+ configuration (cn=config database) and the directory administrator
+ (cn=admin,<suffix>) is granted access to manage the directory
+ (dc=<domain>,dc=<tld> database). This is a Debian-specific default.
+
+ The directory administrator's password is stored in two places: in the
+ olcRootPW attribute of the database configuration
+ (olcDatabase={1}mdb,cn=config) and in the userPassword attribute of
+ the administrator identity itself (cn=admin,<suffix>). If the password
+ needs to be changed, both of those should be updated, using
+ ldapmodify(1) and ldappasswd(1) respectively.
+
+Maintaining the slapd configuration
Since version 2.4.23-3 the configuration of OpenLDAP has been changed to
/etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an
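
Review bot: In the added paragraph on the directory administrator's password, the text says both olcRootPW and userPassword "should be updated" but does not say what happens when only one of them is changed, so a reader who changes one may assume the old password has stopped working. Suggest stating that consequence explicitly. The same paragraph could note that the olcRootPW change has to be made as the Unix root user, since the preceding paragraph says root is the identity granted access to cn=config. Separately, the first paragraph's "a randomly generated password if none was set" gives no hint of how the administrator arrives at a known password in that case; a pointer to the password-change procedure, or to dpkg-reconfigure with its reset caveat, would close that gap.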