[Date Prev][Date Next] [Chronological] [Thread] [Top]

cn=config default access control

To: openldap-technical@openldap.org
Subject: cn=config default access control
From: Derek Zhou <derek@shannon-data.com>
Date: Fri, 16 Nov 2018 10:11:30 +0800
Content-disposition: inline
User-agent: NeoMutt/20170113 (1.7.2)

Hi list,

I've been using openldap for a few years but yesterday I compiled slapd from git head
for the first time. To my supprise that:

    root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config

does not work. It took me a while to find out that by default the cn=config database
has 'olcAccess: {0}to *  by * none' and 'olcRootDN: cn=config' with no olcRootPW, so
all access from ldap is denied. Once I know I used slapmodify to change olcRootDN to
'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' and everything works as
expected afterward.

My argument is why isn't it the default? I think debian packages already did that.
cn=config is stored as plain text on the local file system so local root can read
and change anyway. Changing cn=config is the first thing to do for any admin, and
I am not exactly a newbie yet I still stumbled on it.

By the way, if we really want people to use cn=config exclusively, I suggest to
remove all mentioning of slapd.conf from the latest documentation. Old admins 
appreciate cn=config more and there will be less distraction for newbies.   

Derek

Follow-Ups:
- Re: cn=config default access control
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: OpenLDAP thread-safety nowadays
Next by Date: Re: cn=config default access control
Index(es):
- Chronological
- Thread