cn=config default access control
Hi list,
I've been using openldap for a few years but yesterday I compiled slapd from git head
for the first time. To my surprise:
root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
does not work. It took me a while to find out that by default the cn=config database
has 'olcAccess: {0}to * by * none' and 'olcRootDN: cn=config' with no olcRootPW, so
all access from ldap is denied. Once I knew, I used slapmodify to change olcRootDN to
'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' and everything works as
expected afterward.
My argument is why isn't it the default? I think Debian packages already did that.
cn=config is stored as plain text on the local file system so local root can read
and change anyway. Changing cn=config is the first thing to do for any admin, and
I am not exactly a newbie yet I still stumbled on it.
By the way, if we really want people to use cn=config exclusively, I suggest removing
all mention of slapd.conf from the latest documentation. Old admins
appreciate cn=config more and there will be less distraction for newbies.
Derek
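The offline change Derek describes, written out as an added LDIF example (not from the post or the OpenLDAP project): it sets olcRootDN to the SASL EXTERNAL peercred DN of local root and, as the alternative Debian uses, grants that same DN manage rights through olcAccess while leaving everyone else denied. The config directory path and file name are assumptions.

```ldif
# Constructed example. Apply with slapd stopped (the rootdn is bypassed
# by access control, so the olcRootDN change alone is sufficient; the
# olcAccess change is the alternative that keeps olcRootDN untouched):
#
#   slapmodify -F /etc/ldap/slapd.d -l config-access.ldif   # paths assumed
#
# Afterwards, as local root, the original check should succeed:
#
#   ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
#
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
```

Only processes running as uid 0 / gid 0 over the ldapi socket map to that peercred DN, so remote and unprivileged local clients remain denied.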