
cn=config default access control



Hi list,

I've been using openldap for a few years but yesterday I compiled slapd from git head
for the first time. To my surprise:

    root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config

does not work. It took me a while to find out that by default the cn=config database
has 'olcAccess: {0}to *  by * none' and 'olcRootDN: cn=config' with no olcRootPW, so
all access from ldap is denied. Once I knew, I used slapmodify to change olcRootDN to
'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' and everything worked as
expected afterward.

My argument is why isn't it the default? I think debian packages already did that.
cn=config is stored as plain text on the local file system so local root can read
and change anyway. Changing cn=config is the first thing to do for any admin, and
I am not exactly a newbie yet I still stumbled on it.

By the way, if we really want people to use cn=config exclusively, I suggest removing
all mention of slapd.conf from the latest documentation. Old admins
appreciate cn=config more and there will be less distraction for newbies.

Derek
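As an added example, not taken from Derek's post or from the OpenLDAP project, here is the LDIF that performs the change he describes (pointing olcRootDN at the SASL EXTERNAL peer-credential identity of local root), plus an alternative that keeps olcRootDN untouched and instead adds an explicit ACL for that identity in front of the default deny-all rule. The file name and the assumption that the config database is number 0 in the default config directory are mine; pick one of the two records, not both.

```ldif
# Added example (not from the original post). Apply offline, with slapd stopped:
#   slapmodify -n 0 -l cn-config-root-access.ldif
# -n 0 selects the cn=config database; pass -F <confdir> if it is not the default.

# Option A: what the post describes - make the peercred DN of local root the rootdn
# of cn=config. rootdn bypasses ACLs, so the default 'to * by * none' no longer matters
# for that identity.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# Option B (alternative): leave olcRootDN as 'cn=config' and grant the same identity
# 'manage' through an ACL. Everyone else still gets nothing, as in the default.
# Only the ordering index {0} is assumed here; it replaces the default rule.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
```

After restarting slapd, the check is the command from the post run as root: `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config` should now return the config tree. If it still fails, the usual other cause is the ldapi socket's file permissions rather than the ACL, since SASL EXTERNAL over ldapi derives the peercred DN from the connecting uid/gid.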