
Re: cn=config default access control



--On Saturday, November 17, 2018 8:40 AM +0800 Derek Zhou <derek@shannon-data.com> wrote:

> On November 17, 2018 7:37:40 AM GMT+08:00, Quanah Gibson-Mount
> <quanah@symas.com> wrote:
>> --On Friday, November 16, 2018 10:11 AM +0800 Derek Zhou
>> <derek@shannon-data.com> wrote:
>>
>>> My argument is why isn't it the default?
>>
>> A couple of immediate answers come to mind, there are probably more:
>>
>> a) OpenLDAP is used on numerous operating systems.  Not all of those
>> operating systems support UNIX sockets.
>>
>> b) Not everyone configures slapd for use with ldapi.
>
> I see. But is it the most recommended way to review and edit cn=config on
> a Unix-like platform? If so, that should earn itself a spot on the quick
> start guide. If not, and simple auth is the way, that should be mentioned
> instead. Being able to edit config on a live system is a great feature, it
> is a shame that people who only read the quick start guide don't know about it.

There are any number of ways to authenticate to cn=config. There is no "recommended" or "best" way to do it. The "recommended" way to do it is what works best for the end admin's requirements. That could be a simple bind, it could be SASL/EXTERNAL, it could be via SASL/GSSAPI, it could be via certificate authentication, etc. I've encountered any number of ways that end sites configure access based on the requirements of their organization.


>> Once cn=config is the only way to configure OpenLDAP, such documentation
>> will be removed.  However, that won't be occurring in OpenLDAP 2.5, which
>> is the next major release, so it is valid for this documentation to remain
>> in OpenLDAP master for the time being.
>
> You guys are really stingy on version numbers. Just an observation.

Because the project follows long established software versioning practices?

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
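
The bind methods named in the reply above, written out as a single access rule on the config database. This is an added example, not configuration from the thread or from the OpenLDAP project; the GSSAPI realm, the admin DNs, and the assumption that slapd listens on ldapi:/// are illustrative.

```ldif
# Added example. Every DN below except the peercred identity is a
# hypothetical placeholder.
#
# The "by" clauses, in order:
#   1. SASL/EXTERNAL over ldapi:/// : the local root user (uid 0, gid 0),
#      identified by UNIX socket peer credentials. Only usable where the
#      OS supports UNIX sockets and slapd is started with an ldapi listener.
#   2. SASL/GSSAPI : the Kerberos principal ldapadmin@EXAMPLE.COM.
#   3. A directory DN : matches a simple bind as that entry, or
#      SASL/EXTERNAL over TLS with a client certificate whose subject
#      is this DN.
#   4. Everyone else gets no access to cn=config.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="uid=ldapadmin,cn=EXAMPLE.COM,cn=gssapi,cn=auth" manage
  by dn.exact="cn=ldap-admin,ou=admins,dc=example,dc=com" manage
  by * none
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` (or any other bind) from an identity that already has manage access to cn=config, and keep only the clauses that match how the site actually authenticates.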