Package: slapd
Version: 2.4.47+dfsg-3+deb10u1
Severity: normal
Tags: patch

Hello,

The slapd package creates an ldap database, by default. This can be completely opaque, depending upon how debconf is configured. The README.Debian should describe how the Debian installation differs from upstream. Automatically creating a database, and configuring access, is an important difference.

Attached is a patch to the README.Debian describing the initial setup.

-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages slapd depends on:
ii  adduser                        3.118
ii  coreutils                      8.30-3
ii  debconf [debconf-2.0]          1.5.71
ii  libc6                          2.28-10
ii  libdb5.3                       5.3.28+dfsg1-0.5
ii  libgnutls30                    3.6.7-4+deb10u2
ii  libldap-2.4-2                  2.4.47+dfsg-3+deb10u1
ii  libltdl7                       2.4.6-9
ii  libodbc1                       2.3.6-0.1
ii  libperl5.28                    5.28.1-6
ii  libsasl2-2                     2.1.27+dfsg-1+deb10u1
ii  libwrap0                       7.6.q-28
ii  lsb-base                       10.2019051400
ii  perl [libmime-base64-perl]     5.28.1-6
ii  psmisc                         23.2-1

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.27+dfsg-1+deb10u1

Versions of packages slapd suggests:
ii  ldap-utils                                           2.4.47+dfsg-3+deb10u1
pn  libsasl2-modules-gssapi-mit | libsasl2-modules-gssap  <none>

-- debconf information excluded

--- /tmp/README.Debian 2020-02-24 21:24:25.635042167 -0600 +++ /tmp/README.Debian.new 2020-02-24 22:54:03.401642325 -0600 @@ -11,7 +11,35 @@ the OpenLDAP Admin Guide for more information, including configuration examples for common use cases. <http://www.openldap.org/doc/admin24/> -The OpenLDAP configuration +The initial databases + + Upon installation the Debian package uses debconf to create a + regular OpenLDAP database for storage of directory information, by + default using the MDB backend. An initial database root user and + password is created to administer this database. And the OpenLDAP + configuration database is created. + + Re-create the initial databases and their configuration, as the Unix + root user, with: + + dpkg-reconfigure slapd + + The installed configuration requires the Unix root user to use the + options "-Y EXTERNAL -H ldapi:///", when using the OpenLDAP client + command line tools, to obtain root-level access to the OpenLDAP + configuration database. This database is rooted, as per the + pre-defined stock OpenLDAP DIT, at "cn=config". The configuration + database contains the password and access permissions of the regular + database's root-user, as well as access permissions to the + configuration database itself, should changes be required. + + The root user created to administer the regular database has a dn + starting with "cn=admin," followed by the base dn (olcSuffix) of the + database. This root user's password, set when the initial database + is created, allows the root user to bind to the regular database + with password authentication and grants root-level access. + +Maintaining the OpenLDAP configuration Since version 2.4.23-3 the configuration of OpenLDAP has been changed to /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an
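
Review bot: The paragraph that introduces "dpkg-reconfigure slapd" says the command will "Re-create the initial databases and their configuration" but does not say what happens to an existing directory or to existing cn=config contents; an administrator may run this on a populated server, so the text should state explicitly whether existing data is kept, moved aside or discarded. In the same hunk "root user" is used both for the Unix root user and for the database administrator (once hyphenated as "root-user"); naming the latter by its configuration attribute, as the text already does with "base dn (olcSuffix)", would keep the two identities apart in the paragraphs that describe who gets root-level access to which database. The first added paragraph also needs "are created" in place of "is created" after "An initial database root user and password", and the fragment "And the OpenLDAP configuration database is created." reads better joined to the preceding sentence.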