Hi Ryan,
On Tue, 25 Feb 2020 11:07:57 -0800
Ryan Tandy <r...@nardis.ca> wrote:
> I made a few adjustments to your text, and noted a couple of other
> things that tend to surprise new users.
>
> I wonder if you have any feedback on this version (below).
I've attached a new patch, based on yours.
Mentioned that MDB is the default backend.
Tweaked various sentences, in various ways. Tried to simplify
and shorten sentences. This necessarily makes the document
a little longer, but friendlier.
Used the word "entry" and in general made more clear that
it's all about altering ldap entry/attributes in various
ldap databases.
Got rid of extra words.
Got rid of "will". It is rarely useful in technical docs.
Made a practice of putting dn-s in double quotes, to set them
off from the other text. What do you think?
Consistently use "configuration database" and "directory database" as
the identifiers for the 2 initial ldap dbs. Use "directory
administrator" to identify the admin entry.
Tried to make a distinction between an administrator, a person,
and a the directory administrator LDAP entry in the DIT.
Let me know how well this worked.
Note that the dn of the entry in the configuration DIT
defaults to "olcDatabase={1}mdb,cn=config", but is not
_always_ this. (It would be different if you chose a different
back-end.) This is only mentioned and not elaborated on.
Made clear (hopefully) the options used by the Unix root user
to maintain the database.
Regards,
Karl <k...@karlpinc.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
--- README.Debian 2020-02-24 21:24:25.635042167 -0600
+++ slapd.README.Debian 2020-02-25 17:27:55.126748802 -0600
@@ -11,15 +11,75 @@
the OpenLDAP Admin Guide for more information, including configuration
examples for common use cases. <http://www.openldap.org/doc/admin24/>
-The OpenLDAP configuration
+Initial slapd configuration
- Since version 2.4.23-3 the configuration of OpenLDAP has been changed to
- /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an
+ Upon installation the slapd package performs a number of tasks. It
+ initializes the configuration database, stored in LDAP and rooted at
+ the dn "cn=config". It creates an initial directory database with a
+ dn rooted at a suffix derived from the DNS domain configured in
+ debconf (e.g. "dc=example,dc=com"). The default backend for the
+ directory database is the MDB backend. An administrative identity
+ LDAP entry, with a dn of "cn=admin,<suffix>", is added to the
+ directory database. This LDAP entry for the directory administrator
+ is given the password configured in debconf, or a randomly generated
+ password if none was set.
+
+ If desired, a new configuration and directory database can be
+ created by running, as root:
+
+ dpkg-reconfigure slapd
+
+ Caution: this command completely resets the configuration and all
+ LDAP directory data (saving a backup in /var/backups), resetting
+ slapd to a new initial state.
+
+ The configuration database ("cn=config") and directory database
+ ("dc=<domain>,dc=<tld>") have different permissions. Upon
+ installation, the Unix root user has permission to manage the slapd
+ configuration ("cn=config") database. The LDAP directory
+ administrator entry ("cn=admin,<suffix>") has permission to manage
+ the directory database ("dc=<domain>,dc=<tld>"). This policy is
+ specific to Debian.
+
+ The directory administrator's password is stored in two places. The
+ password is in the olcRootPW attribute of the LDAP configuration
+ database's LDAP entry describing the directory database; the default
+ dn of this configuration entry is "olcDatabase={1}mdb,cn=config".
+ And the password is also in the userPassword attribute of the
+ LDAP directory administrator entry itself; the default dn of the
+ directory administrator entry is "cn=admin,<suffix>".
+
+ If the administrator password needs to be changed it should be
+ updated in both places. The ldapmodify(1) and ldappasswd(1)
+ commands may be used, to update the "olcDatabase={1}mdb,cn=config"
+ entry and the "cn=admin,<suffix>" entry, respectively. These
+ commands are found in the ldap-utils package.
+
+ Should you change the directory administrator's identity be sure to
+ update the database's configuration, the olcRootDN and olcRootPW
+ attributes of the "olcDatabase={1}mdb,cn=config" entry, as well as
+ add a directory administrator entry for the new administrator to the
+ "dc=<domain>,dc=<tld>" directory.
+
+Maintaining the slapd configuration
+
+ Since version 2.4.23-3 the default configuration of OpenLDAP has
+ been changed to "/etc/ldap/slapd.d"; configuration is stored in an
+ LDAP directory. The OpenLDAP packages in Debian provide an
automatic migration to the new configuration style. With the new
- configuration style it is possible to change values on the fly without
- restarting slapd. Changes are made through the use of ldif files and
- ldap{add,modify}. In Debian you can use the following command to search
- the configuration:
+ configuration style it is possible to change values on the fly
+ without restarting slapd. Changes are made through the use of ldif
+ files and ldap{add,modify}.
+
+ Debian defaults to granting the Unix root user, and only the Unix
+ root user, administrative privileges to the configuration database.
+ The configuration database is stored in LDAP. Administrative
+ privileges to the configuration database are granted to root when
+ the special SASL mechanism "EXTERNAL" is used for authentication.
+ The OpenLDAP client command option for this is "-Y EXTERNAL".
+
+ You can use the following shell command, as root, to search the
+ configuration:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
