Hi Ryan,

On Tue, 25 Feb 2020 11:07:57 -0800
Ryan Tandy <r...@nardis.ca> wrote:

> I made a few adjustments to your text, and noted a couple of other 
> things that tend to surprise new users.
> 
> I wonder if you have any feedback on this version (below).

I've attached a new patch, based on yours.

Mentioned that MDB is the default backend.

Tweaked various sentences, in various ways.  Tried to simplify
and shorten sentences.  This necessarily makes the document
a little longer, but friendlier.

Used the word "entry" and in general made more clear that
it's all about altering ldap entry/attributes in various
ldap databases.

Got rid of extra words.

Got rid of "will".  It is rarely useful in technical docs.

Made a practice of putting dn-s in double quotes, to set them
off from the other text.  What do you think?

Consistently use "configuration database" and "directory database" as
the identifiers for the 2 initial ldap dbs.  Use "directory
administrator" to identify the admin entry.

Tried to make a distinction between an administrator, a person,
and the directory administrator LDAP entry in the DIT.
Let me know how well this worked.

Note that the dn of the entry in the configuration DIT
defaults to "olcDatabase={1}mdb,cn=config", but is not
_always_ this.  (It would be different if you chose a different
back-end.)  This is only mentioned and not elaborated on.

Made clear (hopefully) the options used by the Unix root user
to maintain the database.

Regards,

Karl <k...@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
--- README.Debian	2020-02-24 21:24:25.635042167 -0600
+++ slapd.README.Debian	2020-02-25 17:27:55.126748802 -0600
@@ -11,15 +11,75 @@
   the OpenLDAP Admin Guide for more information, including configuration
   examples for common use cases. <http://www.openldap.org/doc/admin24/>
 
-The OpenLDAP configuration
+Initial slapd configuration
 
-  Since version 2.4.23-3 the configuration of OpenLDAP has been changed to
-  /etc/ldap/slapd.d by default.  The OpenLDAP packages in Debian provide an
+  Upon installation the slapd package performs a number of tasks.  It
+  initializes the configuration database, stored in LDAP and rooted at
+  the dn "cn=config".  It creates an initial directory database with a
+  dn rooted at a suffix derived from the DNS domain configured in
+  debconf (e.g.  "dc=example,dc=com").  The default backend for the
+  directory database is the MDB backend.  An administrative identity
+  LDAP entry, with a dn of "cn=admin,<suffix>", is added to the
+  directory database.  This LDAP entry for the directory administrator
+  is given the password configured in debconf, or a randomly generated
+  password if none was set.
+
+  If desired, a new configuration and directory database can be
+  created by running, as root:
+
+    dpkg-reconfigure slapd
+
+  Caution: this command completely resets the configuration and all
+  LDAP directory data (saving a backup in /var/backups), resetting
+  slapd to a new initial state.
+
+  The configuration database ("cn=config") and directory database
+  ("dc=<domain>,dc=<tld>") have different permissions. Upon
+  installation, the Unix root user has permission to manage the slapd
+  configuration ("cn=config") database.  The LDAP directory
+  administrator entry ("cn=admin,<suffix>") has permission to manage
+  the directory database ("dc=<domain>,dc=<tld>"). This policy is
+  specific to Debian.
+
+  The directory administrator's password is stored in two places. The
+  password is in the olcRootPW attribute of the LDAP configuration
+  database's LDAP entry describing the directory database; the default
+  dn of this configuration entry is "olcDatabase={1}mdb,cn=config".
+  And the password is also in the userPassword attribute of the
+  LDAP directory administrator entry itself; the default dn of the
+  directory administrator entry is "cn=admin,<suffix>".
+
+  If the administrator password needs to be changed it should be
+  updated in both places.  The ldapmodify(1) and ldappasswd(1)
+  commands may be used, to update the "olcDatabase={1}mdb,cn=config"
+  entry and the "cn=admin,<suffix>" entry, respectively.  These
+  commands are found in the ldap-utils package.
+
+  Should you change the directory administrator's identity be sure to
+  update the database's configuration, the olcRootDN and olcRootPW
+  attributes of the "olcDatabase={1}mdb,cn=config" entry, as well as
+  add a directory administrator entry for the new administrator to the
+  "dc=<domain>,dc=<tld>" directory.
+
+Maintaining the slapd configuration
+
+  Since version 2.4.23-3 the default configuration of OpenLDAP has
+  been changed to "/etc/ldap/slapd.d"; configuration is stored in an
+  LDAP directory.  The OpenLDAP packages in Debian provide an
   automatic migration to the new configuration style. With the new
-  configuration style it is possible to change values on the fly without
-  restarting slapd.  Changes are made through the use of ldif files and
-  ldap{add,modify}.  In Debian you can use the following command to search
-  the configuration:
+  configuration style it is possible to change values on the fly
+  without restarting slapd.  Changes are made through the use of ldif
+  files and ldap{add,modify}.
+
+  Debian defaults to granting the Unix root user, and only the Unix
+  root user, administrative privileges to the configuration database.
+  The configuration database is stored in LDAP.  Administrative
+  privileges to the configuration database are granted to root when
+  the special SASL mechanism "EXTERNAL" is used for authentication.
+  The OpenLDAP client command option for this is "-Y EXTERNAL".
+
+  You can use the following shell command, as root, to search the
+  configuration:
 
       ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
 
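Review bot: The "If the administrator password needs to be changed it should be updated in both places" paragraph should say why both matter, since either value authenticates as the directory administrator: the olcRootPW in the "olcDatabase={1}mdb,cn=config" entry and the userPassword in "cn=admin,<suffix>" are independent credentials, so changing only the userPassword leaves the old olcRootPW as a still-valid way to bind as the rootdn. A sentence such as "Note that the old password remains valid until both are changed" would close that gap. Two smaller points in the same region: the text calls the "{1}" index the "default dn" in one place but later uses "olcDatabase={1}mdb,cn=config" without qualification (under "Should you change the directory administrator's identity"), so a reader with a different backend or index may edit the wrong entry; and the directory suffix is written three ways ("dc=example,dc=com", "<suffix>", "dc=<domain>,dc=<tld>"), where one placeholder used consistently would read better. The root-user-over-SASL-EXTERNAL statement also appears twice (in "Initial slapd configuration" and again in "Maintaining the slapd configuration"); consider keeping it only in the latter, where "-Y EXTERNAL" is explained.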