Hi Ryan,

On Tue, 25 Feb 2020 11:07:57 -0800 Ryan Tandy <r...@nardis.ca> wrote:

> I made a few adjustments to your text, and noted a couple of other
> things that tend to surprise new users.
>
> I wonder if you have any feedback on this version (below).

I've attached a new patch, based on yours.

Mentioned that MDB is the default backend.

Tweaked various sentences, in various ways. Tried to simplify and shorten sentences. This necessarily makes the document a little longer, but friendlier.

Used the word "entry" and in general made more clear that it's all about altering ldap entry/attributes in various ldap databases.

Got rid of extra words.

Got rid of "will". It is rarely useful in technical docs.

Made a practice of putting dn-s in double quotes, to set them off from the other text. What do you think?

Consistently use "configuration database" and "directory database" as the identifiers for the 2 initial ldap dbs.

Use "directory administrator" to identify the admin entry. Tried to make a distinction between an administrator, a person, and the directory administrator LDAP entry in the DIT. Let me know how well this worked.

Note that the dn of the entry in the configuration DIT defaults to "olcDatabase={1}mdb,cn=config", but is not _always_ this. (It would be different if you chose a different back-end.) This is only mentioned and not elaborated on.

Made clear (hopefully) the options used by the Unix root user to maintain the database.

Regards,

Karl <k...@karlpinc.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
--- README.Debian 2020-02-24 21:24:25.635042167 -0600 +++ slapd.README.Debian 2020-02-25 17:27:55.126748802 -0600 
@@ -11,15 +11,75 @@ the OpenLDAP Admin Guide for more information, including configuration examples for common use cases. <http://www.openldap.org/doc/admin24/> -The OpenLDAP configuration +Initial slapd configuration - Since version 2.4.23-3 the configuration of OpenLDAP has been changed to - /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an + Upon installation the slapd package performs a number of tasks. It + initializes the configuration database, stored in LDAP and rooted at + the dn "cn=config". It creates an initial directory database with a + dn rooted at a suffix derived from the DNS domain configured in + debconf (e.g. "dc=example,dc=com"). The default backend for the + directory database is the MDB backend. An administrative identity + LDAP entry, with a dn of "cn=admin,<suffix>", is added to the + directory database. This LDAP entry for the directory administrator + is given the password configured in debconf, or a randomly generated + password if none was set. + + If desired, a new configuration and directory database can be + created by running, as root: + + dpkg-reconfigure slapd + + Caution: this command completely resets the configuration and all + LDAP directory data (saving a backup in /var/backups), resetting + slapd to a new initial state. + + The configuration database ("cn=config") and directory database + ("dc=<domain>,dc=<tld>") have different permissions. Upon + installation, the Unix root user has permission to manage the slapd + configuration ("cn=config") database. The LDAP directory + administrator entry ("cn=admin,<suffix>") has permission to manage + the directory database ("dc=<domain>,dc=<tld>"). This policy is + specific to Debian. + + The directory administrator's password is stored in two places. The + password is in the olcRootPW attribute of the LDAP configuration + database's LDAP entry describing the directory database; the default + dn of this configuration entry is "olcDatabase={1}mdb,cn=config". 
+ And the password is also in the userPassword attribute of the + LDAP directory administrator entry itself; the default dn of the + directory administrator entry is "cn=admin,<suffix>". + + If the administrator password needs to be changed it should be + updated in both places. The ldapmodify(1) and ldappasswd(1) + commands may be used, to update the "olcDatabase={1}mdb,cn=config" + entry and the "cn=admin,<suffix>" entry, respectively. These + commands are found in the ldap-utils package. + + Should you change the directory administrator's identity be sure to + update the database's configuration, the olcRootDN and olcRootPW + attributes of the "olcDatabase={1}mdb,cn=config" entry, as well as + add a directory administrator entry for the new administrator to the + "dc=<domain>,dc=<tld>" directory. + +Maintaining the slapd configuration + + Since version 2.4.23-3 the default configuration of OpenLDAP has + been changed to "/etc/ldap/slapd.d"; configuration is stored in an + LDAP directory. The OpenLDAP packages in Debian provide an automatic migration to the new configuration style. With the new - configuration style it is possible to change values on the fly without - restarting slapd. Changes are made through the use of ldif files and - ldap{add,modify}. In Debian you can use the following command to search - the configuration: + configuration style it is possible to change values on the fly + without restarting slapd. Changes are made through the use of ldif + files and ldap{add,modify}. + + Debian defaults to granting the Unix root user, and only the Unix + root user, administrative privileges to the configuration database. + The configuration database is stored in LDAP. Administrative + privileges to the configuration database are granted to root when + the special SASL mechanism "EXTERNAL" is used for authentication. + The OpenLDAP client command option for this is "-Y EXTERNAL". 
+ + You can use the following shell command, as root, to search the + configuration: ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
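Review bot: in the "Maintaining the slapd configuration" part of the hunk, the sentence "Administrative privileges to the configuration database are granted to root when the special SASL mechanism "EXTERNAL" is used for authentication" reads as if the mechanism by itself identifies root, but the example command that follows also depends on "-H ldapi:///": it is the local ldapi socket that carries the Unix credentials of the connecting process to slapd, and EXTERNAL only maps those credentials to the root identity. Suggest stating both conditions together, e.g. "Administrative privileges to the configuration database are granted to the Unix root user when it connects over the local ldapi:/// socket and authenticates with the SASL "EXTERNAL" mechanism; the client options for this are "-Y EXTERNAL -H ldapi:///"." Minor style point in the "If the administrator password needs to be changed" paragraph: drop the stray comma in "may be used, to update".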