Hi list,

I've been using OpenLDAP for a few years, but yesterday I compiled slapd from git head for the first time. To my surprise:

root@my-machine:/root#: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config

does not work. It took me a while to find out that by default the cn=config database has 'olcAccess: {0}to * by * none' and 'olcRootDN: cn=config' with no olcRootPW, so all access over LDAP is denied. Once I knew that, I used slapmodify to change olcRootDN to 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth', and everything worked as expected afterwards.

My argument is: why isn't that the default? I think the Debian packages already do that. cn=config is stored as plain text on the local file system, so local root can read and change it anyway. Changing cn=config is the first thing any admin does, and I am not exactly a newbie, yet I still stumbled on it.

By the way, if we really want people to use cn=config exclusively, I suggest removing all mention of slapd.conf from the latest documentation. Old admins appreciate cn=config more, and there will be less distraction for newbies.

Derek
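The change Derek describes, written out as an LDIF that can be applied offline with slapmodify, as an added example rather than anything from the original message or the OpenLDAP project. The default values shown in the comments are the two attributes Derek quoted; the config directory path /usr/local/etc/openldap/slapd.d and the database numbering (-n 0 for the config database) are assumptions about a default git-head build and may differ on a packaged install.

```ldif
# Added example (not from the original post). Default cn=config as Derek found it:
#   olcAccess: {0}to * by * none
#   olcRootDN: cn=config        (no olcRootPW set)
# With that, even local root over ldapi:/// with SASL EXTERNAL gets no access,
# because the peercred identity is neither the rootdn nor matched by any ACL.
#
# Apply with slapd stopped (slapmodify works on the database files directly):
#   slapmodify -F /usr/local/etc/openldap/slapd.d -n 0 -l root-peercred.ldif
# (-F is the assumed config directory for a default build; -n 0 is the config DB.)
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-

# Equivalent alternative that leaves olcRootDN alone and instead grants the
# local root peercred identity manage rights through the ACL (the form the
# Debian packaging uses); pick one of the two, not both, unless you want both.
# dn: olcDatabase={0}config,cn=config
# changetype: modify
# replace: olcAccess
# olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# -

# Verify after starting slapd again (as local root; the -Y EXTERNAL bind over
# ldapi:/// maps to the peercred DN above):
#   ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config olcRootDN olcAccess
# Expected: the olcDatabase={0}config entry is returned instead of
# "Insufficient access" / no results.
```

The rootdn route is the smaller change and bypasses ACLs entirely for that identity, which is exactly why it is enough on its own; the ACL route keeps olcRootDN as a separate, password-less name and makes the grant explicit in olcAccess, which some admins prefer because it is visible when auditing the access rules. Either way, the grant is limited to uid 0 connecting over the local ldapi socket, so it does not widen network-reachable access to cn=config.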