[Pkg-openldap-devel] OpenLDAP and cn=config.

Mathias Gug mathiaz at ubuntu.com
Thu Jun 5 01:16:49 UTC 2008


On Mon, Jun 02, 2008 at 11:45:14PM -0400, Mathias Gug wrote:
> > I don't like the idea of adding 'rootpw somesecret' to the slapd.conf,
> > maybe there is another way to set it. Quanah / Russ can you comment on
> > this ?
> > 
> 
> AFAIR you have to set a rootpw in slapd.conf in order to get slapd to
> generate the configuration directory /etc/ldap/slapd.d/. Howard Chu
> mentioned during a discussion at the Ubuntu Developer Summit that the
> slapd.d directory won't be created if you don't set a username for the
> config database. I haven't tested that either.

I've played a little bit with this and was able to generate a slapd.d/
directory using the admin password without setting the rootpw in
slapd.conf. 

The idea is to get the value of userPassword for the rootdn in the
existing database before starting the upgrade (with slapcat), migrate
from slapd.conf to slapd.d using a random password, and update the value
of the olcRootPW attribute in the file
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif with the value of
userPassword.

That way the administrator should be able to modify the cn=config tree
with the same password he entered when slapd was installed. Of course
applying this logic shouldn't be done for every install. There are other
issues to consider such as which database should be used to get the root
password and how to get the rootdn for the database.

Another option would be to ask the administrator to enter a new password
for the cn=config tree.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
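As an added example of the text handling that the migration idea above needs (it is not code from this thread or from the Debian/Ubuntu slapd packaging): read the rootdn from the slapd.conf fragment, pull that entry's userPassword out of a slapcat dump, and rewrite olcRootPW in the generated olcDatabase={0}config.ldif. The slapcat/slaptest invocations are assumed and only appear in comments; the slapd.conf fragment, the dump and the config LDIF are constructed sample data, and the function names are the example's own.

```python
"""Added example: text-processing side of the cn=config migration described
in the mail above. Not code from the original thread or the slapd packaging.
Assumed surrounding commands (not run here; -n 1 assumes the data database is
the first one after the config database):

  slapcat -n 1 -l /tmp/backup.ldif                     # dump data database
  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d  # build cn=config

All sample text below (slapd.conf, dump, config LDIF) is constructed."""
import base64
import re
import secrets
from typing import Optional

SAMPLE_HASH = "{SSHA}constructed-salted-hash-value-not-a-real-digest"


def b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


# Constructed slapd.conf fragment: quoted rootdn, no rootpw directive.
SLAPD_CONF = """\
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
"""

# Constructed slapcat output: userPassword is base64 ('::') and folded onto
# a leading-space continuation line, as slapcat does for long values.
_enc = b64(SAMPLE_HASH)
BACKUP_LDIF = f"""\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: {_enc[:20]}
 {_enc[20:]}
"""

TEMP_PW = "temporary-random-secret"  # the throwaway rootpw used for slaptest
# Constructed olcDatabase={0}config.ldif as slaptest would write it.
CONFIG_LDIF = f"""\
dn: olcDatabase={{0}}config
objectClass: olcDatabaseConfig
olcDatabase: {{0}}config
olcRootDN: cn=admin,cn=config
olcRootPW:: {b64(TEMP_PW)}
"""


def rootdn_from_slapd_conf(conf: str) -> Optional[str]:
    """First rootdn directive (quoted or bare) in a slapd.conf fragment."""
    m = re.search(r'^\s*rootdn\s+"?([^"\n]+?)"?\s*$', conf, re.M | re.I)
    return m.group(1) if m else None


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and lower-cases attribute names. Enough for slapcat/slapd.d files."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.lower().split(","))


def find_root_password(backup_ldif: str, rootdn: str) -> Optional[str]:
    """userPassword of the rootdn's entry in the dump, or None when the rootdn
    has no entry (a rootdn does not have to exist as an entry at all)."""
    for entry in parse_ldif(backup_ldif):
        if normalize_dn(entry.get("dn", [""])[0]) == normalize_dn(rootdn):
            values = entry.get("userpassword")
            return values[0] if values else None
    return None


def temporary_rootpw_line() -> str:
    """'rootpw' directive with a random throwaway secret for the slaptest run."""
    return "rootpw " + secrets.token_urlsafe(24)


OLC_ROOT_PW = re.compile(r"^olcRootPW::? .*(?:\n .*)*$", re.M | re.I)


def set_olc_root_pw(config_ldif: str, password_hash: str) -> str:
    """Replace (or append) olcRootPW with the recovered hash, base64-encoded."""
    new_line = "olcRootPW:: " + b64(password_hash)
    if OLC_ROOT_PW.search(config_ldif):
        return OLC_ROOT_PW.sub(lambda _m: new_line, config_ldif, count=1)
    return config_ldif.rstrip("\n") + "\n" + new_line + "\n"


def migrate(slapd_conf: str, backup_ldif: str, config_ldif: str) -> str:
    """Whole flow; raises where the mail says to fall back to asking the admin."""
    rootdn = rootdn_from_slapd_conf(slapd_conf)
    if rootdn is None:
        raise ValueError("no rootdn in slapd.conf: ask the admin for a cn=config password")
    pw = find_root_password(backup_ldif, rootdn)
    if pw is None:
        raise ValueError("rootdn has no userPassword: ask the admin for a cn=config password")
    return set_olc_root_pw(config_ldif, pw)


if __name__ == "__main__":
    print(migrate(SLAPD_CONF, BACKUP_LDIF, CONFIG_LDIF))
```

The rewrite copies the hash verbatim, so the cn=config password is only as strong as the data-database rootdn password it mirrors; the two ValueError branches are the cases the mail flags (no usable rootdn, or a rootdn without an entry), where asking the administrator for a new cn=config password is the fallback. Later slapd releases write a CRC32 checksum comment at the top of each slapd.d file and warn when a hand-edited file no longer matches, so on such versions the same change is better made with ldapmodify against cn=config over ldapi:/// than by editing the file.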
