Re: Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze
On Mon, Jan 31, 2011 at 05:05:56PM +0200, Razvan Deaconescu wrote:
> Hi!
>
> I've browsed the configuration page for slapd[1] and it mentions that, starting from version 2.3, the LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect.
>
> I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to configure TLS support I've found this page[2] mentions using the cn=admin,dc=config account and a password for it.
>
> What is the user and password required to update the LDAP configuration database in a Debian-based configuration?

Do you have a file called /etc/libnss-ldap.secret or /etc/pam_ldap.secret? Sometimes the password is stored there.

-Rob

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110202152459.ga7...@aurora.owens.net

Re: Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze
On 02/02/2011 05:24 PM, Rob Owens wrote:
> On Mon, Jan 31, 2011 at 05:05:56PM +0200, Razvan Deaconescu wrote:
>> Hi!
>>
>> I've browsed the configuration page for slapd[1] and it mentions that, starting from version 2.3, the LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect.
>>
>> I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to configure TLS support I've found this page[2] mentions using the cn=admin,dc=config account and a password for it.
>>
>> What is the user and password required to update the LDAP configuration database in a Debian-based configuration?
>
> Do you have a file called /etc/libnss-ldap.secret or /etc/pam_ldap.secret? Sometimes the password is stored there.

Both the /etc/libnss-ldap.conf and the /etc/pam_ldap.conf files mention that the *.secret files are to be used as password files for the LDAP account to be used by root:

---
# grep -C 3 secret /etc/pam_ldap.conf
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/pam_ldap.secret (mode 600)
rootbinddn cn=manager,dc=example,dc=net
# The port.
---

I think this is only used for the client side and is not a server configuration.

Razvan

Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze
Hi!

I've browsed the configuration page for slapd[1] and it mentions that, starting from version 2.3, the LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect.

I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to configure TLS support I've found this page[2] mentions using the cn=admin,dc=config account and a password for it.

What is the user and password required to update the LDAP configuration database in a Debian-based configuration?

I found out the password should be stored as olcRootPW in the olcDatabase={0}config. However, the default configuration lacks this password:

---
# slapcat -n0 | grep -C 5 '^\(olcRootDN\|olcRootPW\)'
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: ed743d3a-adc6-102f-9a18-f1967b980507
creatorsName: cn=config
---

I found the easiest way was to add an olcRootPW option to the olcDatabase={0}config file (password generated using slappasswd) and then restart the server. However, manually editing these files is discouraged, but I didn't find a better way.

How should this be handled? Is there a specialized way of configuring the above-mentioned password?

Razvan

[1] http://www.openldap.org/doc/admin24/slapdconf2.html
[2] http://ilostmynotes.blogspot.com/2009/04/openldap-24-and-tls.html
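
Added example, not part of the thread: a small Python check that reads `slapcat -n0` output and reports whether the olcDatabase={0}config entry has an olcRootPW and in what form. slapcat typically writes the value base64-encoded as `olcRootPW::` and may fold long lines, so the parser handles both; the function names and the sample LDIF are constructed for illustration.

```python
import base64

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    # LDIF folds long lines: a newline followed by one space continues the line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries, current = [], {}
    for line in unfolded.split("\n"):
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: ..." carries a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def audit_config_rootpw(ldif_text):
    """Return (olcRootDN, status) for the olcDatabase={0}config entry."""
    for entry in parse_ldif(ldif_text):
        if not entry.get("dn", [""])[0].lower().startswith("olcdatabase={0}config,"):
            continue
        root_dn = entry.get("olcrootdn", [None])[0]
        pw = entry.get("olcrootpw", [None])[0]
        if pw is None:
            return root_dn, "missing"     # rootDN has no password to bind with
        if pw.startswith("{") and "}" in pw:
            scheme = pw[1:pw.index("}")].upper()
            if scheme != "CLEARTEXT":
                return root_dn, "hashed:" + scheme
        return root_dn, "cleartext"       # stored unhashed; regenerate with slappasswd
    return None, "no-config-database"

# Constructed samples, not output from a real server.
DEFAULT = "dn: olcDatabase={0}config,cn=config\nolcDatabase: {0}config\nolcRootDN: cn=config\n"
_b64 = base64.b64encode(b"{SSHA}constructed-placeholder-not-a-real-hash").decode()
WITH_PW = DEFAULT + "olcRootPW:: " + _b64[:20] + "\n " + _b64[20:] + "\n"

if __name__ == "__main__":
    print(audit_config_rootpw(DEFAULT))
    print(audit_config_rootpw(WITH_PW))
```

On a server, the input would be the text produced by `slapcat -n0` run as root.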