Re: Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze

2011-02-02 Thread Rob Owens
On Mon, Jan 31, 2011 at 05:05:56PM +0200, Razvan Deaconescu wrote:
> Hi!
>
> I've browsed the configuration page for slapd[1] and it mentions that,
> starting from version 2.3, the LDAP configuration engine allows all
> of slapd's configuration options to be changed on the fly, generally
> without requiring a server restart for the changes to take effect.
>
> I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to
> configure TLS support I've found this page[2] mentions using the
> cn=admin,dc=config account and a password for it. What is the user and
> password required to update the LDAP configuration database in a
> Debian-based configuration?

Do you have a file called /etc/libnss-ldap.secret or /etc/pam_ldap.secret?
Sometimes the password is stored there.

-Rob


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110202152459.ga7...@aurora.owens.net



Re: Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze

2011-02-02 Thread Razvan Deaconescu
On 02/02/2011 05:24 PM, Rob Owens wrote:
> On Mon, Jan 31, 2011 at 05:05:56PM +0200, Razvan Deaconescu wrote:
>> Hi!
>>
>> I've browsed the configuration page for slapd[1] and it mentions that,
>> starting from version 2.3, the LDAP configuration engine allows all
>> of slapd's configuration options to be changed on the fly, generally
>> without requiring a server restart for the changes to take effect.
>>
>> I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to
>> configure TLS support I've found this page[2] mentions using the
>> cn=admin,dc=config account and a password for it. What is the user and
>> password required to update the LDAP configuration database in a
>> Debian-based configuration?
>
> Do you have a file called /etc/libnss-ldap.secret or /etc/pam_ldap.secret?
> Sometimes the password is stored there.

Both the /etc/libnss-ldap.conf and the /etc/pam_ldap.conf files mention
that the *.secret files are to be used as password files for the LDAP
account to be used by root:
---
# grep -C 3 secret /etc/pam_ldap.conf

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/pam_ldap.secret (mode 600)
rootbinddn cn=manager,dc=example,dc=net

# The port.
---

I think this is only used for the client side and is not a server
configuration.

Razvan





Admin password (cn=admin,dc=config) for OpenLDAP in Debian Squeeze

2011-01-31 Thread Razvan Deaconescu
Hi!

I've browsed the configuration page for slapd[1] and it mentions that,
starting from version 2.3, the LDAP configuration engine allows all
of slapd's configuration options to be changed on the fly, generally
without requiring a server restart for the changes to take effect.

I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). Trying to
configure TLS support I've found this page[2] mentions using the
cn=admin,dc=config account and a password for it. What is the user and
password required to update the LDAP configuration database in a
Debian-based configuration?

I found out the password should be stored as olcRootPW in the
olcDatabase={0}config. However, the default configuration lacks this
password:

---
# slapcat -n0 | grep -C 5 '^\(olcRootDN\|olcRootPW\)'
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: ed743d3a-adc6-102f-9a18-f1967b980507
creatorsName: cn=config
---

I found the easiest way was to add an olcRootPW option to the
olcDatabase={0}config file (password generated using slappasswd) and
then restart the server. However, manually editing these files is
discouraged, but I didn't find a better way.

How should this be handled? Is there a specialized way of configuring
the above-mentioned password?

Razvan

[1] http://www.openldap.org/doc/admin24/slapdconf2.html
[2] http://ilostmynotes.blogspot.com/2009/04/openldap-24-and-tls.html


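
Added example, not part of the original thread: a Python sketch that builds an olcRootPW value in the salted-SHA1 `{SSHA}` layout, checks a candidate password against it, and audits `slapcat -n0` style output for databases that have olcRootDN but no olcRootPW, as in the listing in the first post. The function names, the sample LDIF, the `{1}hdb` entry and the password are constructed for illustration, and the 4-byte salt is an assumption.

```python
import base64, hashlib, hmac, os

def ssha(password: str, salt: bytes = b"") -> str:
    """'{SSHA}' + base64(SHA1(password + salt) + salt), the salted-SHA1 layout."""
    salt = salt or os.urandom(4)  # 4-byte salt is an assumption of this sketch
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: str, stored: str) -> bool:
    """Recompute the digest using the salt stored after the 20 SHA-1 bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit_rootpw(ldif: str) -> dict:
    """Map each entry that has olcRootDN to its olcRootPW scheme (None = unset)."""
    report = {}
    # Unfold LDIF continuation lines, then split on the blank line between entries.
    for entry in ldif.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode(errors="replace")
            attrs.setdefault(name, value.strip())
        if "olcRootDN" in attrs:
            pw = attrs.get("olcRootPW")
            if pw is None:
                scheme = None          # rootDN defined, but no password to bind with
            elif pw.startswith("{") and "}" in pw:
                scheme = pw[: pw.index("}") + 1]
            else:
                scheme = "cleartext"   # stored without a hash scheme prefix
            report[attrs.get("dn", "?")] = scheme
    return report

# Constructed sample: entry {0} mirrors the listing above (olcRootDN, no olcRootPW).
B64_PW = base64.b64encode(ssha("example-only", b"\x01\x02\x03\x04").encode()).decode()
SAMPLE = (
    "dn: olcDatabase={0}config,cn=config\nolcAccess: {0}to *  by * none\n"
    "olcRootDN: cn=config\n\n"
    "dn: olcDatabase={1}hdb,cn=config\nolcRootDN: cn=admin,dc=example,dc=net\n"
    f"olcRootPW:: {B64_PW}\n"
)

if __name__ == "__main__":
    print(audit_rootpw(SAMPLE))
```

A `None` result for `olcDatabase={0}config,cn=config` corresponds to the state shown in the first post; a `cleartext` result flags a password stored without a hash scheme.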