Bug 712495

Summary: set cn=config database ACLs for user root in default configuration
Product: Fedora
Component: openldap
Reporter: Jan Vcelak <jvcelak>
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jvcelak, obonhomme, rmeggins, tsmetana
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openldap-2.4.25-1.fc16
Doc Type: Bug Fix
Clone Of: 712494
Last Closed: 2011-06-27 17:27:45 UTC

Description Jan Vcelak 2011-06-10 19:07:58 UTC
+++ This bug was initially created as a clone of Bug #712494 +++

Description of problem:

OpenLDAP server uses its own LDAP database to keep the server configuration (cn=config subtree). The configuration is physically stored in /etc/openldap/slapd.d. Although the configuration is in plain text files in LDIF format, upstream strongly discourages editing the files manually in a text editor. The preferred way is to use regular LDAP commands to change the configuration.

After a fresh OpenLDAP server installation, no ACLs are set for the cn=config database. This means that the only way to change the configuration is manual editing.

The following changes should be performed in the OpenLDAP default configuration:

1.) enable the server ldapi:/// interface (IPC socket) (SLAPD_LDAPI=yes in /etc/sysconfig/ldap)

2.) grant management ACLs for the cn=config database to user root authenticated using the external SASL mechanism available for the IPC socket interface (the user is mapped to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth)

This will allow working with the server configuration using LDAP commands, which should be safer:
ldapadd -H ldapi:/// -Y EXTERNAL ...


Version-Release number of selected component (if applicable):
openldap-2.4.23-15.el6
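The two steps requested above, plus a verification step, written out as shell functions. This is an added example, not code from the bug report or from the Fedora openldap package. It assumes a Fedora-style sysconfig file (the report's /etc/sysconfig/ldap), a running slapd that listens on ldapi:///, and the OpenLDAP client tools; the function and variable names (peercred_dn, enable_ldapi, root_config_acl_ldif, apply_root_config_acl) are mine. Nothing touches slapd until apply_root_config_acl is run, as root, on the server.

```shell
# Added example: set cn=config ACLs for root over ldapi:/// (SASL EXTERNAL).
# Assumptions: Fedora layout (/etc/sysconfig/ldap), slapd on ldapi:///,
# ldapwhoami/ldapmodify/ldapsearch installed. Function names are hypothetical.

PEERCRED_SUFFIX='cn=peercred,cn=external,cn=auth'

# DN that slapd assigns to a Unix-socket peer with the given gid and uid when
# it binds with SASL EXTERNAL. Only root (0/0) is granted access below, so any
# other local user maps to a different DN and is denied by the "by * none".
peercred_dn() {
  printf 'gidNumber=%s+uidNumber=%s,%s' "$1" "$2" "$PEERCRED_SUFFIX"
}

# Step 1: turn on the ldapi:/// listener in the sysconfig file given as $1.
# Rewrites an existing SLAPD_LDAPI line, or appends one if it is missing.
enable_ldapi() {
  f=$1
  if grep -q '^SLAPD_LDAPI=' "$f"; then
    sed -i 's/^SLAPD_LDAPI=.*/SLAPD_LDAPI=yes/' "$f"
  else
    printf 'SLAPD_LDAPI=yes\n' >> "$f"
  fi
}

# Step 2: LDIF granting root (peercred 0/0) "manage" on the config database
# and denying everyone else. "replace" works whether or not an olcAccess
# attribute already exists on olcDatabase={0}config.
root_config_acl_ldif() {
  dn=$(peercred_dn 0 0)
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="$dn" manage by * none
EOF
}

# Step 3: apply the ACL over the IPC socket and verify it. Run as root on the
# server after slapd has been restarted with ldapi:/// enabled. ldapwhoami
# shows the peercred DN the server actually mapped us to, and the final search
# reads the ACL back through LDAP without opening anything under slapd.d.
apply_root_config_acl() {
  ldapwhoami -Q -Y EXTERNAL -H ldapi:///
  root_config_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// \
    -b 'olcDatabase={0}config,cn=config' olcAccess
}
```

Usage on the server: `enable_ldapi /etc/sysconfig/ldap`, restart slapd, then `apply_root_config_acl`. If ldapwhoami prints a DN other than `dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`, you are not running as root over the socket and the ldapmodify will be refused; that is the ACL working as intended.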

Comment 1 Jan Vcelak 2011-06-27 17:27:45 UTC
Resolved in openldap-2.4.25-1.fc16

Comment 2 Jan Vcelak 2011-11-01 09:03:38 UTC
*** Bug 750082 has been marked as a duplicate of this bug. ***