root user management ACLs on cn=config

Resolves: #712495
2011-06-27 13:59:06 +02:00 · 2011-06-27 13:59:06 +02:00 · 2ce75ca315
commit 2ce75ca315
parent 356967b885
3 changed files with 12 additions and 4 deletions
--- a/ldap.sysconfig
+++ b/ldap.sysconfig
@ -5,15 +5,15 @@
 #
 # Run slapd with -h "... ldap:/// ..."
 #   yes/no, default: yes
-#SLAPD_LDAP=yes
+SLAPD_LDAP=yes

 # Run slapd with -h "... ldapi:/// ..."
-#   yes/no, default: no
-#SLAPD_LDAPI=no
+#   yes/no, default: yes
+SLAPD_LDAPI=yes

 # Run slapd with -h "... ldaps:/// ..."
 #   yes/no, default: no
-#SLAPD_LDAPS=no
+SLAPD_LDAPS=no

 # Run slapd with -h "... $SLAPD_URLS ..."
 # This option could be used instead of previous three ones, but:
--- a/openldap.spec
+++ b/openldap.spec
@ -653,6 +653,8 @@ exit 0
 * Mon Jun 27 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.25-1
 - rebase to new upstream release
 - change default database type from BDB to HDB
+- enable ldapi:/// interface by default
+- set cn=config management ACLs for root user, SASL external schema (#712495)

 * Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
 - new: system resource limiting for slapd using ulimit
--- a/slapd.conf
+++ b/slapd.conf
@ -95,6 +95,12 @@ argsfile	/var/run/openldap/slapd.args
 #
 # rootdn can always read and write EVERYTHING!

+# enable on-the-fly configuration (cn=config)
+database config
+access to *
+	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+	by * none
+
 # enable server status monitoring (cn=monitor)
 database monitor
 access to *