From 2ce75ca315527c8712aa46973a866fd7c971f2dd Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Mon, 27 Jun 2011 13:59:06 +0200
Subject: [PATCH] root user management ACLs on cn=config

Resolves: #712495
---
 ldap.sysconfig | 8 ++++----
 openldap.spec | 2 ++
 slapd.conf | 6 ++++++
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/ldap.sysconfig b/ldap.sysconfig
index eec60cc..7bd51e0 100644
--- a/ldap.sysconfig
+++ b/ldap.sysconfig
@@ -5,15 +5,15 @@
 #
 # Run slapd with -h "... ldap:/// ..."
 # yes/no, default: yes
-#SLAPD_LDAP=yes
+SLAPD_LDAP=yes
 
 # Run slapd with -h "... ldapi:/// ..."
-# yes/no, default: no
-#SLAPD_LDAPI=no
+# yes/no, default: yes
+SLAPD_LDAPI=yes
 
 # Run slapd with -h "... ldaps:/// ..."
 # yes/no, default: no
-#SLAPD_LDAPS=no
+SLAPD_LDAPS=no
 
 # Run slapd with -h "... $SLAPD_URLS ..."
 # This option could be used instead of previous three ones, but:
diff --git a/openldap.spec b/openldap.spec
index 45a56e0..5bd9692 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -653,6 +653,8 @@ exit 0
 * Mon Jun 27 2011 Jan Vcelak 2.4.25-1
 - rebase to new upstream release
 - change default database type from BDB to HDB
+- enable ldapi:/// interface by default
+- set cn=config management ACLs for root user, SASL external schema (#712495)
 
 * Fri Mar 18 2011 Jan Vcelak 2.4.24-2
 - new: system resource limiting for slapd using ulimit
diff --git a/slapd.conf b/slapd.conf
index f07b262..6def6d2 100644
--- a/slapd.conf
+++ b/slapd.conf
@@ -95,6 +95,12 @@ argsfile /var/run/openldap/slapd.args
 #
 # rootdn can always read and write EVERYTHING!
 
+# enable on-the-fly configuration (cn=config)
+database config
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by * none
+
 # enable server status monitoring (cn=monitor)
 database monitor
 access to *
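Review bot: Switching `SLAPD_LDAPI` to `yes` turns on a local unix-domain socket on every installation, and nothing in this hunk records what limits access to it; the socket's filesystem permissions, which this file does not set, decide which local users can connect and bind. That is fine for the root-only cn=config ACL this commit pairs it with, since peercred maps the client's uid/gid into the bind DN, but every other database also becomes reachable over the socket under its own ACLs, and that consequence belongs next to the new default. I would extend the comment above `SLAPD_LDAPI=yes` with `# ldapi:/// is a local unix socket; clients can bind with SASL EXTERNAL (peer uid/gid), so keep its permissions tight`. The socket path is set outside this hunk (presumably via SLAPD_URLS or slapd's compiled-in default), so I cannot confirm its mode from here.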
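Review bot: The new `access to *` rule on `database config` can only be satisfied over `ldapi:///` with a SASL EXTERNAL bind, because the `cn=peercred,cn=external,cn=auth` DN is derived from the socket peer's uid/gid, yet the comment introducing it says nothing about that dependency on `SLAPD_LDAPI=yes` living in a different file. Anyone who later disables the ldapi listener, or binds over `ldap://` as root, is silently locked out of cn=config, since no rootdn/rootpw fallback is defined for this database. I would expand the comment to `# enable on-the-fly configuration (cn=config)` followed by `# only uid 0 over ldapi:/// (SASL EXTERNAL / peercred) may manage it, e.g. ldapmodify -Y EXTERNAL -H ldapi:///`. The explicit `by * none` is the implicit final clause anyway, so it is harmless, but note it also denies read access to any replication identity that might later consume cn=config, which I cannot tell from here.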