LDAP setup and access to cn=config


#1

Hello,

I’m trying to understand the openldap configuration in yunohost.
If I have a look at the result of “ps aux|grep slapd” and the /etc/ldap/slapd.d folder, it seems the LDAP is running with cn=config, but I also have a slapd.conf file; I'm not sure why.
Is it a left-over from upgrade to stretch that I can delete or is it used for something?

And I cannot access cn=config through ldapsearch using “sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config”; it gives no result.
After some troubleshooting I’d say this is because of a missing ACL. Are the ACLs different from the default Debian ones? (The Debian default setup allows access to cn=config.)

Also, it seems yunohost does not fill /etc/ldap/ldap.conf with the ldap base and uri, could this be added?


#2

So, in a standard Debian stretch, if I look into /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif I see:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

In my Yunohost, I have:

olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

So it does seem access by root has been removed on purpose, and I’m also not sure why the rootdn is different, or what all these other options are for.
I tried to look into the yunohost sources but I can’t find anything specific to slapd except the slapd.conf. Maybe these options are the result of some automatic conversion from slapd.conf, but then I’m not sure why the ACL would prevent editing the configuration.
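Added example (my own script, not YunoHost code or anything from the thread): a small POSIX shell helper that first shows which DN slapd gives the local root user over ldapi (the gidNumber=0+uidNumber=0 peercred DN that the Debian rule quoted above names) and tests whether that identity can read cn=config, and then rewrites the {0} ACL rule of olcDatabase={0}config.ldif to the Debian default. The rewrite is done with slapd stopped: with "to * by * none" in place, ldapmodify over ldapi is denied too, and the excerpt shows no olcRootPW for the cn=config rootdn, so there is no online way in. The file path, the function names and the check/repair subcommands are assumptions of this script.

```shell
#!/bin/sh
# Added example, not YunoHost's code: diagnose and repair root access to cn=config
# on a Debian-style OpenLDAP (slapd.d) install.
set -eu

# Assumed location: the standard Debian slapd.d path quoted in the thread.
CONFIG_LDIF='/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif'

# Debian's default rule for the config database: the local root user (mapped
# by SASL EXTERNAL over ldapi to this peercred DN) may manage everything.
DEBIAN_ACL='olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break'

# Show the DN slapd assigns to the caller over ldapi (run as root).
whoami_external() {
    ldapwhoami -Q -Y EXTERNAL -H ldapi:///
}

# Return 0 if that identity can read the cn=config entry itself.
# With "to * by * none" this prints nothing and the function fails.
check_config_access() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base dn 2>/dev/null \
        | grep -q '^dn: cn=config$'
}

# Pure text transform (testable offline): replace the first ACL rule ({0}) of a
# slapd.d ldif with DEBIAN_ACL and drop any folded continuation lines of the old
# rule (LDIF folds long values onto following lines that start with a space).
# Assumes the file already has a {0} rule, as the YunoHost excerpt does.
patch_config_acl() {
    awk -v acl="$DEBIAN_ACL" '
        /^olcAccess: [{]0[}]/ { print acl; skip = 1; next }   # replace the rule
        skip && /^ /          { next }                         # swallow its continuation
        { skip = 0; print }                                    # copy everything else
    ' "$1"
}

# Offline repair: stop slapd, keep a backup, rewrite the rule, start again.
# This is needed because the current rule also denies ldapmodify to root.
repair_config_acl() {
    systemctl stop slapd
    cp "$CONFIG_LDIF" "$CONFIG_LDIF.bak"
    patch_config_acl "$CONFIG_LDIF.bak" > "$CONFIG_LDIF"
    systemctl start slapd
}

case "${1:-}" in
    check)
        printf 'EXTERNAL identity: '
        whoami_external
        if check_config_access; then
            echo 'cn=config is readable by root over ldapi'
        else
            echo 'cn=config is NOT readable by root over ldapi (ACL denies it)'
        fi
        ;;
    repair)
        repair_config_acl
        ;;
esac
```

Run it as root with "check" before and after "repair". Two caveats: slapd stores a CRC32 comment at the top of every slapd.d file and logs a checksum warning when a hand-edited file no longer matches; it still loads the file, and the warning disappears once slapd rewrites it. And once the peercred DN has manage rights, any further change to cn=config should go through ldapmodify over ldapi rather than through the files again. The different rootdn (cn=config instead of cn=admin,cn=config) only matters once something can actually bind as it, which needs an olcRootPW or a SASL mapping; neither appears in the excerpt.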