UDS Maverick: Call for Blueprints for Ubuntu Server

Mathias Gug mathias.gug at canonical.com
Wed Apr 28 18:24:21 UTC 2010


Hi Andreas,

On Wed, Apr 28, 2010 at 02:32:27PM -0300, Andreas Hasenack wrote:
> 
> In fact, one of the things we talked about in the past UDSs, and which
> was done on the slapd package, is to make it so that other packages
> could hook into slapd and fill it with their schema and trees. This is
> possible because of the LDAPI authentication we have in place, which
> maps root (unix id 0) to the ldap admin, so any client that runs as root
> and connects to the LDAPI socket will be the ldap admin. Thus a package
> would be able to, say, inspect the existing schema, upload its own, etc.

I've slightly changed the behavior in Lucid: there isn't a mapping anymore (and
thus cn=localroot,cn=config has gone away). 

The actual sasl dn is used in the olcAccess for cn=config and the frontend database:

 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

> Think about that pdns-backend-ldap package asking in its postinst
> permission to configure the locally running ldap server for its needs,
> for example (with the default answer being "no, don't do that").
> 

Exactly. That's the main goal of moving to cn=config and adding an olcAccess
for the local root user:

  any package will be able to stick schemas and configure things in the local
  slapd instance.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
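The ldapi peercred mapping and the cn=config olcAccess rule discussed in this thread, as an added illustration (not code from the thread or from the slapd package): a postinst-style guard in POSIX shell that a package could run before loading its own schema. The function names are assumptions, as is the use of ldap-utils (ldapwhoami, ldapsearch, ldapadd) against the default ldapi:/// socket.

```shell
#!/bin/sh
# Added example: guard a package's schema load against the local slapd over LDAPI.
# Assumes ldap-utils and the default socket address ldapi:///.

# DN that SASL EXTERNAL assigns to a root-owned ldapi connection (from the thread).
LOCALROOT_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# 0 when an `ldapwhoami -Y EXTERNAL -H ldapi:///` result ($1) is the local root peer.
is_local_root_peer() {
    [ "$1" = "dn:$LOCALROOT_DN" ]
}

# Join LDIF continuation lines (leading space) so a long olcAccess value
# can be matched as a single line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# 0 when the LDIF on stdin has an olcAccess clause granting "manage" to the
# local root peercred DN, as the Lucid ACL quoted above does.
acl_grants_local_root() {
    unfold_ldif | grep -F 'olcAccess:' | grep -Fq "by dn.exact=$LOCALROOT_DN manage"
}

# Live: who does slapd think we are over the ldapi socket?
whoami_over_ldapi() {
    ldapwhoami -Q -Y EXTERNAL -H ldapi:/// 2>/dev/null
}

# Live: fetch one cn=config database entry with its olcAccess values,
# e.g. 'olcDatabase={0}config' or 'olcDatabase={-1}frontend'.
fetch_db_entry() {
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "$1,cn=config" -s base olcAccess 2>/dev/null
}

# Refuse to touch the server unless both checks pass; $1 is the schema LDIF file.
load_schema_if_permitted() {
    is_local_root_peer "$(whoami_over_ldapi)" \
        || { echo "not mapped to local root over ldapi" >&2; return 1; }
    fetch_db_entry 'olcDatabase={0}config' | acl_grants_local_root \
        || { echo "cn=config does not grant manage to local root" >&2; return 1; }
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}
```

A real postinst would ask the debconf question first and only call load_schema_if_permitted on a "yes" answer.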