Amending slapd config access

Doc/Sdi/ldap.xml

@@ -249,7 +249,8 @@ dpkg-reconfigure slapd
           <listitem>
             <para>Depending on your systems installation state you may want to
             add the dialog package which allows for feeding additional
-            parameters during package installations (e.g. credentials).</para>
+            parameters during package installations (e.g. admin's credentials
+            and base <xref linkend="glo_DN"/>).</para>
           </listitem>
 
           <listitem>
@@ -274,7 +275,7 @@ dpkg-reconfigure slapd
     </section>
 
     <section xml:id="ldapCompanyLdif">
-      <title>The <filename>.ldif</filename> file</title>
+      <title>Adding some content file</title>
 
       <para>The following file defines a part of our <code>betrayer.com</code>
       directory structure:</para>
@@ -334,8 +335,8 @@ mail: beam@betrayer.com</programlisting>
       <para>You may use <uri
       xlink:href="http://directory.apache.org/studio">Apache Directory
       Studio</uri> for testing a bind to your new <acronym>LDAP</acronym>
-      server by using <code>cn=Manager,dc=...</code> using your already
-      configured password.</para>
+      server by using <code>cn=admin,dc=...</code> using your server
+      installation password.</para>
 
       <para>After successful connecting the previously established
       <acronym>LDIF</acronym> file may be used to populate the server with
@@ -382,7 +383,7 @@ mail: beam@betrayer.com</programlisting>
     </section>
 
     <section xml:id="sdiLdapConfig">
-      <title><xref linkend="glo_LDAP"/></title>
+      <title><xref linkend="glo_LDAP"/> configuration</title>
 
       <para>In contrast to many other server configurations OpenLdap supports
       parameter configuration within its own database backend. In other words:
@@ -403,23 +404,53 @@ mail: beam@betrayer.com</programlisting>
       xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&amp;apropos=0&amp;sektion=0&amp;manpath=OpenLDAP+2.4-Release&amp;format=html">ldapmodify</command>
       using <filename>.ldif</filename> files. An alternate way requires
       altering the server's configuration
-      <filename>/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif</filename>
-      by e.g. a file <filename>olcDatabaseAdd.ldif</filename>:</para>
-
-      <programlisting language="none">dn: olcDatabase={0}config,cn=config
-changetype: modify
-add: olcRootDN
-olcRootDN: cn=admin,cn=config
--
+      <filename>/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif</filename>.
+      We start by gathering required information:</para>
+
+      <programlisting language="none">ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
+
+# {0}config, config
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
+ ,cn=auth manage by * break
+<emphasis role="bold">olcRootDN: cn=admin,cn=config</emphasis>
+
+# {1}mdb, config
+dn: olcDatabase={1}mdb,cn=config
+...
+<emphasis role="bold">olcRootDN: cn=admin,dc=hdm-stuttgart,dc=de
+olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw</emphasis>
+...</programlisting>
+
+      <para>The above lines appear near in the tail section. We see two
+      databases representing two different <xref linkend="glo_DIT"/>s namely
+      <code>cn=config</code> (the configuration database) and
+      <code>dc=hdm-stuttgart,dc=de</code> (containing actual directory
+      data).</para>
+
+      <para>The configuration database does have an <code>admin</code> entry
+      <code>olcRootDN: cn=admin,cn=config</code> but a corresponding
+      <parameter>olcRootPW</parameter> attribute is yet missing. This limits
+      configuration access to <code>localhost</code>.</para>
+
+      <para>External access requires adding this credential attribute value.
+      This first-time configuration change must be done locally by means of an
+      <xref linkend="glo_LDIF"/> file:</para>
+
+      <programlisting language="none">root@sdi8a:~# cat ~/add_olcRootPW.ldif
+dn: olcDatabase={0}config,cn=config
 add: olcRootPW
-olcRootPW: secret
+olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw
 
 </programlisting>
 
       <para>Activating this configuration my be effected by using <command
       xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&amp;apropos=0&amp;sektion=0&amp;manpath=OpenLDAP+2.4-Release&amp;format=html">ldapmodify</command>:</para>
 
-      <programlisting language="none">root: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcDatabaseAdd.ldif</programlisting>
+      <programlisting language="none">root@sdi8a:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ~/add_olcRootPW.ldif 
+modifying entry "olcDatabase={0}config,cn=config"</programlisting>
 
       <para>This activation in turn enables a new account:</para>
 
@@ -449,8 +480,9 @@ olcRootPW: secret
         </glossentry>
       </glosslist>
 
-      <para>We may now dynamically alter configuration parameters using e.g.
-      <link xlink:href="https://directory.apache.org/studio">Apache directory
+      <para>We may now dynamically alter server configuration parameters
+      remotely using e.g. <link
+      xlink:href="https://directory.apache.org/studio">Apache directory
       studio</link>:</para>
 
       <mediaobject>
@@ -458,6 +490,14 @@ olcRootPW: secret
           <imagedata fileref="Ref/Screen/ldapConfig.png"/>
         </imageobject>
       </mediaobject>
+
+      <para>A prominent configuration change candidate is our server's log
+      level: Depending on your success during subsequent exercises you may
+      want to adjust <parameter
+      xlink:href="http://www.zytrax.com/books/ldap/ch6/#loglevel">olcLogLevel</parameter>
+      appropriately. Mind <link
+      xlink:href="http://serverfault.com/questions/324608/how-do-i-get-openldap-on-centos-6-to-write-anything-to-its-log-files#answer-499902">using
+      olcLogFile</link>.</para>
     </section>
 
     <section xml:id="ldapFilter">