diff --git a/Doc/Sdi/ldap.xml b/Doc/Sdi/ldap.xml index 219014dab0815ab219052f270387263446f63423..c4c3a8bc9ee27d4df4ba2c767c929427ec6dc8b0 100644 --- a/Doc/Sdi/ldap.xml +++ b/Doc/Sdi/ldap.xml @@ -249,7 +249,8 @@ dpkg-reconfigure slapd <listitem> <para>Depending on your systems installation state you may want to add the dialog package which allows for feeding additional - parameters during package installations (e.g. credentials).</para> + parameters during package installations (e.g. admin's credentials + and base <xref linkend="glo_DN"/>).</para> </listitem> <listitem> @@ -274,7 +275,7 @@ dpkg-reconfigure slapd </section> <section xml:id="ldapCompanyLdif"> - <title>The <filename>.ldif</filename> file</title> + <title>Adding some content file</title> <para>The following file defines a part of our <code>betrayer.com</code> directory structure:</para> @@ -334,8 +335,8 @@ mail: beam@betrayer.com</programlisting> <para>You may use <uri xlink:href="http://directory.apache.org/studio">Apache Directory Studio</uri> for testing a bind to your new <acronym>LDAP</acronym> - server by using <code>cn=Manager,dc=...</code> using your already - configured password.</para> + server by using <code>cn=admin,dc=...</code> using your server + installation password.</para> <para>After successful connecting the previously established <acronym>LDIF</acronym> file may be used to populate the server with @@ -382,7 +383,7 @@ mail: beam@betrayer.com</programlisting> </section> <section xml:id="sdiLdapConfig"> - <title><xref linkend="glo_LDAP"/></title> + <title><xref linkend="glo_LDAP"/> configuration</title> <para>In contrast to many other server configurations OpenLdap supports parameter configuration within its own database backend. In other words: 
@@ -403,23 +404,53 @@ mail: beam@betrayer.com</programlisting> xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html">ldapmodify</command> using <filename>.ldif</filename> files. An alternate way requires altering the server's configuration - <filename>/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif</filename> - by e.g. a file <filename>olcDatabaseAdd.ldif</filename>:</para> - - <programlisting language="none">dn: olcDatabase={0}config,cn=config -changetype: modify -add: olcRootDN -olcRootDN: cn=admin,cn=config -- + <filename>/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif</filename>. + We start by gathering required information:</para> + + <programlisting language="none">ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config + +# {0}config, config +dn: olcDatabase={0}config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: {0}config +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external + ,cn=auth manage by * break +<emphasis role="bold">olcRootDN: cn=admin,cn=config</emphasis> + +# {1}mdb, config +dn: olcDatabase={1}mdb,cn=config +... +<emphasis role="bold">olcRootDN: cn=admin,dc=hdm-stuttgart,dc=de +olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw</emphasis> +...</programlisting> + + <para>The above lines appear near in the tail section. We see two + databases representing two different <xref linkend="glo_DIT"/>s namely + <code>cn=config</code> (the configuration database) and + <code>dc=hdm-stuttgart,dc=de</code> (containing actual directory + data).</para> + + <para>The configuration database does have an <code>admin</code> entry + <code>olcRootDN: cn=admin,cn=config</code> but a corresponding + <parameter>olcRootPW</parameter> attribute is yet missing. This limits + configuration access to <code>localhost</code>.</para> + + <para>External access requires adding this credential attribute value. 
+ This first-time configuration change must be done locally by means of an + <xref linkend="glo_LDIF"/> file:</para> + + <programlisting language="none">root@sdi8a:~# cat ~/add_olcRootPW.ldif +dn: olcDatabase={0}config,cn=config add: olcRootPW -olcRootPW: secret +olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw </programlisting> <para>Activating this configuration my be effected by using <command xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html">ldapmodify</command>:</para> - <programlisting language="none">root: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcDatabaseAdd.ldif</programlisting> + <programlisting language="none">root@sdi8a:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ~/add_olcRootPW.ldif +modifying entry "olcDatabase={0}config,cn=config"</programlisting> <para>This activation in turn enables a new account:</para> @@ -449,8 +480,9 @@ olcRootPW: secret </glossentry> </glosslist> - <para>We may now dynamically alter configuration parameters using e.g. - <link xlink:href="https://directory.apache.org/studio">Apache directory + <para>We may now dynamically alter server configuration parameters + remotely using e.g. <link + xlink:href="https://directory.apache.org/studio">Apache directory studio</link>:</para> <mediaobject> @@ -458,6 +490,14 @@ olcRootPW: secret <imagedata fileref="Ref/Screen/ldapConfig.png"/> </imageobject> </mediaobject> + + <para>A prominent configuration change candidate is our server's log + level: Depending on your success during subsequent exercises you may + want to adjust <parameter + xlink:href="http://www.zytrax.com/books/ldap/ch6/#loglevel">olcLogLevel</parameter> + appropriately. Mind <link + xlink:href="http://serverfault.com/questions/324608/how-do-i-get-openldap-on-centos-6-to-write-anything-to-its-log-files#answer-499902">using + olcLogFile</link>.</para> </section> <section xml:id="ldapFilter">
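Review bot: in the @@ -249 hunk the new parenthetical "admin's credentials and base DN" is a useful addition, but the unchanged lead "Depending on your systems installation state" still needs "system's", and the item would be clearer if it said what the dialog package does for the reader (it lets the installer ask for these values) rather than only that it "allows for feeding additional parameters".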
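Review bot: the @@ -274 hunk renames the section to "Adding some content file", which is ungrammatical and drops the <filename>.ldif</filename> markup that the following paragraph ("The following file defines a part of our betrayer.com directory structure") still relies on; suggest "Adding content: the <filename>.ldif</filename> file" or simply "Adding directory content".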
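Review bot: the @@ -334 hunk now reads "by using cn=admin,dc=... using your server installation password", a doubled "using"; suggest "binding as cn=admin,dc=... with the password chosen during server installation". Since the document later introduces a second account cn=admin,cn=config, it is worth stating here that this bind targets the data database's rootDN (the olcRootDN: cn=admin,dc=hdm-stuttgart,dc=de shown in the sdiLdapConfig listing), not the configuration database.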
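Review bot: in the @@ -403 hunk, add_olcRootPW.ldif reuses the {SSHA} hash printed for the {1}mdb database's olcRootPW as the new olcRootPW of cn=admin,cn=config, so the configuration DIT and the directory DIT end up sharing one password, and a live hash is published in the documentation twice (the ldapsearch listing also prints it). Suggest generating a separate hash with slappasswd for the config account and replacing both hash values in the text with a placeholder such as {SSHA}<hash-from-slappasswd>. The new LDIF also drops the explicit "changetype: modify" line the previous version had; ldapmodify defaults to modify when invoked without -a, as the "modifying entry" output confirms, but keeping the line makes the intent explicit. Wording: "The above lines appear near in the tail section" should be "The above lines appear near the end of the output", and "is yet missing" reads better as "is still missing".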
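Review bot: the new olcLogLevel paragraph in the @@ -458 hunk tells readers to adjust the level "depending on your success during subsequent exercises" without naming a starting value or pointing out that, as the preceding paragraph says, changes made through cn=config apply dynamically; suggest giving one concrete level to start from and one sentence on why olcLogFile matters, rather than relying on the bare serverfault link. "Mind using olcLogFile" also reads oddly; "Note that you may need to set olcLogFile as well" is clearer.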