How would one then add the initial database? What you suggest is all
fine and good if someone has a known good LDIF to start from, but a beginner
isn't going to, and will need to be able to get the error checking that
slapadd does not provide.

Hmm, being the author of a generic LDAP client I can say that it's really
hard to guide a newbie user to do the right thing when starting with an
*empty* DB.
But I appreciate any hints on how to do that, even if it requires setting
rootpw. ;-)
The only viable solution is to provide decent tooling for setting up a DB
with presets. If going this route you can also set up an admin group with
decent ACLs right from the start. And the setup process can run as root
connecting via LDAPI and using SASL/EXTERNAL for authc. Then running the
setup as system user root is the initial trust anchor for bootstrapping
the directory. Well, *you* already know all this and you probably guessed
it: that's how the Æ-DIR setup does it (and all automated setups I do
for customers).

Yeah, I prefer the ldapi:// + EXTERNAL route as well, but that becomes
somewhat more complicated (but of course not impossible) if you're using
different rootdns for cn=config vs the other databases. Some sites require
a high level of separation.
--Quanah
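The ldapi:// + SASL/EXTERNAL bootstrap described above, as an added example that is not code from this thread, from Æ-DIR or from OpenLDAP: the root system user's peercred identity is the trust anchor, an admin group gets manage rights on the user database from the start, and no rootpw is set, so cn=config and the user DB can keep separate rootdns. The suffix dc=example,dc=org, the {1}mdb database index, the admin group and account names are assumptions, as is a stock olcDatabase={0}config that already lets the peercred DN modify it.

```shell
# Added example (not from this thread or from Æ-DIR): seed an empty OpenLDAP DB
# over ldapi:// with SASL/EXTERNAL as root, granting an admin group manage rights
# from the start instead of rootpw. SUFFIX, {1}mdb, ADMINS and alice are assumed.
SUFFIX="dc=example,dc=org"
DC="${SUFFIX#dc=}"; DC="${DC%%,*}"   # first dc value, derived from SUFFIX
ADMINS="cn=admins,${SUFFIX}"
FIRST_ADMIN="uid=alice,${SUFFIX}"
# DN slapd assigns to uid 0/gid 0 on the ldapi socket (SASL/EXTERNAL peercred).
ROOT_PEERCRED="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# ACLs: root over ldapi manages cn=config and the user DB, the admin group the user DB only.
acl_ldif() {
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=${ROOT_PEERCRED} manage by * break

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=${ROOT_PEERCRED} manage by group.exact="${ADMINS}" manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by users read by * none
EOF
}
# First entries: suffix, the first admin account and the admin group.
seed_ldif() {
  cat <<EOF
dn: ${SUFFIX}
objectClass: dcObject
objectClass: organization
dc: ${DC}
o: ${DC}

dn: ${FIRST_ADMIN}
objectClass: inetOrgPerson
uid: alice
cn: Alice Admin
sn: Admin

dn: ${ADMINS}
objectClass: groupOfNames
cn: admins
member: ${FIRST_ADMIN}
EOF
}
apply_bootstrap() {
  acl_ldif  | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
  seed_ldif | ldapadd    -Q -Y EXTERNAL -H ldapi:///
}
```

Call `apply_bootstrap` as root on the slapd host; no bind DN or password is involved, and alice's password is set afterwards with ldappasswd by a group member or by root over ldapi.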