What access is the rootdn allowed?
Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.

As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.

Alternatively, you can specify rootdn in slapd.conf without specifying a rootpw. Then you have to add an actual directory entry with the same dn, e.g.:

dn: cn=Manager,o=MyOrganization
cn: Manager
sn: Manager
objectClass: person
objectClass: top
userPassword: {SSHA}someSSHAdata

Then binding as the rootdn will require a regular bind to that DN, which in turn requires auth access to that entry's DN and userPassword, and this can be restricted via ACLs. E.g.:

access to dn.base="cn=Manager,o=MyOrganization"
  by peername.regex=127\.0\.0\.1 auth
  by peername.regex=192\.168\.0\..* auth
  by users none
  by anonymous none

The ACL above only allows binding as the rootdn from localhost and from 192.168.0.0/24; a bind from any other peer falls through to the "by anonymous none" clause and fails.
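To see how slapd walks those <by> clauses when a client binds as cn=Manager, here is an added example (not from the FAQ and not OpenLDAP's own code) that models the evaluation in Python. It assumes slapd's peername strings look like "IP=address:port" for TCP and "PATH=socket" for ldapi://, and that clauses are tried in order with the first matching <who> deciding the result.

```python
import re

# Constructed model of the <by> clauses from the ACL above, in the order
# slapd evaluates them: the first clause whose <who> part matches decides
# the access level, whether that level is "auth" or "none".
BY_CLAUSES = [
    ("peername.regex", r"127\.0\.0\.1", "auth"),
    ("peername.regex", r"192\.168\.0\..*", "auth"),
    ("users", None, "none"),
    ("anonymous", None, "none"),
]


def access_for(peername: str, authenticated: bool) -> str:
    """Return the access level the ACL grants to one connection.

    peername is the string slapd builds for the connection (assumed format:
    "IP=127.0.0.1:41234" for TCP, "PATH=/run/slapd/ldapi" for ldapi://).
    The regex clauses are searched unanchored, as the FAQ's patterns rely on,
    so "IP=" and the ":port" suffix do not need to appear in the pattern.
    """
    for who, pattern, level in BY_CLAUSES:
        if who == "peername.regex":
            if re.search(pattern, peername):
                return level
        elif who == "users" and authenticated:
            return level
        elif who == "anonymous" and not authenticated:
            return level
    return "none"  # nothing matched: slapd's implicit "by * none"


def can_bind_as_rootdn(peername: str) -> bool:
    """A simple bind starts on an anonymous connection, so the bind to
    cn=Manager succeeds only if the anonymous peer is granted auth."""
    return access_for(peername, authenticated=False) == "auth"
```

Note that a connection over ldapi:// carries a PATH= peername, matches neither regex, and is therefore refused by this ACL even though it is local.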

This document is: http://www.openldap.org/faq/index.cgi?file=761
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org