
Re: Updatedn questions



On Fri, Aug 09, 2002 at 01:48:34PM -0400, John Dalbec wrote:
> 
> I've seen various statements that using the rootdn as an updatedn is bad
> and that another DN should be used.  In the absence of an "updatepw"
> slapd.conf option I assume I need to add a directory entry in order to
> assign an update password.

Yes, that is the right thing to do.

>  How should I define the updatedn in the
> directory?  What object class(es) should I use?

Any objectclass you think appropriate. organizationalRole would be a
good choice, though if you want to store the password in the directory
you will need to add simpleSecurityObject. Here is an example:

dn: cn=SLURPD,dc=example,dc=org
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: SLURPD
userPassword: {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm

> Also: is it sufficient to add
> 
> access to *
> 	by dn.exact=<updatedn> write
> 	by * none continue
> 
> at the top of my ACLs?

You don't need to do that. updatedn is 'special' in the same way that
rootdn is special: it can do anything at all to the backend under its
control.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
-----------------------------------------------------------------------