
Re: Monitor Backend



Hi, 
On Tuesday 07 January 2003 08:51, Pierangelo Masarati wrote:
> > Hi,
> > I'm using OpenLDAP-2.1.3 and I have added a "database monitor"
> > directive to my slapd.conf, which works fine. But when adding a rootdn
> > and rootpw directive, slapd complains with "rootpw can only
> > be set when rootdn is under suffix", but the README says:
> > -.-.-.-.-.-.-.--.-.-.-.-.-.-.-.-.-.-.-.-
> >  the backend supports the rootdn/rootpw
> > directives (only simple bind at present).
> > -.--.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> > and
> > -.-.-.-.-.-.--.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> > The suffix "cn=Monitor" is implicitly activated (it cannot be given as
> > a suffix of the database as usually done for conventional
> > backends).
> > -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> >
> > How can I bind to the backend, as I don't want world read access?
>
> Dunno about 2.1.3, didn't go that far; with 2.1.10/HEAD
> it works fine:
>
> <slap.conf>
> database monitor
> rootdn  "cn=administrator,cn=monitor"
> rootpw  secret
> </slap.conf>
>
> BTW, note that you don't need to use the rootdn to protect
> your monitor backend; since it supports regular ACL, you can
> add "access" directives that refer to entries in other
> databases (assuming your configuration includes other databases).

IIRC there has been a small change in one of the 2.1.x versions:
Previously you could have more than one rootdn / rootpw pair,
even with the same DN.
With the current versions you are only allowed a rootpw directive
when the rootdn is below the suffix of the named database.

So PM's example will not work any more with a DN of "cn=Administrator,c=DE".
You can make it work again if you define the rootdn / rootpw pair where
it belongs and only have the rootdn directive elsewhere:

<slapd.conf>
database ldbm
suffix "c=DE"
directory /var/lib/openldap/DE
rootdn "cn=Administrator,c=DE"
rootpw secret

database monitor
rootdn "cn=Administrator,c=DE"
</slapd.conf>

For me this works even with more than one ldbm database and other databases.

Yours
Peter

-- 
Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@adpm.de
D-97072 Würzburg    |   Tel:   +49 931 14721
PGP: 0BB1 04A3 0FB0 E27F 8018 52BA A286 7B23 9C22 2C83
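
As an added example (not part of the original message and not OpenLDAP code), a small Python check for the rule discussed in this thread: it flags any `database` section in slapd.conf text that sets `rootpw` while its `rootdn` is not under one of that database's suffixes, treating `cn=Monitor` as the implicit suffix of the monitor backend. The function names, the simplified DN comparison and the sample configuration are assumptions made for the example.

```python
import shlex
# Implicit suffix of the monitor backend, per the README quoted in the thread.
IMPLICIT_SUFFIXES = {"monitor": ["cn=Monitor"]}
# Constructed sample: monitor database with a rootpw but a rootdn under c=DE.
SAMPLE = '''
database ldbm
suffix "c=DE"
rootdn "cn=Administrator,c=DE"
rootpw secret

database monitor
rootdn "cn=Administrator,c=DE"
rootpw secret
'''

def rdns(dn):
    # Simplified DN normalisation: case-folded RDNs, no escaped commas.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, suffix):
    # Assumption: a DN equal to the suffix counts as "under" it.
    d, s = rdns(dn), rdns(suffix)
    return bool(s) and d[-len(s):] == s

def parse_databases(text):
    """Collect backend, suffixes, rootdn and rootpw presence per database."""
    dbs = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # quotes and '#' comments
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "database" and args:
            backend = args[0].lower()
            dbs.append({"backend": backend, "rootdn": None, "rootpw": False,
                        "suffixes": list(IMPLICIT_SUFFIXES.get(backend, []))})
        elif dbs and key == "suffix":
            dbs[-1]["suffixes"] += args
        elif dbs and key == "rootdn" and args:
            dbs[-1]["rootdn"] = args[0]
        elif dbs and key == "rootpw":
            dbs[-1]["rootpw"] = True
    return dbs

def rootpw_violations(text):
    """Return (backend, rootdn) where rootpw is set but rootdn is outside the suffixes."""
    return [(db["backend"], db["rootdn"]) for db in parse_databases(text)
            if db["rootpw"] and not (db["rootdn"] and any(
                is_under(db["rootdn"], s) for s in db["suffixes"]))]
```

Continuation lines and `include` directives are not handled; run it over a flattened configuration before restarting slapd.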