[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Monitor Backend

To: <peter.marschall@mayn.de>
Subject: Re: Monitor Backend
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 7 Jan 2003 20:53:14 +0100 (CET)
Cc: <ando@sys-net.it>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <200301071958.51207.peter.marschall@mayn.de>
References: <m3wuli3za4.fsf@marin.l4b.de> <200301071901.29850.peter.marschall@mayn.de> <48836.131.175.154.56.1041964036.squirrel@webmail.sys-net.it> <200301071958.51207.peter.marschall@mayn.de>

> Hi,
>
> On Tuesday 07 January 2003 19:27, you wrote:
>> I disagree.  I'm currently using HEAD code, and I can have
>> rootdn/rootpw pairs in monitor database with other databases
>> defined as well.
>
> I had multiple rootpw/rootdn pairs, all pointing to the same DN.
> After an upgrade (I do not remember the exact version)
> slapd complained about rootpw being only allowed with
> rootdn below the database's suffix (the same message
> the original poster received) and diod not want to start.
> The only remedy I found was to delete the rootpw directive
> where the DN of the rootdn directive was not below the
> database suffix.
>
> Have a try:
>
> <slapd.conf>
>   database ldbm
>   suffix "c=DE"
>   directory /var/lib/openldap/DE
>   rootdn "cn=Administrator,c=DE"
>   rootpw secret
>
>   database monitor
>   rootdn "cn=Administrator,c=DE"
> </slapd.conf>
>
> and
>
> <slapd.conf>
>   database ldbm
>   suffix "c=DE"
>   directory /var/lib/openldap/DE
>   rootdn "cn=Administrator,c=DE"
>   rootpw secret
>
>   database monitor
>   rootdn "cn=Administrator,cn=monitor"
>   rootpw secret
> </slapd.conf>
>
> will work while
>
> <slapd.conf>
>   database ldbm
>   suffix "c=DE"
>   directory /var/lib/openldap/DE
>   rootdn "cn=Administrator,c=DE"
>   rootpw secret
>
>   database monitor
>   rootdn "cn=Administrator,c=DE"
>   rootpw secret
> </slapd.conf>
>
> will fail and give the error message cited above.
> The reason for failing is that in the last example the DN of the rootdn
> directive is not in cn=Monitor. Thus rootpw is forbiddden in this
> database / suffix.

Sorry, I misunderstood.  What I meant in a previous posting,
is that there's no need to have a monitor database rootdn
(which must be in the "cn=monitor" naming context) if what's
required is access control; one can do

database <smtg>
suffix "dc=my,dc=org"
rootdn "cn=root,dc=my,dc=org"
rootpw secret

database monitor
access to dn.subtree=cn=monitor
    by dn.exact=cn=root,dc=my,dc=org write
    by dn.subtree=dc=my,dc=org read
    by * none

P.M.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: Monitor Backend
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- Monitor Backend
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: Monitor Backend
  - From: Peter Marschall <peter.marschall@mayn.de>
- Re: Monitor Backend
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Monitor Backend
  - From: Peter Marschall <peter.marschall@mayn.de>

Prev by Date: Re: ldap queries for group membership (was: Too many slapd processes)
Next by Date: Re: Monitor Backend
Index(es):
- Chronological
- Thread