Re: Monitor Backend
> Hi,
>
> On Tuesday 07 January 2003 19:27, you wrote:
>> I disagree. I'm currently using HEAD code, and I can have
>> rootdn/rootpw pairs in monitor database with other databases
>> defined as well.
>
> I had multiple rootpw/rootdn pairs, all pointing to the same DN.
> After an upgrade (I do not remember the exact version)
> slapd complained about rootpw being only allowed with
> rootdn below the database's suffix (the same message
> the original poster received) and did not want to start.
> The only remedy I found was to delete the rootpw directive
> where the DN of the rootdn directive was not below the
> database suffix.
>
> Have a try:
>
> <slapd.conf>
> database ldbm
> suffix "c=DE"
> directory /var/lib/openldap/DE
> rootdn "cn=Administrator,c=DE"
> rootpw secret
>
> database monitor
> rootdn "cn=Administrator,c=DE"
> </slapd.conf>
>
> and
>
> <slapd.conf>
> database ldbm
> suffix "c=DE"
> directory /var/lib/openldap/DE
> rootdn "cn=Administrator,c=DE"
> rootpw secret
>
> database monitor
> rootdn "cn=Administrator,cn=monitor"
> rootpw secret
> </slapd.conf>
>
> will work while
>
> <slapd.conf>
> database ldbm
> suffix "c=DE"
> directory /var/lib/openldap/DE
> rootdn "cn=Administrator,c=DE"
> rootpw secret
>
> database monitor
> rootdn "cn=Administrator,c=DE"
> rootpw secret
> </slapd.conf>
>
> will fail and give the error message cited above.
> The reason for failing is that in the last example the DN of the rootdn
> directive is not in cn=Monitor. Thus rootpw is forbidden in this
> database / suffix.

Sorry, I misunderstood. What I meant in a previous posting,
is that there's no need to have a monitor database rootdn
(which must be in the "cn=monitor" naming context) if what's
required is access control; one can do

database <smtg>
suffix "dc=my,dc=org"
rootdn "cn=root,dc=my,dc=org"
rootpw secret

database monitor
access to dn.subtree=cn=monitor
        by dn.exact=cn=root,dc=my,dc=org write
        by dn.subtree=dc=my,dc=org read
        by * none

P.M.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
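
An added example, not part of the original thread and not OpenLDAP code: a small Python check for the rule discussed above, that rootpw is only accepted when the database's rootdn lies under its suffix, with cn=monitor taken as the monitor database's naming context. The function names, the simplified DN comparison and the sample config (constructed from the failing layout quoted in the thread) are assumptions; continuation lines and escaped commas in DNs are not handled.

```python
import shlex

# Constructed sample: the failing layout quoted in the thread.
FAILING = '''
database ldbm
suffix "c=DE"
directory /var/lib/openldap/DE
rootdn "cn=Administrator,c=DE"
rootpw secret

database monitor
rootdn "cn=Administrator,c=DE"
rootpw secret
'''

def norm(dn):
    # Simplified normalisation (assumption): lowercase, trim each RDN.
    return ",".join(part.strip().lower() for part in dn.split(","))

def under(dn, suffix):
    # True when dn equals the suffix or is a descendant of it.
    dn, suffix = norm(dn), norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def parse(text):
    # Collect suffix/rootdn/rootpw per "database" section; other directives are ignored.
    dbs = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) < 2:
            continue
        key = tok[0].lower()
        if key == "database":
            db = {"type": tok[1].lower(), "suffix": [], "rootdn": None, "rootpw": False}
            if db["type"] == "monitor":
                db["suffix"].append("cn=monitor")  # implicit naming context
            dbs.append(db)
        elif dbs and key == "suffix":
            dbs[-1]["suffix"].append(tok[1])
        elif dbs and key == "rootdn":
            dbs[-1]["rootdn"] = tok[1]
        elif dbs and key == "rootpw":
            dbs[-1]["rootpw"] = True  # the password value is never stored
    return dbs

def check(text):
    # Report (index, type, rootdn) for each database that sets rootpw
    # while its rootdn is outside every suffix of that database.
    return [(i, db["type"], db["rootdn"])
            for i, db in enumerate(parse(text))
            if db["rootpw"] and db["rootdn"]
            and not any(under(db["rootdn"], s) for s in db["suffix"])]
```

Running `check(FAILING)` reports the monitor section; the other two layouts quoted in the thread produce no findings.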