[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticating against slapd installed from package

To: openldap-software@OpenLDAP.org
Subject: Re: Authenticating against slapd installed from package
From: Atom Powers <apowers@digipen.edu>
Date: Thu, 20 Jul 2006 15:23:38 -0700
In-reply-to: <75c011400607201330v77de02b6x31f6b6098c610afc@mail.gmail.com>
References: <20060720145308.GK5308@localhost.localdomain> <87veps2s9z.fsf@rubin.l4b.de> <75c011400607201330v77de02b6x31f6b6098c610afc@mail.gmail.com>
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

Dennis Misc wrote:

> It seems that the binddn is listed on the database. Here is the relevant > output from the slapcat command:
I do hope that binddn is not rootdn, otherwise it would be a rather
bad idea.
[...]
Pardon my ignorance, what is the problem using the rootdn as binddn?

rootdn has full access to everything, you can't set acls to limit it's scope. It's like logging onto your server as "root"; you can do everything, but you could do anything. There is no protection against acidentally deleteing your entire system.

So you want to use a different account that has limited scope, especially if you are using a script to bind to the directory. Bugs in scripts == potentially destroyed data.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

References:
- Authenticating against slapd installed from package
  - From: Marc Tardif <marc@interunion.ca>
- Re: Authenticating against slapd installed from package
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: Authenticating against slapd installed from package
  - From: "Dennis Misc" <dennis.misc@gmail.com>

Prev by Date: Re: openldap 2.3.24 segfault on startup
Next by Date: Re: Authenticating against slapd installed from package
Index(es):
- Chronological
- Thread