[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rootpw ignored if userPassword exists

To: openldap-software@openldap.org
Subject: Re: rootpw ignored if userPassword exists
From: Andreas Hasenack <ahasenack@terra.com.br>
Date: Fri, 15 Jun 2007 12:53:27 -0300
Content-disposition: inline
In-reply-to: <hbf.20070615odv8@bombur.uio.no>
References: <20070615140000.GE10308@mandriva.com.br> <hbf.20070615odv8@bombur.uio.no>
User-agent: Mutt/1.5.15 (2007-04-06)

On Fri, Jun 15, 2007 at 04:31:48PM +0200, Hallvard B Furuseth wrote:
> Andreas Hasenack writes:
> > I was just wondering if this is expected behaviour.
> 
> It's intended behavour that rootdn can be the name of an entry and you
> can use that entry's password.

Agreed

> When both an entry and rootpw exist, backends are currently inconsistent
> about which one is used.  (Which backend are you using?  I thought it
> happened just with the LDIF backend.)

BDB

> > I find this a bit unexpected. Suppose someone manages to create an
> > entry matching rootdn. Then this person would be able to become
> > rootdn, bypassing the rootpw setting in slapd.conf.
> 
> I'll note that as an argument for having rootpw override the entry's
> dn:-)

Yes, exactly my thought.

References:
- rootpw ignored if userPassword exists
  - From: Andreas Hasenack <ahasenack@terra.com.br>
- Re: rootpw ignored if userPassword exists
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: Replication: 1 DN for all slaves.
Next by Date: Apparent character loss in Windows implementation
Index(es):
- Chronological
- Thread