
Re: rootpw ignored if userPassword exists



On Fri, Jun 15, 2007 at 04:31:48PM +0200, Hallvard B Furuseth wrote:
> Andreas Hasenack writes:
> > I was just wondering if this is expected behaviour.
> 
> It's intended behaviour that rootdn can be the name of an entry and you
> can use that entry's password.

Agreed

> When both an entry and rootpw exist, backends are currently inconsistent
> about which one is used.  (Which backend are you using?  I thought it
> happened just with the LDIF backend.)

BDB

> > I find this a bit unexpected. Suppose someone manages to create an
> > entry matching rootdn. Then this person would be able to become
> > rootdn, bypassing the rootpw setting in slapd.conf.
> 
> I'll note that as an argument for having rootpw override the entry's
> dn:-)

Yes, exactly my thought.
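
The concern discussed above can be audited offline. The following is an added example, not part of the original thread or of the project's code: it reads the `rootdn` lines of a slapd.conf-style file and reports entries in an LDIF export that have the same DN and carry their own `userPassword`. The sample inputs are constructed, the function names are hypothetical, and the DN comparison is a simplification.

```python
import base64
import re

# Constructed sample inputs, not taken from the thread.
SLAPD_CONF = '''database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}constructed-placeholder
'''
LDIF_EXPORT = '''dn: cn=manager, dc=example,dc=com
objectClass: person
sn: manager
userPassword: {SSHA}constructed-placeholder

dn: uid=alice,dc=example,dc=com
objectClass: account
userPassword: {SSHA}constructed-placeholder
'''

def norm_dn(dn):
    """Simplified DN form (assumes no escaped commas or multi-valued RDNs)."""
    rdns = [r.split("=", 1) for r in dn.strip().strip('"').split(",")]
    return ",".join("=".join(p.strip().lower() for p in r) for r in rdns)

def root_dns(conf):
    """Every rootdn configured (one per database section)."""
    return {norm_dn(m.group(1)) for m in re.finditer(r"^\s*rootdn\s+(.+?)\s*$", conf, re.M)}

def entries(ldif):
    """Yield (dn, lower-cased attribute names) for each LDIF record."""
    unfolded = re.sub(r"\n ", "", ldif)  # join folded continuation lines
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, set()
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if name.lower() == "dn":  # "dn:: ..." carries a base64-encoded value
                dn = base64.b64decode(value[1:]).decode() if value[:1] == ":" else value.strip()
            else:
                attrs.add(name.lower())
        if dn:
            yield dn, attrs

def shadowing_entries(conf, ldif):
    """DNs of entries that match a rootdn and carry their own userPassword."""
    roots = root_dns(conf)
    return [dn for dn, attrs in entries(ldif)
            if norm_dn(dn) in roots and "userpassword" in attrs]
```

An empty result from `shadowing_entries` means no exported entry shares a DN with any configured rootdn while holding a password of its own.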