RE: restrict rootdn binds by connection source IP address?
I believe you can just not create a rootdn (or not define a password for
it? Or maybe define a password like {crypt}*NOLOGIN* (or an
md5/sha/ssha equivalent) that can't be used (not a valid hash)?), so you
effectively disable the rootdn, but create a normal account that has
full access to everything (except for the restrictions you want to
implement) to do what you would otherwise have used the rootdn for. Not
*quite* the same, but it may fit your needs?
Is there anything the rootdn can do that you can't grant via acls to a
"normal" account (other than ignore acls)?
- Jeff
-----Original Message-----
From: openldap-software-bounces+jeff_clowser=fanniemae.com@openldap.org [mailto:openldap-software-bounces+jeff_clowser=fanniemae.com@openldap.org] On Behalf Of Aaron Richton
Sent: Monday, November 19, 2007 11:48 AM
To: Aleksander Adamowski
Cc: openldap-software@openldap.org
Subject: Re: restrict rootdn binds by connection source IP address?
Only way to stop rootdn is to stop it from getting in in the first place: tcp wrappers/iptables/etc. Which of course do a lot more than rootdn, though...
On Mon, 19 Nov 2007, Aleksander Adamowski wrote:
> Hi!
>
> Knowing that rootdn always bypasses ACLs, is there any other way to restrict BIND operations that use rootdn to certain source IP addresses for clients?
>
> --
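The slapd.conf fragment below is an added example of the approach Jeff describes (it is not configuration from any participant in this thread): leave rootpw unset so nothing can bind as the rootdn, and instead give an ordinary entry (here cn=admin, a placeholder) full rights through ACLs, with the source-address restriction Aleksander asked for expressed via the peername.ip specifier from slapd.access(5). The suffix, DNs and the 10.0.0.0/24 management network are assumptions.

```conf
# Added example, not from the thread. DNs, suffix and the 10.0.0.0/24
# network are placeholders; adjust to your deployment.

database        bdb
suffix          "dc=example,dc=com"

# Keep a rootdn so slapadd/slapcat and tools that need one still work, but
# leave rootpw unset. Make sure this DN has no entry in the directory
# (otherwise its userPassword could be used to bind) and that no
# authz-regexp maps a SASL identity onto it.
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw        (intentionally unset)

# ACLs are evaluated in order; the first "access to" whose target matches
# wins, so the admin-specific rules must come before the generic ones.

# A simple bind needs "auth" access to the bind DN's userPassword.
# Granting it only to peers on the management network means the admin
# account cannot even authenticate from anywhere else.
access to dn.exact="cn=admin,dc=example,dc=com" attrs=userPassword
        by peername.ip=10.0.0.0%255.255.255.0 auth
        by * none

# Rootdn-equivalent rights for the admin account, again tied to the
# management network. Both conditions in the "by" clause must hold.
# Use "write" instead of "manage" on releases that lack the manage level.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" peername.ip=10.0.0.0%255.255.255.0 manage
        by * break

# Ordinary users: change their own password, anonymous may authenticate.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

Unlike the tcp wrappers/iptables route Aaron mentions, this only constrains the privileged account: other clients keep connecting normally from anywhere. The trade-off is that a real rootdn is still absent, so anything that genuinely needs to bypass ACLs (rather than merely have every privilege granted) will not work through an LDAP bind.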