[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: restrict rootdn binds by connection source IP address?

To: Jonathan Dobbie <jonathan_dobbie@mcad.edu>
Subject: Re: restrict rootdn binds by connection source IP address?
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Mon, 19 Nov 2007 13:26:43 -0500 (EST)
Cc: openldap-software@openldap.org
In-reply-to: <CEB9C675-9614-41F3-B1C5-FC68A940E65C@mcad.edu>
References: <47417C6C.2090401@altkom.pl> <Pine.SOC.4.64.0711191147310.26362@toolbox.rutgers.edu> <CEB9C675-9614-41F3-B1C5-FC68A940E65C@mcad.edu>

I'm new and stupid, but why not just put an admin account in ldap and ditch the rootdn?

Many sites choose to do exactly this. It depends whether you consider an ACL override capability more useful (which it argubly is) or dangerous (which it argubly is).

One question I pose to the list in light of recent features: Let's say you use (2.4, ACL-aware) back-config and totally flub the ACL config. This should be correctable with the rootdn (which will trump the broken ACL config). If you choose to not configure a rootdn, do you find yourself in a mandatory restart situation that might otherwise be avoided?

Follow-Ups:
- Re: restrict rootdn binds by connection source IP address?
  - From: Howard Chu <hyc@symas.com>

References:
- restrict rootdn binds by connection source IP address?
  - From: Aleksander Adamowski <aleksander.adamowski.openldap@altkom.pl>
- Re: restrict rootdn binds by connection source IP address?
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: restrict rootdn binds by connection source IP address?
  - From: Jonathan Dobbie <jonathan_dobbie@mcad.edu>

Prev by Date: Re: restrict rootdn binds by connection source IP address?
Next by Date: RE: Enabling TLS problem on openldap2-2.3.39
Index(es):
- Chronological
- Thread