[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root-only configuration

To: Mike Malsman <zep@ni.enate.org>
Subject: Re: root-only configuration
From: Peter Mogensen <apm@mutex.dk>
Date: Tue, 17 Mar 2009 10:42:59 +0100
Cc: openldap-software@openldap.org
In-reply-to: <89492A86-A1D9-4996-98EC-4D3658E737D9@ni.enate.org>
References: <499A8550.5000200@mutex.dk> <Pine.SOC.4.64.0902171030460.10372@toolbox.rutgers.edu> <49B7BD57.4050307@mutex.dk> <89492A86-A1D9-4996-98EC-4D3658E737D9@ni.enate.org>
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

Mike Malsman wrote:

On 11.Mar.2009, at 9:32 AM, Peter Mogensen wrote:
But limiting cn=config access to ldapi:///  ... no luck.
Do someone have a working example of this?
/Peter
What does your 'access' directive look like?


access to dn.exact="cn=config"
       by peername.path="/var/run/slapd/ldapi" auth
       by * none

I've used this method before in "normal" databases, to control who can become rootdn, but it just won't work for cn=config. Of course, I have to add a "userPassword" attribute to cn=config.ldif, but it seems to be ignored. I've also tried to create a cn=root,cn=config object, but I have a problem finding a schema which is loaded which allows me to set userPassword.

If people on this list hadn't said that it was possible, I would probably have concluded by now that it is simply not possible to limit rootdn access to cn=config to ldapi:///.

/Peter

Follow-Ups:
- Re: root-only configuration
  - From: Howard Chu <hyc@symas.com>

References:
- Re: root-only configuration
  - From: Peter Mogensen <apm@mutex.dk>

Prev by Date: slapo-autogroup?
Next by Date: Re: root-only configuration
Index(es):
- Chronological
- Thread