Re: root-only configuration

[Peter Mogensen <apm@mutex.dk>]

Pierangelo Masarati wrote:
> Peter Mogensen wrote:
>
> > Only question now is if this is enough to prevent people from binding 
> > as cn=config on ldap://<public-IP>/,  where the server is also listening.
>
> Omit rootpw in config database and no one will be able to bind as 
> cn=config.

Yes... that one was obvious.
But that was not what I wanted.
What I wanted was to "simulate" the old slapd.conf situation where only 
root (or who ever the OS gave permissions) could configure slapd.

So I wanted to prevent binds to cn=config from anywhere but ldapi:///

In an ordinary database I can do that with ACL's and create an object 
for the rootdn to which I limit auth priviledges.

But the cn=config database is obviously not normal.

Using SASL/EXTERNAL and authz-regexp seems to do the trick (as I described).

/Peter

PS: Only now I'm struggling to make cn=config binds possible remotely 
with TLS client ceritifcates. GNUTLS seems to complain:
"TLS: can't accept: A TLS packet with unexpected length was received.."
But that's another story.