Dieter Kluenter wrote:
Jaap Winius<jwinius@umrk.nl> writes:Hi all, This question has to do with syncrepl and the use of the rootdn option in slapd.conf. My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.Any database requires a rootdn but not a rootpw. If no rootdn is defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK.
No, and no. The only database that has a rootdn by default is back-config.
Your question should be "what is the function of rootdn?"
On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and
Because the consumer needs to be able to store anything it receives, regardless of ACLs.
does it make a difference what the name of the account is?
No.
For example, should it be the same as the binddn for syncrepl?
No.
For that matter, should rootpw also be set,
No, that's not required.
and should it then be the same as the credentials value used for syncrepl?
No.
The binddn within syncrepl has to have read access to the provider database and this should not be rootdn of the provider, rootdn of the consumer manages the consumer database only.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/