
Re: The RootDN



Hi Joseph,

I'm definitely no LDAP expert so I may be totally off with my answer but here's some information that's hopefully correct and may help you move forward.

On 08/29/2013 04:56 AM, Joseph D Carroll Jr wrote:
It's been 3 days since I first started reading and playing with
openLDAP.  Prior to this, I have had no ldap experience of any kind, so
please bear with me.  (Hopefully this doesn't reach a new low... )

Welcome to the wonderful world of (Open)LDAP.

I am working on setting up my first ldap server for a demo environment,

Make sure you use the latest version, even if that means you will need to compile it yourself or build packages. If you use CentOS then you can find the latest 2.4.36 RPMs at: http://ltb-project.org/wiki/

and I can't seem to wrap my head around what a rootdn is.  I have read
several articles, even much of the Zytrax book, and I still cannot
figure out what this rootdn is.

No need to read the Zytrax book. It's based on the OpenLDAP Admin Guide anyway so consider the OpenLDAP Admin Guide and OpenLDAP man pages your primary source of information.

The rootdn is in power similar to the root user on a Linux system. As rootdn you can do anything you want to the database for which it was defined and ACLs do not apply. So the rootdn is limited to the database for which it was defined. If you want to mess with for example the global settings of your OpenLDAP config then use cn=config which is kinda like the true root of the entire OpenLDAP config.

Although dated, I found the O'Reilly book LDAP System Administration
and the Packt book Mastering OpenLDAP quite useful to grasp some concepts and basic understanding. Be warned though, they only cover the old way of configuring OpenLDAP using slapd.conf and not the new OLC aka on-line configuration way as used in 2.4.36.

I get that it is a user, so maybe better stated, I don't understand
where the user exists.  Is it an OS user with filesystem privileges?

No, it exists solely in OpenLDAP.

Is it a user that exists in every DIT?

If you have a database defined in your DIT then I would say yes.

If so, when/where is it used

You can use it to manage a configured database kinda like the root user on a regular Linux system. The difference is that the root user has access to everything (scope is the entire box) while the rootdn user's scope is the database for which it was defined. If you use the same name and password for each rootdn in each database definition then you can use those credentials to access all those databases. Sorta one rootdn to rule them all (databases that is).

can you have multiple,

AFAIK there is only one per database definition. Just like there is only one root account per server/VM. If you have multiple database definitions then you can have multiple rootdn accounts, one for each database.

is it only usable/accessible when you "include" the
core.schema, .. ?

AFAIK schemas have nothing to do with it. The rootdn account is usable when it is part of the database definition.

If I had to guess, I would say:
   - A rootdn exists in the DIT as a completely arbitrary user
(absolutely no relation to the OS)

Yes.

   - There can only be one rootdn per DIT

No, if you have multiple databases defined then you can have one rootdn for each database.

   - (Consequently) If a parent defines a rootdn, any referral cannot
   - The rootdn is used for some kind of system action (who knows what)

Not sure what you mean here (sorry, English is not my first language).

I know this is the "technical" forum, but I am more so interested in the
"why to's" and "reasons behind" than the "how to's".

I guess you could read the RFCs for that information.

Any clarity would be greatly appreciated.

Hope this provides some clarity and that my answers are correct so as to be of any actual help. If not, hopefully the gurus on this list will correct me.

Regards,
Patrick
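The "one rootdn per database definition" point made above, shown as an added cn=config (OLC) example that is not part of the original thread; the suffixes, rootdn names, directories and the password hash value are placeholders, and a real hash is produced with slappasswd:

```ldif
# Added example (not from the thread): two MDB databases under cn=config,
# each with its own rootdn. A rootdn bypasses ACLs only inside the
# database whose entry declares it; it has no special rights elsewhere.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap/example
# The rootdn is purely an OpenLDAP identity: it is not an OS account and
# does not even need to exist as an entry in the DIT.
olcRootDN: cn=admin,dc=example,dc=com
# Weak: a cleartext password in the config database
#   olcRootPW: secret
# Preferred: store only a hash (slappasswd -h {SSHA} -s <password>)
olcRootPW: {SSHA}PLACEHOLDER-REPLACE-WITH-SLAPPASSWD-OUTPUT

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=demo,dc=org
olcDbDirectory: /var/lib/ldap/demo
# A separate rootdn for the second database; using the same name and
# password in both definitions would be the "one rootdn to rule them all"
# setup described in the reply, which widens the blast radius of that one
# credential to every database that shares it.
olcRootDN: cn=admin,dc=demo,dc=org
olcRootPW: {SSHA}PLACEHOLDER-REPLACE-WITH-SLAPPASSWD-OUTPUT
```

Binding as cn=admin,dc=example,dc=com and searching under dc=demo,dc=org is subject to the second database's ACLs like any other user. Which rootdn each database actually declares can be audited with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix olcRootDN`.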