Re: root dn password: which one is the reference?
hello,
thanks for the security advice.
I already have the "authz-regexp for LDAPI access with SASL/EXTERNAL
bind of user root" for local access.
I mainly use command line, but I kept the rootpw for when I'm lazy and
use the gui.
well, I guess one doesn't easily change for the better :-)
Fortunately, I'm rarely that lazy...
anyway, I'll follow your advice
Thanks again. see ya
2015-02-23 13:29 GMT+04:00 Michael Ströder <michael@stroeder.com>:
> Jephte Clain wrote:
>> I have an ldap server with rootdn cn=admin,dc=domain,dc=tld and password set
>> in cn=config (this is openldap 2.4.40 on debian squeeze)
>>
>> I have also the ldap object cn=admin,dc=domain,dc=tld in the database, with a
>> *different* password
>>
>> both passwords seem to authenticate. is this expected?
>
> IIRC it always worked like this.
>
>> Being able to regularly change the root dn password looks like a good thing
>> to me.
>
> If you want security then avoid using rootpw. There is no serious use-case
> where you have to bind as rootdn via remote LDAP. And for repairing defects
> locally use an authz-regexp for LDAPI access with SASL/EXTERNAL bind of user root.
>
> Ciao, Michael.
>
--
Regards,
Jephté Clain
Direction des Systèmes d'Information
et des Usages Numériques - 2IG
Tel. 0262 93 86 31
Fax. 0262 93 81 06
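
Added example, not part of the thread: a small audit that reads a cn=config export (assumed to come from `slapcat -n 0`) and reports which databases still carry `olcRootPW`, and whether an `olcAuthzRegexp` rule maps the local root SASL/EXTERNAL identity to a rootdn, so that dropping the password does not remove local admin access. The sample LDIF, the `hdb` backend and the function names are constructed for illustration.

```python
import re

# Identity slapd assigns to local uid 0 / gid 0 on a SASL/EXTERNAL bind over ldapi://
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Constructed sample in the shape of a cn=config export (not taken from the thread)
SAMPLE = """\
dn: cn=config
objectClass: olcGlobal
olcAuthzRegexp: {0}gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=domain,dc=tld

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcSuffix: dc=domain,dc=tld
olcRootDN: cn=admin,dc=domain,dc=tld
olcRootPW: {SSHA}CONSTRUCTED-PLACEHOLDER
"""

def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} dicts, one per LDIF entry."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)           # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.lstrip(": "))
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(text):
    """Flag databases that still carry olcRootPW; check the local-root mapping exists."""
    entries = parse_ldif(text)
    rootdns = {v.lower() for e in entries for v in e.get("olcrootdn", [])}
    result = {"rootpw_set": [], "peercred_maps_to_rootdn": False}
    for e in entries:
        if "olcrootpw" in e:
            result["rootpw_set"].append(e["dn"][0])
        for rule in e.get("olcauthzregexp", []):
            rule = re.sub(r"^\{\d+\}", "", rule)  # drop the {n} ordering prefix
            tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', rule)]
            try:  # Python's re only approximates slapd's POSIX regex matching
                hit = len(tokens) >= 2 and re.search(tokens[0], ROOT_PEERCRED, re.I)
            except re.error:
                hit = False
            if hit and tokens[1].lower() in rootdns:
                result["peercred_maps_to_rootdn"] = True
    return result

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A database listed under `rootpw_set` accepts the configured rootpw for its rootdn in addition to any `userPassword` on the matching entry, which is the behaviour described in the thread.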