[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Can domain admins be filtered out with ACLs?
--On Thursday, April 16, 2015 9:28 PM +0200 Igor Shmukler
<igor.shmukler@gmail.com> wrote:
Hi,
For those, for mind find this thread through google and like me
overwhelmed with information won't understand the documentation.
The RootDN cannot be restricted from having privileges under OpenLDAP
2.4. Hence, ACLs won't do anything for RootDN. This is documented.
From the slapd.access(5) man page:
Be warned: the rootdn can always read and write EVERYTHING!
From the OpenLDAP 2.4 Admin Guide section on Access Control:
<http://www.openldap.org/doc/admin24/access-control.html>
The default access control policy is allow read by all clients. Regardless
of what access control policy is defined, the rootdn is always allowed full
rights (i.e. auth, search, compare, read and write) on everything and
anything.
So, it seems to me, it is quite clearly documented in multiple locations.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration