Hi,

Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn does, and if no rule grants it access the operation fails.
IMHO, a careful way to do this is:

1/ With truerootdn bind, add a (pseudo) rootdn entry (dn: cn=pseudorootdn,o=organization) which is different from the true rootdn (dn: cn=truerootdn,o=organization and olcRootDN=cn=truerootdn,o=organization).
2/ With truerootdn bind, grant all access to all databases and the config database. A bit of testing is welcome at this level.
3/ With pseudorootdn bind, delete olcRootPW.
4/ Restrict access to cn=pseudorootdn,o=organization by peer as indicated in the linked page.
Cheers

On 05/11/2015 07:55, Michael Hierweck wrote:
Hi all,

I'm trying to improve security by restricting rootdn access to localhost. See: http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn%20access

But I can't delete the olcRootPW attribute from the olcDatabase object:

ldap_modify: Inappropriate matching (18)
additional info: modify/delete: olcRootPW: no equality matching rule

I suppose the access restriction to the rootdn's userPassword attribute does not take effect as the provided password will be compared against the olcRootPW attribute (directly).

Thanks in advance

Michael
-- 
Abdelhamid Meddeb
http://www.meddeb.net
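The four steps from the reply above, worked through as LDIF. This is an added example, not part of the thread and not OpenLDAP project code. It assumes the data database is olcDatabase={1}mdb,cn=config (the reply does not name it; check with an ldapsearch on cn=config), a hash produced by slappasswd in place of the placeholder, and the ACL syntax of slapd.access(5) as I know it (peername.ip matches TCP clients; an admin connecting over ldapi:// needs peername.path=<socket> instead). Step 3 is deliberately a whole-attribute delete with no value listed: slapd only needs an equality matching rule when asked to delete specific values, which is the "no equality matching rule" error quoted in the original message.

```ldif
# Added example, not code from the thread. Placeholders and database DNs
# are assumptions; adjust olcDatabase={1}mdb to your own suffix database.

# --- 01-add-pseudorootdn.ldif  (apply bound as cn=truerootdn,o=organization)
# Step 1: a separate entry that will take over the rootdn's job.
dn: cn=pseudorootdn,o=organization
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: pseudorootdn
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# --- 02-grant-manage.ldif  (apply bound as cn=truerootdn,o=organization)
# Step 2: grant pseudorootdn full ("manage") rights on the data database and
# on cn=config. Inserting at {0} with "by * break" keeps the existing rules
# in force for every other requester.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=pseudorootdn,o=organization" manage by * break

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=pseudorootdn,o=organization" manage by * break

# Test before going further, e.g.
#   ldapwhoami -x -D cn=pseudorootdn,o=organization -W
# and one harmless modify on both databases as that identity.

# --- 03-drop-rootpw.ldif  (apply bound as cn=pseudorootdn,o=organization)
# Step 3: delete the whole attribute, no value given. A value-level delete
# would be refused with "no equality matching rule" because olcRootPW has
# no EQUALITY rule in the config schema.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW

# --- 04-restrict-peer.ldif  (apply bound as cn=pseudorootdn,o=organization,
#                             from localhost)
# Step 4: only connections from 127.0.0.1 may authenticate as pseudorootdn.
# At bind time the requester is still anonymous, so the dn.exact clause does
# not match; it only lets pseudorootdn manage its own password once bound.
# This rule must sit before the "to * ... manage" rule, hence {0}.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="cn=pseudorootdn,o=organization" attrs=userPassword
  by dn.exact="cn=pseudorootdn,o=organization" manage
  by peername.ip=127.0.0.1 auth
  by * none
```

Apply each file with its own ldapmodify invocation, since the bind identity changes between steps. After step 4, a bind as cn=pseudorootdn from any other address should fail with Invalid credentials (49) even with the correct password, while the same bind from localhost still succeeds; run both checks before closing the session that performed step 4, because after step 3 there is no olcRootPW left to fall back on.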