
Re: Controlling rootdn access



Abdelhamid Meddeb wrote:
> Be careful with this kind of change and keep in mind that after deleting
> olcRootPW you don't have a true rootdn at all.
> A true rootdn doesn't need any explicit access rights from the ACLs, but the
> pseudo (new) rootdn needs them, and if no rule grants him access the operation
> fails.

There is no such thing as a pseudo rootdn.

1. Either you have the rootdn directive set or not.
Note: It is needed for some overlays.

2. Either you have the rootpw directive set or not.

I always use slapd -h "ldapi://..", omit rootpw, and have the following directive:

authz-regexp
  "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
  "cn=root,dc=example,dc=com"

Then the user root can always authenticate locally without a password like this:

ldapwhoami -H ldapi:// -Y EXTERNAL

Ciao, Michael.
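As an added example (not part of Michael's message and not OpenLDAP code), here is a POSIX shell simulation of what that authz-regexp does to the SASL authentication DN slapd derives from the Unix peer credentials of a client on ldapi://. It assumes the rootdn is cn=root,dc=example,dc=com as in the replacement string above, that slapd.conf's quoting turns "\\" into a single backslash (so the pattern contains a literal "+"), and that slapd compiles authz-regexp patterns as POSIX extended regexes; the uid/gid pairs it walks through are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenLDAP itself.
# Simulates the authz-regexp mapping from the message against the SASL
# authentication DN that slapd builds from the Unix peer credentials of a
# client connected over ldapi://.

# Assumed rootdn, as in the authz-regexp replacement string above.
ROOTDN='cn=root,dc=example,dc=com'

# The SASL authentication DN slapd builds for a peercred (EXTERNAL over ldapi)
# client: $1 = uid, $2 = gid of the connecting process.
peercred_dn() {
    printf 'gidnumber=%s+uidnumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# Apply the rule. The slapd.conf string "\\+" becomes "\+" in the regex, i.e. a
# literal plus sign (an unescaped "+" would be the ERE one-or-more quantifier
# and the pattern would never match the peercred DN). Assumption: slapd compiles
# the pattern as a POSIX extended regex. Only the exact uid 0 / gid 0 DN is
# rewritten; anything else is printed unchanged, which is what happens in slapd
# when no rule matches: the client keeps its raw peercred DN and the ACLs are
# evaluated against that DN.
authz_map() {
    printf '%s\n' "$1" \
    | sed -E 's/^gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth$/'"$ROOTDN"'/'
}

# Does the mapped identity equal the configured rootdn? If yes, slapd treats the
# session as the rootdn and skips ACL evaluation; otherwise the operation is
# subject to the access directives like any other DN. This is the distinction
# the thread is about, and it does not depend on whether rootpw is set.
is_rootdn() {
    [ "$1" = "$ROOTDN" ] && echo yes || echo no
}

# Walk a few constructed uid/gid pairs through the mapping. Note that a process
# in group 0 but with a non-zero uid does not become the rootdn.
demo() {
    for pair in '0 0' '1000 1000' '1000 0' '0 1000'; do
        set -- $pair
        raw=$(peercred_dn "$1" "$2")
        mapped=$(authz_map "$raw")
        printf 'uid=%s gid=%s -> %s (rootdn: %s)\n' "$1" "$2" "$mapped" "$(is_rootdn "$mapped")"
    done
}

demo
# The real check, on a host where slapd listens on ldapi:// (run as root; not
# executed here):
#   ldapwhoami -H ldapi:/// -Y EXTERNAL
```

The point of the simulation is the anchoring and the escaped plus: the rule maps exactly one peercred DN to the rootdn, and every other local client keeps its gidnumber=...+uidnumber=... identity, which only has the rights the ACLs grant it.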
