Hi,

On 07/11/2015 11:38, Michael Ströder wrote:
> Abdelhamid Meddeb wrote:
>> Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access right from the ACLs, but the pseudo (new) rootdn needs it, and if no rule grants him the access the operation fails.
>
> There is no such thing as a pseudo rootdn.

"pseudo rootdn" is not a thing of OpenLDAP or LDAP, it's a term used to simplify the explanation. I'm sorry for my explanation, which was not detailed enough. The "thing" designated by "pseudo rootdn" is an arbitrary DN entry which has *full* access to all "things" of the database and the config database.

> 1. Either you have the rootdn directive set or not. Note: it is needed for some overlays.
> 2. Either you have the rootpw directive set or not. I always use slapd -h "ldapi://..", omit rootpw and have the following directive:
>
> authz-regexp "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"

Can work also if the *change* of configuration follows the indicated step-by-step approach.

> Then user root can always locally authenticate without a password like this:
>
> ldapwhoami -H ldapi:// -Y EXTERNAL
>
> Ciao, Michael.

Cheers.
-- 
*Abdelhamid Meddeb*
http://www.meddeb.net
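As an added illustration (not part of the thread, and not code from either poster), the following cn=config LDIF puts the two approaches discussed above side by side: the local root user is mapped through SASL EXTERNAL over ldapi:// to a DN, olcRootPW is dropped, and the mapped DN is given what it needs. The database name olcDatabase={1}mdb, the suffix dc=example,dc=com and the use of cn=config over ldapi:// are assumptions; adjust them to the actual deployment.

```ldif
# Added example, not from the thread. Assumes slapd listens on ldapi://
# and that cn=config is modifiable via SASL EXTERNAL (assumption).

# 1. Map the local root user's peer credentials to a DN.
#    SASL EXTERNAL over ldapi:// presents uid 0 / gid 0 as
#    gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn=auth.
#    In cn=config the '+' is escaped with a single backslash; the doubled
#    backslash in the thread is slapd.conf string quoting.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth cn=root,dc=example,dc=com

# 2. Michael's variant: keep olcRootDN set to the very DN the regexp maps
#    to and delete olcRootPW. The mapped identity then IS the rootdn, so
#    it bypasses ACLs and no password hash is stored anywhere.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=example,dc=com
-
delete: olcRootPW

# 3. Abdelhamid's caveat: if the mapped DN is NOT the rootdn of a database
#    (his "pseudo rootdn"), it gets nothing implicitly and needs an
#    explicit grant. The config database is the usual case, since its
#    rootdn is normally cn=config, so grant the peercred identity manage
#    access there (assumed rule; order it ahead of existing olcAccess).
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn=auth" manage by * break
```

Apply it with `ldapmodify -H ldapi:/// -Y EXTERNAL -f file.ldif` as root, then verify the mapping with the check from the thread, `ldapwhoami -H ldapi:/// -Y EXTERNAL`: as root it should report cn=root,dc=example,dc=com; as any other local user it must not. The step 2 / step 3 distinction is the whole point of the exchange: a DN that equals olcRootDN needs no olcAccess rule, while any other DN, however privileged you intend it to be, is subject to the ACLs of every database it touches, including cn=config.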