[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Controlling rootdn access

To: openldap-technical@openldap.org
Subject: Re: Controlling rootdn access
From: Michael Hierweck <michael@hierweck.de>
Date: Mon, 09 Nov 2015 08:14:26 +0100
In-reply-to: <563DD4BE.8010001@stroeder.com>
References: <563AFD46.9080806@hierweck.de> <563DBE76.2070502@meddeb.net> <563DD4BE.8010001@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0

On 07.11.2015 11:38, Michael Ströder wrote:
>
> There is no such thing as a pseudo rootdn.
> 
> 1. Either you have rootdn directive set or not.
> Note: It is needed for some overlays.
> 
> 2. Either you have rootpw directive set or not.
> 
> I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
> 
> authz-regexp
>   "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
>   "cn=root,dc=example,dc=com"
> 
> Then user root can always locally authenticate without a password like this:
> 
> ldawhoami -H ldapi:// -Y EXTERNAL

Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com
in that setup?

Michael

Follow-Ups:
- Re: Controlling rootdn access
  - From: Michael Ströder <michael@stroeder.com>

References:
- Controlling rootdn access
  - From: Michael Hierweck <michael@hierweck.de>
- Re: Controlling rootdn access
  - From: Abdelhamid Meddeb <abdelhamid@meddeb.net>
- Re: Controlling rootdn access
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: OpenLDAP & SSSD Question
Next by Date: Re: OTP broken?
Index(es):
- Chronological
- Thread