Re: Updatedn questions




Andrew Findlay wrote:
> 
> On Fri, Aug 09, 2002 at 01:48:34PM -0400, John Dalbec wrote:
> >
> > I've seen various statements that using the rootdn as an updatedn is bad
> > and that another DN should be used.  In the absence of an "updatepw"
> > slapd.conf option I assume I need to add a directory entry in order to
> > assign an update password.
> 
> Yes, that is the right thing to do.
> 
> >  How should I define the updatedn in the
> > directory?  What object class(es) should I use?
> 
> Any objectclass you think appropriate. organizationalRole would be a
> good choice, though if you want to store the password in the directory
> you will need to add simpleSecurityObject. Here is an example:
> 
> dn: cn=SLURPD,dc=example,dc=org
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> cn: SLURPD
> userPassword: {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm

Thanks.  Hopefully this is not a real password...
> 
> > Also: is it sufficient to add
> >
> > access to *
> >       by dn.exact=<updatedn> write
> >       by * none continue
> >
> > at the top of my ACLs?
> 
> You don't need to do that. updatedn is 'special' in the same way that
> rootdn is special: it can do anything at all to the backend under its
> control.

If this is true, then the Admin Guide needs to be updated.

From the 2.0 Admin Guide:

10.4.2. Set up the slave slapd

...

   4. Make sure the DN given in the updatedn directive has permission to
      write the database (e.g., it is listed as rootdn or is allowed
      access by one or more access directives).

Thanks,
John Dalbec
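
A check for step 4 of the Admin Guide excerpt quoted above, as an added example that is not part of the original message or of OpenLDAP: it reads a slave's slapd.conf and reports when updatedn is the same DN as rootdn, or when no access directive grants it write. It follows the Admin Guide wording rather than settling the question raised in the thread, and assumes a single database section and literal `by dn=` / `by dn.exact=` clauses; `check_updatedn`, its helpers and the sample config are constructed for illustration.

```python
import re

# Constructed sample slave config; the DNs and ACL mirror the ones in this thread.
SAMPLE_SLAVE = '''\
database ldbm
suffix "dc=example,dc=org"
rootdn "cn=Manager,dc=example,dc=org"
updatedn "cn=SLURPD,dc=example,dc=org"
access to *
    by dn.exact="cn=SLURPD,dc=example,dc=org" write
    by * none continue
'''

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def norm_dn(dn):
    """Crude DN normalisation: strip quotes, lowercase, no spaces after commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"').lower())

def check_updatedn(text):
    """Return a list of findings about the updatedn directive (empty if none)."""
    rootdn = updatedn = None
    writers = set()
    for line in logical_lines(text):
        key, rest = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "rootdn":
            rootdn = norm_dn(rest)
        elif key == "updatedn":
            updatedn = norm_dn(rest)
        elif key == "access":  # assumption: the dn value is a literal DN, not a regex
            for m in re.finditer(r'by\s+dn(?:\.exact)?=("[^"]*"|\S+)\s+write\b', rest, re.I):
                writers.add(norm_dn(m.group(1)))
    if updatedn is None:
        return ["no updatedn directive found"]
    if updatedn == rootdn:
        return ["updatedn is the same DN as rootdn"]
    if updatedn not in writers:
        return ["no access directive grants write to updatedn"]
    return []
```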