[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)

To: Turbo Fredriksson <turbo@bayour.com>
Subject: Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
From: Pierangelo Masarati <ando@sys-net.it>
Date: Tue, 06 Mar 2007 19:04:03 +0100
Cc: openldap-software@openldap.org
In-reply-to: <873b4is4k3.fsf@pumba.bayour.com>
References: <87fy8jwoak.fsf@pumba.bayour.com> <45EC858A.9050007@sys-net.it> <45ECA29A.9080800@sys-net.it> <873b4is4k3.fsf@pumba.bayour.com>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Turbo Fredriksson wrote:

Quoting Pierangelo Masarati <ando@sys-net.it>:

Pierangelo Masarati wrote:

Turbo Fredriksson wrote:

Also, I have a problem getting 'cn=Monitor' running.

Oops, the internal operation that registers specific per-database
monitoring runs an anonymous search in the monitor database, but your
ACLs disable anonymous access to the monitor database.  That operation
obviously needs to be privileged.


Actually, the internal search is run as the rootdn, but you didn't
configure any for the monitor database, while you should.


I never liked that part, that's why I started using Kerberos (so i didn't
have to have rootdn defined).

But can I have different 'rootdn' in my different places (need one for
syncrepl to, right?) with random DN's (that don't exists) without any
password defined in the config file?

Will any ACL's still be honored?


If I understand all this (we've had this discussion previously a while
back - LOONG way back :) this is only for internal use, right?

The rootdn is the rootdn. back-monitor uses it for the internal use I described earlier and for any other use a rootdn is good for. Of course, if you don't provide any means for anyone to authenticate as the rootdn (e.g. no rootpw and no means to map a SASL identity to the rootdn) it will only be used for internal purposes. "cn=Monitor" is just fine, you don't need any particularly fancy name.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Follow-Ups:
- Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
  - From: Turbo Fredriksson <turbo@bayour.com>

References:
- accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: accesslog overlay and 'logops all', Can't get get cn=Monitor running and problem with ppolicy (pwdAttribute)
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Re: syncrepl updates from consumer
Next by Date: Re: Syncrepl with SASL External - SOLVED
Index(es):
- Chronological
- Thread