
Re: root-only configuration



Aaron Richton wrote:
On Tue, 17 Feb 2009, Peter Mogensen wrote:

With slapd.conf you had to be root on the host to reconfigure slapd.
However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd.


Is it in any way possible to set up cn=config, so only root on the host can make changes?

Same as with a "real" backend; don't set a rootpw, and ACL it so that only a suitably-permissioned ldapi:/// listener has write access. Note that this will likely involve some combination of OpenLDAP ACL and OS permissions both.

Having tried an endless number of configurations, I simply cannot get this to work.
I have no problem getting this procedure to work in other databases:
http://www.openldap.org/faq/data/cache/761.html


But limiting cn=config access to ldapi:///  ... no luck.

Does anyone have a working example of this?

/Peter
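Added example (not part of the original thread, and not an OpenLDAP project file): the configuration Aaron describes, written out as an ldapmodify LDIF against the config database. It assumes slapd is started with an ldapi listener (e.g. `slapd -h "ldap:/// ldapi:///" -F <slapd.d directory>`), that the config database is `olcDatabase={0}config,cn=config` (the default), and that cn=config currently has no olcRootPW set (if one is set, keep the `delete: olcRootPW` change; if not, drop that change, since deleting an absent attribute makes the whole modify fail). The only identity granted write access is the local root user as seen through SASL EXTERNAL peer credentials over the Unix socket, which is the mapping the FAQ entry linked above describes.

```ldif
# Added example, not from the original post. Apply as root on the host with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f config-acl.ldif
#
# Root connecting over ldapi:/// with SASL EXTERNAL is identified by slapd as
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# (check with: ldapwhoami -Y EXTERNAL -H ldapi:/// ). That DN gets "manage"
# on the whole config tree; everyone else gets nothing, including read.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
-
# Remove the rootpw so nobody can simple-bind as the config rootdn from the
# network. Omit this change if olcRootPW is not present on the entry.
delete: olcRootPW
```

Two checks are worth running after applying it. First, `ldapwhoami -Y EXTERNAL -H ldapi:///` as root must print the peercred DN above, and the same command as an unprivileged user must print a DN with that user's uid/gid and then fail on any write to cn=config. Second, a simple bind over ldap:/// as `cn=config` must return "Invalid credentials". The remaining caveats are on the OS side and in the rest of the config: the rootdn bypasses ACLs, so any olcAuthzRegexp or olcAuthzTo rule that maps some other identity onto cn=config reopens the hole, and the ldapi socket's file permissions should still be restricted to the users you intend to talk to slapd locally, because peercred identifies the caller but does not stop non-root users from reaching the listener.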