Re: (ITS#4962) inconsistent Bind(rootdn) behavior
> The "right" solution would be to protect the identity of the rootdn
> with ACLs, so that regular users cannot add/modify it.
Good idea, but that too depends on your policy. If you have a cron
job or whatever which updates entries, including that of the rootdn, you
may not want it to have full rootdn access. If nothing else, it's a bit
like logging in as root instead of as a regular user - if you screw up
you have the opportunity to create much more havoc.
I wonder if we need a rootpolicy config parameter to tune the details of
all this. Then we can set a fairly paranoid default, and people who
need it to work differently can override.
(Another thing I remember someone asked about was to only accept rootdn
login from some specific IP address. But now that I think of it, normal
ACLs could ensure that if he had the password in an entry instead of in
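The ACL approach sketched above, as an added slapd.conf example that is not part of the original message or of OpenLDAP's own configuration. It assumes a suffix of dc=example,dc=com, a rootdn of cn=Manager,dc=example,dc=com whose entry exists in the database, no rootpw directive (so a simple Bind as the rootdn is checked against the entry's userPassword and therefore passes through the ACLs), and 192.0.2.10 as the one host allowed to authenticate as the rootdn; all of these are assumed values.

```conf
# Added example, not from the ITS#4962 thread. Assumed suffix, rootdn and
# client address; adjust to your own directory.
database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
# Deliberately no rootpw: the rootdn's password lives in its entry, so
# Bind(rootdn) is evaluated by the backend and subject to the ACLs below.

# First match wins, so the rootdn-specific rules must come before the
# generic ones.

# Only a client at the assumed address may use the rootdn's password to
# Bind; nobody else gets any access to it, so it can be neither read
# nor modified by another identity (e.g. a cron job bound as a regular
# user that updates other entries).
access to dn.exact="cn=Manager,dc=example,dc=com" attrs=userPassword
    by peername.ip=192.0.2.10 auth
    by * none

# The rest of the rootdn entry is readable but not writable by anyone
# bound as another identity.
access to dn.exact="cn=Manager,dc=example,dc=com"
    by * read

# Ordinary users: may change their own password, anyone may use it to
# authenticate, nobody may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by * read
```

Two caveats a practitioner should keep in mind. The rootdn itself is exempt from ACL evaluation, so these rules constrain what other identities can do to the rootdn entry and which clients can complete a Bind as the rootdn; they cannot limit a session that has already bound as the rootdn. And if a rootpw directive is present, Bind(rootdn) is compared against it without consulting the entry, so the peername restriction on userPassword never applies.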