
Re: Updatedn questions



On Mon, Aug 12, 2002 at 02:34:13PM -0400, John Dalbec wrote:
> > 
> > >  How should I define the updatedn in the
> > > directory?  What object class(es) should I use?
> > 
> > Any objectclass you think appropriate. organizationalRole would be a
> > good choice, though if you want to store the password in the directory
> > you will need to add simpleSecurityObject. Here is an example:
> > 
> > dn: cn=SLURPD,dc=example,dc=org
> > objectclass: organizationalRole
> > objectclass: simpleSecurityObject
> > cn: SLURPD
> > userPassword: {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm
> 
> Thanks.  Hopefully this is not a real password...

It comes from an example in one of the courses I teach, so it is a
valid hash but I don't mind if you crack it :-)

> > > Also: is it sufficient to add
> > >
> > > access to *
> > >       by dn.exact=<updatedn> write
> > >       by * none continue
> > >
> > > at the top of my ACLs?
> > 
> > You don't need to do that. updatedn is 'special' in the same way that
> > rootdn is special: it can do anything at all to the backend under its
> > control.
> 
> If this is true, then the Admin Guide needs to be updated.
> 
> From the 2.0 Admin Guide:
> 
> 10.4.2. Set up the slave slapd
> 
> ...
> 
> 4. Make sure the DN given in the updatedn directive has permission to
>    write the database (e.g., it is listed as rootdn or is allowed
>    access by one or more access directives).

Good point - I should have included more of the slave slapd.conf in my
reply, which would have shown that I normally make updatedn and rootdn
the same on slaves. This policy also allows the bind password to be
given in slapd.conf, thus avoiding the need for updatedn to be listed
in the directory.

Here is part of slapd.conf from my example-slave config:

> database        ldbm
> suffix          "dc=example,dc=org"
> rootdn          "cn=SLURPD,dc=example,dc=org"
> rootpw          {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm
> 
> # The DN used by the remote SLURPD
> updatedn        "cn=SLURPD,dc=example,dc=org"
> # Where to refer updates to if anyone tries to make changes here
> updateref       ldap://localhost:3389/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
-----------------------------------------------------------------------
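An added check for the Admin Guide's step 4 quoted above, written for this page and not taken from the thread or from OpenLDAP: it parses a constructed slave slapd.conf and reports, per database, whether the updatedn is the rootdn or is granted write by an access directive. The sample config, the function names and the simplified ACL grammar (only `by dn[.exact]=<dn> <level>` clauses are recognised) are this example's own assumptions.

```python
import re
# Constructed sample: database 1 makes updatedn = rootdn, database 2 uses an access directive.
SAMPLE_CONF = """\
database   ldbm
suffix     "dc=example,dc=org"
rootdn     "cn=SLURPD,dc=example,dc=org"
updatedn   "cn=SLURPD,dc=example,dc=org"
database   ldbm
suffix     "dc=other,dc=org"
rootdn     "cn=Manager,dc=other,dc=org"
# The DN used by the remote slurpd
updatedn   "cn=replica,dc=other,dc=org"
access to *
    by dn.exact="cn=replica,dc=other,dc=org" write
    by * none
"""

def normalize_dn(dn):
    # Case-fold and drop spaces around commas so DN strings compare as DNs.
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def parse_databases(text):
    """One dict per 'database' section; indented lines continue the previous directive."""
    logical, dbs = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.rstrip())
    for entry in logical:
        key, value = (entry.split(None, 1) + [""])[:2]
        if key.lower() == "database":
            dbs.append({"access": []})
        elif dbs and key.lower() == "access":
            dbs[-1]["access"].append(value)
        elif dbs:
            dbs[-1][key.lower()] = value
    return dbs
def updatedn_can_write(db):
    """True if updatedn equals rootdn or a 'by dn[.exact]=<dn> write' clause covers it."""
    upd = normalize_dn(db.get("updatedn", ""))
    if not upd:
        return None  # no updatedn: this database is not a slave
    if normalize_dn(db.get("rootdn", "")) == upd:
        return True
    grants = re.compile(r'by\s+dn(?:\.exact)?=("[^"]*"|\S+)\s+(\w+)')
    return any(normalize_dn(who) == upd and level == "write"
               for acl in db["access"] for who, level in grants.findall(acl))
```

A database that returns False is the case the Admin Guide warns about: slurpd will bind as updatedn and every replicated change will be refused by the ACLs.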