
Re: Authenticating against slapd installed from package



Dennis Misc wrote:
> It seems that the binddn is listed on the database. Here is the relevant
> output from the slapcat command:


I do hope that binddn is not rootdn, otherwise it would be a rather
bad idea.
[...]

Pardon my ignorance, what is the problem using the rootdn as binddn?


rootdn has full access to everything, you can't set acls to limit its scope. It's like logging onto your server as "root"; you can do everything, but you could do anything. There is no protection against accidentally deleting your entire system.


So you want to use a different account that has limited scope, especially if you are using a script to bind to the directory. Bugs in scripts == potentially destroyed data.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443
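
An added example, not part of the original message: one way to set up the limited-scope bind account described above, as a dedicated service entry plus ACLs that give it read-only access to a single subtree. The suffix `dc=example,dc=com`, the DNs, the `ou=people` subtree and the database index `{1}mdb` are all assumptions; substitute the values from your own `slapcat` output.

```ldif
# Constructed example. Every DN, the suffix dc=example,dc=com and the
# database name olcDatabase={1}mdb are assumptions, not values from the thread.
# The two records are separate operations: the first is applied to the
# directory itself, the second to cn=config.

# 1. Dedicated bind account for the script, used instead of the rootdn.
dn: cn=authproxy,ou=services,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: authproxy
description: Read-only bind account for the authentication script
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# 2. ACLs for the database. "replace" overwrites any existing olcAccess
#    values, so merge with the rules you already have before applying.
#    The rootdn bypasses these rules; the service account does not.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: usable for binding, never readable by the script.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# The script may read user entries in one subtree and nothing else.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=authproxy,ou=services,dc=example,dc=com" read
  by self read
  by anonymous auth
  by * none
# Everything else: bind only. No write access is granted to the script
# anywhere, so a bug in it cannot modify or delete entries.
olcAccess: {2}to *
  by anonymous auth
  by * none
```

With this in place the script binds as `cn=authproxy,...`, and a write or delete it attempts is refused with insufficient access rather than carried out.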