Re: restrict rootdn binds by connection source IP address?

[Howard Chu <hyc@symas.com>]

Aaron Richton wrote:
> > I'm new and stupid, but why not just put an admin account in ldap and ditch
> > the rootdn?

> Many sites choose to do exactly this. It depends whether you consider an
> ACL override capability more useful (which it argubly is) or dangerous
> (which it argubly is).

> One question I pose to the list in light of recent features: Let's say you
> use (2.4, ACL-aware) back-config and totally flub the ACL config. This
> should be correctable with the rootdn (which will trump the broken ACL
> config). If you choose to not configure a rootdn, do you find yourself in
> a mandatory restart situation that might otherwise be avoided?

That seems pretty obvious.

You can also lock yourself out by turning on the olcReadOnly attribute of the 
frontend DB. At that point, write operations are no longer accepted anywhere, 
so you cannot reset it without a manual edit and restart.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/