Re: root-only configuration
- To: Aaron Richton <firstname.lastname@example.org>
- Subject: Re: root-only configuration
- From: Peter Mogensen <email@example.com>
- Date: Wed, 11 Mar 2009 14:32:07 +0100
- Cc: firstname.lastname@example.org
- In-reply-to: <Pine.SOC.email@example.com>
- References: <499A8550.firstname.lastname@example.org> <Pine.SOC.email@example.com>
- User-agent: Thunderbird 126.96.36.199 (X11/20090105)
Aaron Richton wrote:
> On Tue, 17 Feb 2009, Peter Mogensen wrote:
>> With slapd.conf you had to be root on the host to reconfigure slapd.
>> However, with cn=config anyone who can authenticate as rootdn for
>> cn=config can reconfigure slapd.
>>
>> Is it in any way possible to set up cn=config, so only root on the host
>> can make changes?
>
> Same as with a "real" backend; don't set a rootpw, and ACL it so that
> only a suitably-permissioned ldapi:/// listener has write access. Note
> that this will likely involve some combination of OpenLDAP ACL and OS

Having tried an endless number of configurations, I simply cannot get
this to work.

I have no problem getting this procedure to work in other databases:

But limiting cn=config access to ldapi:/// ... no luck.

Does someone have a working example of this?
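
The setup described in the quoted advice (no rootpw, write access only through ldapi:///), written out as an added example that is not part of the original thread. It assumes an OpenLDAP 2.4-style cn=config, a slapd started with an ldapi:/// listener, and an operating system that passes peer credentials on Unix sockets.

```ldif
# Constructed example, not taken from the thread.
#
# Assumptions: slapd listens on ldapi:/// (for example started with
# -h "ldapi:/// ldap:///") and the config database is
# olcDatabase={0}config.
#
# Load this as part of the initial configuration (slapadd -n 0); an
# ldapmodify would itself need write access to cn=config first.
#
# No olcRootPW attribute is present. The rootdn bypasses ACLs, so it
# must have no password that could be used for a simple bind.
#
# A SASL EXTERNAL bind over ldapi:/// yields the authorization DN
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# built from the Unix credentials of the connecting process. uid 0 and
# gid 0 is root on the host; every other identity gets no access.
#
# Afterwards root on the host changes the configuration with:
#   ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
```

Running `ldapwhoami -Y EXTERNAL -H ldapi:///` as root shows the DN slapd derived from the socket, which is the value the `by dn.exact=` clause has to match.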