[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root-only configuration

Aaron Richton wrote:
On Tue, 17 Feb 2009, Peter Mogensen wrote:

With slapd.conf you had to be root on the host to reconfigure slapd.
However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd.

Is it in anyway possible to set up cn=config, so only root on the host can make changes?

Same as with a "real" backend; don't set a rootpw, and ACL it so that only a suitably-permissioned ldapi:/// listener has write access. Note that this will likely involve some combination of OpenLDAP ACL and OS permissions both.

Having tried an endless number of configurations, I simply cannot get this to work.
I have no problem getting this procedure to work in other databases:

But limiting cn=config access to ldapi:///  ... no luck.

Do someone have a working example of this?