Re: root-only configuration

Mike Malsman wrote:
> On 11.Mar.2009, at 9:32 AM, Peter Mogensen wrote:
>> But limiting cn=config access to ldapi:/// ... no luck.
>>
>> Does someone have a working example of this?
>
> What does your 'access' directive look like?

access to dn.exact="cn=config" by peername.path="/var/run/slapd/ldapi" auth by * none

I've used this method before in "normal" databases, to control who can become rootdn, but it just won't work for cn=config.
Of course, I have to add a "userPassword" attribute to cn=config.ldif, but it seems to be ignored.
I've also tried to create a cn=root,cn=config object, but I have a problem finding a schema which is loaded which allows me to set userPassword.

If people on this list hadn't said that it was possible, I would probably have concluded by now that it is simply not possible to limit rootdn access to cn=config to ldapi:///.