Re: root-only configuration
- To: Mike Malsman <email@example.com>
- Subject: Re: root-only configuration
- From: Peter Mogensen <firstname.lastname@example.org>
- Date: Tue, 17 Mar 2009 10:42:59 +0100
- Cc: email@example.com
- In-reply-to: <89492A86-A1D9-4996-98EC-4D3658E737D9@ni.enate.org>
- References: <499A8550.firstname.lastname@example.org> <Pine.SOC.email@example.com> <49B7BD57.firstname.lastname@example.org> <89492A86-A1D9-4996-98EC-4D3658E737D9@ni.enate.org>
- User-agent: Thunderbird 18.104.22.168 (X11/20090105)
Mike Malsman wrote:
> On 11.Mar.2009, at 9:32 AM, Peter Mogensen wrote:
>> But limiting cn=config access to ldapi:/// ... no luck.
>> Does someone have a working example of this?
>
> What does your 'access' directive look like?
access to dn.exact="cn=config"
    by peername.path="/var/run/slapd/ldapi" auth
    by * none
I've used this method before in "normal" databases, to control who can
become rootdn, but it just won't work for cn=config.
Of course, I have to add a "userPassword" attribute to cn=config.ldif,
but it seems to be ignored.
I've also tried to create a cn=root,cn=config object, but I have a
problem finding a schema which is loaded which allows me to set
If people on this list hadn't said that it was possible, I would
probably have concluded by now that it is simply not possible to limit
rootdn access to cn=config to ldapi:///.
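
Added example, not part of the original message and not taken from the OpenLDAP project: slapd does not apply access rules to the rootdn, so one way to confine cn=config to local root over ldapi:/// is to leave the config database without a rootdn password and grant access to the identity that SASL EXTERNAL derives from the Unix socket peer credentials. The entry name `olcDatabase={0}config` and the uid/gid of 0 are assumptions about the installation.

```ldif
# Constructed example of the config database entry (slapd.d layout assumed).
#
# No olcRootPW is set here, so there is no rootdn password to bind with
# over any listener. Administrative access comes only from the ACL below.
#
# The "by" clause matches the DN that slapd assigns to a client that
# connects over ldapi:/// and binds with SASL EXTERNAL. That DN is built
# from the peer's gid and uid on the Unix socket, so it can only be
# obtained by a local process running as that user (here: root, 0/0).
# A client arriving over ldap:// or ldaps:// never gets a
# cn=peercred,cn=external,cn=auth identity and falls through to
# "by * none".
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

# To check which identity slapd derived for the caller, run as root:
#   ldapwhoami -Y EXTERNAL -H ldapi:///
# To check that the config tree is readable with that identity:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base
```

If a rootdn password is also configured on the config database, a bind with it bypasses this ACL on every listener, so the restriction only holds when no such password exists.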