Re: root-only configuration

[Peter Mogensen <apm@mutex.dk>]

Howard Chu wrote:
> Peter Mogensen wrote:
> > Howard Chu wrote:
> > > Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix
> > > credentials to LDAP credentials.
> > >
> > > And don't mess around with "userPassword" when "rootpw" is what you 
> > > need.
> >
> > won't setting a rootpw allow anyone being able to guess it to connect on
> > any socket (TCP/UNIX) that slapd is listening on an bind as cn=config?
>
> Then just use SASL/EXTERNAL and don't use any passwords at all.

Ok. It seems this does what I want:

authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=config"
database config
rootdn "cn=config"
#rootpw none

$ ldapwhoami -YEXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=config


Only question now is if this is enough to prevent people from binding as 
cn=config on ldap://<public-IP>/,  where the server is also listening.

/Peter