[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root-only configuration

Howard Chu wrote:
$ ldapwhoami -YEXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Only question now is if this is enough to prevent people from binding as cn=config on ldap://<public-IP>/, where the server is also listening.

Without any other authz-regexps in place, the only other possibility is to use a client cert that slapd trusts, whose subject DN is "cn=config". Aside from that, no, there is no other way anyone can bind to this identity.

Alright... So I guess that would be the way to do it if I wanted cn=config syncrepl-icated from another server.