
Re: Syncrepl and rootdn



Dieter Kluenter wrote:
Jaap Winius <jwinius@umrk.nl> writes:

Hi all,

This question has to do with syncrepl and the use of the rootdn option
in slapd.conf.

My understanding is that on a provider server (where writes are
possible), it is not necessary to use the rootdn option in slapd.conf.
Instead it is enough to have an account that only exists in the
directory, with ACLs that give it the same unrestricted access. This
works fine for me.

Any database requires a rootdn but not a rootpw. If no rootdn is
defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK.

No, and no. The only database that has a rootdn by default is back-config.

Your question should be "what is the function of rootdn?"

On syncrepl consumers a rootdn in the local slapd.conf is apparently
required (according to the man page for slapd.conf). Why is this, and

Because the consumer needs to be able to store anything it receives, regardless of ACLs.

does it make a difference what the name of the account is?

No.

For
example, should it be the same as the binddn for syncrepl?

No.

For that
matter, should rootpw also be set,

No, that's not required.

and should it then be the same as
the credentials value used for syncrepl?

No.

The binddn within
syncrepl has to have read access to the provider database and this
should not be the rootdn of the provider; the rootdn of the consumer
manages the consumer database only.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
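
Added example, not part of the original message and not OpenLDAP tooling: a small Python check that reads a consumer's slapd.conf and reports, for each database with a syncrepl directive, the points answered above (a rootdn is present, rootpw is not needed, the binddn name is independent of rootdn). The sample configuration, its DNs and suffixes, and the function names are constructed for illustration; DN comparison is a plain case-insensitive string match.

```python
import shlex
# Constructed sample consumer slapd.conf (not from the thread); values are placeholders.
SAMPLE = '''\
database mdb
suffix "dc=example,dc=com"
rootdn "cn=consumer-root,dc=example,dc=com"
syncrepl rid=001 provider=ldap://provider.example.com searchbase="dc=example,dc=com"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=PLACEHOLDER

database mdb
suffix "dc=example,dc=org"
rootdn "cn=Manager,dc=example,dc=org"
rootpw PLACEHOLDER
syncrepl rid=002 provider=ldap://provider.example.org searchbase="dc=example,dc=org"
  bindmethod=simple binddn="cn=manager,dc=example,dc=org" credentials=PLACEHOLDER
'''

def logical_lines(text):
    """Drop blank/comment lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            out.append(raw.strip())
    return out

def audit(text):
    """Map the suffix of each database that has syncrepl to a list of findings."""
    dbs = []
    for words in map(shlex.split, logical_lines(text)):
        key = words[0].lower()
        if key == "database":
            dbs.append({"syncrepl": []})
        elif dbs and key == "syncrepl":
            dbs[-1]["syncrepl"].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
        elif dbs and key in ("suffix", "rootdn", "rootpw") and len(words) > 1:
            dbs[-1][key] = words[1]
    report = {}
    for db in (d for d in dbs if d["syncrepl"]):
        notes = []
        if "rootdn" not in db:
            notes.append("no rootdn: consumer cannot store what it receives regardless of ACLs")
        if "rootpw" in db:
            notes.append("rootpw set: not required for replication")
        if any(s.get("binddn", "").lower() == db.get("rootdn", "\0").lower() for s in db["syncrepl"]):
            notes.append("binddn equals rootdn: the names need not match")
        report[db.get("suffix", "?")] = notes
    return report
```
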