Re: The RootDN
I'm definitely no LDAP expert, so I may be totally off with my answer, but
here's some information that's hopefully correct and may help you move
On 08/29/2013 04:56 AM, Joseph D Carroll Jr wrote:
> It's been 3 days since I first started reading and playing with
> openLDAP. Prior to this, I have had no ldap experience of any kind, so
> please bear with me. (Hopefully this doesn't reach a new low... )
Welcome to the wonderful world of (Open)LDAP.
> I am working on setting up my first ldap server for a demo environment,
Make sure you use the latest version, even if that means you will need
to compile it yourself or build packages. If you use CentOS then you can
find the latest 2.4.36 RPMs at: http://ltb-project.org/wiki/
> and I can't seem to wrap my head around what a rootdn is. I have read
> several articles, even much of the Zytrax book, and I still cannot
> figure out what this rootdn is.
No need to read the Zytrax book. It's based on the OpenLDAP Admin Guide
anyway so consider the OpenLDAP Admin Guide and OpenLDAP man pages your
primary source of information.
The rootdn is similar in power to the root user on a Linux system. As
rootdn you can do anything you want to the database for which it was
defined, and ACLs do not apply. So the rootdn is limited to the database
for which it was defined. If you want to mess with, for example, the
global settings of your OpenLDAP config, then use cn=config, which is
kinda like the true root of the entire OpenLDAP config.
Although dated, I found the O'Reilly book LDAP System Administration
and the Packt book Mastering OpenLDAP quite useful to grasp some
concepts and basic understanding. Be warned though, they only cover the
old way of configuring OpenLDAP using slapd.conf and not the new OLC aka
on-line configuration way as used in 2.4.36.
> I get that it is a user, so maybe better stated, I don't understand
> where the user exists. Is it an OS user with filesystem privileges?
No, it exists solely in OpenLDAP.
> Is it a user that exists in every DIT?
If you have a database defined in your DIT then I would say yes.
> If so, when/where is it used
You can use it to manage a configured database, kinda like the root user
on a regular Linux system. The difference is that the root user has
access to everything (scope is the entire box) while the rootdn user's
scope is the database for which it was defined. If you use the same name and
password for each rootdn in each database definition, then you can use
those credentials to access all those databases. Sorta one rootdn to
rule them all (databases, that is).
> can you have multiple,
AFAIK there is only one per database definition. Just like there is only
one root account per server/VM. If you have multiple database
definitions then you can have multiple rootdn accounts, one for each
> is it only usable/accessible when you "include" the
> core.schema, .. ?
AFAIK schemas have nothing to do with it. The rootdn account is usable
when it is part of the database definition.
> If I had to guess, I would say:
> - A rootdn exists in the DIT as a completely arbitrary user
> (absolutely no relation to the OS)
> - There can only be one rootdn per DIT
No, if you have multiple databases defined then you can have one rootdn
for each database.
> - (Consequently) If a parent defines a rootdn, any referral cannot
> - The rootdn is used for some kind of system action (who knows what)
Not sure what you mean here (sorry, English is not my first language).
> I know this is the "technical" forum, but I am more so interested in the
> "why to's" and "reasons behind" than the "how to's".
I guess you could read the RFCs for that information.
> Any clarity would be greatly appreciated.
Hope this provides some clarity and that my answers are correct so as to be
of any actual help. If not, hopefully the gurus on this list will
- The RootDN
- From: Joseph D Carroll Jr <firstname.lastname@example.org>
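To make the "one rootdn per database definition" point concrete, here is an added example of an OLC (cn=config) fragment in the style used by OpenLDAP 2.4. It is not from the thread or from the OpenLDAP project; the suffixes, DNs, directories and the hashed-password placeholder are assumptions chosen for illustration. It defines the config database (whose rootdn is the "true root" of slapd) and two mdb databases, each with its own rootdn, with ACLs that the respective rootdn bypasses.

```ldif
# Added example, not from the thread: cn=config style definitions for
# OpenLDAP 2.4. Suffixes, DNs and directories are made up for illustration.

# The config database itself. Its rootdn is the real root of slapd: it can
# rewrite every olcDatabase, ACL and module, and it can read every
# olcRootPW below, so keep it on the local ldapi:/// socket.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
# Local root (uid 0 / gid 0 over ldapi:///) manages cn=config via SASL
# EXTERNAL; everyone else gets nothing, so no olcRootPW is stored here.
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none

# First database: its rootdn only has power under dc=example,dc=com.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap/example
# The rootdn does not have to exist as an entry in the DIT; with olcRootPW
# set you can bind as it anyway. Store only a hash, generated with:
#   slappasswd -h '{SSHA}'
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}replace-with-output-of-slappasswd
# These ACLs never apply to cn=Manager,dc=example,dc=com: as rootdn of this
# database it bypasses them, even "by * none".
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by users read by * none

# Second database: a separate suffix with a separate rootdn. The rootdn of
# database {1} has no special rights here. Reusing the same DN and password
# in both definitions is what "one rootdn to rule them all" means.
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=demo,dc=test
olcDbDirectory: /var/lib/ldap/demo
olcRootDN: cn=Manager,dc=demo,dc=test
olcRootPW: {SSHA}replace-with-output-of-slappasswd
olcAccess: {0}to * by users read by * none
```

On a fresh server this fragment would be loaded together with the preceding cn=config and cn=schema entries (which it omits) using slapadd -n 0 -F /etc/openldap/slapd.d -l the-file.ldif, and a bind as one of the rootdns can be checked with ldapwhoami -H ldap://localhost -D cn=Manager,dc=example,dc=com -W. Two caveats worth keeping in mind: olcRootPW is readable by anyone who can read cn=config, so it must only ever hold a hash, and a rootdn bypasses every olcAccess rule of its database, so it should be used for administration and never handed to an application as its bind identity.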