[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: using cn=config to retrieve DIT records

Igor Shmukler wrote:
> Hello Michael,
> Thank you for reading my email and replying to the thread.
> I don't believe that you answered my question. I was probably unclear.
> Sorry. I will rephrase, as I am still looking for information.
> Is there a reason why I should not be able to, or just should not, do the below:
> 1. change my OpenLDAP server configuration so cn=config can be
> successfully authenticated using password.
> 2. retrieve records from non-config database[s] [over network, for
> example giving ldapsearch -D cn=config -W]

AFAICS it's all possible. Basically the client authenticates, maybe the
authc-DN is mapped to an authz-DN depending on the authc mech used, and then
the client is authorized to access different parts of your whole LDAP data.

But you have to dive into those docs I pointed out.

> On Mon, Mar 2, 2015 at 12:26 PM, Michael Ströder <michael@stroeder.com> wrote:
>> You should start to read about access control:
>> slapd.access(5)
>> http://www.openldap.org/doc/admin24/access-control.html
>> http://www.openldap.org/faq/data/cache/189.html
>> Don't claim to have a multi-tenant service before you really understood all of
>> the above.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature