Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (59.167.251.137)

From thread on openldap-technical:
Hmm, I have the module loaded globally - perhaps I need a global rootdn of some kind defined?
I have one per-database (now), but the documentation strongly encourages one not to have a rootdn at all.
The fix was to define rootdn globally (as the module operates globally), and then to give it explicit manage access in an ACL, e.g.:

    access to dn.subtree="${DOMAINDN}"
        by dn=cn=samba-admin,cn=samba manage
        by dn=cn=manager manage
        by * none

    rootdn cn=Manager

Adding a rootdn to each database then quashed the warnings about 'rootdn can always manage'.
Otherwise, if I had 'by * read' then this also allowed the module to operate correctly (but without the secrecy I desired).