I believe you can just not create a rootdn (or not define a password for it? Or maybe define a password like {crypt}*NOLOGIN* (or an md5/sha/ssha equivalent) that can't be used (not a valid hash)?), so you effectively disable the rootdn, but create a normal account that has full access to everything (except for the restrictions you want to implement) to do what you would otherwise have used the rootdn for. Not *quite* the same, but it may fit your needs?
Is there anything the rootdn can do that you can't grant via acls to a "normal" account (other than ignore acls)?
- Jeff
-----Original Message-----
From: openldap-software-bounces+jeff_clowser=fanniemae.com@openldap.org [mailto:openldap-software-bounces+jeff_clowser=fanniemae.com@openldap.org] On Behalf Of Aaron Richton
Sent: Monday, November 19, 2007 11:48 AM
To: Aleksander Adamowski
Cc: openldap-software@openldap.org
Subject: Re: restrict rootdn binds by connection source IP address?
Only way to stop rootdn is to stop it from getting in in the first place: tcp wrappers/iptables/etc. Which of course do a lot more than rootdn, though...
On Mon, 19 Nov 2007, Aleksander Adamowski wrote:
Hi!
Knowing that rootdn always bypasses ACLs, is there any other way to restrict BIND operations that use rootdn to certain source IP addresses for clients?
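One way to set up what Jeff describes above, as an added slapd.conf fragment written for this thread rather than taken from it: the rootdn is left undefined, and an ordinary entry gets full write access, with its bind itself confined to one network by a peername rule on its userPassword. The suffix dc=example,dc=com, the account cn=ldapadmin and the 192.0.2.0/24 admin network are assumed values.

```conf
suffix          "dc=example,dc=com"
# No rootdn/rootpw at all, so there is no ACL-bypassing identity to
# protect. (Jeff's variant would keep rootdn but give it a rootpw
# value that no hash can ever verify against.)

# 1. The admin account may only authenticate from the admin network.
#    A simple bind is evaluated as anonymous with the connection's
#    peername, so from any other address the bind itself fails.
access to dn.exact="cn=ldapadmin,dc=example,dc=com" attrs=userPassword
    by peername.ip=192.0.2.0%255.255.255.0 auth
    by * none

# 2. Everyone else's password: standard self-service and auth only.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. Full write access for the admin account, again only from the
#    admin network (both who-clauses must match). Unlike rootdn, this
#    account is subject to every ACL above.
access to *
    by dn.exact="cn=ldapadmin,dc=example,dc=com" peername.ip=192.0.2.0%255.255.255.0 write
    by users read
    by * none
```

Rule order matters: the admin-specific userPassword rule has to precede the generic one, since slapd uses the first `access to` clause whose target matches.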