On Tue, 17 Feb 2009, Peter Mogensen wrote:
With slapd.conf you had to be root on the host to reconfigure slapd.
However, with cn=config anyone who can authenticate as rootdn for cn=config
can reconfigure slapd.
Is it in anyway possible to set up cn=config, so only root on the host can
Same as with a "real" backend; don't set a rootpw, and ACL it so that only
a suitably-permissioned ldapi:/// listener has write access. Note that
this will likely involve some combination of OpenLDAP ACL and OS