Aleksander Adamowski wrote:
Knowing that rootdn always bypasses ACLs, is there any other way to restrict BIND operations that use rootdn to certain source IP addresses for clients?
You can define a rootdn with no rootpw, and create an entry with the rootdn's DN. Then binding as the rootdn would require a regular bind to that DN, which in turn requires auth access to that entry's DN and userPassword, and this can be restricted via ACLs, including ACLs on source IP address and so on. As soon as that bind succeeds, that connection would have complete rootdn privileges and thus bypass further ACL checking.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
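The setup described in the answer above, written out as an added slapd.conf example (not from the original post or from the OpenLDAP project); the suffix dc=example,dc=com, the rootdn cn=Manager,dc=example,dc=com and the client network 192.0.2.0/24 are assumed placeholders:

```conf
# Added example: rootdn with no rootpw, so the only way to bind as the
# rootdn is a regular simple bind against its own entry, which is subject
# to ACLs. Suffix, rootdn and network below are assumed placeholders.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Deliberately no "rootpw" line: with no rootpw, slapd has nothing to
# compare a rootdn bind against except the entry's own userPassword.

# The rootdn's entry must exist in the directory, e.g.
#   dn: cn=Manager,dc=example,dc=com
#   objectClass: organizationalRole
#   objectClass: simpleSecurityObject
#   cn: Manager
#   userPassword: {SSHA}...
#
# Only clients connecting from 192.0.2.0/24 get "auth" access to that
# entry and its userPassword, which is what a simple bind requires.
# "by * none" stops evaluation, so no other ACL can grant it later.
access to dn.exact="cn=Manager,dc=example,dc=com" attrs=entry,userPassword
        by peername.ip=192.0.2.0%255.255.255.0 auth
        by * none

# Ordinary ACLs for everything else follow; they are never consulted
# for a connection that has already bound successfully as the rootdn.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

Because access directives are evaluated in order, the rootdn-specific rule has to appear before the generic userPassword rule, otherwise `by anonymous auth` would let any host attempt the bind.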