Turbo Fredriksson wrote:
Quoting Pierangelo Masarati ando@sys-net.it:
Pierangelo Masarati wrote:
Turbo Fredriksson wrote:
Also, I have a problem getting 'cn=Monitor' running.
Oops, the internal operation that registers specific per-database monitoring runs an anonymous search in the monitor database, but your ACLs disable anonymous access to the monitor database. That operation obviously needs to be privileged.
Actually, the internal search is run as the rootdn, but you didn't configure any for the monitor database, while you should.
I never liked that part, that's why I started using Kerberos (so I didn't have to have rootdn defined).
But can I have different 'rootdn' in my different places (need one for syncrepl too, right?) with random DNs (that don't exist) without any password defined in the config file?
Will any ACLs still be honored?
If I understand all this (we've had this discussion previously a while back - LOONG way back :) this is only for internal use, right?
The rootdn is the rootdn. back-monitor uses it for the internal use I described earlier and for any other use a rootdn is good for. Of course, if you don't provide any means for anyone to authenticate as the rootdn (e.g. no rootpw and no means to map a SASL identity to the rootdn) it will only be used for internal purposes. "cn=Monitor" is just fine, you don't need any particularly fancy name.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
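The setup described in the reply above, as an added slapd.conf sketch that is not part of the original thread: a monitor database given a rootdn with no rootpw, next to the variant without one. The admin DN in the ACL is a constructed placeholder for a Kerberos/SASL identity; only "cn=Monitor" comes from the message.

```conf
# Added example, not from the thread. The admin DN is a constructed placeholder.

# Before: monitor database with ACLs that shut out anonymous access but no
# rootdn. Per the reply above, the internal search that registers
# per-database monitoring has no privileged identity to run as.
#
#database monitor
#access to *
#        by dn.exact="uid=admin,cn=gssapi,cn=auth" read
#        by * none

# After: the monitor database gets its own rootdn.
# There is deliberately no rootpw line, and no SASL identity mapping should
# resolve to this DN, so nobody can authenticate as cn=Monitor and it is
# only used for back-monitor's internal operations.
database monitor
rootdn "cn=Monitor"

# ACLs still decide what every other identity can read.
access to *
        by dn.exact="uid=admin,cn=gssapi,cn=auth" read
        by * none
```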