Hi,
With slapd.conf you had to be root on the host to reconfigure slapd. However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd.
Is it in any way possible to set up cn=config, so only root on the host can make changes?
/Peter
On Tue, 17 Feb 2009, Peter Mogensen wrote:
> With slapd.conf you had to be root on the host to reconfigure slapd. However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd.
> Is it in any way possible to set up cn=config, so only root on the host can make changes?

Same as with a "real" backend; don't set a rootpw, and ACL it so that only a suitably-permissioned ldapi:/// listener has write access. Note that this will likely involve some combination of OpenLDAP ACL and OS permissions both.
Aaron Richton wrote:
> On Tue, 17 Feb 2009, Peter Mogensen wrote:
>> With slapd.conf you had to be root on the host to reconfigure slapd. However, with cn=config anyone who can authenticate as rootdn for cn=config can reconfigure slapd.
>> Is it in any way possible to set up cn=config, so only root on the host can make changes?
>
> Same as with a "real" backend; don't set a rootpw, and ACL it so that only a suitably-permissioned ldapi:/// listener has write access. Note that this will likely involve some combination of OpenLDAP ACL and OS permissions both.

Having tried an endless number of configurations, I simply cannot get this to work. I have no problem getting this procedure to work in other databases: http://www.openldap.org/faq/data/cache/761.html
But limiting cn=config access to ldapi:/// ... no luck.
Does someone have a working example of this?
/Peter
Peter Mogensen wrote:
> Is it in any way possible to set up cn=config, so only root on the host can make changes?

You probably want a peername ACL.
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
Carl
Carl Johnstone writes:
> Peter Mogensen wrote:
>> Is it in any way possible to set up cn=config, so only root on the host can make changes?
>
> You probably want a peername ACL.

Or authz-regexp.
authz-regexp ^gidNumber=[0-9]*[+]uidNumber=0,cn=peercred,cn=external,cn=auth$ cn=admin

database config
rootdn cn=admin
(The [] is because + is a special regexp character and I never remember how many backslashes I need for quoting in slapd.conf.)
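The following is an added worked example, not configuration posted by anyone in this thread. It expresses the authz-regexp approach above (and the rootpw-less, ACL-locked config database Aaron describes) in cn=config form, so it can be applied to a running slapd instead of slapd.conf. The attribute names (olcAuthzRegexp, olcRootDN, olcRootPW, olcAccess) and the olcDatabase={0}config DN are the standard cn=config names; the rootdn name cn=admin follows the reply above, and the socket path mentioned in the comments is an assumption for a typical Linux install.

```ldif
# Added example: restrict changes to cn=config to the host's root user.
# Apply it as root over the local socket, where slapd learns the client's
# uid/gid from peer credentials (SASL EXTERNAL on ldapi:///):
#
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f lock-config.ldif
#
# Adjust the ldapi socket path (assumed /var/run/slapd/ldapi) if yours differs.

# 1. Map root's peer-credential identity to cn=admin.  Only uidNumber=0 is
#    mapped; every other local user keeps an unmapped peercred DN.  The [+]
#    bracket form follows the reply above, since '+' is a regex metacharacter.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: ^gidNumber=[0-9]+[+]uidNumber=0,cn=peercred,cn=external,cn=auth$ cn=admin

# 2. Make cn=admin the rootdn of the config database and make sure it has no
#    password.  "replace" with no values removes olcRootPW whether or not it
#    was set, so a simple bind can never reach the rootdn; the SASL mapping
#    in step 1 becomes the only way to become it.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin
-
replace: olcRootPW
-
replace: olcAccess
olcAccess: {0}to * by * none
```

The rootdn bypasses ACLs, so `to * by * none` closes cn=config to everyone else, including remote clients that reach a valid rootdn name by other means. Verify from a non-root shell that `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` is refused, then from root that it succeeds. As Aaron notes, OS permissions on the socket directory add a second layer: a user who cannot connect to the ldapi socket at all never gets as far as the mapping. If you prefer Carl's peername ACL to the rootdn mapping, the equivalent clause is `by peername.path=/var/run/slapd/ldapi manage` in olcAccess, which limits access to the listener rather than to a uid and therefore still needs the socket locked down at the filesystem level.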
openldap-software@openldap.org