After hours of searching through mailing lists, reading man pages and FAQs and the admin guide and trying every possible combination I can think of, I still can't find the answer on how to secure cn=config.
The FAQ says that in slapd 2.4 cn=config respects ACLs, but I can't even limit auth against the rootdn with an ACL.
There has to be a recommended way, but I can't find it. I guess a lot of people would benefit from a FAQ example on how to do it.
I would have expected this to work:
    database config
    rootpw config
    access to dn.exact="cn=config"
        by peername="127.0.0.1" auth
        by * none
but not...
/Peter
Michael Ströder wrote:
> Peter Mogensen wrote:
> > The FAQ says that in slapd 2.4 cn=config respects ACLs, but I can't even limit auth against the rootdn with an ACL.
> Binding as rootdn always circumvents all ACLs.
Not all. What usually works is to not set "rootpw", but to create a real object for the rootdn and limit auth privileges to it. http://www.openldap.org/faq/data/cache/761.html
But I can't get it to work with cn=config. My usual trick doesn't work, since I can't find a structural objectclass for the object, since schemas are not loaded when slapd reads the cn=config slapd.d directory.
/Peter
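One way to apply the "no rootpw, real object, auth ACL" approach to cn=config without creating an object inside it (an added example, not from this thread or the OpenLDAP project): point the config database's rootdn at an entry that lives in a normal data database, so binds to it are checked against that entry's userPassword, and put the auth ACL on that entry. The suffix dc=example,dc=com, the admin DN, the ldapi:// listener and the {1}mdb database index and type are assumptions.

```ldif
# Added example (not from the thread). Assumes: slapd.d (cn=config) layout,
# an ldapi:// listener, a data database olcDatabase={1}mdb with suffix
# dc=example,dc=com (constructed), and an entry cn=admin,dc=example,dc=com
# in that database that carries a userPassword.

# 1. Config database: rootdn is an entry in the data database, so it
#    authenticates with that entry's userPassword. olcRootPW is cleared
#    (replace with no values), so no ACL-bypassing password is stored in
#    cn=config. Local root keeps "manage" via SASL EXTERNAL over ldapi://
#    so the config stays reachable without any password at all.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcRootPW
-
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * none

# 2. Data database: the admin entry's password may only be used for a
#    simple bind from the local host (peername.ip style); nobody else can
#    auth with, read, or compare it. This is where the ACL that would
#    not apply to a rootdn+rootpw bind now takes effect.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="cn=admin,dc=example,dc=com" attrs=userPassword
  by peername.ip=127.0.0.1 auth
  by * none
```

Apply it as local root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`, then confirm that a simple bind as cn=admin,dc=example,dc=com succeeds from 127.0.0.1 and fails from any other address before relying on it.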
openldap-software@openldap.org