Salutations OpenLDAP-Technical,
I am thinking of rootDN and how I'm not a big fan of it. You don't need rootDN to configure OpenLDAP (assuming you first load OLC with slapadd). You don't need it to configure OLC if you've set up access to it for admin accounts. It ends up being one shared password that rules everything. Would it not be best to always give elevated access to specific accounts? Yes, I understand that without privileged admin access in the first place it's a chicken-or-egg situation to give access to admins, but that can be solved with slapadd or slaptest to generate the initial configuration from a text file.
And in some extreme cases, it's best to not evaluate access at all. This is the only reason I can think of for rootDN.
It seems that syncrepl depends on it though, because when I try to configure a server without rootdn, rootpw and set up syncrepl, I get:

    Other (e.g., implementation specific) error (80)
    additional info: rootDN must be defined before syncrepl may be used.

What do people think about the need, utility, and implications of having a password-based root account?
And why would rootDN need to be defined for syncrepl to work?
Many thanks,
--
Chris Paul
Rex Consulting, Inc
https://www.rexconsulting.net
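
The setup the message describes, sketched as an added example that is not part of the original post: the two database entries of an initial OLC LDIF that define no olcRootDN or olcRootPW and grant access to a named admin account instead. The suffix, the admin DN, the database directory, the `ssf=128` floor and the peercred identity for local root over ldapi are assumptions for illustration.

```ldif
# Constructed example. Load offline, before slapd first starts, e.g.:
#   slapadd -n 0 -F <config directory> -l <this file>
# The cn=config, schema and (if needed) module entries that precede these
# in a full initial LDIF are not shown here.

# Config database: no olcRootDN, no olcRootPW.
# Access is tied to identities that can be audited individually.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="uid=alice,ou=admins,dc=example,dc=com" ssf=128 manage
  by * none

# Data database: again no rootDN, so every operation is evaluated
# against the ACLs below. The admin entry itself has to be loaded with
# slapadd as well, because nothing can bind to create it otherwise.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword
  by dn.exact="uid=alice,ou=admins,dc=example,dc=com" ssf=128 write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="uid=alice,ou=admins,dc=example,dc=com" ssf=128 write
  by users read
  by * none
```

With this layout there is no shared credential that bypasses access control: losing or rotating one admin account affects only that account, and each change to cn=config is attributable to a specific bind identity.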