On 06.03.2014 09:40, Rodrigo Coutinho wrote:
Still in shock though, that the root user can mess up the other users' data.
This I find strange. "Root" or "the superuser" or whatever having full access is the norm in many systems, like Unix, and is for "special use" by qualified personnel only.
My understanding at least is that the rootdn account, (don't confuse it with the unix root account, we're talking about the special rootdn account with total control of the OpenLDAP server only), is there so you can use it while setting up the system since there is no LDAP user to use, and no access rights to give, before you have created it.
Then, when you have set up the LDAP server database and a user with sufficient access rights, you should disable the rootdn user.
But there are many guides out there in google-land (and maybe in openldap.org too) that might confuse people. The rootdn account is a special "virtual" account. It doesn't even exist in the LDAP data tree (though you can duplicate it). Actually, I usually set its name to the same as the suffix, since I find that makes it clearer that it is not a real user account than if you use the common rootdn "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>".
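As an added configuration example (not from the thread or from the OpenLDAP project), the bootstrap-then-lock-down sequence described above written as cn=config LDIF for an mdb database; the suffix dc=example,dc=com, the admin entry cn=admin,dc=example,dc=com, the database index {1} and "remove the rootdn password" as the way of disabling the rootdn are all assumptions.

```ldif
# Step 1 (bootstrap): rootdn set to the suffix, as suggested in the mail,
# plus a temporary password so the tree can be populated before any real
# user entry exists. Note that the rootdn bypasses every olcAccess rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootDN
olcRootDN: dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-hash-produced-by-slappasswd

# Step 2 (after cn=admin,dc=example,dc=com has been created in the data
# tree): give that ordinary entry full rights through an ACL instead of
# relying on the rootdn. "by * break" lets later olcAccess rules apply.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=admin,dc=example,dc=com" manage by * break

# Step 3: drop the rootdn password. Without olcRootPW the rootdn can no
# longer bind with a simple password, which is the "disable the rootdn"
# step from the mail. Because the rootdn equals the suffix, make sure the
# suffix entry itself carries no userPassword, or binds would still work.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
```

Applying the three records with ldapmodify in that order reproduces the sequence; step 2 must run before step 3 or nobody is left with manage rights on the database.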