--On Thursday, April 16, 2015 9:28 PM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
> Hi,
> For those who might find this thread through Google and, like me, are overwhelmed with information and won't understand the documentation: the RootDN cannot be restricted from having privileges under OpenLDAP 2.4. Hence, ACLs won't do anything for the RootDN. This is documented.
From the slapd.access(5) man page:
Be warned: the rootdn can always read and write EVERYTHING!
From the OpenLDAP 2.4 Admin Guide section on Access Control:
http://www.openldap.org/doc/admin24/access-control.html
The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
So, it seems to me, it is quite clearly documented in multiple locations.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
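An added illustration, not part of the thread above and not OpenLDAP's own documentation: the slapd.conf fragment below shows an ACL that tries to keep the rootdn out of an HR subtree (and has no effect, because the rootdn is never subjected to ACL evaluation), followed by the arrangement that actually limits administrative reach: leave rootpw unset, keep no entry in the DIT that could authenticate as the rootdn, and grant administrative rights to ordinary DNs through ACLs instead. All DNs, the suffix, the group names and the password are constructed for the example.

```conf
#
# Constructed example (weak): the rootdn bypasses ACLs, so the "none"
# clause for cn=Manager below is dead text. A bind as cn=Manager with
# the rootpw still reads and writes ou=hr in full.
#
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   secret                       # plaintext only for illustration

access to dn.subtree="ou=hr,dc=example,dc=com"
    by dn.exact="cn=Manager,dc=example,dc=com" none   # ignored for the rootdn
    by group.exact="cn=hr-admins,ou=groups,dc=example,dc=com" write
    by * none

#
# Constructed example (corrected): the rootdn still exists as a name,
# but with no rootpw and no matching entry in the directory nothing can
# bind as it over the network. Administrative access is granted to real
# DNs via ACLs, which slapd does evaluate.
#
rootdn   "cn=Manager,dc=example,dc=com"
# (no rootpw line, and no cn=Manager entry is ever added to the DIT)

access to dn.subtree="ou=hr,dc=example,dc=com"
    by group.exact="cn=hr-admins,ou=groups,dc=example,dc=com" write
    by * none

access to *
    by group.exact="cn=dir-admins,ou=groups,dc=example,dc=com" manage
    by * read
```

To confirm that the first configuration does not do what it looks like it does, bind as the rootdn and search the subtree the ACL claims to close off: `ldapsearch -x -H ldap://localhost -D "cn=Manager,dc=example,dc=com" -w secret -b "ou=hr,dc=example,dc=com"` returns every entry. Two caveats apply to the corrected form. First, a database must still be populated somehow once no one can bind as the rootdn; slapadd works offline and does not consult ACLs, and after that the `cn=dir-admins` members can write online. Second, the rootdn is a name, not a password: anything that resolves to that DN, such as an `authz-regexp` mapping for SASL EXTERNAL over `ldapi://`, also gets the unconditional rights the man page warns about, and the `cn=config` database has its own `olcRootDN` that needs the same review.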