Hello,
Thanks for the security advice. I already have the "authz-regexp for LDAPI access with SASL/EXTERNAL bind of user root" for local access.
I mainly use the command line, but I kept the rootpw for when I'm lazy and use the GUI. Well, I guess one doesn't easily change for the better :-) Fortunately, I'm rarely that lazy...
Anyway, I'll follow your advice. Thanks again. See ya
2015-02-23 13:29 GMT+04:00 Michael Ströder michael@stroeder.com:
Jephte Clain wrote:
I have an LDAP server with rootdn cn=admin,dc=domain,dc=tld and the password set in cn=config (this is OpenLDAP 2.4.40 on Debian squeeze).
I also have the LDAP object cn=admin,dc=domain,dc=tld in the database, with a *different* password.
Both passwords seem to authenticate. Is this expected?
IIRC it always worked like this.
Being able to regularly change the root dn password looks like a good thing to me.
If you want security, then avoid using rootpw. There is no serious use case where you have to bind as rootdn via remote LDAP. And for repairing defects locally, use an authz-regexp for LDAPI access with SASL/EXTERNAL bind of user root.
Ciao, Michael.
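For readers who want to apply the setup Michael describes, here is an added example in cn=config LDIF; it is not config from either poster nor from the OpenLDAP project. It assumes the rootdn cn=admin,dc=domain,dc=tld from the thread and a database entry olcDatabase={1}hdb,cn=config (the Debian default of that era; check your own index with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase`). The first record maps the peer-credential identity that slapd assigns to a local uid 0 / gid 0 process binding with SASL/EXTERNAL over ldapi:/// onto the rootdn; the second removes olcRootPW so the rootdn password no longer exists as a remotely usable credential.

```ldif
# Added example (not from the thread or the OpenLDAP project).
# Step 1: map local root's SASL/EXTERNAL identity on ldapi:/// to the rootdn.
# The left-hand side is the DN slapd derives from the Unix peer credentials
# (uidNumber/gidNumber 0); '+' is escaped because the value is a regex.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=domain,dc=tld

# Step 2 (run only after verifying step 1, see below): drop the rootpw.
# "{1}hdb" is an assumption; replace it with your database's index/backend.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcRootPW
```

Apply the first record with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` as root, then confirm the mapping with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should answer `dn:cn=admin,dc=domain,dc=tld` before you apply the second record; otherwise you can lock yourself out of cn=config. Note the caveat the thread itself raises: if an entry cn=admin,dc=domain,dc=tld with a userPassword also exists in the database, that password still authenticates as the rootdn after olcRootPW is gone, so it needs the same treatment (remove it, or make sure it is as strong and as rarely used as a root credential should be).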