--On Friday, August 16, 2019 6:10 PM +0200 Marc Roos M.Roos@f1-outsourcing.eu wrote:
Why use a rootpw at all?
I thought I cannot get around using this when changing the log level or acls during runtime for instance?
You can't get around having a way to write to cn=config. RedHat/CentOS and Debian and Ubuntu all provide ways to do this via connecting with the SASL/EXTERNAL mechanism over the ldapi:/// socket as the root user as a part of their default configuration for cn=config.
I.e.,
[root@c7 ~]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config 1.1
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
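
Added example, not part of the original message or of any distribution's tooling: shell functions for the runtime log-level change asked about above, done as local root with SASL/EXTERNAL over ldapi:/// instead of a rootpw, plus a check for a leftover olcRootPW on the config database. The function names are hypothetical, and it assumes the distribution-default ACL that lets uid 0 write to cn=config.

```sh
#!/bin/sh
# Added example: manage cn=config as local root via SASL/EXTERNAL on ldapi:///.
# Function names are hypothetical; assumes the distro-default ACL on cn=config.
LDAPI_URI="ldapi:///"

# Build the LDIF that replaces olcLogLevel. Each token must be a bare keyword
# or number, so an argument cannot carry a newline and smuggle in extra LDIF.
loglevel_ldif() {
    [ "$#" -gt 0 ] || { echo "usage: loglevel_ldif LEVEL..." >&2; return 1; }
    for tok in "$@"; do
        case "$tok" in
            ""|*[!A-Za-z0-9]*) echo "rejected log level token" >&2; return 1 ;;
        esac
    done
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\n'
    printf 'olcLogLevel: %s\n' "$*"
}

# True if the LDIF on stdin carries an olcRootPW value ("::" means base64).
has_rootpw() {
    grep -qi '^olcRootPW:'
}

# Apply the change. The peer credentials seen on the socket must be uid 0.
set_loglevel() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ldif=$(loglevel_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
}

# 0: olcRootPW present on the config database, 1: absent, 2: search failed.
config_has_rootpw() {
    entry=$(ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI_URI" -s base \
        -b 'olcDatabase={0}config,cn=config' olcRootPW) || return 2
    printf '%s\n' "$entry" | has_rootpw
}

case "${1:-}" in
    set)   shift; set_loglevel "$@" ;;
    audit) config_has_rootpw
           case $? in
               0) echo "olcRootPW is set on cn=config" ;;
               1) echo "no olcRootPW on cn=config" ;;
               *) echo "ldapsearch over ldapi:/// failed" >&2 ;;
           esac ;;
esac
```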