Hi,
Le 07/11/2015 11:38, Michael Ströder a écrit :
Abdelhamid Meddeb wrote:
Be careful with this kind of change and keep in mind that after deleting olcRooPW you don't have a true rootdn at all. A true rootdn don't need any explicitly right access by the ACLs, but the pseudo (new) rootdn need it, and if no rule grant him the access the operation fail.
There is no such thing as a pseudo rootdn.
"pseudo rootdn" is not a thing of openldap or ldap, it's a term used to simpify explanation. I'm sorry for my explanation which was not detailed enough. a "thing" designed by "pseudo root dn" is an arbitrary dn entry who has *full* access to all "things" of database and config database.
- Either you have rootdn directive set or not.
Note: It is needed for some overlays.
- Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
Can work also if the *change* of configuration follows the indicated step by step approach .
Then user root can always locally authenticate without a password like this:
ldawhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
Cheers.