Abdelhamid Meddeb wrote:
Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn needs them, and if no rule grants him access, the operation fails.
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not. Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://..", omit rootpw, and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldapwhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.