Terje Trane wrote:
On 07.12.2015 10:22, Paul van der Vlis wrote:
It will be only in cn=config.
This is the way I create an LDAP admin:
  cat <<EOF >slapd-database.ldif
  dn: olcDatabase={1}hdb,cn=config
  changeType: modify
  replace: olcDbConfig
  olcDbConfig: {0}set_cachesize 0 2097152 0
  olcDbConfig: {1}set_lk_max_objects 1500
  olcDbConfig: {2}set_lk_max_locks 1500
  olcDbConfig: {3}set_lk_max_lockers 1500
  olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
  -
  replace: olcRootPW
  olcRootPW: ${LDAP_ADMIN_HASH}
  EOF
  ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
The rootdn (with accompanying password) is, at least the way I think it is meant, a full-access-to-everything root account for use when setting up the directory. Only.
No, the rootdn is also used by various internal administrative functions. It is used continuously, not just for setup.
Then, good practice is to make the account(s) you need to administer and run the system in the LDAP tree, with appropriate ACLs, and disable the rootdn. (In slapd.conf it can be done by just commenting out the rootdn/rootpw lines).
Comment out the rootpw, sure. That prevents external clients from using it. But always leave some rootdn defined.
So, for your samba servers you should make an account, e.g. cn=sambaserver, that is only for that use (and is replicated), and with rights only to what it really needs and not to the whole LDAP tree.
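An added example of the arrangement the thread ends on, not code posted by anyone on it: one LDIF against cn=config that removes olcRootPW while leaving olcRootDN defined, and gives a tree-resident admin account and a cn=sambaserver service account only the access each needs. The suffix dc=example,dc=com, the account names cn=ldapadmin and cn=sambaserver, and the list of Samba attributes are assumptions.

```ldif
# Added example, not from the thread. Apply to cn=config the same way as
# Paul's snippet:  ldapmodify -Y EXTERNAL -H ldapi:/// -f least-priv.ldif
# Assumed: the {1}hdb database holds dc=example,dc=com, samba.schema is
# loaded, and cn=ldapadmin / cn=sambaserver already exist as ordinary
# entries in that (replicated) tree, created with ldapadd beforehand.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# Drop the password so no external client can bind as the rootdn; olcRootDN
# itself stays, since slapd's internal operations still run as it.
# Whoever binds as the olcRootDN DN bypasses ACLs entirely, so keep that DN
# one with no entry (or no userPassword) and administer via cn=ldapadmin.
delete: olcRootPW
-
# ACLs are evaluated top down: first matching "to", then first matching
# "by". The sensitive attributes therefore come before the catch-all.
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="cn=ldapadmin,dc=example,dc=com" write
  by dn.exact="cn=sambaserver,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=ldapadmin,dc=example,dc=com" write
  by dn.exact="cn=sambaserver,dc=example,dc=com" read
  by users read
  by * none
```

Widen the {0} attribute list only to what your Samba configuration actually writes (for example when `ldap passwd sync` is on), and check the result with ldapsearch bound as cn=sambaserver rather than trusting the ACL text.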