Hi,
Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn needs them, and if no rule grants it access the operation fails. IMHO, a careful way to do this is:

1/ with truerootdn bind, add a (pseudo) rootdn entry (dn:cn=pseudorootdn,o=organization) which is different from the true rootdn (dn:cn=truerootdn,o=organization and olcRootDN=cn=truerootdn,o=organization)

2/ with truerootdn bind, grant all access to all databases and the config database. A bit of testing is welcome at this level.

3/ with pseudorootdn bind, delete olcRootPW

4/ restrict access to cn=pseudorootdn,o=organization by peer as indicated in the linked page.
Cheers
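The four steps of the reply above written out as LDIF for ldapmodify; this is an added example, not part of the original thread. It assumes the data database is olcDatabase={1}mdb,cn=config with suffix o=organization, that the true rootdn is cn=truerootdn,o=organization, and that the userPassword value is a placeholder to be replaced with real slappasswd output.

```ldif
# Constructed example (not from the thread). Assumes olcDatabase={1}mdb,
# suffix o=organization, true rootdn cn=truerootdn,o=organization.

# Step 1 (bind as the true rootdn): create the pseudo rootdn as a real entry.
dn: cn=pseudorootdn,o=organization
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: pseudorootdn
userPassword: {SSHA}PLACEHOLDER-replace-with-slappasswd-output

# Step 2 (still as the true rootdn): grant it manage on the data database
# and on cn=config. Inserting at {0} makes the rule first; "break" lets the
# rules that follow still apply to everyone else.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=pseudorootdn,o=organization" manage by * none break

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=pseudorootdn,o=organization" manage by * none break

# Test point: bind as cn=pseudorootdn and read/write cn=config before going on.

# Step 3 (bind as the pseudo rootdn): remove the whole olcRootPW attribute.
# No value is listed, so slapd does not need an equality matching rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW

# Step 4 (bind as the pseudo rootdn): allow its simple bind only from
# localhost. Inserted at {0} again, so it is evaluated before the manage
# rule from step 2 (which is now {1}). "self write" keeps the pseudo rootdn
# able to change its own password once bound.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="cn=pseudorootdn,o=organization" attrs=userPassword by self write by peername.ip=127.0.0.1 auth by * none
```

Apply the file in four separate ldapmodify runs, each bound as the identity named in the step's comment, since the bind identity changes between step 2 and step 3.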
On 05/11/2015 07:55, Michael Hierweck wrote:
Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18) additional info: modify/delete: olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute does not take effect as the provided password will be compared against the olcRootPW attribute (directly).
Thanks in advance
Michael