Be careful with this kind of change and keep in mind that after deleting
olcRooPW you don't have a true rootdn at all.
A true rootdn don't need any explicitly right access by the ACLs, but
the pseudo (new) rootdn need it, and if no rule grant him the access the
IMHO, a carefully way to do this is:
1/ with truerootdn bind, add a (pseudo) rootdn entry
(dn:cn=pseudorootdn,o=organization) who different from true rootdn
(dn:cn=trueroodn,o=organization and olcRootDN=cn=trueroodn,o=organization)
2/ with truerootdn bind, grant all access to all database and config
database. A bit of test is welcome at this level
3/ With pseudorootdn bind, delete olcRootPW
4/ Restrict access to cn=pseudorootdn,o=organization by peer as
indicated in the linked page.
Le 05/11/2015 07:55, Michael Hierweck a écrit :
I'm trying to improve security by restricting rootdn access to localhost.
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
additional info: modify/delete:
olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute
does not take effect as the provided password will be compared against
the olcRootPW attribute (directly).
Thanks in advance