On 6/20/18 5:28 PM, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2018 12:22 PM -0400 Chris Hoogendyk <hoogendyk(a)bio.umass.edu> wrote:
> When one's Google Foo fails, turn to an appropriate list.
>
> I would like to get rid of these warnings (rootdn is always granted
> unlimited privileges). First, it's annoying that our cron always spits
> back an email. Second, one assumes that where there is a warning, there
> might be something that should be done differently. I've tried searching,
> but it seems this warning always comes up in conjunction with some other
> error that someone is concerned about. This particular warning is always
> ignored in the discussion of the error of concern as far as I have been
> able to find.
>
> 5b2472a5 /usr/local/etc/openldap/slapd.conf: line 170: rootdn is
> always granted unlimited privileges.
Hi Chris,
One of the lovely things about open source software is, well, that the source is open. A 2 second grep discovers that this message comes from "aclparse.c", i.e., the portion of the code responsible for parsing ACLs. Thus it would appear that you have ACLs referencing the rootdn (which, as noted in slapd.access(5), is not subject to ACLs).
Hope that helps!
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>
Thank you! It's been a while since I've done much programming, and I'm just getting into ldap.

With your pointer and a bit of manual reading (http://www.openldap.org/doc/admin24/guide.html#Access%20Control), I modified our slapd.conf (which was originally set up by someone else), as follows:
# THESE ARE DEFAULT BEHAVIORS AND RESULT IN WARNINGS ON STARTUP. Commented out 6/21/2018, CGH.
1st occurrence of 2.
#access to *
# by dn="cn=support,dc=bio,dc=nsm" write
# by * read
Earlier in the slapd.conf is the line 'rootdn "cn=support,dc=bio,dc=nsm"', so that is the rootdn that was being granted write.
After doing a `sudo service slapd-local force-reload`, the ldap.log shows things starting up without a complaint and syncrepl working. Then I checked another server that is a client, and I can still use my network login. So, it seems all is well. Now I just have to wait and see if the cron stops emailing warnings. I believe it will be cleared up, because the messages didn't show in the ldap.log when I reloaded it.
--
---------------
Chris Hoogendyk
-
O__ ---- Systems Administrator
c/ /'_ --- Biology & Geosciences Departments
(*) \(*) -- 315 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk(a)bio.umass.edu>
---------------
Erdös 4
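As an added example (not from the thread, and not OpenLDAP's own code), a small lint that checks a slapd.conf for the situation Quanah describes: an access directive whose `by dn=...` clause names the configured rootdn, which is redundant because rootdn bypasses ACLs and is exactly what makes slapd emit the warning. The sample configuration is constructed here to mirror the thread; the function names are assumptions of this example, and it also tolerates `dn.exact=`/`dn.base=` forms and case or whitespace differences in the DN, which the thread does not show.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample mirroring the thread's slapd.conf before the edit (not the real file).
SAMPLE_BEFORE = """\
rootdn "cn=support,dc=bio,dc=nsm"
access to attrs=userPassword
        by self write
        by anonymous auth
access to *
        by dn="cn=support,dc=bio,dc=nsm" write
        by * read
"""

# The same fragment after the rootdn-referencing directive is commented out, as in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("\naccess to *", "\n#access to *").replace(
    "        by dn=", "#       by dn=").replace("        by * read", "#       by * read")

def _norm_dn(dn: str) -> str:
    """Case-fold a DN and drop whitespace around commas so spelling variants compare equal."""
    return ",".join(p.strip() for p in dn.strip().strip('"').lower().split(","))

def _logical_lines(conf: str) -> List[Tuple[int, str]]:
    """Return (line_no, directive); slapd.conf continues a directive on lines starting with whitespace."""
    out: List[Tuple[int, str]] = []
    for num, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or comment line
        if raw[0].isspace() and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            out.append((num, raw.strip()))
    return out

_BY_DN = re.compile(r'\bby\s+dn(?:\.(?:exact|base))?=("[^"]*"|\S+)', re.IGNORECASE)

def find_rootdn_acls(conf: str) -> List[Tuple[int, str]]:
    """Return (line_no, directive) for every access directive whose 'by dn=' clause names the rootdn."""
    rootdn: Optional[str] = None
    hits: List[Tuple[int, str]] = []
    for num, line in _logical_lines(conf):
        if line.lower().startswith("rootdn"):
            rootdn = _norm_dn(line.split(None, 1)[1])
        elif line.lower().startswith("access") and rootdn is not None:
            if any(_norm_dn(m.group(1)) == rootdn for m in _BY_DN.finditer(line)):
                hits.append((num, line))
    return hits

if __name__ == "__main__":
    for num, line in find_rootdn_acls(SAMPLE_BEFORE):
        print(f"line {num}: rootdn named in ACL (redundant, triggers the warning): {line}")
    print("after edit:", find_rootdn_acls(SAMPLE_AFTER))
```

The flagged clause only affects the warning, since rootdn is never subject to ACLs; the `by * read` part of the same directive is what everyone else was getting, and it matches slapd's default when no access directives are present.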