Salutations OpenLDAP-Technical,
I am thinking of rootDN and how I'm not a big fan of it. You don't need rootDN to configure OpenLDAP (assuming you first load OLC with slapadd). You don't need it to configure OLC if you've set up access to it for admin accounts. It ends up being one shared password that rules everything. Would it not be best to always give elevated access to specific accounts? Yes, I understand that without privileged admin access in the first place it's a chicken-or-egg situation to give access to admins, but that can be solved with slapadd or slaptest to generate the initial configuration from a text file.
And in some extreme cases, it's best to not evaluate access at all. This is the only reason I can think of for rootDN.
It seems that syncrepl depends on it though, because when I try to configure a server without rootdn and rootpw and set up syncrepl, I get:

    Other (e.g., implementation specific) error (80) additional info: rootDN must be defined before syncrepl may be used.
What do people think about the need, utility, implications of having a password based root account?
And why would rootDN need to be defined for syncrepl to work?
Many thanks,
--
Chris Paul
Rex Consulting, Inc
https://www.rexconsulting.net
--On Wednesday, September 16, 2020 9:05 PM -0700 Christopher Paul chris.paul@rexconsulting.net wrote:
> Salutations OpenLDAP-Technical,
> I am thinking of rootDN and how I'm not a big fan of it. You don't need rootDN to configure OpenLDAP (assuming you first load OLC with slapadd). You don't need it to configure OLC if you've set up access to it for admin accounts. It ends up being one shared password that rules everything.
The rootdn does not require a password, and most deployments don't set one, so your understanding here is deeply flawed.
Rootdn is required for some overlays and databases for internal operations. This still doesn't require a root password to be set.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Thursday, September 17, 2020 9:04 AM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
> The rootdn does not require a password, and most deployments don't set one, so your understanding here is deeply flawed.
> Rootdn is required for some overlays and databases for internal operations. This still doesn't require a root password to be set.
As a side note, it's also entirely possible to simply add a mapping rule for a SASL mechanism to the rootdn, whether that's via certificates, LDAPI mapping with external, etc. But there is no requirement for a root password to be set/configured.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
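The configuration the two replies describe (a rootdn defined for syncrepl and internal operations, no olcRootPW anywhere, admin rights granted to specific accounts by ACL, and a SASL mapping from ldapi/EXTERNAL to the rootdn) can be written as a cn=config LDIF. The following is an added example and is not from either poster or from the OpenLDAP project; the suffix dc=example,dc=com, the group cn=ldapadmins, the provider host, the certificate paths and the rid are placeholders, and the mdb database number ({1}) is assumed.

```ldif
# Global settings: map the local root user connecting over ldapi:// with
# SASL EXTERNAL (peercred) onto the config rootdn. Because the mapped
# identity *is* the rootdn, ACLs are not evaluated for it, which is the
# "don't evaluate access at all" case, and no password is involved.
# (Constructed example; the '+' in the peercred DN must be regex-escaped.)
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config

# Config database: rootdn defined, no olcRootPW set. Members of a named
# admin group get manage rights on cn=config through the ACL instead of
# sharing a root password; everyone else gets nothing.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config
-
replace: olcAccess
olcAccess: {0}to *
  by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" manage
  by * none

# Data database: olcRootDN satisfies "rootDN must be defined before
# syncrepl may be used", again with no olcRootPW. The consumer binds to the
# provider with SASL EXTERNAL over TLS (client certificate), so replication
# also carries no password. Paths and host are placeholders.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
  by * none
olcAccess: {1}to *
  by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
  by users read
  by * none
-
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=EXTERNAL
  starttls=critical
  tls_cert=/etc/ldap/tls/consumer-cert.pem
  tls_key=/etc/ldap/tls/consumer-key.pem
  tls_cacert=/etc/ldap/tls/ca.pem
```

Applied with `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn-no-password.ldif` as root, this leaves no password-bearing root account to share: local root reaches cn=config through peercred, the admin group reaches both databases through ACLs that are evaluated and logged like any other bind, and syncrepl has the rootdn it requires while authenticating with a certificate. Verifying the result is a matter of confirming that `olcRootPW` is absent from both database entries and that a simple bind as cn=admin,dc=example,dc=com fails.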