Le 07/11/2015 11:38, Michael Ströder a écrit :
Abdelhamid Meddeb wrote:
> Be careful with this kind of change and keep in mind that after deleting
> olcRooPW you don't have a true rootdn at all.
> A true rootdn don't need any explicitly right access by the ACLs, but the
> pseudo (new) rootdn need it, and if no rule grant him the access the operation
There is no such thing as a pseudo rootdn.
"pseudo rootdn" is not a thing of openldap or ldap, it's a term used
simpify explanation. I'm sorry for my explanation which was not detailed
enough. a "thing" designed by "pseudo root dn" is an arbitrary dn
who has *full* access to all "things" of database and config database.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following
Can work also if the *change* of configuration follows the indicated
step by step approach .
Then user root can always locally authenticate without a password like this:
ldawhoami -H ldapi:// -Y EXTERNAL