Hello, thanks for the security advice. I already have the "authz-regexp for LDAPI access with SASL/EXTERNAL bind of user root" for local access.

I mainly use the command line, but I kept the rootpw for when I'm lazy and use the GUI. Well, I guess one doesn't easily change for the better :-) Fortunately, I'm rarely that lazy... Anyway, I'll follow your advice. Thanks again. See ya

2015-02-23 13:29 GMT+04:00 Michael Ströder <[email protected]>:
> Jephte Clain wrote:
>> I have an LDAP server with rootdn cn=admin,dc=domain,dc=tld and password set
>> in cn=config (this is OpenLDAP 2.4.40 on Debian squeeze)
>>
>> I also have the LDAP object cn=admin,dc=domain,dc=tld in the database, with a
>> *different* password
>>
>> Both passwords seem to authenticate. Is this expected?
>
> IIRC it always worked like this.
>
>> Being able to regularly change the root dn password looks like a good thing
>> to me.
>
> If you want security then avoid using rootpw. There is no serious use-case
> where you have to bind as rootdn via remote LDAP. And for repairing defects
> locally use an authz-regexp for LDAPI access with SASL/EXTERNAL bind of user
> root.
>
> Ciao, Michael.
>

--
Kind regards,
Jephté Clain
Direction des Systèmes d'Information et des Usages Numériques - 2IG
Tel. 0262 93 86 31
Fax. 0262 93 81 06
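What Michael's advice looks like in cn=config, as an added example that is not part of the thread above and not OpenLDAP project code: a script that generates the LDIF mapping local root's SASL/EXTERNAL identity over ldapi onto the rootdn, removes olcRootPW from the database definition, and checks the mapping with ldapwhoami. It assumes the rootdn from the thread (cn=admin,dc=domain,dc=tld), that the database entry is olcDatabase={1}hdb,cn=config (check with `slapcat -n0`), that slapd listens on ldapi:///, and that the existing ACL on cn=config already lets local root manage it over ldapi (the stock Debian setup does); none of those details are stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.
# Replaces the remote-usable rootpw with a local-only path to rootdn
# privileges: uid 0 over the ldapi socket, via SASL/EXTERNAL + authz-regexp.

ROOTDN="cn=admin,dc=domain,dc=tld"          # rootdn named in the thread
DBDN="olcDatabase={1}hdb,cn=config"         # ASSUMPTION: verify with slapcat -n0

# Authentication DN slapd derives from a SASL/EXTERNAL bind over ldapi by
# a process running as uid 0 / gid 0.  The '+' must be escaped because the
# match side of authz-regexp is a regular expression.
PEERCRED_ROOT='gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth'

# LDIF doing two things: (1) add the regexp mapping to the global config,
# (2) delete olcRootPW from the database so no password binds as rootdn.
hardening_ldif() {
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "add: olcAuthzRegexp" \
        "olcAuthzRegexp: $PEERCRED_ROOT $ROOTDN" \
        "" \
        "dn: $DBDN" \
        "changetype: modify" \
        "delete: olcRootPW"
}

# Apply using the same local-root-over-ldapi access that the regexp relies on.
apply_hardening() {
    hardening_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# After the mapping, a SASL/EXTERNAL bind by root must be reported as the
# rootdn itself rather than as the raw cn=peercred identity.
check_mapping() {
    got=$(ldapwhoami -Q -Y EXTERNAL -H ldapi:///) || return 1
    [ "$got" = "dn:$ROOTDN" ]
}

# Offline checks on the generated LDIF (no slapd needed); -F -x keep the
# escaped '+' and the {1} index from being read as pattern syntax.
ldif_has_regexp() {
    hardening_ldif | grep -qxF "olcAuthzRegexp: $PEERCRED_ROOT $ROOTDN"
}
ldif_drops_rootpw() {
    hardening_ldif | grep -qxF "delete: olcRootPW"
}

# Only touch the live server when explicitly asked: ./harden.sh apply
case "${1:-}" in
    apply) apply_hardening && check_mapping && echo "rootdn mapping OK" ;;
    show)  hardening_ldif ;;
esac
```

Two caveats a practitioner would want. First, deleting olcRootPW does not by itself stop password binds as the rootdn: when no rootpw is configured, a simple bind as cn=admin,dc=domain,dc=tld is answered by the userPassword of that entry in the database, which is exactly the second password the thread describes, so that entry's password must be rotated or removed too. Second, run `check_mapping` before relying on the change; if ldapwhoami still prints the `gidNumber=0+uidNumber=0,cn=peercred,...` identity, the regexp was not applied (typically because of the unescaped `+`) and dropping olcRootPW would have locked out the only privileged path.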
