Howard Chu <[email protected]> writes:

> Ferenc Wagner wrote:
>
>> Igor Shmukler <[email protected]> writes:
>>
>>> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" write by * none
>>> olcAccess: {1}to dn.base="" by * read
>>> olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" write by * read
>>
>> OK, I think I understand your problem now. As Brendan mentioned,
>> cn=config is not a user object, you can't set a userPassword on it.
>> It's still possible to bind to it, because it's your RootDN, and RootPW
>> is set. But this will give it access to its own database only, and skip
>> ACL processing anyway. So the idea I gave you is good, but you have to
>> use a normal user object with userPassword instead of cn=config. You
>> can't create such an object in the config database, but anything else
>> goes; let's say it's cn=root,dc=example,dc=com. Use this in your ACLs
>> for each database (cn=config included, if you want):
>>
>> olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage
>> [...]
>>
>> and you should be set. So to correct my answer to your original
>> question: what you want (use cn=config with simple bind to manage all
>> your databases) is not possible. Using any normal user object instead
>> of cn=config should work, though. At least according to my limited
>> understanding. Sorry for mistaking this earlier.
>
> This is false. You can use cn=config with simple bind just like any
> other RootDN.
Sure, I also wrote above that he can (simple) bind to it, because it's the RootDN and RootPW is also set. But will it still participate in ACL processing for other databases? I mean, can you use it in ACLs just like any normal user object with a userPassword? Also, what happens if several databases have the same RootDN?

--
Thanks,
Feri.
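As an added example (not part of the thread), here is what Feri's suggestion looks like as LDIF: a regular user object with a userPassword in the data database, plus a manage rule inserted at position 0 in both the data database and cn=config. The database names olcDatabase={1}mdb and olcDatabase={0}config, the suffix dc=example,dc=com and the hash placeholder are assumptions; the `by * break` control is added so that rule evaluation falls through to the existing rules for everyone else (with a plain `to *` rule placed first and no matching `by` clause, OpenLDAP denies access, which would block the `by anonymous auth` that simple bind needs).

```ldif
# Constructed example: a normal user object that will act as the
# all-database administrator. Replace the hash with slappasswd output.
dn: cn=root,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: root
description: Administrative account referenced by ACLs in every database
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# Data database (name and index assumed): insert the manage rule at
# position 0 so it is evaluated before "to attrs=userPassword ... by * none".
# "break" continues to the following rules for all other binders, so the
# existing "by anonymous auth" on userPassword keeps simple bind working.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break

# Config database: the same rule, so cn=root (authenticated against the
# data database) can administer cn=config through ACLs rather than as RootDN.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break
```

The first record must be applied with an identity that can write to the data database (for example its existing RootDN), the two modifications with the config database's RootDN; after that, `ldapwhoami -D cn=root,dc=example,dc=com -W` is the quickest check that the new object can bind.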
