On 3/20/19 7:22 PM, Quanah Gibson-Mount wrote:
> --On Tuesday, March 19, 2019 12:43 PM -0400 Bob Hund
> <[email protected]> wrote:
>
>> My gut feeling is that I should reset the hashes and discard the
>> cleartext to prevent misuse of these credentials. Is there any reason
>> not to do this?
>
> You have a few options:
>
> a) Use slappasswd to generate a hash of the password rather than using a
> cleartext value.
> b) Do something like debian & redhat do, and use SASL/EXTERNAL plus a
> regexp map for the local "root" user to be able to be the rootdn, and
> have no password value set
> c) Or just delete it entirely. I'd suggest (a) or (b) instead, in case
> you ever needed elevated privileges that are not subject to ACLs.

I usually recommend doing (b) and (c).

Ciao, Michael.
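
Added example, not part of the thread and not OpenLDAP's own code: a small audit that finds rootdn password lines in a cn=config LDIF or slapd.conf and reports whether each value is cleartext or hashed, plus a generator and checker for the {SSHA} layout that option (a) would produce. The sample config, the DNs, the fixed salt and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, os, re

# rootdn password lines: cn=config LDIF ("olcRootPW:", "olcRootPW::") or slapd.conf ("rootpw").
ROOTPW = re.compile(r"^(olcRootPW|rootpw)(::?|\s)\s*(.+)$", re.IGNORECASE)
SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def ssha(password, salt=None):
    """{SSHA} layout: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt length chosen for this example
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def audit(text):
    """Return (line_no, attribute, verdict) for each rootdn password line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ROOTPW.match(line.strip())
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # base64-encoded LDIF value: decode before judging
            value = base64.b64decode(value).decode("utf-8", "replace")
        s = SCHEME.match(value)
        if s is None or s.group(1).upper() == "CLEARTEXT":
            verdict = "cleartext"
        else:
            verdict = "hashed:" + s.group(1).upper()
        findings.append((no, attr, verdict))
    return findings

# Constructed sample config, not taken from the thread.
HASHED = ssha(b"secret", b"fixedslt")
SAMPLE = "\n".join([
    "dn: olcDatabase={1}mdb,cn=config",
    "olcRootDN: cn=admin,dc=example,dc=com",
    "olcRootPW: secret",
    "olcRootPW:: c2VjcmV0",  # base64 of "secret": opaque-looking but still cleartext
    "olcRootPW:: " + base64.b64encode(HASHED.encode()).decode(),
    "rootpw " + HASHED,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A base64-encoded `olcRootPW::` value is only an LDIF transport encoding, so the audit decodes it before deciding whether a hash scheme prefix is present.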
