
I have installed OpenLDAP and phpLDAPadmin on Ubuntu 14.04.

I have a default RootDN which is something like:

  • cn=admin,dc=example,dc=com

Then I have created users and groups organizational units like this:

  • ou=users,dc=example,dc=com
  • ou=groups,dc=example,dc=com

I have also created a Main Admin user which will be the admin for all my services:

  • cn=Main Admin,ou=users,dc=example,dc=com

Now I would like to have the Main Admin as the RootDN (so, just one admin for all services, including the LDAP service).

Is it possible to do that, and how? Just by changing the olcRootDN value?

What happens to the password? Should I set olcRootPW to be the same as the Main Admin password?

jmlemetayer

  • You don't want to do this. You want to use the RootDN *only* for the server itself. Any action carried out by a human or an application should be done as a user registered in the DIT and having appropriate permissions. The reason is that the RootDN bypasses many checks internally, for example it completely bypasses the password policy overlay. – user207421 Oct 02 '14 at 22:55

1 Answer


Apparently it is possible to do this just by changing the olcRootDN. The password that is taken into account is the Main Admin password.

To do this, create a file called rootdn.ldif like this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Main Admin,ou=users,dc=example,dc=com

And run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f ./rootdn.ldif

This way you can have something like this (after deleting cn=admin,dc=example,dc=com):

  • dc=example,dc=com
    • ou=groups,dc=example,dc=com
      • cn=service1_admins,ou=groups,dc=example,dc=com
      • cn=service1_users,ou=groups,dc=example,dc=com
      • cn=service2_admins,ou=groups,dc=example,dc=com
      • cn=service2_users,ou=groups,dc=example,dc=com
      • ...
    • ou=users,dc=example,dc=com
      • cn=Main Admin,ou=users,dc=example,dc=com <- The new olcRootDN
      • cn=User1,ou=users,dc=example,dc=com
      • cn=User2,ou=users,dc=example,dc=com
      • ...
jmlemetayer

  • I suggest adding sudo before the ldapmodify, or you'll get 50 - Insufficient Access – DDS Aug 31 '20 at 10:48
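The procedure in the answer (and the two points raised in the comments: run ldapmodify as root, and think twice before making a DIT user the RootDN), as an added example script that is not part of the original answer. It assumes the same backend index as on the page, olcDatabase={1}hdb (current OpenLDAP packages use {1}mdb; check with ldapsearch on cn=config first), the ldapi:/// socket with SASL EXTERNAL for the config admin, and an existing entry cn=Main Admin,ou=users,dc=example,dc=com. The has_rootpw check, the olcRootPW removal and the olcAccess alternative are additions of this example, not steps from the answer.

```shell
#!/bin/sh
# Added example (not the original answer's code): point olcRootDN at an entry
# that lives inside the DIT, then verify the change and the bind.
# Assumptions: backend index {1}hdb as on the page, ldapi:/// reachable with
# EXTERNAL auth as root, and an existing cn=Main Admin entry with a userPassword.
set -eu

DB_DN='olcDatabase={1}hdb,cn=config'
NEW_ROOTDN='cn=Main Admin,ou=users,dc=example,dc=com'

# Same change as the answer's rootdn.ldif, generated from the two variables.
build_rootdn_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: %s\n' "$1" "$2"
}

# Drop olcRootPW so the only credential that binds as the RootDN is the
# userPassword stored on the Main Admin entry itself (one password, one place).
build_drop_rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: olcRootPW\n' "$1"
}

# Alternative in the spirit of the first comment: leave cn=admin as RootDN and
# give Main Admin full rights through an ACL ("manage") inserted at position 0,
# so password policy and the rest of the ACL chain still apply to that account.
build_manage_acl_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: {0}to * by dn.exact="%s" manage by * break\n' "$1" "$2"
}

# Does the database entry currently carry an olcRootPW? (needs a live slapd;
# deleting an attribute that is absent would make ldapmodify fail)
has_rootpw() {
    sudo ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "$1" olcRootPW 2>/dev/null | grep -q '^olcRootPW:'
}

apply_rootdn_change() {
    # sudo is required: the EXTERNAL (peer-credential) bind over ldapi:/// only
    # maps to the config admin for root; otherwise slapd answers
    # "50 Insufficient access", as the second comment notes.
    build_rootdn_ldif "$DB_DN" "$NEW_ROOTDN" | sudo ldapmodify -Y EXTERNAL -H ldapi:///
    if has_rootpw "$DB_DN"; then
        build_drop_rootpw_ldif "$DB_DN" | sudo ldapmodify -Y EXTERNAL -H ldapi:///
    fi
    # Verify what slapd now believes the RootDN is ...
    sudo ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "$DB_DN" olcRootDN
    # ... and that a simple bind as that DN works with the entry's own password.
    ldapwhoami -x -H ldapi:/// -D "$NEW_ROOTDN" -W
}

case "${1:-}" in
    apply)     apply_rootdn_change ;;
    show-ldif) build_rootdn_ldif "$DB_DN" "$NEW_ROOTDN" ;;
    show-acl)  build_manage_acl_ldif "$DB_DN" "$NEW_ROOTDN" ;;
    *)         ;;   # no argument: only define the functions, change nothing
esac
```

Run `sh rootdn.sh show-ldif` to print the LDIF without touching the server, `sh rootdn.sh show-acl` for the ACL-based alternative, and `sh rootdn.sh apply` to perform the change; the final ldapwhoami should print `dn:cn=Main Admin,ou=users,dc=example,dc=com` when the Main Admin password is accepted for the new RootDN.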