
Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp

Pierangelo Masarati wrote:
>  hyc@symas.com wrote:
> > Well, rootpw makes no sense for the frontendDB. The question about
> > rootdn is still open.

>  I do not quite understand this comment.  In principle (never thought
>  about it so I'm just trying to form a consistent thought) we could
>  have a "global rootdn", which would be the frontend's rootdn, whose
>  authority spans the entire system, unless a "rootdn" is defined for a
>  database; in the latter case, that "local rootdn" would prevail.  If
>  we implement something like this, a "rootpw" for the frontendDB would
>  make as much sense as it does for each database (with the same pros
>  and cons, I mean).

I see what you're saying. I was thinking about it from a simpler 
perspective: the rootDN has to be associated with a particular backend's 
suffix in order for the Bind to be processed, and there is no suffix for 
the frontendDB. But I guess if it's global then that consideration 
doesn't need to apply.

If we want to go down this path, it might make sense to get that "user 
class" implementation going. It would be better if things like 
be_isroot() just needed to check one or two flags (userclass & 
SLAP_GLOBAL_ROOT) instead of all the ber_bvcmp's that would be needed in 
all the right places.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
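
The flag-based root check discussed in the message above, sketched as an added example; it is not code from the thread or from OpenLDAP. Only the name SLAP_GLOBAL_ROOT comes from the message. SLAP_LOCAL_ROOT, the structs, the function names, the sample DNs and the reading that a database's own rootdn overrides the global one on that database are assumptions made for illustration.

```c
#include <stddef.h>
#include <strings.h>

#define SLAP_GLOBAL_ROOT 0x1u   /* name from the message; value assumed */
#define SLAP_LOCAL_ROOT  0x2u   /* hypothetical companion flag */

typedef struct { const char *suffix; const char *rootdn; } db_t; /* rootdn NULL = none */
typedef struct { unsigned userclass; unsigned local_root_dbs; } ident_t;

/* Constructed sample configuration (hypothetical DNs). */
static const char *global_rootdn = "cn=global-root";
static const db_t dbs[] = {
    { "dc=example,dc=com", "cn=manager,dc=example,dc=com" },
    { "dc=example,dc=org", NULL },
};
#define NDBS (sizeof dbs / sizeof dbs[0])

/* Bind time: do every DN comparison once and record the result as flags.
 * strcasecmp stands in for comparing normalized DNs. */
static ident_t classify(const char *bind_dn)
{
    ident_t id = { 0, 0 };
    if (strcasecmp(bind_dn, global_rootdn) == 0)
        id.userclass |= SLAP_GLOBAL_ROOT;
    for (size_t i = 0; i < NDBS; i++)
        if (dbs[i].rootdn && strcasecmp(bind_dn, dbs[i].rootdn) == 0) {
            id.userclass |= SLAP_LOCAL_ROOT;
            id.local_root_dbs |= 1u << i;
        }
    return id;
}

/* Per-operation check: flag tests only, no DN comparison. */
static int is_root(const ident_t *id, size_t db)
{
    if ((id->userclass & SLAP_LOCAL_ROOT) && (id->local_root_dbs & (1u << db)))
        return 1;
    /* Global root applies only where the database defines no rootdn. */
    return (id->userclass & SLAP_GLOBAL_ROOT) && dbs[db].rootdn == NULL;
}

/* Classify a bind DN, then ask whether it is root on database index db. */
int demo_is_root(const char *bind_dn, size_t db)
{
    ident_t id = classify(bind_dn);
    return is_root(&id, db);
}

int main(void) { return demo_is_root("cn=global-root", 1) ? 0 : 1; }
```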