Re: (ITS#3819) Strange slapd.conf diagnostic after authz-regexp
Pierangelo Masarati wrote:
> firstname.lastname@example.org wrote:
> > Well, rootpw makes no sense for the frontendDB. The question about
> > rootdn is still open.
>
> I do not quite understand this comment. In principle (never thought
> about it so I'm just trying to form a consistent thought) we could
> have a "global rootdn", which would be the frontend's rootdn, whose
> authority spans the entire system, unless a "rootdn" is defined for a
> database; in the latter case, that "local rootdn" would prevail. If
> we implement something like this, a "rootpw" for the frontendDB would
> make as much sense as it does for each database (with the same pros
> and cons, I mean).

I see what you're saying. I was thinking about it from a simpler
perspective: the rootDN has to be associated with a particular backend's
suffix in order for the Bind to be processed, and there is no suffix for
the frontendDB. But I guess if it's global then that consideration
doesn't need to apply.

If we want to go down this path, it might make sense to get that "user
class" implementation going. It would be better if things like
be_isroot() just needed to check one or two flags (userclass &
SLAP_GLOBAL_ROOT) instead of all the ber_bvcmp's that would be needed in
all the right places.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support