
Re: back-config design considerations - Admin Guide fodder



At 07:12 PM 7/28/2005, Michael Ströder wrote:
>> back-config only allows its rootdn user to access it, and a mechanism is
>> needed to configure authentication credentials for this rootdn. (The
>> rootdn itself is hardcoded to "cn=config" of course.) One possibility is
>> to use a SASL Bind and use sasl-regexp/authz-regexp to map an admin's
>> SASL username to the cn=config DN.
>
>In case of using ldapi:// with SASL EXTERNAL I'd vote for mapping user
>'root' (UID 0) and the user under which slapd was started (-u) to cn=config.

I would be against implicitly mapping an "...,cn=auth" ID to
any DN.  If the directory admin wants 'root' or whatever to be the rootdn
of any database, including cn=config, the admin should set rootdn
appropriately (and, if desired, use authz-regexp mapping).

Note that the rootdn does not have to name an entry within the
database.

I think it is a problem to hardcode rootdn in slapd(8) to anything
other than "" (disabled).  The admin should either be setting it to
a rootdn at/under cn=config and providing a rootpw, or should
set it to a rootdn of some other identity.


>Err...are sasl-regexp/authz-regexp global or backend-specific directives?
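As an added illustration, not taken from the thread or from the OpenLDAP sources, this is what the explicit configuration the reply argues for could look like in slapd.conf: an explicit authz-regexp mapping of the ldapi:// SASL EXTERNAL identity of uid 0 to cn=config, and an explicit rootdn/rootpw on the config database. It assumes the peer-credential identity format `gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth` and uses a placeholder for the password hash.

```conf
# Added example, not part of the thread: explicit rootdn for the config
# database plus an explicit authz-regexp mapping, instead of an implicit
# rule that maps root (uid 0) to cn=config.

# Global section.  The SASL EXTERNAL identity slapd derives from ldapi://
# peer credentials is assumed to have the form
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# The '+' is escaped because the first argument is a regular expression.
authz-regexp
    "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=config"

# The config database.  rootdn is set explicitly (here to cn=config itself)
# and a rootpw is supplied so that a simple bind also works; the hash is a
# placeholder to be generated with slappasswd(8).
database config
rootdn   "cn=config"
rootpw   {SSHA}placeholder-hash-from-slappasswd

# Alternative the reply mentions: make the rootdn of the config database
# some other identity, e.g. the rootdn of a regular database (constructed
# example DN):
# rootdn   "cn=Manager,dc=example,dc=com"
```

Only a SASL bind goes through authz-regexp, so a client binding over ldapi:// with `-Y EXTERNAL` is mapped to cn=config, while other clients must bind as the configured rootdn with the rootpw.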