
Re: Advertising configcontext in Root-DSE



On Thursday 16 February 2006 19:00, Howard Chu wrote:
> Ralf Haferkamp wrote:
> > On Thursday 16 February 2006 16:41, Pierangelo Masarati wrote:
> >>> Ralf Haferkamp wrote:
> >>>> Hi,
> >>>>
> >>>> I just recognized that current slapd advertises the
> >>>> config-context in root-dse, even if back-config is not used
> >>>> (e.g. no config directory exists). To me it seems useful to hide
> >>>> the "configContext" Attribute in such cases and deny searches below
> >>>> cn=config with "no such object".
> >>>
> >>> No. The cn=config tree is always present; just that any changes
> >>> made when no backing directory exists will not persist.
> >>
> >> but if no "database config" directive is present, it's not
> >> accessible.  I think this is what Ralf meant.
> >
> > Yes. It's just confusing that you see "configContext" in the
> > Root-DSE but can't access it in any way.
>
> I don't consider this a condition worth testing for. You could have a
> sasl-regexp that maps some other identity to the cn=config DN.
Btw, while we are at it: for easy bootstrapping of back-config we could
add an implicit sasl-regexp that maps
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" to
"cn=config". This would allow root to configure slapd through ldapi.
I just played around a little with this and it seems to work with some
additional tweaks in bconfig.c.

-- 
Ralf Haferkamp
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com
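
The identity mapping proposed in this message, modelled in Python as an added example (not part of the original post and not slapd code): it shows which ldapi peer credentials would end up as "cn=config" and why the "+" in the match pattern has to be escaped. Assumptions: rules are tried in order with the first match winning, patterns match the whole DN case-insensitively, the replacement is taken literally, and all function names and sample peers are constructed for illustration.

```python
import re

# Identity form quoted in the message (SASL EXTERNAL over ldapi, peer credentials).
PEERCRED_FMT = "gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"

# Hypothetical rule table modelling the proposed implicit mapping.
# "+" is escaped because a bare "+" in a regex is a quantifier, not a literal.
RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config"),
]

# Same rule with the "+" left unescaped, to show the failure mode.
UNESCAPED_RULES = [
    ("gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config"),
]

# Constructed sample of (uid, gid) pairs for local processes connecting via ldapi.
SAMPLE_PEERS = [(0, 0), (0, 100), (1000, 0), (1000, 1000)]


def peercred_dn(uid, gid):
    """Build the authentication DN for a local peer with the given uid/gid."""
    return PEERCRED_FMT.format(uid=uid, gid=gid)


def map_identity(authc_dn, rules=RULES):
    """Return the replacement of the first matching rule, else the DN unchanged."""
    for pattern, replacement in rules:
        if re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE):
            return replacement
    return authc_dn


def config_admins(peers, rules=RULES):
    """List the (uid, gid) pairs whose mapped identity is cn=config."""
    return [(u, g) for u, g in peers
            if map_identity(peercred_dn(u, g), rules) == "cn=config"]


if __name__ == "__main__":
    for uid, gid in SAMPLE_PEERS:
        print(uid, gid, "->", map_identity(peercred_dn(uid, gid)))
    # With the unescaped pattern, even uid 0 / gid 0 stays unmapped.
    print("unescaped rule admins:", config_admins(SAMPLE_PEERS, UNESCAPED_RULES))
```

In this model only the uid 0 / gid 0 peer is rewritten to "cn=config"; every other local user keeps its peercred DN and is subject to whatever access that DN has.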