Re: config backend and modifying cn=config



So it sounds like I can set the root DN for cn=config to something like
cn=config,ou=specialusers,dc=mainsuffix and create an entry for
cn=config,ou=specialusers,dc=mainsuffix with an attribute

authzFrom: group/groupOfNames/member.exact="cn=admin,ou=groups,dc=mainsuffix"

and then use something like the ldap backend to allow simple binds as
users in the admin group and assert the identity of
cn=config,ou=specialusers,dc=mainsuffix.

Does that sound right?  Does the rootDN entry need to include an
additional objectclass to support the authzFrom attribute?  Is this
something that should work?  Is this the kind of thing that back-ldap is
meant to do?

On Sat, 14 Jan 2006, Howard Chu wrote:

>Eric Irrgang wrote:
>> Is there a recommended way to allow a DN other than 'cn=config' write
>> access to cn=config and children?
>
>Not at the moment. You can change the rootdn to something other than
>"cn=config", but it still only allows access to the current rootdn.
>
>> I saw brief reference to SASL in a post
>> by Howard.  Is this something that could be accomplished with slapd-relay
>> and/or slapo-rwm?  Is it an access control issue or something more
>> fundamental to the config backend code?
>
>Currently the config backend does not do ACL checking, it simply checks
>for the rootdn and disallows all other access. Perhaps in a future
>release we'll change it to do regular ACL checking, but still with a
>default ACL of "access to * by * none".

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
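As an added illustration, not code from the thread, of the arrangement Eric sketches: a cn=config LDIF that turns on the proxy-authorization policy, relocates the config rootdn onto a real entry and gives that entry its authzFrom rule. The dc=mainsuffix tree, the special-users OU and the admin group come from the post; the olc* attribute names, olcDatabase={1}bdb, cn=manager as the main-tree rootdn, uid=alice and the group-rule syntax are assumptions to check against the running version's slapd-config(5) and slapd.conf(5).

```ldif
# Added example, not from the thread. Names from the post: dc=mainsuffix,
# ou=specialusers, cn=admin,ou=groups. Assumed: olc* attribute names,
# olcDatabase={1}bdb, cn=manager as main-tree rootdn, uid=alice, and the
# "group/objectClass/attribute:<DN>" authz rule form from slapd.conf(5).

# 1. Honour authzFrom rules stored on the identity being assumed.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: from

# 2. Move the config rootdn onto a real entry in the main tree. After this
#    change "cn=config" is no longer accepted as the config rootdn.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config,ou=specialusers,dc=mainsuffix

# 3. The entry that is assumed. authzFrom is defined in slapd's built-in
#    schema as an operational attribute, so no objectClass has to list it
#    (assumption; confirm with a subschema search). The entry carries no
#    userPassword: the only way to become it is proxy authorization from a
#    member of the admin group, which the authzFrom rule below permits.
dn: cn=config,ou=specialusers,dc=mainsuffix
changetype: add
objectClass: organizationalRole
cn: config
authzFrom: group/groupOfNames/member:cn=admin,ou=groups,dc=mainsuffix

# 4. Membership of that group is now equivalent to config write access, so
#    its member attribute gets the same protection as cn=config itself.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="cn=admin,ou=groups,dc=mainsuffix" attrs=member
  by dn.exact="cn=manager,dc=mainsuffix" write by * read

# Client side: bind as a group member and assert the config identity with
# the proxy authorization control (RFC 4370); slapd consults authzFrom to
# decide whether the assertion is allowed. Whether back-config then treats
# the asserted identity as its rootdn is the question the thread leaves open.
#   ldapwhoami -x -D uid=alice,ou=people,dc=mainsuffix -W \
#     -e '!authzid=dn:cn=config,ou=specialusers,dc=mainsuffix'
```

The modifications in steps 1 and 2 still have to be applied while bound as the current config rootdn (cn=config), since that is the only identity the config backend accepts before the change.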