[Date Prev][Date Next]
Re: Creating database, catch-22
Peter Mogensen writes:
>Hallvard B Furuseth wrote:
>> Or (temporarily?) change rootdn for the HDB database to cn=config,
> Isn't the rootdn required to be under the database suffix?
No, use of rootpw requires rootdn to be under the database suffix.
Our site's slapd.conf uses authz-regexp to rewrite the root ldapi:// DN
to "cn=admin". Works fine.
Remember that rootdn has two functions: authentication (if there is a
rootpw) and authorization (providing unlimited access to the database).
Authentication: Simple Bind is dispatched to the database whose suffix
is a suffix of the Bind DN. Only that database's rootdn and rootpw is
checked against the Bind DN and Bind password.
Authorization: Once you are successfully bound as some DN, that DN is
checked against the rootdn and access controls of the database you are