ok. How can i place restrictions for admin access to cn=config db? According to docs i must add a user to a db to do this.
I suggest looking at what Debian does in their default configurations, which restricts the admin user to using the ldapi:/// socket and the root user only, which meets your criteria for locking it down to localhost and even goes beyond that to locking down the user that is mapped to the rootdn as well.
--Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration