Re: back-config design considerations - Admin Guide fodder
At 07:12 PM 7/28/2005, Michael Ströder wrote:
>> back-config only allows its rootdn user to access it, and a mechanism is
>> needed to configure authentication credentials for this rootdn. (The
>> rootdn itself is hardcoded to "cn=config" of course.) One possibility is
>> to use a SASL Bind and use sasl-regexp/authz-regexp to map an admin's
>> SASL username to the cn=config DN.
>
>In case of using ldapi:// with SASL EXTERNAL I'd vote for mapping user
>'root' (UID 0) and the user under which slapd was started (-u) to cn=config.
I would be against implicitly mapping an "...,cn=auth" ID to
any DN. If the directory admin wants 'root' or whatever to be the rootdn
of any database, including cn=config, the admin should set rootdn
appropriately (and, if desired, use authz-regexp mapping).
Note that the rootdn does not have to name an entry within the
database.
I think it is a problem to hardcode rootdn in slapd(8) to anything
other than "" (disabled). The admin should either set it to a rootdn
at/under cn=config and provide a rootpw, or set it to a rootdn of some
other identity.
>Err...are sasl-regexp/authz-regexp global or backend-specific directives?
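As an added illustration (not text from this thread), the two explicit choices Kurt describes look like this in slapd.conf syntax; it assumes the back-config implementation in which `database config` accepts `rootpw` and `authz-regexp` is a global directive, and the rootpw value is a placeholder to be replaced with slappasswd(8) output:

```conf
# slapd.conf fragment (added example, not from the thread).

# Option 2 first, because authz-regexp is a global directive and must
# precede any "database" line.  Nothing is mapped to cn=config unless
# the admin writes a rule like this one: here the ldapi:// SASL EXTERNAL
# peer credential of the local root user (UID 0, GID 0) is mapped.
# The "+" in the peercred DN is a regex metacharacter, hence the escape.
authz-regexp
    "^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$"
    "cn=config"

# Option 1: give cn=config its own password, set explicitly by the admin.
# Binding as "cn=config" with this password then reaches the rootdn.
# Use a hashed value from slappasswd(8); this is a placeholder.
database    config
rootpw      {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
```

Either option alone is sufficient; with neither set, no identity reaches cn=config, which is the disabled state Kurt argues should be the default.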