
Re: Creating database, catch-22



Peter Mogensen writes:
>Hallvard B Furuseth wrote:
>> Or (temporarily?) change rootdn for the HDB database to cn=config,
> 
> Isn't the rootdn required to be under the database suffix?

No, use of rootpw requires rootdn to be under the database suffix.

Our site's slapd.conf uses authz-regexp to rewrite the root ldapi:// DN
to "cn=admin".  Works fine.

Remember that rootdn has two functions: authentication (if there is a
rootpw) and authorization (providing unlimited access to the database).

Authentication: Simple Bind is dispatched to the database whose suffix
is a suffix of the Bind DN.  Only that database's rootdn and rootpw are
checked against the Bind DN and Bind password.

Authorization: Once you are successfully bound as some DN, that DN is
checked against the rootdn and access controls of the database you are
accessing.

-- 
Hallvard
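
A slapd.conf fragment illustrating the setup Hallvard describes, with rootdn placed outside the suffix and reached only through an authz-regexp mapping of the ldapi:// peer identity (an added example, not the poster's actual configuration; the suffix dc=example,dc=com, the directory path and the ACLs are assumed):

```conf
# Added example, not the poster's configuration.
# Assumed values: suffix dc=example,dc=com, directory /var/lib/ldap, the ACLs.

# slapd must listen on the ldapi:// socket for the peercred identity to exist,
# e.g. started as:  slapd -h "ldap:/// ldapi:///"

# Map the local root user (uid 0, gid 0) binding over ldapi:// with
# SASL EXTERNAL to the DN cn=admin.  The first argument is a regular
# expression, so the '+' in the peercred DN must be escaped.
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin"

database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Authorization only: cn=admin is not under the suffix and no rootpw is set,
# so a Simple Bind as cn=admin is dispatched to no database and fails.
# The only way to become cn=admin is the authz-regexp mapping above.
rootdn          "cn=admin"
# (a rootpw line here would be useless: rootpw is only consulted when the
#  rootdn lies under this database's suffix)

# Ordinary users authenticate by Simple Bind against entries under the
# suffix and are then subject to these ACLs; the rootdn bypasses them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
```

With this configuration, `ldapsearch -Y EXTERNAL -H ldapi:///` run as root shows the effective identity as cn=admin, while the same bind from an unprivileged user maps to its own peercred DN and gets only the access the ACLs grant.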