[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Creating database, catch-22

To: Peter Mogensen <apm@mutex.dk>
Subject: Re: Creating database, catch-22
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Wed, 16 Sep 2009 14:35:01 +0200
Cc: openldap-software@openldap.org, masarati@aero.polimi.it
In-reply-to: <4AB0D522.3060906@mutex.dk>
References: <4AB087E4.9010105@mutex.dk> <4AB0C09C.5060809@aero.polimi.it> <hbf.20090916pyc3@bombur.uio.no> <4AB0D522.3060906@mutex.dk>

Peter Mogensen writes:
>Hallvard B Furuseth wrote:
>> Or (temporarily?) change rootdn for the HDB database to cn=config,
> 
> Isn't the rootdn required to be under the database suffix?

No, use of rootpw requires rootdn to be under the database suffix.

Our site's slapd.conf uses authz-regexp to rewrite the root ldapi:// DN
to "cn=admin".  Works fine.

Remember that rootdn has two functions: authentication (if there is a
rootpw) and authorization (providing unlimited access to the database).

Authentication: Simple Bind is dispatched to the database whose suffix
is a suffix of the Bind DN.  Only that database's rootdn and rootpw is
checked against the Bind DN and Bind password.

Authorization: Once you are successfully bound as some DN, that DN is
checked against the rootdn and access controls of the database you are
accessing.

-- 
Hallvard

Follow-Ups:
- Re: Creating database, catch-22
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- Creating database, catch-22
  - From: Peter Mogensen <apm@mutex.dk>
- Re: Creating database, catch-22
  - From: Pierangelo Masarati <masarati@aero.polimi.it>
- Re: Creating database, catch-22
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: Creating database, catch-22
  - From: Peter Mogensen <apm@mutex.dk>

Prev by Date: Re: Wired issue with slurpd
Next by Date: Re: Creating database, catch-22
Index(es):
- Chronological
- Thread