Re: Authentication for on the fly configuration updates in OpenLDAP 2.4

[Dan White <dwhite@olp.net>]

On 28/01/11 16:34 +0100, Pierangelo Masarati wrote:
> You can't set the "rootpw" for a "rootdn" outside the naming context 
> of a database.  Either set

Ok, I'm finally starting to get a grasp on cn=config. If I understand
correctly, there will always be a rootdn for cn=config, regardless if one
one specified in the original slapd.conf. If one was not, the rootdn will
default to 'cn=config' (or is it cn=admin,dc=config?).

> database        config
> rootdn          "cn=admin,dc=example,dc=org"
>
> or
>
> database        config
> rootdn          "cn=admin,cn=config"
> rootpw          xxx
>
> In the first case, the user "cn=admin,dc=example,dc=org" will need to 
> authenticate otherwise (e.g. from within another database, or using 
> SASL).

Is there a supported way to generate or modify the appropriate authz-regexp
config for SASL authentication, assuming that one did not exist within the
original slapd.conf?

I've heard mention of a slapmodify command in a future version, so I'm
assuming that's going to be the supported solution.

--
Dan White