At 07:12 PM 7/28/2005, Michael Ströder wrote: >> back-config only allows its rootdn user to access it, and a mechanism is >> needed to configure authentication credentials for this rootdn. (The >> rootdn itself is hardcoded to "cn=config" of course.) One possibility is >> to use a SASL Bind and use sasl-regexp/authz-regexp to map an admin's >> SASL username to the cn=config DN. > >In case of using ldapi:// with SASL EXTERNAL I'd vote for mapping user >'root' (UID 0) and the user under which slapd was started (-u) to cn=config.
I would be against implicitly mapping an "...,cn=auth" ID to any DN. If the directory admin wants 'root' or whatever to be the rootdn of any database, including cn=config, the admin should set rootdn appropriate (and, if desired, use authz-regexp mapping). Note that the rootdn does not have to name an entry with the database. I think it a problem to hardcode rootdn in slapd(8) to anything other than "" (disabled). The admin should be setting it either a rootdn at/under cn=config and provide a rootpw, or should set it to a rootdn of some other identity. >Err...are sasl-regexp/authz-regexp global or backend-specific directives?
