ando(a)sys-net.it wrote:
> h.b.furuseth(a)usit.uio.no wrote:
>
>> Backends are quite inconsistent about how Bind treats rootdn/rootpw.
>> After a quick browse of the HEAD code, it looks like this - I'll
>> investigate closer if needed:
>>
>> rootpw supported:
>> Yes: config, bdb, meta, monitor, ldif, HEAD:null, sql, overlay retcode.
>> No: dnssrv, ldap?, RE23:null, perl, relay, shell.
>
> back-ldap doesn't care about rootdn/rootpw; back-meta does mostly for
> historical reasons (could be removed with some work).
>
>> (Bind not supported: passwd).
>>
>> Rootpw vs. normal Bind as rootdn (typically when rootdn names an entry):
>> config, bdb, null, sql, overlay retcode (I think):
>> Try rootpw first, then if failure try normal Bind (even if
>> rootpw exists but the Bind password does not match it).
>> ldif:
>> Do not try rootpw if rootdn names an existing entry.
>> meta:
>> Fail if rootpw is missing or does not match, more complicated
>> otherwise.
>> monitor:
>> Fine - there are no entries with passwords.
>
> (yet :)
>
> I discovered that back-monitor may benefit from having a rootdn because
> this provides a means to easily workaround any ACLs. The availability
> of rootpw is also important because I ran into few cases where no other
> means to authenticate were available, and all in all this feature (I
> mean: rootdn w/ rootpw comes for free from the database infrastructure).
Don't you do this in test043:
"# HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply"