--On Thursday, August 16, 2007 12:37 PM +0000 h.b.furuseth@usit.uio.no wrote:
> A few icky issues:
> - if you've got rootdn from a SASL/EXTERNAL DN and rewrite it to inside the database's DIT, it would be possible to create such an entry with a password. We could advise people to use a DN outside the database suffix in this case, and/or accept 'rootpw' with no parameter as explicitly refusing Simple Bind with the rootdn.
Or in the case of SASL/GSSAPI, there can be a straight SASL rewrite to an internal DN for the rootdn as well. There is no requirement for the rootdn to have to have a rootpw associated with it, and there needn't be.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
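An added example, not part of either message: a small Python check that reads slapd.conf-style text and reports, per database, whether the rootdn sits inside that database's suffix and whether a rootpw is set, which is the combination the quoted issue is about. The configuration text, DNs and verdict labels are constructed for illustration, and the DN comparison is simplified.

```python
# Constructed slapd.conf fragment for illustration; not taken from the thread.
SAMPLE_CONF = '''
database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
database mdb
suffix "dc=example,dc=org"
rootdn "cn=admin,cn=local"
database mdb
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw {SSHA}constructed-placeholder
'''

def norm_dn(dn):
    # Simplified normalisation: ignores escaped commas and multi-valued RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, suffix):
    dn, suffix = norm_dn(dn), norm_dn(suffix)
    return bool(suffix) and (dn == suffix or dn.endswith("," + suffix))

def parse_databases(conf):
    dbs = []  # one dict per 'database' section, in file order
    for raw in conf.splitlines():
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        key = fields[0].lower()
        val = fields[1].strip().strip('"') if len(fields) > 1 else ""
        if key == "database":
            dbs.append({"suffix": [], "rootdn": None, "rootpw": False})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"].append(val)
        elif dbs and key == "rootdn":
            dbs[-1]["rootdn"] = val
        elif dbs and key == "rootpw":
            dbs[-1]["rootpw"] = True
    return dbs

def audit(conf):
    out = []  # (rootdn, verdict) for each database that declares a rootdn
    for db in (d for d in parse_databases(conf) if d["rootdn"]):
        inside = any(is_under(db["rootdn"], s) for s in db["suffix"])
        # "inside-suffix-no-rootpw" is the case raised in the quoted message.
        verdict = ("outside-suffix" if not inside else
                   "inside-suffix-rootpw" if db["rootpw"] else "inside-suffix-no-rootpw")
        out.append((db["rootdn"], verdict))
    return out
```
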