I've added a comment in slapadd(8), slapindex(8) about the need to make sure commands are either executed with the right identity, or their ownership is changed after execution.
As a side note, if any of the tools that access the database (slapacl, slapauth, slapcat, slaptest without -u) are run with an empty environment, they'll create the environment, of course owned by the identity they've been run as. This is a known problem; they should rather refuse to operate if the environment is empty, since they need an already set up one.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
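
Added example, not part of the original message and not an OpenLDAP tool: a shell check to run after slapadd or slapindex that reports database files not owned by the identity slapd runs as, and flags an empty directory instead of letting a tool create the environment. The function name `check_db_owner`, the directory argument and the `ldap` account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; check_db_owner is a hypothetical helper, not an OpenLDAP tool.
# Usage: check_db_owner DB_DIR SLAPD_UID
#   0  directory is populated and every entry belongs to SLAPD_UID
#   1  at least one entry belongs to another identity (paths on stdout)
#   2  directory is missing or empty: no environment has been set up
check_db_owner() {
    dir=$1
    want_uid=$2

    if [ ! -d "$dir" ]; then
        echo "check_db_owner: $dir is not a directory" >&2
        return 2
    fi

    # An empty directory means a database tool would create the environment
    # itself, owned by whoever runs it, so report it instead of proceeding.
    if [ -z "$(ls -A "$dir")" ]; then
        echo "check_db_owner: $dir is empty, refusing" >&2
        return 2
    fi

    # List the directory and everything below it that is not owned by the
    # expected uid, e.g. files left behind by slapadd or slapindex run as root.
    bad=$(find "$dir" ! -uid "$want_uid" -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run as a script: sh check_db_owner.sh /path/to/db "$(id -u ldap)"
# (the path and the "ldap" account name are placeholders).
if [ "$#" -ge 2 ]; then
    check_db_owner "$1" "$2"
fi
```

The uid is passed numerically so the check also works on a host where the slapd account name cannot be resolved.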