Peter Mogensen writes:
> Hallvard B Furuseth wrote:
>> Or (temporarily?) change rootdn for the HDB database to cn=config,
> Isn't the rootdn required to be under the database suffix?
No, use of rootpw requires rootdn to be under the database suffix.
Our site's slapd.conf uses authz-regexp to rewrite the root ldapi:// DN to "cn=admin". Works fine.
Remember that rootdn has two functions: authentication (if there is a rootpw) and authorization (providing unlimited access to the database).
Authentication: Simple Bind is dispatched to the database whose suffix is a suffix of the Bind DN. Only that database's rootdn and rootpw are checked against the Bind DN and Bind password.
Authorization: Once you are successfully bound as some DN, that DN is checked against the rootdn and access controls of the database you are accessing.
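As an added illustration of the two roles described above (not the poster's own slapd.conf), here is a fragment with a rootdn outside the database suffix that is reachable only through an authz-regexp mapping; it assumes a suffix of dc=example,dc=com, a Linux ldapi:// listener and root binding with SASL EXTERNAL (peercred):

```conf
# Added example, not the poster's configuration. Assumed: suffix
# dc=example,dc=com, ldapi:// on Linux, local root using SASL EXTERNAL.

# Authentication side: root on the local socket is authenticated by the
# peercred mechanism and its authzid is then rewritten to cn=admin.
# The "." stands for the literal "+" in the authzid, which sidesteps
# escaping rules for the regex inside the config file.
authz-regexp
  "gidNumber=0.uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin"

database  hdb
suffix    "dc=example,dc=com"
directory /var/lib/ldap

# Authorization side: whatever identity ends up bound as cn=admin gets
# unlimited access to this database. There is deliberately no rootpw:
# cn=admin is not under the suffix, so no Simple Bind for it would ever
# be dispatched here, and the only way to become cn=admin is the mapping
# above (i.e. being root on the local machine).
rootdn    "cn=admin"
```

Running `ldapwhoami -Y EXTERNAL -H ldapi:///` as root should then report `dn:cn=admin`, while a Simple Bind as cn=admin with any password fails because no database claims that DN for authentication.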