--O
How would one then add the initial database? What you suggest is all fine and good if someone has a known good LDIF to start from; a beginner isn't going to, and will need to be able to get the error checking that slapadd does not provide.
Hmm, being the author of a generic LDAP client I can say that it's really hard to guide a newbie user to do the right thing when starting with an *empty* DB.
But I appreciate any hints on how to do that, even if it requires setting rootpw. ;-)
The only viable solution is to provide decent tooling for setting up a DB with presets. If going this route you can also set up an admin group with decent ACLs right from the start. And the setup process can run as root connecting via LDAPI and using SASL/EXTERNAL for authc. Then running the setup as system user root is the initial trust anchor for bootstrapping the directory. Well, *you* already know all this and you probably guessed it: that's how the Æ-DIR setup does it (and all automated setups I do for customers).
Yeah, I prefer the ldapi:// + EXTERNAL route as well, but that becomes somewhat more complicated (but of course not impossible) if you're using different rootDNs for cn=config vs the other databases. Some sites require a high level of separation.
--Quanah
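The bootstrap route discussed in this thread (local root over ldapi:// with SASL/EXTERNAL as the trust anchor, an admin group with ACLs from the start, no rootpw), as an added example that is not from any poster or from the Æ-DIR project. It assumes a running slapd listening on ldapi:/// with an mdb database at olcDatabase={1}mdb already configured for the suffix, and the OpenLDAP client tools; the suffix, group name and member DN are placeholders. cn=config and the data DB get separate ACLs so the cn=config administrators and the data administrators need not be the same identity.

```shell
# Added example (not from the thread): bootstrap an empty slapd as local root
# over ldapi:// with SASL/EXTERNAL, never setting a rootpw. Assumes slapd is
# up on ldapi:/// with {1}mdb configured for $SUFFIX; names are placeholders.
SUFFIX="${SUFFIX:-dc=example,dc=com}"
ADMIN_GROUP="cn=admins,${SUFFIX}"
# DN slapd derives for a local root process on ldapi:// (Linux peercred)
ROOT_PEER="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# cn=config: only local root may manage it, kept separate from data-DB admins
config_acl_ldif() {
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="${ROOT_PEER}" manage by * none
EOF
}
# Data DB: local root and the admin group manage; passwords stay protected
data_acl_ldif() {
  cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="${ROOT_PEER}" manage by group.exact="${ADMIN_GROUP}" manage by * break
olcAccess: {1}to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: {2}to * by users read by * none
EOF
}
# First entries: the base and the admin group with one placeholder member
initial_entries_ldif() {
  cat <<EOF
dn: ${SUFFIX}
objectClass: dcObject
objectClass: organization
o: Example
dc: $(printf '%s' "${SUFFIX}" | sed 's/^dc=\([^,]*\).*/\1/')

dn: ${ADMIN_GROUP}
objectClass: groupOfNames
cn: admins
member: uid=firstadmin,ou=people,${SUFFIX}
EOF
}

# Apply via ldapmodify/ldapadd so slapd validates schema and reports errors,
# which slapadd would not do; the blank line separates the two LDIF records.
bootstrap() {
  { config_acl_ldif; echo; data_acl_ldif; } | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  initial_entries_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///
}
if [ "${1:-}" = apply ]; then bootstrap; fi
```

Run it as root with the argument `apply`; without it the script only defines the functions, so the generated LDIF can be inspected first with e.g. `data_acl_ldif`.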