This directive specifies the DN that is not subject to
access control or administrative limit restrictions for
operations on this database. The DN need not refer to
-an entry in the directory. The DN may refer to a SASL
-identity.
+an entry in this database or even in the directory. The
+DN may refer to a SASL identity.
Entry-based Example:
> rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth"
+See the {{SECT:SASL Authentication}} section for information on
+SASL authentication identities.
+
H4: rootpw <password>
-This directive specifies a password for the DN given above that
-will always work, regardless of whether an entry with the given
-DN exists or has a password.
-This directive is deprecated in favor of SASL based authentication.
+This directive can be used to specifies a password for the DN for
+the rootdn.
\Example:
> rootpw secret
+It is also permissible to provide hash of the password in
+RFC 2307 form. {{slappasswd}}(8) may be used to generate
+the password hash.
+
+\Example:
+
+> rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
+
+The hash was generated using the command {{EX:slappasswd -s secret}}.
+
+This directive is deprecated in favor of SASL based authentication.
+
H4: suffix <dn suffix>
H3: BDB Database Directives
-Directives in this category only apply to a BDB database. That is,
-they must follow a "database bdb" line and come before any
-subsequent "backend" or "database" line.
+Directives in this category only apply to a {{TERM:BDB}} database.
+That is, they must follow a "database bdb" line and come before any
+subsequent "backend" or "database" line. For a complete reference
+of BDB configuration directives, see {{slapd-bdb}}(5).
H4: directory <directory>
H3: LDBM Database Directives
-Directives in this category only apply to a LDBM database. That is,
-they must follow a "database ldbm" line and come before any
-subsequent "backend" or "database" line.
+Directives in this category only apply to a {{TERM:LDBM}} database.
+That is, they must follow a "database ldbm" line and come before
+any subsequent "backend" or "database" line. For a complete reference
+of LDBM configuration directives, see {{slapd-ldbm}}(5).
H4: cachesize <integer>
> by anonymous auth
> by * read
-This directive allows users to modify their own entries,
-allows authenticate, and allows all others to read.
-Note that only the first {{EX:by <who>}} clause which matches applies.
-Hence, the anonymous users are granted {{EX:auth}}, not {{EX:read}}.
-The last clause could just as well have been "{{EX:by users read}}".
+This directive allows users to modify their own entries, allows
+authenticate, and allows all others to read. Note that only the
+first {{EX:by <who>}} clause which matches applies. Hence, the
+anonymous users are granted {{EX:auth}}, not {{EX:read}}. The last
+clause could just as well have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place. The following shows how security strength
+factors (SSF) can be used.
+
+> access to *
+> by ssf=128 self write
+> by ssf=64 anonymous auth
+> by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections have of strength 128 or better have been established,
+allows simple authentication and read access when 64 or better
+security protections have been established.
The following example shows the use of a regular expression
to select the entries by DN in two access directives where