This directive specifies the DN that is not subject to
access control or administrative limit restrictions for
operations on this database. The DN need not refer to
-an entry in the directory. The DN may refer to a SASL
-identity.
+an entry in this database or even in the directory. The
+DN may refer to a SASL identity.
Entry-based Example:
> rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth"
+See the {{SECT:SASL Authentication}} section for information on
+SASL authentication identities.
+
H4: rootpw <password>
-This directive specifies a password for the DN given above that
-will always work, regardless of whether an entry with the given
-DN exists or has a password.
-This directive is deprecated in favor of SASL based authentication.
+This directive can be used to specifies a password for the DN for
+the rootdn (when the rootdn is set to a DN within the database).
\Example:
> rootpw secret
+It is also permissible to provide hash of the password in RFC 2307
+form. {{slappasswd}}(8) may be used to generate the password hash.
+
+\Example:
+
+> rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
+
+The hash was generated using the command {{EX:slappasswd -s secret}}.
+
H4: suffix <dn suffix>
H3: BDB Database Directives
-Directives in this category only apply to a BDB database. That is,
-they must follow a "database bdb" line and come before any
-subsequent "backend" or "database" line.
+Directives in this category only apply to a {{TERM:BDB}} database.
+That is, they must follow a "database bdb" line and come before any
+subsequent "backend" or "database" line. For a complete reference
+of BDB configuration directives, see {{slapd-bdb}}(5).
H4: directory <directory>
H3: LDBM Database Directives
-Directives in this category only apply to a LDBM database. That is,
-they must follow a "database ldbm" line and come before any
-subsequent "backend" or "database" line.
+Directives in this category only apply to a {{TERM:LDBM}} database.
+That is, they must follow a "database ldbm" line and come before
+any subsequent "backend" or "database" line. For a complete reference
+of LDBM configuration directives, see {{slapd-ldbm}}(5).
H4: cachesize <integer>
> attrs=<attribute list>
-Access to the entry itself must be granted or denied using the
-special attribute name "{{EX:entry}}". Note that giving access to an
-attribute is not enough; access to the entry itself through the
-{{EX:entry}} attribute is also required. The complete examples at
-the end of this section should help clear things up.
+There are two special {{psuedo}} attributes {{EX:entry}} and
+{{EX:children}}. To read (and hence return) an target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute. To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's parent's {{EX:children}} attribute.
+To rename an entry, the subject must have {{EX:write}} access to
+both the old parent's and new parent's {{EX:children}} attributes.
+The complete examples at the end of this section should help clear
+things up.
Lastly, there is a special entry selector {{EX:"*"}} that is used to
select any entry. It is used when no other {{EX:<what>}}
> by anonymous auth
> by * read
-This directive allows users to modify their own entries,
-allows authenticate, and allows all others to read.
-Note that only the first {{EX:by <who>}} clause which matches applies.
-Hence, the anonymous users are granted {{EX:auth}}, not {{EX:read}}.
-The last clause could just as well have been "{{EX:by users read}}".
+This directive allows users to modify their own entries, allows
+authenticate, and allows all others to read. Note that only the
+first {{EX:by <who>}} clause which matches applies. Hence, the
+anonymous users are granted {{EX:auth}}, not {{EX:read}}. The last
+clause could just as well have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place. The following shows how security strength
+factors (SSF) can be used.
+
+> access to *
+> by ssf=128 self write
+> by ssf=64 anonymous auth
+> by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections have of strength 128 or better have been established,
+allows simple authentication and read access when 64 or better
+security protections have been established.
The following example shows the use of a regular expression
to select the entries by DN in two access directives where
projects / openldap / blobdiff