This totally stinks for now, but you're right, it's the only way currently. I could expose an API to just request a context without authentication; however, this would allow stored procedures in the server to do that as well and assume any user.
SPs will use JNDI too to work on the server while embedded in it via the server-side JNDI (core context factory) provider. We need to figure out something better, but for your SASL effort this may not happen in time. We should use this workaround for now and consider revamping this design issue sometime later in the 1.5 branch.

On 3/13/07, Enrique Rodriguez wrote:
Hi, Directory developers,

Each of the protocol providers needs to access the DIT for purposes of
looking up users, principals, DNS records, etc.  What's the best way,
currently, for authenticating?  Is the current and only option to use
the admin DN and password with "simple" authentication?