Hello Ulrich,
Thank you.
I finally figured out my problem. I did not notice/realize that
permissions were being given in stages: userPassword, dn.base then *.
Once I added dn="cn=config" to the correct line, things started
working.
I appreciate your help. [This is already, at least, the second time.]
Sincerely,
Igor Shmukler
On Mon, Mar 23, 2015 at 4:43 PM, Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>>> Igor Shmukler <igor.shmukler(a)gmail.com> schrieb am 19.03.2015 um 15:03 in
> Nachricht
> <CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA(a)mail.gmail.com>:
>> Hi Ferenc,
>>
>> I am still getting the same error with both by and your versions. Please
>> advise:
>>
>> $ cat set_config_passwd.ldif
>> dn: olcDatabase={0}config,cn=config
>> changetype: modify
>> replace: olcAccess
>> olcAccess: {0}to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>> ,cn=auth manage by * break
>> olcAccess: {1}to * by dn.exact=cn=config
>>
>> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> modifying entry "olcDatabase={0}config,cn=config"
>
> Igor,
>
> you allow cn=config to manage the config database, but below you remove an entry from another database with cn=config credentials.
>
>>
>> $ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
>> ldap_delete: Insufficient access (50)
>> additional info: no write access to parent
>>
>> I even tried stripping the first line, so the rule was: {0}to * by
>> dn.exact=cn=config
>> Still gives me the same error.
>
> Check the ACL in the other database!
>
>>
>> Please advise,
>>
>> Igor Shmukler
>>
>>
>> On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi(a)niif.hu> wrote:
>>> Igor Shmukler <igor.shmukler(a)gmail.com> writes:
>>>
>>>> I want it to be something like:
>>>> olcAccess: {1}to * by dn="cn=config" manage
>>>>
>>>> Basically, I want dn=cn=config to have full root access over
>>>> everything. I also want this password ideally to be password
>>>> protected.
>>>>
>>>> Does it make sense? Can it be done?
>>>
>>> Sure. Add this olcAccess attribute to all the databases. Or to the
>>> frontend database, but check man slapd.access for the priorities and
>>> defaults. For what it's worth, I use the syntax
>>>
>>> to * by dn.exact=cn=config
>>>
>>> (which should be equivalent to yours).
>>> --
>>> Feri.
>
>
>
>