On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running on an Ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
[...]
Could anybody help me?
Add access controls to the database, allowing your existing user accounts write access to cn=config.
The config database is for configuration, not for data (e.g. users).
Here is my access rule:
$ ldapsearch -LLL -b cn=config "(olcDatabase={0}config)" olcAccess
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com" ssf=112 write
olcAccess: {1}to * by * none
This shows how my account managed to see the configuration above:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com

$ ldapcompare 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
TRUE
This can be done without SASL, but since I have SASL set up, it is much more convenient to show with SASL than without.
Regards, Buchan
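As an added example (not part of the thread), the following LDIF applies the approach from the reply above: it replaces the olcAccess rules on the config database so that members of an existing admin group in the main directory get write access, subject to a minimum SSF and, as the original question asked, restricted to one source subnet via peername.ip. The group DN, the dc=example,dc=com suffix and the 192.0.2.0/24 subnet are placeholders; the local-root EXTERNAL rule is kept so that an admin on the server can still repair the config if the group rule is wrong.

```ldif
# Apply on the server over the local socket as root:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f config-acl.ldif
# Then verify as the group member, as shown in the reply above:
#   ldapsearch -LLL -b cn=config "(olcDatabase={0}config)" olcAccess
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by group="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
  ssf=112 peername.ip=192.0.2.0%255.255.255.0 write
  by * none
```

The group must already exist as a groupOfNames in the data database with the admin's DN as a member (the ldapcompare in the reply is a quick way to confirm membership), and the ssf=112 condition means a connection over plain ldap:// without TLS or a strong SASL layer will be refused even for a member.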