Hello Ferenc,
Thank you for the answer. This is even more confusing. I am going to slightly rephrase what you were suggesting, only to confirm that I understood you. I am not at all sure I did.
I have an OpenLDAP server with multiple databases: a config database - {0}config,cn=config plus several for DITs {1}hdb,cn=config and also {2}hdb,cn=config ... {n}hdb,cn=config
Are you saying that I could pick an administrator associated with database X [let's say 2] for some domain dc=example,dc=com and give this user identified by DN: cn=admin,dc=example,com rights to manage records in all DITs? Basically, something like "$ldapdelete -x -D cn=admin,dc=example,dc=com -W cn=john,dc=directory,dc=com" would successfully delete an entry from a DIT with index Y [say 1].
I apologize for asking these questions, but I have been given a lot of advice some of which was aimed to solve other problems. Apparently, my ability to clearly explain what I need is not much better than the ability to comprehend OpenLDAP docs.
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 10:19 AM, Ferenc Wagner wferi@niif.hu wrote:
Igor Shmukler igor.shmukler@gmail.com writes:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" write by * read
OK, I think I understand your problem now. As Brendan mentioned, cn=config is not a user object, you can't set a userPassword on it. It's still possible to bind to it, because it's your RootDN, and RootPW is set. But this will give it access to its own database only, and skip ACL processing anyway. So the idea I gave you is good, but you have to use a normal user object with userPassword instead of cn=config. You can't create such an object in the config database, but anything else goes; let's say its cn=root,dc=example,dc=com. Use this in your ACLs for each database (cn=config included, if you want):
olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage [...]
and you should be set. So to correct my answer to your original question: what you want (use cn=config with simple bind to manage all your databases) is not possible. Using any normal user object instead of cn=config should work, though. At least according to my limited understanding. Sorry for mistaking this earlier.
--
Regards,
Feri.
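As an added illustration of the approach Feri describes (this is example code written for this thread, not something either poster sent), the script below generates the cn=config LDIF that prepends a `manage` rule for one ordinary user object to each backend database. It assumes the manager is cn=root,dc=example,dc=com and that the backends are olcDatabase={1}hdb,cn=config and {2}hdb,cn=config; both names are taken from the thread. It adds `by * break` to the new rule so that requesters other than the manager fall through to the database's existing olcAccess rules rather than hitting the implicit `by * none` of a `to *` directive.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build the cn=config LDIF
# that grants one normal user object "manage" rights on several backends.
# Assumptions: manager DN and database indexes are taken from the thread.

MANAGER_DN='cn=root,dc=example,dc=com'

# Emit one LDIF change record for a database entry.  The rule is inserted at
# {0} so it is evaluated before the database's existing rules; "by * break"
# hands every other requester on to those rules instead of stopping here.
manage_acl_ldif() {
  db_dn=$1
  printf 'dn: %s\n' "$db_dn"
  printf 'changetype: modify\n'
  printf 'add: olcAccess\n'
  printf 'olcAccess: {0}to * by dn.base="%s" manage by * break\n' "$MANAGER_DN"
  printf '\n'   # a blank line terminates the LDIF record
}

# Build the full LDIF for every backend index passed as an argument,
# e.g. build_ldif '{1}hdb' '{2}hdb'.
build_ldif() {
  for db in "$@"; do
    manage_acl_ldif "olcDatabase=$db,cn=config"
  done
}

# Count the change records in a generated LDIF (one per database touched).
count_records() {
  printf '%s\n' "$1" | grep -c '^changetype: modify$'
}

# Review the LDIF first; then apply it over ldapi:/// with SASL EXTERNAL as
# root, which cn=config normally trusts.  The ldapmodify call is left
# commented out so the script itself runs without a directory server.
LDIF=$(build_ldif '{1}hdb' '{2}hdb')
printf '%s\n' "$LDIF"
# printf '%s\n' "$LDIF" | ldapmodify -Y EXTERNAL -H ldapi:///
```

After applying it, a simple bind as cn=root,dc=example,dc=com goes through normal ACL processing and reaches `manage` on every listed database, which is what the RootDN-style bind to cn=config could not give.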