Hello,
Sorry. This is a repost. I was unable to figure out what is wrong with my olcAccess configuration!
I am trying to configure my OpenLDAP so that cn=config has full over-the-network write access with a password. I thought at one point that I got the permissions working. It turns out those are not working now. Please say what I am doing wrong.
Last time, I had a similar problem with policy. Michael S. saved me a bunch of time by advising to load ppolicy.ldif [with the appropriate schema]. This is obviously no indicator of any kind, yet the problem might not be in the LDIFs or ...
I understood that manage is the LDIF version of full permissions. I found the olcAccess syntax as "olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+". My OLC directives for ldapmodify(1) are below:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK
I tried various combinations, like:

olcAccess: {1}to * by dn=cn=config manage by * read

The command syntax is valid. Yet my configuration does not result in the desired access rights. Instead, when ldapdelete(1) is invoked with -D cn=config on records inside non-config databases, I get:

ldap_delete: Insufficient access (50)
	additional info: no write access to parent
Please advise.
I thank everyone on the openldap-technical who has been reading my messages. People on this list have been extremely helpful. Sorry to continue being a nag.
Sincerely,
Igor Shmukler
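As an added illustration of how slapd walks the olcAccess syntax quoted in the post (not code from the post or from OpenLDAP itself), the small Python model below parses "to <what> by <who> <accesslevel> <control>" values, applies the "stop" (default) and "break" controls, and treats the rootdn of a database as bypassing that database's ACLs. It also models the scoping rule from slapd.access(5): the olcAccess values and olcRootDN of olcDatabase={0}config govern entries under cn=config only, so access to an entry under a data database's suffix is decided by that database's own ACLs. The two olcAccess values are the ones from the post; the data database (dc=example,dc=com, its rootdn, its ACLs and the uid=alice / cn=bob DNs) are constructed placeholders, and only the subset of slapd.access(5) syntax used here is supported.

```python
"""Constructed model of slapd olcAccess evaluation (illustration, not slapd code).
Supports: 'to *', 'to dn.exact=', 'to dn.subtree=', 'by *', 'by self', 'by anonymous',
'by users', 'by dn=' / 'by dn.exact=', levels none..manage, controls stop/break."""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break"}


def norm_dn(dn):
    """Crude DN normalisation: case-fold and trim spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_olcaccess(value):
    """Parse one olcAccess value into {'what': str, 'by': [(who, level, control), ...]}."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
    toks = shlex.split(value)                          # unquotes dn="cn=config"
    if not toks or toks[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    i, what = 1, []
    while i < len(toks) and toks[i] != "by":
        what.append(toks[i])
        i += 1
    clauses = []
    while i < len(toks):
        if toks[i] != "by" or i + 1 >= len(toks):
            raise ValueError(f"unexpected token {toks[i]!r}")
        who, i = toks[i + 1], i + 2
        level, control = "none", "stop"  # model simplification: omitted level => none
        if i < len(toks) and toks[i] in LEVELS:
            level, i = toks[i], i + 1
        if i < len(toks) and toks[i] in CONTROLS:
            control, i = toks[i], i + 1
        clauses.append((who, level, control))
    return {"what": " ".join(what), "by": clauses}


def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def what_matches(what, target):
    if what == "*":
        return True
    m = re.match(r"^dn\.(exact|subtree)=(.+)$", what)
    if m and m.group(1) == "exact":
        return norm_dn(target) == norm_dn(m.group(2))
    if m:
        return in_subtree(target, m.group(2))
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester, target):
    """requester=None models an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm_dn(requester) == norm_dn(target)
    m = re.match(r"^dn(?:\.exact)?=(.+)$", who)
    if m:
        return requester is not None and norm_dn(requester) == norm_dn(m.group(1))
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(database, requester, target):
    """Level `requester` gets on `target` under `database`; None if the target lies
    outside the database suffix (its ACLs and rootdn simply do not apply there)."""
    if not in_subtree(target, database["suffix"]):
        return None
    if requester is not None and norm_dn(requester) == norm_dn(database["rootdn"]):
        return "manage"  # rootdn bypasses ACLs, but only inside its own database
    granted = "none"
    for rule in database["acls"]:
        if not what_matches(rule["what"], target):
            continue
        matched = False
        for who, level, control in rule["by"]:
            if not who_matches(who, requester, target):
                continue
            matched, granted = True, level
            if control == "break":
                break         # keep this level, go on to the next olcAccess rule
            return granted    # 'stop' (default): first matching clause decides
        if not matched:
            return "none"     # implicit 'by * none' at the end of every rule
    return granted


def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def access_for(databases, requester, target):
    """Pick the database whose suffix holds `target` and evaluate its ACLs."""
    for db in databases:
        level = evaluate(db, requester, target)
        if level is not None:
            return db["suffix"], level
    return None, None


PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
CONFIG_DB = {  # the two olcAccess values from the post, on olcDatabase={0}config
    "suffix": "cn=config", "rootdn": "cn=config",
    "acls": [parse_olcaccess(f"{{0}}to * by dn.exact={PEERCRED} manage by * break"),
             parse_olcaccess('{1}to * by self write by dn="cn=config" write by * read')]}
DATA_DB_NO_GRANT = {  # constructed data database whose ACLs never mention cn=config
    "suffix": "dc=example,dc=com", "rootdn": "cn=admin,dc=example,dc=com",
    "acls": [parse_olcaccess("{0}to * by * read")]}
DATA_DB = {  # constructed data database that grants cn=config write on its entries
    "suffix": "dc=example,dc=com", "rootdn": "cn=admin,dc=example,dc=com",
    "acls": [parse_olcaccess('{0}to * by dn.exact="cn=config" write by * read')]}

if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"
    print(access_for([CONFIG_DB, DATA_DB_NO_GRANT], "cn=config", alice))  # read: delete denied
    print(access_for([CONFIG_DB, DATA_DB], "cn=config", alice))           # write
```

Run as a script, the first line shows cn=config getting only "read" on a data entry whenever the data database's own ACLs grant it nothing (so a write such as a delete is refused), and the second shows the same requester getting "write" once that database's ACL names cn=config; the config database's ACLs and rootdn never enter into either decision.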