Hi Ferenc,
I am still getting the same error with both my and your versions. Please advise:
$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
        additional info: no write access to parent

I even tried stripping the first line, so the rule was:
{0}to * by dn.exact=cn=config
Still gives me the same error.
Please advise,
Igor Shmukler
On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>
> > I want it to be something like:
> > olcAccess: {1}to * by dn="cn=config" manage
> >
> > Basically, I want dn=cn=config to have full root access over everything. I also want this password ideally to be password protected.
> >
> > Does it make sense? Can it be done?
>
> Sure. Add this olcAccess attribute to all the databases. Or to the frontend database, but check man slapd.access for the priorities and defaults. For what it's worth, I use the syntax
>
> to * by dn.exact=cn=config
>
> (which should be equivalent to yours).
>
> Feri.
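
An audit sketch for the advice quoted above ("Add this olcAccess attribute to all the databases"), added here and not part of the original thread: it unfolds an LDIF dump of cn=config and lists, per olcDatabase entry, the access level each ACL writes for a given bind DN. The sample LDIF is constructed; the {1}mdb entry, its suffix and its ACL are assumptions, since the thread does not show the data database.

```python
import re

# Constructed sample shaped like a dump of cn=config. The {1}mdb entry, its
# suffix and its ACL are assumptions; the thread only shows the {0}config entry.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=directory,dc=com
olcAccess: {0}to * by self write by * read
"""

# Access levels listed in slapd.access(5).
LEVELS = {"none", "disclose", "auth", "compare", "search",
          "read", "write", "add", "delete", "manage"}


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def by_clauses(acl):
    """Yield (who, level) per 'by' clause; level is None when none is written.
    Simplification: <who> must be a single token without embedded spaces."""
    for clause in re.split(r"\s+by\s+", acl)[1:]:
        tokens = clause.split()
        level = next((t for t in tokens[1:] if t in LEVELS), None)
        yield tokens[0].replace('"', ""), level


def grants(ldif, bind_dn):
    """Map each olcDatabase entry to the levels its ACLs write for bind_dn."""
    # The two <who> spellings used in the thread.
    wanted = {f"dn={bind_dn}", f"dn.exact={bind_dn}"}
    result = {}
    for entry in re.split(r"\n\s*\n", unfold(ldif).strip()):
        lines = entry.splitlines()
        dn = next((l[4:] for l in lines if l.startswith("dn: ")), None)
        if dn is None or not dn.startswith("olcDatabase="):
            continue
        acls = [l.split(": ", 1)[1] for l in lines if l.startswith("olcAccess: ")]
        result[dn] = [lvl for a in acls for who, lvl in by_clauses(a) if who in wanted]
    return result


if __name__ == "__main__":
    for db, levels in grants(SAMPLE_LDIF, "cn=config").items():
        print(db, "->", levels or "no by-clause for this DN")
```

An empty list means no ACL on that database entry names the DN at all; a None entry means a by-clause names it without writing an access level.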