Marc,
Thank you for the explanations. I appreciate your time. I also appreciate the help people on the list have given me, including Michael, Ferenc and others. I don't even recall everyone's name. I am thinking about giving up, though.
I even have a hard time understanding your messages, let alone OpenLDAP configuration steps.
I do have entries for each database. If my suffix is, for example, dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org. Administrators have manage access to their databases. This part is working fine. I add and remove records as needed. You also wrote one per database - this is exactly what I have. Unfortunately, despite all the help, I don't see how this is relevant.
The advice to read documentation is great. In fact, it never hurts.
I am happy to offer a bounty to the person who can configure this. I need to keep my setup with one config database with multiple DITs. I need each DIT database to work as today - be managed by an authenticated local/suffix root user. I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs. If someone could do this before Sunday morning, please contact me to discuss compensation. If I don't get to a result by Sunday morning, I have to start changing the architecture so I can show something on Monday. :)
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 1:09 PM, Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
Igor,
Igor Shmukler wrote (20.03.2015 11:59):
- or make your first steps with ACLs and another user entry.
What do I do here?
read about ACL in the man pages and the admin guide!?
Do you need multiple mappings?
I understand that the config database would allow me to have up to fifty mappings. I just don't understand how those could work for my need.
As you are one user on your system, this maps to one user in LDAP with olcAuthzRegexp. As Michael already posted:
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
I don't understand how this COULD work. Please explain why admin in DIT 1 would have manage right to DIT 2.
He doesn't have to! But he can.
Go back to:
- Configure a rootdn with rootpw for each database. Use this to authenticate to slapd and modify things. This works? Fine, go on.
- Create a user entry inside your DIT _for every database admin you want_. Use _these entries_ as rootdn (one per database!). This works? Fine, go on.
- Delete the rootdn from config and make the user entry admin by an ACL.
Marc
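As an added example, not part of this thread and not anyone's actual configuration, here is the shape of the setup Igor asks for, along the lines Marc outlines: two databases under one cn=config, each keeping its own olcRootDN/olcRootPW untouched, plus one extra identity that gets manage access in every database through that database's ACL. A database can have only one rootdn, so the "second root that works on ALL DITs" has to come from ACLs, not from rootdn. Assumed here: the mdb backend, database indices {1} and {2}, the suffixes dc=test,dc=org and dc=other,dc=org, local admins cn=admin,<suffix>, and an ordinary entry cn=globaladmin,dc=test,dc=org with a userPassword that serves as the cross-DIT admin. The peercred DN is the standard identity slapd assigns to uid 0 over ldapi:/// with SASL EXTERNAL.

```ldif
# Added example (not from the thread). Assumed names: olcDatabase={1}mdb
# (dc=test,dc=org), olcDatabase={2}mdb (dc=other,dc=org), local rootdns
# cn=admin,<suffix>, and a cross-DIT admin entry cn=globaladmin,dc=test,dc=org.
# "replace: olcAccess" overwrites each database's current ACLs, so merge any
# existing rules you still need before applying it. Apply as local root:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f global-admin.ldif

# Database 1 (dc=test,dc=org). olcRootDN stays cn=admin,dc=test,dc=org; the
# rootdn bypasses ACLs anyway, so its clause below only starts to matter once
# the rootdn is removed (Marc's third step). The globaladmin and peercred
# clauses are what grant rights to identities that are not this database's
# rootdn.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=globaladmin,dc=test,dc=org" manage
  by dn.exact="cn=admin,dc=test,dc=org" manage
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn.exact="cn=globaladmin,dc=test,dc=org" manage
  by dn.exact="cn=admin,dc=test,dc=org" manage
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * read

# Database 2 (dc=other,dc=org). Its own rootdn cn=admin,dc=other,dc=org keeps
# working as before. The globaladmin DN is only compared as a string against
# the bound DN, so the entry does not need to exist in this database; it
# binds (simple bind) against database 1 and is then authorized here.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=globaladmin,dc=test,dc=org" manage
  by dn.exact="cn=admin,dc=other,dc=org" manage
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn.exact="cn=globaladmin,dc=test,dc=org" manage
  by dn.exact="cn=admin,dc=other,dc=org" manage
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * read
```

Two points worth checking before relying on this. First, `by anonymous auth` on userPassword is required for simple binds to succeed at all, so the local admins and cn=globaladmin can authenticate even though nobody can read the attribute. Second, the peercred DN is used here directly instead of the olcAuthzRegexp mapping quoted above; both work, but if you do add an olcAuthzRegexp that maps uid 0 onto cn=globaladmin,dc=test,dc=org, the identity of your `-Y EXTERNAL -H ldapi:///` session changes to that DN, and the cn=config ACL (which on most installs grants manage to the unmapped peercred DN) must be extended to the mapped DN first, or root loses the ability to edit cn=config. `manage` is the highest access level; `write` is enough for ordinary add/modify/delete work if you prefer least privilege for the cross-DIT account.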