Hello Dan,
I must have done something wrong, yet this thing did not work either. First, the delete still failed with the usual error, and second, I got an error concerning my olcs:

550b380f /etc/ldap/slapd.d: line 1: rootdn is always granted unlimited privileges.
550b380f olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
550b380f config error processing olcDatabase={0}config,cn=config: <olcRootPW> can only be set when rootdn is under suffix
slapcat: bad configuration file!
After running the above command, I actually dropped my OpenLDAP server and rebuilt it by running a bunch of prepared scripts, to go back to the point where my settings made more sense. I have been experimenting for a bit too long without refreshing the environment. I am concerned that something stale is causing my problems.
Sincerely,
Igor Shmukler
On Thu, Mar 19, 2015 at 10:42 PM, Dan White <dwhite@cafedemocracy.org> wrote:
On 03/19/15 22:33 +0200, Igor Shmukler wrote:
Hello Dieter,
$ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
I have been trying to delete a record using LDAPI as well as -D cn=config with a password. I have also added olcAccess rules to both dn: olcDatabase={0}config,cn=config as well as dn: olcDatabase={1}hdb,cn=config [DIT] databases.

The result is always the same:

ldap_delete: Insufficient access (50)
	additional info: no write access to parent
If your goal is to manage your server using EXTERNAL over ldapi:///, configuring an olcAuthzRegexp is a far simpler approach. Map 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' to your rootdn identity and you'll bypass ACL restrictions altogether.

-- Dan White
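For readers following the thread, here is what Dan's suggestion looks like as an LDIF modification applied with ldapmodify over ldapi:///. This is an added example, not something posted by either participant; the rootdn cn=admin,dc=example,dc=com is a placeholder for whatever olcRootDN the DIT database actually uses. The left-hand side of olcAuthzRegexp is a regular expression, so the '+' in the peercred identity is escaped as '\+' to match it literally rather than as a quantifier.

```ldif
# Added example (not from the original thread). Maps the SASL/EXTERNAL
# identity that local root receives over ldapi:/// onto the rootdn of the
# DIT database, so that root's local connections act as rootdn and are not
# subject to olcAccess rules. Apply with:
#   sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-regexp.ldif
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=example,dc=com
```

Because peercred is only available on the local Unix socket, the mapping grants rootdn privileges to local uid 0 and nothing else; after it is loaded, the same 'sudo ldapwhoami -Y EXTERNAL -H ldapi:///' shown earlier in the thread reports the mapped rootdn instead of the cn=peercred identity, which is the quickest way to confirm the regexp matched.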