Igor Shmukler <igor.shmukler@gmail.com> writes:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" write by * read
OK, I think I understand your problem now. As Brendan mentioned, cn=config is not a user object, you can't set a userPassword on it. It's still possible to bind to it, because it's your RootDN, and RootPW is set. But this will give it access to its own database only, and skip ACL processing anyway. So the idea I gave you is good, but you have to use a normal user object with userPassword instead of cn=config. You can't create such an object in the config database, but anything else goes; let's say it's cn=root,dc=example,dc=com. Use this in your ACLs for each database (cn=config included, if you want):
olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage [...]
and you should be set. So to correct my answer to your original question: what you want (use cn=config with simple bind to manage all your databases) is not possible. Using any normal user object instead of cn=config should work, though. At least according to my limited understanding. Sorry for mistaking this earlier.
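
The setup described in the reply above, written out as LDIF. This is an added example and not part of the original message: the object classes, the `{1}mdb` database name, the password placeholder and the trailing `by * break` (standing in for the clauses elided as `[...]`) are all assumptions; only the DN cn=root,dc=example,dc=com comes from the reply.

```ldif
# Added example. Apply the two parts separately with ldapmodify,
# because they live in different databases.

# Part 1: the normal user object, stored in the data database.
# Bind as that database's RootDN. Assumes dc=example,dc=com exists.
# simpleSecurityObject is what allows userPassword on this entry.
# Replace the placeholder with a hash generated by slappasswd.
dn: cn=root,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: root
description: Administrative identity granted manage access by ACL
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# Part 2: grant that object manage access in each database.
# Bind as an identity that can already write to cn=config, for
# example the config database's RootDN.
# The {0} prefix inserts the rule ahead of the existing olcAccess
# values. "by * break" hands every other identity on to the rules
# that follow; without it the implicit "by * none" would lock
# everyone else out of the database.

# Assumed name of the data database; check yours under cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break

# Optional, per the reply: the config database itself.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break
```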