Hello Ferenc,
Thank you for the email. Yes, I want to delete an entry inside DIT. You are correct.
I tried the below:

$ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_delete: Insufficient access (50)
        additional info: no write access to parent
As you suggested, this is not working. Can this work somehow? I would rather just use cn=config with a password, which I am able to set. LDAPI would work too, although it is not my preferred route.
Sincerely,
Igor Shmukler
On Thu, Mar 19, 2015 at 1:30 AM, Ferenc Wagner wferi@niif.hu wrote:
Igor Shmukler igor.shmukler@gmail.com writes:
I understood that manage is the LDIF version of full permissions.
Yes, that goes further than write permission by allowing (eg.) the relax rules control. I couldn't find definitive documentation on this.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read
Note that this rule allows generic write access to cn=config inside the config database only. http://www.openldap.org/devel/admin/slapdconf2.html#Access%20Control%20Evalu...
when ldapdelete(1) is invoked, I get:

ldap_delete: Insufficient access (50)
        additional info: no write access to parent
You don't tell, but your latest question suggests that you're trying to delete an entry outside of cn=config, which is not covered by the above olcAccess line. What was your exact ldapdelete command?
--
Feri.
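As an added illustration (not part of the thread), this is the kind of olcAccess rule the data database itself would need before a deletion under dc=directory,dc=com can succeed, since the {0}config rule above only governs entries under cn=config. The database DN olcDatabase={1}mdb,cn=config is an assumption; confirm it with an ldapsearch of cn=config before applying.

```ldif
# Added example, not from the thread.
# Assumption: the database holding dc=directory,dc=com is
# olcDatabase={1}mdb,cn=config. Verify first with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix olcAccess
# The rule on {0}config only covers cn=config, so the ldapi:/// root
# identity (and cn=config, if you bind with its password) need a rule in
# the data database too.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Index {0} inserts this rule ahead of any existing ones so it is
# evaluated first; "manage" is limited to the two identities named,
# and "by * break" lets every other bind fall through to the rules
# that already exist for ordinary users.
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by dn.exact="cn=config" manage
  by * break
```

Applying it with ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif is already permitted by the existing {0}config rule, because the modification targets an entry under cn=config; the delete in the data database is then re-run with the same identity.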