On 08/05/2016 07:42 AM, John Lewis wrote:
On 08/02/2016 11:43 AM, Ryan Tandy wrote:
On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:
How do I allow root, aka dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external, to edit olcDatabase={1}mdb,cn=config?
Besides olcAuthRegex mentioned by other posters, setting up an explicit access control entry for that DN is another option.
If you installed slapd from the Debian archive, the default access rules for the config database include:
# Config db settings
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# Allow unlimited access to local connection from the local root user
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
You could grant root-like access to the root user by copying that access line to your mdb database.
Root can read, but it can't write.
dictator@soothsayer:~$ sudo ldapadd -H ldapi:/// -f add_ldap-connect1.ldif -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
I am guessing that it has something to do with the order of the ACLs.
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to * by * read
olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {3}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
I reorganized the olcAccess and now root can write to the directory.
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
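An added example, not part of the thread or of OpenLDAP itself: a small Python model of how slapd walks an olcAccess list, run over the two orderings posted above. It assumes a simplified subset of the olcAccess syntax (`*`, `dn.base=""`, `attrs=`, `dn.exact=`, `self`, `anonymous`, the `stop`/`break` controls) and that ldapadd needs write access on the parent entry; it also shows that in both orderings `to * by * read` sits before the userPassword directive, so that directive is never reached.

```python
import re

# Simplified model of slapd olcAccess evaluation (an assumption, not slapd's acl.c): the first
# directive whose "to" matches is used, and its first matching "by" sets level and control.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = ("stop", "continue", "break")
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def parse(line):  # one olcAccess value such as '{1}to * by * read' -> (what, [(who, level, control)])
    head, *by_parts = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", line.strip()))
    what = head.split(None, 1)[1]                      # drop the leading "to"
    clauses = [(t[0], next((x for x in t[1:] if x not in CONTROLS), "none"),
                next((x for x in t[1:] if x in CONTROLS), "stop")) for t in map(str.split, by_parts)]
    return what, clauses
def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what == 'dn.base=""':
        return target_dn == ""
    return what.startswith("attrs=") and attr in what[len("attrs="):].split(",")
def who_matches(who, subject, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "self":
        return subject == target_dn
    return who.startswith("dn.exact=") and subject == who[len("dn.exact="):]
def evaluate(acls, subject, target_dn, attr=None):
    """Access level `subject` (a DN, or None for anonymous) gets on target_dn / attr."""
    granted = "none"
    for what, by_clauses in map(parse, acls):
        if not what_matches(what, target_dn, attr):
            continue                                   # "to" does not apply, try the next directive
        hit = next(((lvl, ctl) for who, lvl, ctl in by_clauses
                    if who_matches(who, subject, target_dn)), None)
        if hit is None:
            return "none"                              # implicit trailing "by * none"
        granted, control = hit
        if control != "break":
            return granted                             # "stop": this directive decides
    return granted                                     # fell off the end after a "break"
def allows(acls, subject, target_dn, needed, attr=None):
    return LEVELS.index(evaluate(acls, subject, target_dn, attr)) >= LEVELS.index(needed)

# The two orderings posted in the thread; ldapadd needs write access on the parent entry.
ORIGINAL = ['{0}to dn.base="" by * read', '{1}to * by * read',
            '{2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
            '{3}to * by dn.exact=%s manage by * break' % ROOT]
REORDERED = [ORIGINAL[3], ORIGINAL[0], ORIGINAL[1], ORIGINAL[2]]
PARENT = "ou=People,dc=d,dc=oflameo,dc=com"
```

Under this model `evaluate(ORIGINAL, ROOT, PARENT)` stops at `{1}to * by * read` with "read", while `evaluate(REORDERED, ROOT, PARENT)` returns "manage"; moving the attrs=userPassword directive ahead of the `to *` directives is what lets its `by anonymous auth by * none` clauses take effect.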