--On Saturday, February 12, 2022 8:00 PM +0100 Felix Natter fnatter@gmx.net wrote:

> hello,
> I am trying to set up PPs using this guide: https://tylersguides.com/guides/openldap-password-policy-overlay/
> Everything went fine up to adding the OU for the PP:
>
> policyou.ldif:
>
> dn: ou=policies,dc=company,dc=com
> objectClass: organizationalUnit
> ou: policies
>
> ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)

On most configurations, this gives access to the config database, not the binary storage backend (like back-mdb).

> which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent")
> So I would expect this.
> Now I tried _several_ commands to fix this, then I did:
>
> ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)
>
> which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command.

It seems like this user has permission to your binary storage backend, although that's an odd DN to give access to it with.

> What could be the problem with (1)?
I would say generally the problem is not understanding that different databases in slapd can have different privilege separations. Also there's no one rule to how a system is configured. You have to understand how your *specific* instance is configured, some random HOWTO (generally I call them HOW NOT TO) on the internet is not going to know your specific configuration.
--Quanah
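Quanah's point that each slapd database has its own privilege separation can be checked on the server itself rather than guessed from a HOWTO: the olcDatabase entries under cn=config carry, per database, the suffix, the rootdn (the one DN that is not subject to that database's ACLs) and the olcAccess rules. The script below is an added example, not code from either poster or from the OpenLDAP project. It reads such a dump from stdin and reports those three things per database; the dump embedded in it is a constructed sample standing in for real output (the suffix dc=company,dc=com is taken from Felix's LDIF, the rootdn and ACL values are assumed), so it runs offline. On a live server you would produce the dump with the ldapsearch command quoted in the comment and pipe it in instead.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster or from OpenLDAP).
# Shows, per slapd database, the suffix, the rootdn and the olcAccess rules,
# read from a dump of cn=config. On a real server produce the dump with:
#   ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b cn=config -o ldif-wrap=no \
#       '(olcDatabase=*)' olcDatabase olcSuffix olcRootDN olcAccess
# The LDIF below is a CONSTRUCTED sample standing in for that output: the suffix
# dc=company,dc=com comes from the thread, the rootdn and ACL values are assumed.
CONFIG_LDIF='dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=company,dc=com
olcRootDN: cn=admin,dc=company,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read'

# db_attr KEY ATTR: print every value of ATTR for the database entry whose
# olcDatabase or olcSuffix equals KEY. Reads unfolded LDIF on stdin (hence
# ldif-wrap=no above); entries are blank-line separated (awk paragraph mode),
# one "name: value" per line. Base64 (::) values are not decoded.
db_attr() {
    awk -v key="$1" -v attr="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        hit = 0; n = 0
        for (i = 1; i <= NF; i++) {
            p = index($i, ": "); if (p == 0) continue
            name = substr($i, 1, p - 1); value = substr($i, p + 2)
            if ((name == "olcDatabase" || name == "olcSuffix") && value == key) hit = 1
            if (name == attr) vals[++n] = value
        }
        if (hit) for (j = 1; j <= n; j++) print vals[j]
        split("", vals)
    }'
}

# summarize_databases: one overview line per database, then its ACLs indented.
summarize_databases() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        db = ""; suffix = "(none)"; rootdn = "(none)"; acl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^olcDatabase: /) db = substr($i, 14)
            else if ($i ~ /^olcSuffix: /) suffix = substr($i, 12)
            else if ($i ~ /^olcRootDN: /) rootdn = substr($i, 12)
            else if ($i ~ /^olcAccess: /) acl = acl "\n    access: " substr($i, 12)
        }
        if (db != "") printf "%s suffix=%s rootdn=%s%s\n", db, suffix, rootdn, acl
    }'
}

# Overview of every database in the dump.
printf '%s\n' "$CONFIG_LDIF" | summarize_databases

# The DN that bypasses ACLs for dc=company,dc=com is that database's own rootdn;
# the config database's rootdn is a different DN and has no such standing there.
printf 'rootdn for dc=company,dc=com: %s\n' \
    "$(printf '%s\n' "$CONFIG_LDIF" | db_attr dc=company,dc=com olcRootDN)"
printf 'rootdn for {0}config: %s\n' \
    "$(printf '%s\n' "$CONFIG_LDIF" | db_attr '{0}config' olcRootDN)"
```

The script only lists the rules; it does not evaluate them. To find out what a particular bind DN is actually allowed to do to a particular entry, run slapacl(8) against the server's configuration, which applies the real ACL evaluation, rather than reading the olcAccess lines by eye.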