Hello,
Sorry. I need help, again!
I am trying to configure my OpenLDAP so that cn=config has full over-the-network write access with a password. I thought at one point that I got the permissions working. It turns out those are not working now. Please tell me what I am doing wrong.
Last time, I had a similar problem with policy. Michael S. saved me a bunch of time by advising me to load ppolicy.ldif [with the appropriate schema]. This is obviously no indicator of any kind, yet the problem might not be in the LDIFs or ...
I understood that manage is the LDIF version of full permissions. I found the olcAccess syntax as "olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+". My OLC directives for ldapmodify(1) are below:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK

I tried various combinations, like:
olcAccess: {1}to * by dn=cn=config manage by * read

The old commands are valid, yet do not result in the desired configuration. Instead, when ldapdelete(1) is invoked, I get:
ldap_delete: Insufficient access (50)
    additional info: no write access to parent
Please advise.
I thank everyone who has been reading my messages. People on this list have been extremely helpful.
Sincerely,
Igor Shmukler
Igor Shmukler igor.shmukler@gmail.com writes:
> I understood that manage is the LDIF version of full permissions.
Yes, that goes further than write permission by allowing (eg.) the relax rules control. I couldn't find definitive documentation on this.
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to * by self write by dn="cn=config" write by * read
Note that this rule allows generic write access to cn=config inside the config database only. http://www.openldap.org/devel/admin/slapdconf2.html#Access%20Control%20Evalu...
> when ldapdelete(1) is invoked, I get:
> ldap_delete: Insufficient access (50)
>     additional info: no write access to parent
You don't tell, but your latest question suggests that you're trying to delete an entry outside of cn=config, which is not covered by the above olcAccess line. What was your exact ldapdelete command?
Hello Ferenc,
Thank you for the email. Yes, I want to delete an entry inside the DIT. You are correct.
I tried the below:

$ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_delete: Insufficient access (50)
    additional info: no write access to parent

As you suggested, this is not working. Can this work somehow? I would rather just use cn=config with a password, which I am able to set. LDAPI works too, although it is not my preferred route.
Sincerely,
Igor Shmukler
Igor Shmukler igor.shmukler@gmail.com writes:
> $ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> ldap_delete: Insufficient access (50)
>     additional info: no write access to parent
>
> As you suggested, this is not working. Can this work somehow? I would rather just use cn=config with a password, which I am able to set. LDAPI works too, although it is not my preferred route.
Add your olcAccess rules to the right database. Or to the frontend database. It's explained in the link I gave you: http://www.openldap.org/devel/admin/slapdconf2.html#Access%20Control%20Evalu...
Hi Ferenc,
Thank you for the help. I did look at the link, and even tried to understand the rules earlier. Hence, we see something, albeit poorly written.... I also appreciate you helping me earlier, when I was just starting with OpenLDAP.
I want it to be something like:
olcAccess: {1}to * by dn="cn=config" manage
Basically, I want dn=cn=config to have full root access over everything. I also want this password ideally to be password protected.
Does it make sense? Can it be done?
Sincerely,
Igor Shmukler
Igor Shmukler igor.shmukler@gmail.com writes:
> I want it to be something like:
> olcAccess: {1}to * by dn="cn=config" manage
>
> Basically, I want dn=cn=config to have full root access over everything. I also want this password ideally to be password protected.
>
> Does it make sense? Can it be done?
Sure. Add this olcAccess attribute to all the databases. Or to the frontend database, but check man slapd.access for the priorities and defaults. For what it's worth, I use the syntax
to * by dn.exact=cn=config
(which should be equivalent to yours).
Hi Ferenc,
I am still getting the same error with both my and your versions. Please advise:

$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
    additional info: no write access to parent

I even tried stripping the first line, so the rule was:
{0}to * by dn.exact=cn=config
It still gives me the same error.
Please advise,
Igor Shmukler
Further, I just unsuccessfully tried one more thing: adding another line to olcAccess for the individual DIT databases (i.e. dn: olcDatabase={1}hdb,cn=config and dn: olcDatabase={2}hdb,cn=config):
olcAccess: {3}to * by dn.exact=cn=config
I am still getting an error: no write access to parent.
A fragment from my slapcat(8) output:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com" write by * read
olcAccess: {3}to * by dn.exact=cn=config
olcLastMod: TRUE
olcRootDN: cn=admin,dc=directory,dc=com
Igor Shmukler igor.shmukler@gmail.com writes:
> Further, I just unsuccessfully tried one more thing: adding another line to olcAccess for the individual DIT databases (i.e. dn: olcDatabase={1}hdb,cn=config and dn: olcDatabase={2}hdb,cn=config):
> olcAccess: {3}to * by dn.exact=cn=config
Yes, that's needed.
> I am still getting an error: no write access to parent.
>
> A fragment from my slapcat(8) output:
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com" write by * read
There is a double comma here. But the problem is that this line will always terminate the ACL processing, because "to * ... by * read" always matches.
> olcAccess: {3}to * by dn.exact=cn=config
This line is never reached. Move it to the front instead:
olcAccess: {0}to * by dn.exact=cn=config
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by * read

For consistency's sake you may want to stick either to dn.base or dn.exact (they are the same). Also, the rootDN is unaffected by ACLs, so it's pointless to mention it in the rules.
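As an added illustration (not code from the thread or from OpenLDAP), the Python below models the evaluation order Ferenc describes: slapd takes the first <to> clause whose target matches and stops there, so a rule placed behind "to * ... by * read" is never consulted, and a rule list belongs to one database, which is why the {0}config rules in Igor's first LDIF never covered dc=directory,dc=com. It assumes an explicit "manage" level on the cn=config clause and models only the selectors and controls that appear in the thread; it also shows why a leading "to *" rule is normally given a trailing "by * break", as Igor's own {0}config rule has, since on its own it denies everyone else.

```python
# Toy model of slapd olcAccess evaluation inside one database (added example, not from the
# thread): the first matching <to> clause decides, then its first matching <by> clause.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def what_matches(what, entry, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    if what.startswith("dn.base="):
        return entry == what[8:].strip('"')
    raise ValueError("unsupported <what> in this model: " + what)

def who_matches(who, binddn, entry):
    if who == "*":
        return True
    if who in ("self", "anonymous"):
        return binddn == (entry if who == "self" else "")
    if who.startswith(("dn.exact=", "dn=")):
        return binddn == who.split("=", 1)[1].strip('"')
    raise ValueError("unsupported <who> in this model: " + who)

def evaluate(rules, binddn, entry, attr=None):
    for what, by_clauses in rules:                 # a by-clause is (who, level, control)
        if not what_matches(what, entry, attr):
            continue
        for who, level, control in by_clauses:
            if who_matches(who, binddn, entry):
                if control == "break":
                    break                          # "break": go on to the next <to> clause
                return level                       # "stop" (the default): evaluation ends
        else:
            return "none"                          # <to> matched, no <by> did: implicit deny
    return "none"
def can_delete(rules, binddn, entry):              # delete needs write on the parent's "children"
    parent = entry.split(",", 1)[1]
    return LEVELS.index(evaluate(rules, binddn, parent, "children")) >= LEVELS.index("write")
ADMIN = 'dn="cn=admin,dc=directory,dc=com"'
# Igor's {1}hdb rules as posted (double comma fixed); "to * ... by * read" hides the {3} rule.
POSTED = [
    ("attrs=userPassword,shadowLastChange", [("self", "write", "stop"),
        ("anonymous", "auth", "stop"), (ADMIN, "write", "stop"), ("*", "none", "stop")]),
    ('dn.base=""', [("*", "read", "stop")]),
    ("*", [("self", "write", "stop"), (ADMIN, "write", "stop"), ("*", "read", "stop")]),
    ("*", [("dn.exact=cn=config", "manage", "stop")]),     # explicit "manage" level assumed
]
# Ferenc's fix moves that rule to the front. Alone, a leading "to *" clause denies everyone
# else (implicit "by * none"); "by * break", as in Igor's {0}config rule, lets others through.
FIRST_ONLY = [POSTED[3]] + POSTED[:3]
FIRST_WITH_BREAK = [("*", [("dn.exact=cn=config", "manage", "stop"), ("*", "none", "break")])] + POSTED[:3]
```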
Hello Ferenc,
> There is a double comma here. But the problem is that this line will always terminate the ACL processing, because "to * ... by * read" always matches.
>
> olcAccess: {3}to * by dn.exact=cn=config
>
> This line is never reached. Move it to the front instead:
>
> olcAccess: {0}to * by dn.exact=cn=config
> olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to * by self write by * read

I am still confused about why the script terminates and the line is never reached. Either way, I am still getting the error:
ldap_delete: Insufficient access (50)
    additional info: no write access to parent

Is there something that I could check to figure out what is wrong?
Sincerely,
Igor Shmukler