Running Openldap 2.4.40 under RHEL 6.10
Trying to get this to work without success (from the slapd.access man page):
" One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use
access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break "
I have this as the only access rule in slapd.conf but any write operation using this dn gives me insufficient access, and slapacl verifies that read access only is permitted.
access to dn.subtree="dc=university,dc=edu" by dn.exact="cn=grouper-admin,dc=university,dc=edu" write by * break
Standard rootdn works fine. This system is a master for two consumers, but there's no external access to the master so a stripped-down acl list is appropriate.
Thanks for any direction for what I've missed.
Peter
Hi Peter,
--On Tuesday, October 23, 2018 2:48 PM +0000 "Heinemann, Peter G" phei@isc.upenn.edu wrote:
access to dn.subtree="dc=university,dc=edu" by dn.exact="cn=grouper-admin,dc=university,dc=edu" write by * break
Why do you have by * break if it is the only acl? Should just be:
access to dn.subtree="dc=university,dc=edu" by dn.exact="cn=grouper-admin,dc=university,dc=edu" write
However, if this is your only ACL, I'm not clear how you're going to be able to authenticate as the user unless you're doing some SASL regexp mapping? Otherwise, anonymous *must* have auth access to the userPassword attribute for simple binds to function.
Also unclear to me how slapacl would result in "read" access vs "none" if that is your only ACL. It sounds like there's more at play here than the snippets you've provided.
Warm regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
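A slapd.conf ACL set that covers both of Quanah's points, added here as an illustration rather than text from the thread or from the OpenLDAP documentation. It reuses the DNs from Peter's rule and assumes simple binds by users under dc=university,dc=edu; the replicator DN is a hypothetical placeholder for whatever binddn the two consumers use.

```conf
# Rule 1: userPassword has to come first. slapd stops at the first
# "access to" clause whose target matches, and if none of that clause's
# "by" lines match the requester the result is "none". So the update DN
# must be listed here too, or its writes to userPassword would be denied.
access to attrs=userPassword
    by dn.exact="cn=grouper-admin,dc=university,dc=edu" write
    by self write
    by anonymous auth
    by * none

# Rule 2: everything else under the suffix. Being the last rule, it needs
# no "break"; a plain "by *" line ends evaluation for everyone else.
# The consumers' syncrepl binddn (hypothetical name below) needs read here.
access to dn.subtree="dc=university,dc=edu"
    by dn.exact="cn=grouper-admin,dc=university,dc=edu" write
    by dn.exact="cn=replicator,dc=university,dc=edu" read
    by * none
```

Check it without restarting slapd: `slapacl -f /etc/openldap/slapd.conf -D "cn=grouper-admin,dc=university,dc=edu" -b "uid=someone,ou=people,dc=university,dc=edu" "mail/write"` should report ALLOWED (add `-u` if that entry does not exist yet, so slapacl evaluates a fake entry with that DN).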