https://www.openldap.org/doc/admin24/access-control.html says: Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything. As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Then I tried to add an entry with `$ sudo ldapadd -Y EXTERNAL -H ldapi:/// ....`
and OpenLDAP told me that I don't have permission to modify the DB.
I had to grant gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth access to everything in the backend's ACL to make it work.
Is it expected that the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission, or do I need to recheck because I could have gotten something wrong (didn't restart slapd or something like that)?
--On Thursday, September 27, 2018 2:41 AM +0300 linux nuse nuse.linux@yandex.com wrote:
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Added it as a rootdn for which database? (cn=config, your data db, etc)
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 28/09/18 02:34, Quanah Gibson-Mount wrote:
--On Thursday, September 27, 2018 2:41 AM +0300 linux nuse nuse.linux@yandex.com wrote:
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Added it as a rootdn for which database? (cn=config, your data db, etc)
Hmm... cn=config. I thought that rootdn was global.
On 27/09/18 01:41, linux nuse wrote:
Is it expected that gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission or I need to recheck because I could get something wrong (didn't restart slapd or something like that)?
Ofc I did it wrong. olcRootDN was set to `gidNumber=0+uidNumber=0,cn=peercred,cn=external` (`,cn=auth` was missing). I think I messed up the copy-pasting.
Now it works.
openldap-technical@openldap.org
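The mistake in this thread (a truncated olcRootDN on cn=config) is easy to catch by comparing the identity that `ldapwhoami -Y EXTERNAL -H ldapi:///` reports against each database's olcRootDN. The script below is an added example, not code from the thread or from OpenLDAP; it runs offline on a constructed LDIF sample that reproduces the mismatch, and in real use you would feed it the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcDatabase olcRootDN`.

```shell
#!/bin/sh
# Added example: does the SASL EXTERNAL identity match a database's olcRootDN?
# Function names and the sample LDIF are constructed for this example.

# Normalize a DN for comparison: strip an optional "dn:" prefix, drop blanks
# around "," "+" "=", lowercase. String-level approximation of DN matching,
# good enough for peercred DNs (attribute types are case-insensitive anyway).
norm_dn() {
  printf '%s' "$1" | sed -e 's/^dn:[[:space:]]*//' \
    -e 's/[[:space:]]*\([,+=]\)[[:space:]]*/\1/g' \
    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]'
}

# Print the olcRootDN of the database whose olcDatabase value is $2
# (e.g. "{0}config" or "{1}mdb") from the LDIF text in $1; empty if unset.
# Note: a base64-encoded value ("olcRootDN::") is not decoded here.
rootdn_for_db() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^olcDatabase:/ { db = $2 }
    /^olcRootDN:/   { if (db == want) { sub(/^olcRootDN:[[:space:]]*/, ""); print; exit } }'
}

# Exit 0 if the identity in $1 equals the olcRootDN of database $3 in LDIF $2,
# 1 if they differ, 2 if that database has no olcRootDN at all.
rootdn_matches() {
  who=$(norm_dn "$1")
  cfg=$(rootdn_for_db "$2" "$3")
  [ -n "$cfg" ] || return 2
  [ "$who" = "$(norm_dn "$cfg")" ]
}

# Constructed sample: cn=config lacks the ",cn=auth" suffix (the thread's bug),
# the data database is correct.
SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
# Constructed stand-in for what ldapwhoami prints when run as root over ldapi.
WHOAMI='dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

for db in '{0}config' '{1}mdb'; do
  if rootdn_matches "$WHOAMI" "$SAMPLE_LDIF" "$db"; then
    echo "$db: olcRootDN matches the SASL EXTERNAL identity"
  else
    echo "$db: olcRootDN differs from (or is missing for) the SASL EXTERNAL identity"
  fi
done
```

Any ACL added to work around a mismatch here is a symptom, since a correctly set rootdn needs no `by` clause.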