hi everybody
I'm just looking at the surface and still have lots to read/learn, but I thought this one should be easy to achieve/set up.
Having multiple top level domains, I wanted to allow the rootdn from another domain (say B) to have similar access rights to the rootdn of the home domain (say A), and I put this into the config of domain A:
to * by dn="cn=manger,dc=B,dc=topdom" manage
but I get infamous:
Insufficient access (50) additional info: no write access to parent
Is what I try to do possible, does LDAP allow it, is it prepared for such a scenario? If yes, can I get some light shed on what I got wrong or did not get at all?
many thanks.
lejeczek wrote:
Having multiple top level domains
Let's use clear terminology. You probably mean the naming context, DB suffix.
I wanted to allow the rootdn from another domain (say B) to have similar access rights to the rootdn of the home domain (say A), and I put this into the config of domain A:
to * by dn="cn=manger,dc=B,dc=topdom" manage
but I get infamous:
Insufficient access (50) additional info: no write access to parent
Is what I try to do possible, does LDAP allow it, is it prepared for such a scenario? If yes, can I get some light shed on what I got wrong or did not get at all?
This is definitely possible but I would not use the rootdn of a DB suffix for this. I'd rather define a group (in any naming context) and assign rights to this group.
Also we have to see your complete config to see whether things are complete.
Make sure to read and understand slapd-access(5):
http://www.openldap.org/software/man.cgi?query=slapd.access
Ciao, Michael.
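The group-based setup Michael suggests, written out as an added example (not from the thread or from the OpenLDAP project). It assumes a cn=config deployment in which database A (suffix dc=A,dc=topdom) is olcDatabase={1}mdb and database B (suffix dc=B,dc=topdom) is olcDatabase={2}mdb; the database indexes, the group DN cn=dirmgrs,ou=groups,dc=B,dc=topdom and the member DNs are all assumptions. Note that per slapd.conf(5) a rootdn bypasses access control only for operations on its own database, so an identity from B operating on A is an ordinary DN subject to A's ACLs, and ACLs are evaluated first-match: the clause that grants the right must come before any earlier "to *" or "to attrs=..." rule that would match the same entry with a weaker right.

```ldif
# Added example, not the project's code. Assumed names:
#   database A = olcDatabase={1}mdb (suffix dc=A,dc=topdom)
#   database B = olcDatabase={2}mdb (suffix dc=B,dc=topdom)
#   group      = cn=dirmgrs,ou=groups,dc=B,dc=topdom
#   members    = uid=alice,ou=people,dc=B,dc=topdom
#                uid=bob,ou=people,dc=A,dc=topdom

# 1. The group entry. It lives in naming context B here, but the
#    group clause in an ACL resolves the group entry from any local
#    database, so it could equally live in A or in a dedicated suffix.
dn: cn=dirmgrs,ou=groups,dc=B,dc=topdom
objectClass: groupOfNames
cn: dirmgrs
member: uid=alice,ou=people,dc=B,dc=topdom
member: uid=bob,ou=people,dc=A,dc=topdom

# 2. The ACL on database A. The {0} prefix inserts the value at the
#    front of olcAccess so it is evaluated before any existing rule
#    (e.g. a "to attrs=userPassword ..." or "to * by * read" clause)
#    that would otherwise match first and end evaluation.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by group.exact="cn=dirmgrs,ou=groups,dc=B,dc=topdom" manage
-
```

To check it, bind as one of the members and add or modify an entry under dc=A,dc=topdom; if slapd still answers "no write access to parent", read back olcAccess on olcDatabase={1}mdb,cn=config and confirm the group clause precedes any rule that also matches the parent entry. The equivalent slapd.conf line is `access to * by group.exact="cn=dirmgrs,ou=groups,dc=B,dc=topdom" manage`, placed before the database's other access directives.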
On 21/02/15 17:21, Michael Ströder wrote:
lejeczek wrote:
Having multiple top level domains
Let's use clear terminology. You probably mean the naming context, DB suffix.
Hi, it's a bit confusing to a beginner; the TLD term occurs so often when one reads about OpenLDAP. My configs for both databases are pretty basic. I'm away from that LDAP system but I'll get a snapshot of it tomorrow. It all felt so natural to me to have a rootdn of one database able to do the same, i.e. manage another database; I thought this would be so helpful in GUIs like Apache's LDAP browser, particularly copying objects between database trees, that idea that one "root" type of user can manage them all. Thanks Michael, I'll try some more reading on the access subject, but the fact that I have that:
to * by dn="cn=manger,dc=B,dc=topdom" manage
and still cannot write, just perplexed me.
openldap-technical@openldap.org