Hello Ulrich,
Thank you. I finally figured out my problem. I did not notice/realize that permissions were being given in stages: userPassword, dn.base then *. Once I added dn="cn=config" to the correct line, things started working. I appreciate your help. [This is already, at least, the second time.]
Sincerely,
Igor Shmukler
On Mon, Mar 23, 2015 at 4:43 PM, Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Igor Shmukler igor.shmukler@gmail.com wrote on 19.03.2015 at 15:03 in
message CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA@mail.gmail.com:
Hi Ferenc,
I am still getting the same error with both by and your versions. Please advise:
$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
Igor,
you allow cn=config to manage the config database, but below you remove an entry from another database with cn=config credentials.
$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
        additional info: no write access to parent

I even tried stripping the first line, so the rule was:
{0}to * by dn.exact=cn=config
Still gives me the same error.
Check the ACL in the other database!
Please advise,
Igor Shmukler
On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner wferi@niif.hu wrote:
Igor Shmukler igor.shmukler@gmail.com writes:
I want it to be something like:
olcAccess: {1}to * by dn="cn=config" manage
Basically, I want dn=cn=config to have full root access over everything. I also want this password ideally to be password protected.
Does it make sense? Can it be done?
Sure. Add this olcAccess attribute to all the databases. Or to the frontend database, but check man slapd.access for the priorities and defaults. For what it's worth, I use the syntax
to * by dn.exact=cn=config
(which should be equivalent to yours).
Feri.
openldap-technical@openldap.org
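The two points the thread turns on (every database carries its own olcAccess list, and within a list the first matching "to" clause decides, so a rule on the wrong line does nothing) can be checked in a toy model. The Python below is an added example, not part of the thread and not OpenLDAP code: it implements a simplified reading of slapd.access(5) evaluation ("break" is reduced to "continue with the next to-clause", and only the what/who selectors used in the thread are supported). The config-database rules are the ones from the thread; the data-database rules are a typical staged default (userPassword, root DSE, then everything) assumed here, and the delete check follows slapd's requirement of write access to the parent's "children" and the entry's "entry" pseudo-attributes.

```python
"""Toy model of slapd.access(5) evaluation, constructed for illustration
(not OpenLDAP code): per-database ACLs, first matching 'to' clause wins."""
import re
from dataclasses import dataclass, field

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = ("stop", "continue", "break")

@dataclass
class By:
    who: str
    level: str
    control: str = ""          # "" or one of CONTROLS

@dataclass
class Access:
    what: str
    by: list = field(default_factory=list)

def parse_olc_access(value):
    """Parse one olcAccess value, e.g. '{1}to * by dn.exact=cn=config manage'."""
    head, *bys = re.sub(r"^\{\d+\}", "", value.strip()).split(" by ")
    if not head.startswith("to "):
        raise ValueError(f"not an access clause: {value}")
    clause = Access(head[3:].strip())
    for b in bys:
        who, *rest = b.split()
        # 'by * break' carries no level: treat it as 'none' plus the control
        level = rest[0] if rest and rest[0] not in CONTROLS else "none"
        control = rest[-1] if rest and rest[-1] in CONTROLS else ""
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        clause.by.append(By(who, level, control))
    return clause

def what_matches(what, target_dn, attr):
    """<what> selectors used in the thread: '*', 'attrs=...', 'dn.base=...'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, requester_dn, target_dn):
    """<who> selectors: '*', anonymous, self, dn=... and dn.exact=..."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "self":
        return requester_dn.lower() == target_dn.lower()
    if who.startswith(("dn=", "dn.exact=")):
        return requester_dn.lower() == who.split("=", 1)[1].strip('"').lower()
    raise ValueError(f"unsupported <who>: {who}")

def access_level(acl, requester_dn, target_dn, attr):
    """First 'to' clause whose <what> matches decides; inside it the first
    matching 'by' wins and no match means the implicit 'by * none'.
    'break' is simplified here to: move on to the next 'to' clause."""
    for clause in acl:
        if not what_matches(clause.what, target_dn, attr):
            continue
        for by in clause.by:
            if who_matches(by.who, requester_dn, target_dn):
                if by.control == "break":
                    break
                return by.level
        else:
            return "none"
    return "none"

def acl_for(databases, dn):
    """Pick the database (longest matching suffix) that holds dn."""
    return databases[max((s for s in databases if dn.lower().endswith(s.lower())), key=len)]

def can_delete(databases, requester_dn, entry_dn):
    """slapd needs write on the parent's 'children' pseudo-attribute and on
    the entry's 'entry' pseudo-attribute before it deletes (slapd.access(5))."""
    acl = acl_for(databases, entry_dn)
    parent_dn = entry_dn.split(",", 1)[1]
    if LEVELS.index(access_level(acl, requester_dn, parent_dn, "children")) < LEVELS.index("write"):
        return False, "no write access to parent"
    if LEVELS.index(access_level(acl, requester_dn, entry_dn, "entry")) < LEVELS.index("write"):
        return False, "no write access to entry"
    return True, "ok"

# Constructed ACLs: config-database rules from the thread; data-database rules
# are an assumed staged default in which cn=config is never mentioned.
CONFIG_ACL = [parse_olc_access(v) for v in (
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break",
    "{1}to * by dn.exact=cn=config manage",
)]
DATA_ACL_BEFORE = [parse_olc_access(v) for v in (
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    '{1}to dn.base="" by * read',
    "{2}to * by self write by * read",
)]
# The fix from the thread: cn=config added to the 'to *' line of the data database.
DATA_ACL_AFTER = DATA_ACL_BEFORE[:2] + [
    parse_olc_access('{2}to * by dn="cn=config" manage by self write by * read')]

if __name__ == "__main__":
    dbs = {"cn=config": CONFIG_ACL, "dc=directory,dc=com": DATA_ACL_BEFORE}
    print(can_delete(dbs, "cn=config", "cn=john,dc=directory,dc=com"))  # (False, 'no write access to parent')
    dbs["dc=directory,dc=com"] = DATA_ACL_AFTER
    print(can_delete(dbs, "cn=config", "cn=john,dc=directory,dc=com"))  # (True, 'ok')
```

With the staged data ACL in place, cn=config still gets "none" on userPassword even after the fix, because the attrs=userPassword clause is matched first and never mentions it; granting that too means editing that line as well, which is the "stages" observation in the final reply.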