Hi,
I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and have read Matt Butcher's 'Mastering ...' book and the OpenLDAP-Admin-Guide but I'm continuing to struggle to find the information I need to satisfactorily configure using the dynamic way of working instead of using the legacy slapd.conf method. (Any reference to administering ldap using dynamic method would be appreciated)
I have OpenLDAP basically configured to answer queries using the Manager object, but I want to remove current privileges and have just two accounts in the system ou - one with read only to the users ou and all objects therein, and one with the equivalent of Manager rights to the users OU that I can give to my devs to create their own users.
I would retain the Manager account for full access, but would just like to give out the readonly and readwrite accounts in system OU permissions to users OU, and remove users permissions to anything but themselves. My intention is to delete the existing olcAccess rules and implement a new set, but I can't get rid of the old rules as it's not letting me.
When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f acl_delete_file.ldif' I receive :- 'modifying entry "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'
The delete ldif looks like this :-
# {2}hdb, config dn: olcDatabase={2}hdb,cn=config delete: olcAccess
I am using the default hdb database.
I understood 'Manager' had full access to everything regardless, can anyone shed any light on why this request would be refused ?
Gary Spencer Infrastructure Project Engineer [http://www.sis.tv/contentAsset/raw-data/369d823c-5153-4089-a9b6-4d868930a68e...]http://www.sis.tv/contact/streaming-from-sis.html
**********************************************************************
Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307
The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.
**********************************************************************
Am Wed, 23 Dec 2015 10:30:41 +0000 schrieb Gary Spencer gspencer@sis.tv:
Hi,
I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and have read Matt Butcher's 'Mastering ...' book and the OpenLDAP-Admin-Guide but I'm continuing to struggle to find the information I need to satisfactorily configure using the dynamic way of working instead of using the legacy slapd.conf method. (Any reference to administering ldap using dynamic method would be appreciated)
I have OpenLDAP basically configured to answer queries using the Manager object, but I want to remove current privileges and have just two accounts in the system ou - one with read only to the users ou and all objects therein, and one with the equivalent of Manager rights to the users OU that I can give to my devs to create their own users.
I would retain the Manager account for full access, but would just like to give out the readonly and readwrite accounts in system OU permissions to users OU, and remove users permissions to anything but themselves. My intention is to delete the existing olcAccess rules and implement a new set, but I can't get rid of the old rules as it's not letting me.
When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f acl_delete_file.ldif' I receive :- 'modifying entry "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'
Please note that the config database should have a rootDN set, if not set, it defaults to cn=config, see slapd-config(5). Thus, MANAGER has no write access to config database. [...]
I understood 'Manager' had full access to everything regardless, can anyone shed any light on why this request would be refused ?
No, rootDN only hase manage access to the configured database. every database should have a rootdn declaration. For more information see slapd.conf(5), section general database options.
-Dieter
openldap-technical@openldap.org
-
Dieter Klünter -
Gary Spencer