On Wed, 23 Dec 2015 10:30:41 +0000,
Gary Spencer <gspencer(a)sis.tv> wrote:
Hi,
I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and
have read Matt Butcher's 'Mastering ...' book and the
OpenLDAP-Admin-Guide but I'm continuing to struggle to find the
information I need to satisfactorily configure using the dynamic way
of working instead of using the legacy slapd.conf method. (Any
reference to administering ldap using dynamic method would be
appreciated)
I have OpenLDAP basically configured to answer queries using the
Manager object, but I want to remove current privileges and have just
two accounts in the system ou - one with read only to the users ou
and all objects therein, and one with the equivalent of Manager
rights to the users OU that I can give to my devs to create their own
users.
I would retain the Manager account for full access, but would just
like to give out the readonly and readwrite accounts in system OU
permissions to users OU, and remove users permissions to anything but
themselves. My intention is to delete the existing olcAccess rules
and implement a new set, but I can't get rid of the old rules as it's
not letting me.
When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D
"cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f
acl_delete_file.ldif' I receive :- 'modifying entry
"olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'
Please note that the config database should have a rootDN set; if it is
not set, it defaults to cn=config, see slapd-config(5).
Thus, MANAGER has no write access to the config database.
[...]
I understood 'Manager' had full access to everything regardless, can
anyone shed any light on why this request would be refused?
No, rootDN only has manage access to the configured database. Every
database should have a rootdn declaration. For more information see
slapd.conf(5), section general database options.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
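As an added illustration of the point Dieter makes (this LDIF is constructed for this thread, not something Gary or Dieter posted): the first change gives the cn=config database its own rootDN so that the olcAccess rules of the hdb database can be administered with a bind instead of only via local root, and the second change replaces the old olcAccess list on olcDatabase={2}hdb in one atomic step with the read-only / read-write split described in the question. Assumed names: suffix dc=example,dc=com, the two accounts cn=readonly and cn=readwrite under ou=system, and a users container ou=users; the password hash is a placeholder to be generated with slappasswd.

```ldif
# Constructed example. Apply once as local root, which the RHEL default
# config ACL maps to gidNumber=0+uidNumber=0,cn=auth with manage rights:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl_rework.ldif

# 1. Give cn=config an explicit rootDN (it otherwise defaults to cn=config,
#    which nobody can bind as). cn=Manager of the hdb database is NOT this
#    rootDN, hence the "Insufficient access (50)" seen in the thread.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config
-
replace: olcRootPW
olcRootPW: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# 2. Replace the whole olcAccess list instead of deleting rules one by one.
#    Ordinals {n} fix the evaluation order; a leading space continues a line.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=readwrite,ou=system,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com"
  by dn.exact="cn=readonly,ou=system,dc=example,dc=com" read
  by dn.exact="cn=readwrite,ou=system,dc=example,dc=com" write
  by self read
  by * none
olcAccess: {2}to *
  by * none
```

After this, `ldapmodify -x -H ldap://HOSTNAME -D cn=admin,cn=config -W` can maintain cn=config remotely, while cn=Manager (the hdb rootDN) still bypasses the hdb ACLs but gets no access to cn=config; rule {1} grants write on ou=users itself, which is what the readwrite account needs to add child entries.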