2:30 a.m.
Hi,
I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and have read Matt
Butcher's 'Mastering ...' book and the OpenLDAP-Admin-Guide but I'm
continuing to struggle to find the information I need to satisfactorily configure using
the dynamic way of working instead of using the legacy slapd.conf method. (Any reference
to administering ldap using dynamic method would be appreciated)
I have OpenLDAP basically configured to answer queries using the Manager object, but I
want to remove current privileges and have just two accounts in the system ou - one with
read only to the users ou and all objects therein, and one with the equivalent of Manager
rights to the users OU that I can give to my devs to create their own users.
I would retain the Manager account for full access, but would just like to give out the
readonly and readwrite accounts in system OU permissions to users OU, and remove users
permissions to anything but themselves.
My intention is to delete the existing olcAccess rules and implement a new set, but I
can't get rid of the old rules as it's not letting me.
When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D
"cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f acl_delete_file.ldif' I
receive :-
'modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Insufficient access (50)'
The delete ldif looks like this :-
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
delete: olcAccess
I am using the default hdb database.
I understood 'Manager' had full access to everything regardless, can anyone shed
any light on why this request would be refused ?
Gary Spencer
Infrastructure Project Engineer
[http://www.sis.tv/contentAsset/raw-data/369d823c-5153-4089-a9b6-4d868930a...
**********************************************************************
Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston,
Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307
The information in this email (which includes any files transmitted with it) is
confidential and is intended for the addressee only. Unauthorized recipients are required
to maintain confidentiality. If you have received this email in error please notify the
sender immediately, destroy any copies and delete it from your computer system.
**********************************************************************
10:19 a.m.
Am Wed, 23 Dec 2015 10:30:41 +0000
schrieb Gary Spencer <gspencer(a)sis.tv>:
Hi,
I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and
have read Matt Butcher's 'Mastering ...' book and the
OpenLDAP-Admin-Guide but I'm continuing to struggle to find the
information I need to satisfactorily configure using the dynamic way
of working instead of using the legacy slapd.conf method. (Any
reference to administering ldap using dynamic method would be
appreciated)
I have OpenLDAP basically configured to answer queries using the
Manager object, but I want to remove current privileges and have just
two accounts in the system ou - one with read only to the users ou
and all objects therein, and one with the equivalent of Manager
rights to the users OU that I can give to my devs to create their own
users.
I would retain the Manager account for full access, but would just
like to give out the readonly and readwrite accounts in system OU
permissions to users OU, and remove users permissions to anything but
themselves. My intention is to delete the existing olcAccess rules
and implement a new set, but I can't get rid of the old rules as it's
not letting me.
When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D
"cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f
acl_delete_file.ldif' I receive :- 'modifying entry
"olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'
Please note that the config database should have a rootDN set, if not
set, it defaults to cn=config, see slapd-config(5).
Thus, MANAGER has no write access to config database.
[...]
I understood 'Manager' had full access to everything
regardless, can
anyone shed any light on why this request would be refused ?
No, rootDN only hase manage access to the configured database. every
database should have a rootdn declaration. For more information see
slapd.conf(5), section general database options.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
2341
days inactive
2341
days old
openldap-technical@openldap.org
1 comments
2 participants
participants (2)
-
Dieter Klünter -
Gary Spencer