Hello,
I am using OpenLDAP 2.4.40 on CentOS 7.6. I tried to remove 2 ACL entries and failed. I must have missed something, so please help me.
I now have:

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=van,dc=company,dc=com
olcRootDN: cn=Manager,dc=van,dc=company,dc=com
olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjNVSUl2enZz0sm1akt4Nnd6OTk=
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
structuralObjectClass: olcHdbConfig
entryUUID: 3b7e5722-d26f-1035-8835-91213c5bb357
creatorsName: cn=config
createTimestamp: 20160629180122Z
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=van,dc=company,dc=com" write by * none
olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc=com" write by * read
entryCSN: 20200427230612.038641Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20200427230612Z
Then I created an LDIF file:
# cat delete_acl.ldif
dn: olcDatabase={2}hdb,cn=config

changetype: modify
delete: olcAccess
olcAccess: {0}
olcAccess: {1}
Now try to delete the ACL:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f delete_acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
#
When I check with "slapcat -n 0" I see the 2 olcAccess entries still exist.
Please help. Thanks.
Gao
On Mon, Apr 27, 2020 at 04:23:20PM -0700, Gao wrote:
> # cat delete_acl.ldif
> dn: olcDatabase={2}hdb,cn=config
>
> changetype: modify
> delete: olcAccess
> olcAccess: {0}
> olcAccess: {1}
Is the blank line actually part of it? Then you're making a no-op change on that entry, plus submitting some invalid stuff (which gets ignored) afterwards.
Delete the blank line and it ought to work.
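As an added example (not code from the thread or from the OpenLDAP project), the small Python checker below splits an LDIF change file into records the way an LDIF reader does and flags exactly the mistake discussed here: a blank line straight after the "dn:" line ends the record before any changetype or modification is read, so the first record is a dn with nothing to apply and the lines after it form a second record that does not start with "dn:". The two LDIF strings are constructed to mirror the posted file and the suggested fix; the names split_records and lint_ldif are the example's own.

```python
# Added example, not OpenLDAP code. Lints an LDIF change file for records that
# were cut short by a stray blank line. BROKEN_LDIF and FIXED_LDIF are
# constructed samples mirroring the file in this thread and its fix.

BROKEN_LDIF = """\
dn: olcDatabase={2}hdb,cn=config

changetype: modify
delete: olcAccess
olcAccess: {0}
olcAccess: {1}
"""

FIXED_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
olcAccess: {1}
"""

# Modification operations a "changetype: modify" record must contain at least one of.
MOD_OPS = {"add", "delete", "replace", "increment"}


def split_records(text):
    """Split LDIF text into records: runs of non-blank lines separated by one
    or more blank lines. A line beginning with a space is an RFC 2849
    continuation and is joined onto the previous line; '#' comment lines are
    dropped. Returns a list of records, each a list of logical lines."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            # Blank line: closes the record in progress (if any).
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def lint_ldif(text):
    """Return a list of problem strings; an empty list means every record is a
    complete change record (dn, changetype, and for modify at least one op)."""
    problems = []
    for n, rec in enumerate(split_records(text), start=1):
        attrs = [line.split(":", 1)[0].strip().lower() for line in rec]
        if attrs[0] != "dn":
            # Orphaned lines: they belong to no entry, so ldapmodify ignores them.
            problems.append(
                f"record {n}: starts with {rec[0]!r}, not 'dn:'; these lines "
                f"belong to no entry (stray blank line above?) and are ignored"
            )
            continue
        if len(rec) == 1:
            # A dn with nothing after it: the change applied is a no-op.
            problems.append(
                f"record {n}: only a dn line, so it carries no changetype and "
                f"no modifications; ldapmodify makes a no-op change to the entry"
            )
            continue
        if "changetype" in attrs:
            changetype = rec[attrs.index("changetype")].split(":", 1)[1].strip().lower()
            if changetype == "modify" and not MOD_OPS & set(attrs):
                problems.append(f"record {n}: changetype modify with no add/delete/replace")
    return problems


if __name__ == "__main__":
    for name, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(f"{name}: {len(split_records(ldif))} record(s)")
        for p in lint_ldif(ldif):
            print("  ", p)
```

Run against the broken file it reports two records, the first a bare dn and the second an orphan starting with "changetype:"; the fixed file yields one clean record and no problems. Running ldapmodify with -n (parse and report, but do not modify) before the real run is a cheap second check when editing cn=config, since a no-op "modifying entry" line looks exactly like a successful one.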
--On Monday, April 27, 2020 5:23 PM -0700 Gao gao@pztop.com wrote:
> Hello,
>
> I am using OpenLDAP 2.4.40 on CentOS 7.6. I tried to remove 2 ACL entries and failed. I must have missed something, so please help me.
I would strongly advise updating to a current release of OpenLDAP. 2.4.40 is 5.5 years old and numerous bugs, including some deadlocks in cn=config when doing modifications, have been fixed since that release.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 2020-04-27 16:32, Ryan Tandy wrote:
> On Mon, Apr 27, 2020 at 04:23:20PM -0700, Gao wrote:
>> # cat delete_acl.ldif
>> dn: olcDatabase={2}hdb,cn=config
>>
>> changetype: modify
>> delete: olcAccess
>> olcAccess: {0}
>> olcAccess: {1}
>
> Is the blank line actually part of it? Then you're making a no-op change on that entry, plus submitting some invalid stuff (which gets ignored) afterwards.
>
> Delete the blank line and it ought to work.
Removed the blank line and it works.
Thanks for the quick help.
Cheers,
Gao
openldap-technical@openldap.org