
Re: requesting clarification of use of config backend



On Mon, Sep 12, 2005 at 03:47:12PM -0700, Howard Chu wrote:
> The config database currently does not honor ACLs; it is hardcoded to 
> only allow access to the rootdn.

I'm having a problem with this (ol-2.3.7). I get back an "insufficient access"
error when attempting to modify an entry under cn=config as its rootdn.

The config portion from slapd.conf is this:
"""
database config
rootdn "uid=andreas,cn=digest-md5,cn=auth"

database        bdb
suffix          "o=company,c=br"
rootdn          "cn=Manager,o=company,c=br"
rootpw          password
(...)
"""

The only acl lines are below the "database bdb" definition and all begin with 
"access to dn.subtree="o=company,c=br" ...

I migrated this file to slapd.d and started slapd. Logging in as the
cn=config rootdn and trying to change a config parameter gives me this
(slapd -d 128 output):

=> access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "entry" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDatabase" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcSuffix" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcAccess" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcLastMod" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcMaxDerefDepth" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcReadOnly" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcRootDN" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcRootPW" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbDirectory" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbCacheSize" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbCheckpoint" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbConfig" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbNoSync" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbDirtyRead" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbIDLcacheSize" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbIndex" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbLinearIndex" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbMode" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbSearchStack" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbShmKey" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcLimits" requested
<= root access granted
=> access_allowed: backend default write access denied to "uid=andreas,cn=digest-md5,cn=auth"


The client gets back an "insufficient access" error. Is this a bug or am I doing something wrong?
/etc/openldap/slapd.d is mode 0750 owner ldap and all files under it are owned by ldap.
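The `slapd -d 128` trace above is long and the only line that matters for the "insufficient access" result is the last one. As an added example (not part of the original message or of OpenLDAP itself), the following Python pairs each `=> access_allowed: ... requested` line with the `<=` verdict that follows it, so that a triage run shows at a glance which checks were short-circuited as root and which one fell through to the backend default. The sample trace embedded in the script is a constructed excerpt copied from the lines quoted above; the function and variable names are my own.

```python
import re

# Constructed sample: an excerpt of the slapd -d 128 (ACL) trace quoted in the
# message above, trimmed to a few reads plus the final write denial.
SAMPLE_TRACE = """\
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "entry" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcRootPW" requested
<= root access granted
=> access_allowed: backend default write access denied to "uid=andreas,cn=digest-md5,cn=auth"
"""

# '=> access_allowed: <access> access to "<dn>" "<attr>" requested'
REQUEST_RE = re.compile(
    r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested$')
# '<= <reason> access granted|denied'  (reason is "root" for the rootdn shortcut)
RESULT_RE = re.compile(r'^<= (.+?) access (granted|denied)')
# '=> access_allowed: backend default <access> access denied to "<bound dn>"'
DEFAULT_RE = re.compile(
    r'^=> access_allowed: backend default (\w+) access (granted|denied) to "([^"]*)"$')


def parse_acl_trace(text):
    """Turn a -d 128 trace into a list of decisions.

    Each decision is a dict with keys access, dn, attr, verdict, reason, who.
    A '=> ... requested' line opens a decision; the next '<= ...' line closes it.
    A 'backend default' line is a decision on its own: no ACL matched, so the
    backend's default verdict applied to the bound identity in 'who'.
    """
    events = []
    pending = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            pending = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                       "verdict": None, "reason": None, "who": None}
            events.append(pending)
            continue
        m = RESULT_RE.match(line)
        if m and pending is not None:
            pending["reason"] = m.group(1)
            pending["verdict"] = m.group(2)
            pending = None
            continue
        m = DEFAULT_RE.match(line)
        if m:
            events.append({"access": m.group(1), "dn": None, "attr": None,
                           "verdict": m.group(2), "reason": "backend default",
                           "who": m.group(3)})
            pending = None
    return events


def first_denial(events):
    """Return the first denied decision, or None if everything was granted."""
    return next((e for e in events if e["verdict"] == "denied"), None)


def summarize(events):
    """One line per decision, plus a verdict line a human can act on."""
    lines = []
    root_grants = 0
    for e in events:
        if e["reason"] == "root":
            root_grants += 1
        target = f'{e["dn"]} {e["attr"]}' if e["dn"] else f'bound as {e["who"]}'
        lines.append(f'{e["access"]:<6} {e["verdict"]:<7} via {e["reason"]}: {target}')
    denial = first_denial(events)
    if denial is None:
        lines.append("RESULT: all checks granted")
    else:
        lines.append(f'RESULT: {denial["access"]} denied by {denial["reason"]} '
                     f'after {root_grants} root-shortcut grant(s)'
                     + (f' for {denial["who"]}' if denial["who"] else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_acl_trace(SAMPLE_TRACE)))
```

Feed it the full trace with `slapd -d 128 2>&1 | python3 acltriage.py` (the script reads `SAMPLE_TRACE` as written; swap in `sys.stdin.read()` for live use). The useful signal is in the final line: the reads on `olcDatabase={1}bdb,cn=config` were granted by the root shortcut, while the write never reached that shortcut and was decided by the backend default instead.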