[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Creating database, catch-22

To: Peter Mogensen <apm@mutex.dk>
Subject: Re: Creating database, catch-22
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Wed, 16 Sep 2009 12:40:28 +0200
Cc: openldap-software@openldap.org
In-reply-to: <4AB087E4.9010105@mutex.dk>
References: <4AB087E4.9010105@mutex.dk>
User-agent: Thunderbird 2.0.0.19 (X11/20090107)

Peter Mogensen wrote:

Hi,

I've been trying to script database creation via cn=config.
Creating the HDB database works fine, but when I try to add the LDIF forthe root node, I get:
# ldapadd -YEXTERNAL -H ldapi:/// -f ./bootstrap.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=app,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
... which is understandable. However, I would prefer not to set atemporary rootpw for the database. Is there any way around that?
I considered Proxy authorization, but the root DN for the database I'mcreating is in the LDIF I'm trying to add.
/Peter
PS: As you can probably see, all access goes through SASL EXTERNAL. UNIXroot maps to cn=config via ldapi:/// , remote access uses x509certificates.

Add an ACL (either global, if there aren't any in that database, orlocal) that allows the identity you trust to write to that database.

p.

Follow-Ups:
- Re: Creating database, catch-22
  - From: Peter Mogensen <apm@mutex.dk>
- Re: Creating database, catch-22
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- Creating database, catch-22
  - From: Peter Mogensen <apm@mutex.dk>

Prev by Date: Creating database, catch-22
Next by Date: Re: Creating database, catch-22
Index(es):
- Chronological
- Thread