
Re: Adding entries to cn=config



On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
> Hello,
> 
> 	I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an
> ubuntu server, so I'm new to the cn=config database.
> 
> 	The problem I have is that I want to create a user under cn=config, so
> I could configure the server without providing the password for
> cn=config (I want to restrict the IPs from which that user could be used).

[...]

> 	Could anybody help me?

Add access controls to the database, allowing your existing user accounts 
write access to cn=config.

The config database is for configuration, not for data (e.g. users).

Here is my access rule:

$ ldapsearch -LLL -b cn=config "(olcDatabase={0}config)" olcAccess
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa
 lias,dc=com" ssf=112 write
olcAccess: {1}to *  by * none

This shows how my account managed to see the configuration above:

$ ldapwhoami 
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com

$ ldapcompare 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' 
member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
TRUE

This can be done without SASL, but since I have SASL set up, it is so much more 
convenient to show with SASL than without.

Regards,
Buchan
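The ACL change the reply recommends, written out as an added example (it is not code from the thread or from the OpenLDAP project): a small POSIX shell script that emits the LDIF which replaces olcAccess on the config database, granting one existing group write access subject to a minimum SSF and, since the original question asked for it, an optional source-network restriction via peername.ip. The group DN, SSF value and network below are constructed placeholders; the peercred DN is the local-root identity that ldapi:// EXTERNAL authentication yields, kept so that the root account on the box cannot lock itself out if the new rule is wrong.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates the LDIF that
# gives an existing group write access to cn=config, in the shape of the
# reply's olcAccess rule. All DNs, SSF values and networks are placeholders.

# Emit an LDIF modify that REPLACES olcAccess on olcDatabase={0}config.
#   $1 = group DN allowed to write
#   $2 = minimum SSF (112 in the reply; needs TLS or a SASL security layer)
#   $3 = optional peername.ip filter, e.g. "192.0.2.0%255.255.255.0";
#        empty string = no source-address restriction
config_acl_ldif() {
    group_dn=$1
    min_ssf=$2
    net=$3
    # Several <who> qualifiers in one "by" clause must ALL match, so the
    # group membership, the network and the SSF are ANDed together.
    if [ -n "$net" ]; then
        by_clause="by group=\"$group_dn\" peername.ip=$net ssf=$min_ssf write"
    else
        by_clause="by group=\"$group_dn\" ssf=$min_ssf write"
    fi
    printf '%s\n' \
        'dn: olcDatabase={0}config,cn=config' \
        'changetype: modify' \
        'replace: olcAccess' \
        "olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage $by_clause" \
        'olcAccess: {1}to * by * none'
}

# The command that applies the LDIF over the local socket as root; this
# path uses the peercred identity above rather than a password.
apply_cmd() {
    echo 'ldapmodify -Y EXTERNAL -H ldapi:///'
}

# Count olcAccess values on stdin (sanity check before applying).
count_rules() {
    grep -c '^olcAccess:'
}

# Usage with constructed values (prints the LDIF; pipe it into apply_cmd's
# command to apply it):
config_acl_ldif 'cn=LDAP Admins,ou=System Groups,dc=example,dc=com' 112 '192.0.2.0%255.255.255.0'
```

Apply it with `sudo sh -c "config_acl_ldif ... | ldapmodify -Y EXTERNAL -H ldapi:///"` (or save the output to a file first), then repeat the reply's checks as the ordinary account: ldapwhoami to confirm the bind identity, ldapcompare to confirm group membership, and the ldapsearch on `(olcDatabase={0}config)` to confirm the rule is readable. The trailing `{1}to * by * none` only spells out slapd's default deny: once a `to` clause matches, only its own `by` clauses are consulted, so the first rule already denies everyone it does not list. Note also that `replace: olcAccess` discards every existing value, which is why the peercred entry is carried along rather than added separately.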