
Re: LDAP browsers and cn=config



Hi Torsten,

Thanks for your help!

On 07/03/11 17:37, Torsten Schlabach (Tascel eG) wrote:
> Take a look at the olcAccess attribute values of your cn=config database.
> This should tell you who's allowed to read it or not.

I did add a value to try and make this work (see below), but perhaps I haven't done all that's necessary.

> It depends where your cn=config data comes from, but in many examples you
> will find an olcAccess attribute granting write access to a DN called
> cn=admin,cn=config. You need to have that object in your cn=config database
> then and it should have the password attribute set.

> Post the olcAccess sections of your LDIF here, I think this may help.

Here is my olcDatabase={0}config.ldif, with some comments:

dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
# This one added by me recently:
olcAccess: {0}to * by dn.exact=cn=admin,cn=config manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 9dfea13e-dd1c-102f-8cc4-2fe95e0d0dbe
creatorsName: cn=config
createTimestamp: 20110307153755Z
entryCSN: 20110307153755.993390Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110307153755Z
# These two added by me recently:
oldRootDN: cn=admin,cn=config
olcRootPW: config

So it looks like I just need to make sure I have the cn=admin,cn=config object in my database. And I think I can probably add it using the magic -Y EXTERNAL method and ldapadd. However, I don't know how to construct it - what objectClass should it have?

Gerv
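
Added example (not part of the original message, and not OpenLDAP's own code): a small Python check that unfolds a cn=config LDIF entry and reports olcAccess values sharing the same {n} ordering index, an olcRootPW stored without a {SCHEME} hash prefix, and attribute names that are neither olc-prefixed nor in a short allowlist. The names `parse_ldif`, `lint`, `KNOWN` and the allowlist contents are assumptions made for this example; the sample is constructed from the entry quoted above.

```python
import re

# Constructed sample, trimmed from the olcDatabase={0}config entry in the message.
SAMPLE = """\
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {0}to * by dn.exact=cn=admin,cn=config manage by * break
creatorsName: cn=config
oldRootDN: cn=admin,cn=config
olcRootPW: config
"""

# Non-olc attribute names expected in such an entry (assumed allowlist).
KNOWN = {"dn", "objectclass", "structuralobjectclass", "entryuuid", "creatorsname",
         "createtimestamp", "entrycsn", "modifiersname", "modifytimestamp"}

def parse_ldif(text):
    """Return (attribute, value) pairs with folded lines joined and comments dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # LDIF folding: continuation starts with one space
        elif raw:
            lines.append(raw)
    pairs = [l.partition(":") for l in lines if not l.startswith("#")]
    return [(a.strip(), v.strip()) for a, sep, v in pairs if sep]

def lint(text):
    """Return findings for one entry, in the order the attributes appear."""
    findings, seen = [], set()
    for attr, value in parse_ldif(text):
        name = attr.lower()
        if name == "olcaccess":
            m = re.match(r"\{(\d+)\}", value)
            if m and m.group(1) in seen:
                findings.append(f"duplicate olcAccess index {{{m.group(1)}}}")
            elif m:
                seen.add(m.group(1))
        elif name == "olcrootpw":
            m = re.match(r"\{([A-Za-z0-9_-]+)\}", value)
            if not m or m.group(1).upper() == "CLEARTEXT":
                findings.append("olcRootPW has no {SCHEME} prefix (cleartext)")
        elif not name.startswith("olc") and name not in KNOWN:
            findings.append(f"unrecognised attribute {attr}")
    return findings
```

Calling `lint(SAMPLE)` returns the findings as a list of strings; an empty list means none of the three checks fired.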