
Re: replace: olcAccess



Hi Igor,

On Tue, Jan 06, 2015 at 01:56:23PM +0100, Igor Shmukler wrote:
> I install the server with aptitude and have LDIFs to change the root
> password and suffix.

You might consider preseeding those prior to installation, using debconf-set-selections(1). If you do want to reconfigure the suffix after installation, dpkg-reconfigure(8) is a safe way to do that.

In particular, if you do this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

and start loading new data into the existing database without deleting the old files first, you risk running into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546368 .

> The olcAccess is the part that is not working as I expected. My LDIF
> runs just fine changing the name, and domain suffix. Yet, after the
> operation is complete, ldapsearch(1) starts returning errors. When the
> suffix was nodomain [default left by the install] searches worked.

Please provide an example ldapsearch(1) command and its output, and the access rules currently in use (as per ldapsearch/slapcat of cn=config). I don't see anything obviously wrong in what you posted.

> olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com"
> write by * read

Consider the 'by self write' part of that carefully. You may not want users modifying their own uidNumber and gidNumber, for example. (Newer versions of the package stopped including 'by self write' in the default ACL because of that.)

hope that helps,
Ryan

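A way to check a cn=config dump for the 'by self write' concern raised in the message, as an added example that is not part of the original message or of the slapd package. The sample LDIF is constructed, the function names are hypothetical, and the parser assumes simple `by <who> <access>` clauses rather than the full slapd.access(5) grammar.

```python
import re
import shlex

# Constructed sample in `slapcat -n0` style; rule {2} is folded like the ACL quoted in the message.
SAMPLE_LDIF = '''\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com"
  write by * read
'''

def unfold(ldif):
    """Join LDIF folded lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_acl(value):
    """Split '{n}to <what> by <who> <access> ...' into (n, what, [(who, access), ...])."""
    m = re.match(r"\{(\d+)\}to\s+(.+?)\s+by\s+(.+)$", value)
    if not m:
        raise ValueError("unrecognised olcAccess value: " + value)
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(3)):
        tokens = shlex.split(clause)  # keeps a quoted DN as one token
        clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else ""))
    return int(m.group(1)), m.group(2), clauses

def broad_self_write(ldif):
    """Return (entry dn, rule index, what) for rules that let 'self' write with no attrs= limit."""
    findings, dn = [], None
    for line in unfold(ldif):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("olcAccess: "):
            index, what, clauses = parse_acl(line[len("olcAccess: "):])
            self_writes = any(w == "self" and a in ("write", "manage") for w, a in clauses)
            if self_writes and "attrs=" not in what:
                findings.append((dn, index, what))
    return findings

print(broad_self_write(SAMPLE_LDIF))
```

Rule {0} in the sample also grants self write but is limited by `attrs=`, so only the catch-all rule {2} is reported.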