
olcAccess syntax
Hello,

Sorry, this is a repost. I was unable to figure out what is wrong with my
olcAccess configuration!

I am trying to configure my OpenLDAP so that cn=config has full
over-the-network write access with a password. I thought at one point
that I got the permissions working. It turns out those are not
working now. Please say what I am doing wrong.

Last time, I had a similar problem with policy. Michael S. saved me a
bunch of time by advising to load ppolicy.ldif [with the appropriate
schema].
This is obviously no indicator of any kind, yet the problem might not be
in the LDIFs or ...

I understood that manage is the LDIF version of full permissions.
Found olcAccess syntax as "olcAccess: to <what> [ by <who>
[<accesslevel>] [<control>] ]+"
My OLC directives for ldapmodify(1) are below:
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK

I tried various combinations, like: olcAccess: {1}to * by dn=cn=config
manage by * read

The command syntax is valid. Yet my configuration does not result in the desired
access rights. Instead, when ldapdelete(1) is invoked with -D
cn=config on records inside non-config databases, I get:
ldap_delete: Insufficient access (50)
additional info: no write access to parent

Please advise.

I thank everyone on the openldap-technical who has been reading my
messages. People on this list have been extremely helpful. Sorry to
continue being a nag.

Sincerely,

Igor Shmukler
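As an added illustration (not from the post and not OpenLDAP's own code), a small Python model of how slapd walks a list of olcAccess directives: it unfolds the LDIF continuation line from the post, parses the two values in {N} order, and reports which level a given bind identity ends up with. Only the "to *" target, the <who> forms the post uses (*, self, dn=, dn.exact=) and the stop/break controls are modelled; a clause with no level is treated as "none", and incremental (+/-/=) privileges are left out.

```python
import re
# Constructed sample: the post's two olcAccess values; the first one is folded across
# two LDIF lines (a leading space continues the previous line).
LDIF = """\
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read
"""
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")

def parse_olcaccess(ldif):
    """Unfold LDIF; return olcAccess values in {N} order as (what, [(who, level, control)])."""
    rules = []
    for line in re.sub(r"\n ", "", ldif).splitlines():
        m = re.match(r"olcAccess: \{(\d+)\}to (\S+) (.*)$", line)
        if not m: continue
        clauses = []
        for part in re.split(r"\bby ", m.group(3))[1:]:  # one '<who> [<level>] [<control>]' each
            toks = part.split()
            level = next((t for t in toks[1:] if t in LEVELS), "none")  # level omitted -> none
            control = next((t for t in toks[1:] if t in ("stop", "break")), "stop")
            clauses.append((toks[0], level, control))
        rules.append((int(m.group(1)), m.group(2), clauses))
    return [(what, clauses) for _, what, clauses in sorted(rules)]

def who_matches(who, bind_dn, target_dn):
    """Only the <who> forms the post uses: '*', 'self', 'dn=...' and 'dn.exact=...'."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith(("dn=", "dn.exact=")):
        return bind_dn is not None and bind_dn.lower() == who.split("=", 1)[1].strip('"').lower()
    return False

def access_level(rules, bind_dn, target_dn):
    """First matching 'by' clause of each directive decides: 'stop' (default) ends evaluation,
    'break' moves to the next directive, whose plain level replaces the earlier one."""
    granted = "none"
    for what, clauses in rules:
        if what != "*":      # the post only uses 'to *'; other targets are not modelled
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in clauses
                    if who_matches(who, bind_dn, target_dn)), None)
        if hit is None:
            return "none"    # no clause matched: implicit 'by * none'
        granted, control = hit
        if control != "break":
            return granted
    return granted
```

With these two values, the ldapi peercred identity gets manage, cn=config gets write and everyone else gets read; keep in mind that they are attached to olcDatabase={0}config and so govern cn=config only, while entries in another database are checked against that database's own olcAccess list.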