Re: what is wrong with my permissions?
Igor Shmukler <igor.shmukler@gmail.com> writes:
> I understood that manage is the LDIF version of full permissions.
Yes, that goes further than write permission by allowing (e.g.) the
relax rules control. I couldn't find definitive documentation on this.
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
> ,cn=auth manage by * break
> olcAccess: {1}to * by self write by dn="cn=config" write by * read
Note that this rule allows generic write access to cn=config inside the
config database only.
http://www.openldap.org/devel/admin/slapdconf2.html#Access%20Control%20Evaluation
> when ldapdelete(1) is invoked, I get:
> ldap_delete: Insufficient access (50)
> additional info: no write access to parent
You don't say, but your latest question suggests that you're trying to
delete an entry outside of cn=config, which is not covered by the above
olcAccess line. What was your exact ldapdelete command?
--
Feri.
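
Added example (not part of the original message): a Python sketch of the point made in the reply, that the olcAccess rules on olcDatabase={0}config cover only entries inside the config database. The second database, its olcSuffix dc=example,dc=com and the helper names are assumptions; frontend ACLs and escaped commas in DNs are not modelled.

```python
# Constructed cn=config excerpt: the config database rules are the ones quoted
# in the thread; the mdb database and dc=example,dc=com are assumptions.
SAMPLE_CONFIG = """\
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by * read
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_databases(ldif):
    """Return {dn, suffixes, acls} for each entry in the excerpt."""
    dbs = []
    for block in "\n".join(unfold(ldif)).split("\n\n"):
        db = {"dn": None, "suffixes": [], "acls": []}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "dn":
                db["dn"] = value
                # The config database has the fixed suffix cn=config (no olcSuffix).
                if value.lower().startswith("olcdatabase={0}config,"):
                    db["suffixes"].append("cn=config")
            elif attr == "olcSuffix":
                db["suffixes"].append(value)
            elif attr == "olcAccess":
                db["acls"].append(value)
        if db["dn"]:
            dbs.append(db)
    return dbs

def governing_database(dbs, entry_dn):
    """Pick the database with the longest suffix matching entry_dn (naive DN compare)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    target = norm(entry_dn)
    hits = [(len(norm(s)), db) for db in dbs for s in db["suffixes"]
            if target == norm(s) or target.endswith("," + norm(s))]
    return max(hits, key=lambda h: h[0])[1] if hits else None
```

For an entry under dc=example,dc=com the function returns the mdb database, so the manage rule on the config database never enters the evaluation for that entry.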