Re: what is wrong with my permissions?
Hi Ferenc,
I am still getting the same error with both my and your versions. Please advise:
$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
additional info: no write access to parent
I even tried stripping the first line, so the rule was: {0}to * by
dn.exact=cn=config
Still gives me the same error.
Please advise,
Igor Shmukler
On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>
>> I want it to be something like:
>> olcAccess: {1}to * by dn="cn=config" manage
>>
>> Basically, I want dn=cn=config to have full root access over
>> everything. I also want this password ideally to be password
>> protected.
>>
>> Does it make sense? Can it be done?
>
> Sure. Add this olcAccess attribute to all the databases. Or to the
> frontend database, but check man slapd.access for the priorities and
> defaults. For what it's worth, I use the syntax
>
> to * by dn.exact=cn=config
>
> (which should be equivalent to yours).
> --
> Feri.
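
Added example, not part of either message: the quoted reply says to put the rule on all the databases or on the frontend, so this sketch reads a cn=config dump, finds the database that holds the entry being deleted, and lists any olcAccess values there or on the frontend that name the bind DN. SAMPLE is constructed; the `{1}mdb` database, its ACL and the helper names are assumptions, and the match is textual, not an evaluation of slapd's ACL logic.

```python
import re

FRONTEND = "olcDatabase={-1}frontend,cn=config"
# Constructed cn=config excerpt; the {1}mdb database and its ACL are assumptions.
SAMPLE = """\
dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=directory,dc=com
olcAccess: {0}to * by self write by * read
"""

def parse_databases(ldif):
    """Unfold LDIF continuation lines; return {entry dn: {attr: [values]}}."""
    entries = {}
    for block in ldif.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def owning_database(entries, target_dn):
    """Config DN of the database with the longest olcSuffix matching target_dn."""
    best, target = (None, ""), target_dn.lower()
    for dn, attrs in entries.items():
        for suffix in map(str.lower, attrs.get("olcSuffix", [])):
            if (target == suffix or target.endswith("," + suffix)) and len(suffix) > len(best[1]):
                best = (dn, suffix)
    return best[0]

def rules_naming(entries, target_dn, bind_dn):
    """olcAccess values naming bind_dn on the owning database or the frontend."""
    who = re.compile(r'by\s+dn(\.\w+)?="?' + re.escape(bind_dn) + r'"?(\s|$)', re.I)
    hits = []
    for dn in (owning_database(entries, target_dn), FRONTEND):
        hits += [(dn, r) for r in entries.get(dn, {}).get("olcAccess", []) if who.search(r)]
    return hits

if __name__ == "__main__":
    db = parse_databases(SAMPLE)
    print(owning_database(db, "cn=john,dc=directory,dc=com"))
    print(rules_naming(db, "cn=john,dc=directory,dc=com", "cn=config"))
```

With this sample the rule naming cn=config sits only on the config database, so the list for cn=john,dc=directory,dc=com comes back empty.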