Re: what is wrong with my permissions?
Further, I just unsuccessfully tried one more thing: Adding another
line to olcAccess for individual DIT databases, [i.e. dn:
olcDatabase={1}hdb,cn=config and dn: olcDatabase={2}hdb,cn=config ]
olcAccess: {3}to * by dn.exact=cn=config
I am still getting an error: no write access to parent.
A fragment from my slapcat(8) output:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=directory,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com
" write by * read
olcAccess: {3}to * by dn.exact=cn=config
olcLastMod: TRUE
olcRootDN: cn=admin,dc=directory,dc=com
On Thu, Mar 19, 2015 at 4:03 PM, Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hi Ferenc,
>
> I am still getting the same error with both my and your versions. Please advise:
>
> $ cat set_config_passwd.ldif
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
> ,cn=auth manage by * break
> olcAccess: {1}to * by dn.exact=cn=config
>
> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={0}config,cn=config"
>
> $ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
> ldap_delete: Insufficient access (50)
> additional info: no write access to parent
>
> I even tried stripping the first line, so the rule was: {0}to * by
> dn.exact=cn=config
> Still gives me the same error.
>
> Please advise,
>
> Igor Shmukler
>
>
> On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
>> Igor Shmukler <igor.shmukler@gmail.com> writes:
>>
>>> I want it to be something like:
>>> olcAccess: {1}to * by dn="cn=config" manage
>>>
>>> Basically, I want dn=cn=config to have full root access over
>>> everything. I also want this password ideally to be password
>>> protected.
>>>
>>> Does it make sense? Can it be done?
>>
>> Sure. Add this olcAccess attribute to all the databases. Or to the
>> frontend database, but check man slapd.access for the priorities and
>> defaults. For what it's worth, I use the syntax
>>
>> to * by dn.exact=cn=config
>>
>> (which should be equivalent to yours).
>> --
>> Feri.
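The ordering behaviour behind the "no write access to parent" error discussed in this thread, as an added example that is not part of the thread and not OpenLDAP's own code: a small Python model of slapd's first-match evaluation of olcAccess values (slapd.access(5)), run over a constructed slapcat-style fragment modelled on the {1}hdb rules quoted above (folded lines kept, admin DN spelled consistently). It shows that a `to * by dn.exact=cn=config` rule placed after `{2}to * ... by * read` is never reached, that moving it to the front without a fall-through clause locks every other requester out, and that `to * by dn.exact=cn=config manage by * break` (the `by * break` idiom the thread already uses for the config database) gives cn=config full access while the existing rules keep working. Names such as `HDB_FRAGMENT`, `granted_level`, `delete_allowed` and `with_config_rule` are mine; the model assumes an omitted access level counts as `write` and that a `to` clause with no matching `by` acts as an implicit `by * none`.

```python
"""Simplified model of slapd ACL evaluation (slapd.access(5)): the first 'to'
clause whose <what> matches the target is selected; within it the first 'by'
clause whose <who> matches the requester sets the level and, unless it says
'break', evaluation stops. Constructed teaching code, not OpenLDAP's own."""
import re
from collections import namedtuple

# Access levels in increasing order; each one implies all the levels below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
By = namedtuple("By", "who level control")   # control: "stop" (default) or "break"
Acl = namedtuple("Acl", "what bys")

def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space marks a folded line (as slapcat emits)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def norm_dn(dn):
    """Case-insensitive DN comparison with quotes and spaces around commas removed."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def parse_olc_access(value):
    """Parse one olcAccess value such as '{2}to * by self write by * read'."""
    m = re.match(r"^(?:\{\d+\})?\s*to\s+(.*)$", value.strip())
    if not m:
        raise ValueError("not an access rule: %r" % value)
    what, *by_parts = re.split(r"\s+by\s+", m.group(1))
    bys = []
    for part in by_parts:
        tokens = part.split()
        level, control = "write", "stop"  # assumption: an omitted level counts as write
        for tok in tokens[1:]:
            if tok in LEVELS:
                level = tok
            elif tok in ("stop", "break"):
                control = tok
        bys.append(By(tokens[0], level, control))
    return Acl(what.strip(), bys)

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    for prefix in ("dn.base=", "dn.exact="):
        if what.startswith(prefix):
            return norm_dn(target_dn) == norm_dn(what[len(prefix):])
    return False

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "self":
        return requester != "" and norm_dn(requester) == norm_dn(target_dn)
    for prefix in ("dn.exact=", "dn="):
        if who.startswith(prefix):
            return norm_dn(requester) == norm_dn(who[len(prefix):])
    return False

def granted_level(acls, requester, target_dn, attr=None):
    """Walk the rules in order and return the level the requester ends up with."""
    level = "none"  # simplification: nothing matched at all
    for acl in acls:
        if not what_matches(acl.what, target_dn, attr):
            continue
        for by in acl.bys:
            if who_matches(by.who, requester, target_dn):
                level = by.level
                if by.control == "break":
                    break  # fall through to the next 'to' clause; a later match overrides
                return level
        else:
            return "none"  # 'to' matched but no 'by' did: the implicit 'by * none'
    return level

def allowed(acls, requester, target_dn, needed, attr=None):
    return LEVELS.index(granted_level(acls, requester, target_dn, attr)) >= LEVELS.index(needed)

def delete_allowed(acls, requester, entry_dn):
    """ldapdelete needs write access to the parent's children; that check is what
    'no write access to parent' reports."""
    parent = entry_dn.split(",", 1)[1]
    return allowed(acls, requester, parent, "write", attr="children")

# Constructed slapcat(8)-style fragment modelled on the thread's {1}hdb rules,
# folded lines included and the admin DN spelled consistently.
HDB_FRAGMENT = """\
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=directory,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,dc=com
 " write by * read
olcAccess: {3}to * by dn.exact=cn=config
"""

def load_acls(fragment):
    return [parse_olc_access(line.split(":", 1)[1])
            for line in unfold_ldif(fragment) if line.startswith("olcAccess:")]

def with_config_rule(acls, fall_through):
    """Prepend a cn=config rule; with fall_through it ends in 'by * break'."""
    rule = "to * by dn.exact=cn=config manage" + (" by * break" if fall_through else "")
    return [parse_olc_access(rule)] + acls

if __name__ == "__main__":
    john, admin = "cn=john,dc=directory,dc=com", "cn=admin,dc=directory,dc=com"
    for label, acls in [("thread order", load_acls(HDB_FRAGMENT)),
                        ("cn=config first, no break", with_config_rule(load_acls(HDB_FRAGMENT), False)),
                        ("cn=config first, by * break", with_config_rule(load_acls(HDB_FRAGMENT), True))]:
        print(label, "| cn=config may delete john:", delete_allowed(acls, "cn=config", john),
              "| admin on john:", granted_level(acls, admin, john))
```

With the thread's order, cn=config reaches the `{2}` catch-all first and is given `read` by its `by * read` clause, so the `{3}` rule never runs; putting the cn=config rule first without `by * break` makes the admin's own write access disappear, which is why the fall-through clause belongs on such a rule.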