Re: OpenLDAP permissions question
- To: Dieter Klünter <dieter@dkluenter.de>
- Subject: Re: OpenLDAP permissions question
- From: Igor Shmukler <igor.shmukler@gmail.com>
- Date: Thu, 19 Mar 2015 22:33:58 +0200
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <20150319211315.2165743c@pink.avci.de>
- References: <CAA1SNA35_XD61coDn73c+qqSk7=LrpfZs7HqT0oxDG3s3b8TZw@mail.gmail.com> <20150319211315.2165743c@pink.avci.de>
Hello Dieter,
$ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
I have been trying to delete a record using LDAPI as well as -D
cn=config with a password. I have also added olcAccess rules to
both dn: olcDatabase={0}config,cn=config and dn:
olcDatabase={1}hdb,cn=config [DIT] databases.
The result is always the same: ldap_delete: Insufficient access (50)
additional info: no write access to parent
Sincerely,
Igor Shmukler
On Thu, Mar 19, 2015 at 10:13 PM, Dieter Klünter <dieter@dkluenter.de> wrote:
> Am Wed, 18 Mar 2015 23:28:35 +0200
> schrieb Igor Shmukler <igor.shmukler@gmail.com>:
>
>> Hello,
>>
>> I have been spamming this list, looking for insights into why I cannot
>> configure OpenLDAP to use cn=config to delete an entry inside a DIT.
>> Sorry.
>>
>> Just now thought of and conducted another experiment. The results
>> surprised me. If someone can please explain why OpenLDAP behaves this
>> way, and whether this can be altered through configuration, it would
>> certainly get me further on my way.
>>
>> When I try to delete an entry using LDAPI as below:
>> $ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
>> ldap_delete: Insufficient access (50)
>> additional info: no write access to parent
>>
>> I do the same using the domain administrator credentials as below and it
>> works fine:
>> $ ldapdelete -D cn=admin,dc=directory,dc=google,dc=com -W -x
>> cn=john,dc=directory,dc=com
>>
>> Why does LDAPI not work? What can be done?
>
> probably because of insufficient authz-regexp ?
>
> What is the result of ldapwhoami -Y EXTERNAL -H ldapi:///
> or sudo ldapwhoami -Y EXTERNAL -H ldapi:///
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>
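The two fixes discussed in this thread, written out as an added example (not part of the original messages or of the OpenLDAP project): either grant the SASL/EXTERNAL peercred identity that ldapwhoami reports its own rights on the DIT, or map that identity onto the admin DN with an authz-regexp so the ACLs that already work for cn=admin apply. The suffix dc=directory,dc=com, the database index olcDatabase={1}hdb and the admin DN cn=admin,dc=directory,dc=com are assumptions taken from the commands quoted above; adjust them to the real directory.

```ldif
# Added example, not from the thread. Assumes the suffix dc=directory,dc=com,
# the admin DN cn=admin,dc=directory,dc=com and the database index
# olcDatabase={1}hdb shown in the messages; adjust all three as needed.
# Apply as root over the UNIX socket, i.e. as the identity ldapwhoami reported:
#   sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f grant-peercred.ldif

# Option A: grant the peercred identity manage rights on the whole DIT.
# Deleting an entry needs write access on the entry itself AND on the parent
# entry's "children" pseudo-attribute; "no write access to parent" is the
# second check failing, so a rule scoped only to the target entry is not enough.
# {0} places the rule first; "by * break" lets the existing rules still apply
# to every other identity.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * break

# Option B (Dieter's suggestion): rewrite the peercred identity to the admin
# DN at bind time, so no ACL changes are required. The "+" in the SASL DN is
# a regex metacharacter and must be escaped.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=directory,dc=com
```

Use one option or the other, not both. After applying Option B, `sudo ldapwhoami -Y EXTERNAL -H ldapi:///` should report `dn:cn=admin,dc=directory,dc=com` instead of the peercred DN; after Option A it still reports the peercred DN, and the delete should succeed because the first ACL now covers both the entry and its parent. Either option makes local root equivalent to the directory administrator, which is usually intended for ldapi but worth stating in the ACL comments.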