Re: OpenLDAP permissions question

[Dan White <dwhite@cafedemocracy.org>]

On 03/19/15 22:33 +0200, Igor Shmukler wrote:
> Hello Dieter,
>
> $ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> I have been trying to delete a record using LDAPI as well as -D
> cn=config with a password. I have also added commands olcAccess to
> both dn: olcDatabase={0}config,cn=config as well as dn:
> olcDatabase={1}hdb,cn=config [DIT] databases.
>
> The result is always the same: ldap_delete: Insufficient access (50)
> additional info: no write access to parent

If your goal is to manage your server using EXTERNAL over ldapi:///,
configuring a olcAuthzRegexp is a far simpler approach. Map
'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' to your rootdn
identity and you'll bypass acl restrictions altogether. 

--
Dan White