
Re: How do I allow root to edit mdb database? [SOLVED]



On 08/05/2016 07:42 AM, John Lewis wrote:
> On 08/02/2016 11:43 AM, Ryan Tandy wrote:
>> On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:
>>> How do I allow root aka
>>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
>>> olcDatabase={1}mdb,cn=config.
>> Besides olcAuthRegex mentioned by other posters, setting up an
>> explicit access control entry for that DN is another option.
>>
>> If you installed slapd from the Debian archive, the default access
>> rules for the config database include:
>>
>> # Config db settings
>> dn: olcDatabase=config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: config
>> # Allow unlimited access to local connection from the local root user
>> olcAccess: to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> manage by * break
>>
>> You could grant root-like access to the root user by copying that
>> access line to your mdb database.
> Root can read, but it can't write.
>
> dictator@soothsayer:~$ sudo ldapadd  -H ldapi:/// -f
> add_ldap-connect1.ldif  -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> adding new entry "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent
>
> I am guessing that it has something to do with the order of the ACLs.
>
> olcAccess: {0}to dn.base="" by * read
> olcAccess: {1}to * by * read
> olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {3}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

I reorganized the olcAccess and now root can write to the directory.

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
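The ordering effect behind both results, as an added Python model that is not part of the thread and not OpenLDAP code: it parses the olcAccess lines quoted above and evaluates them the way slapd.access(5) describes (the first rule whose "to" clause matches is selected, its first matching "by" clause decides, and "break" carries the level granted so far into the next rule). With the original order, {1}to * by * read stops evaluation before root's manage rule is ever reached; with the reordered set root gets manage. The parent DN is taken from the ldapadd output above; the "continue" control and +/- privilege syntax are not modelled.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def parse_access(line):  # '{1}to * by * read' -> ('*', [('*', 'read', 'stop')])
    what, *clauses = [p.strip() for p in re.sub(r"^\{\d+\}to ", "", line.strip()).split(" by ")]
    parsed = []
    for clause in clauses:
        who, *opts = clause.split()
        level = next((t for t in opts if t in LEVELS), None)   # None: mask left unchanged
        control = "break" if "break" in opts else "stop"       # 'continue' is not modelled
        parsed.append((who, level, control))
    return what, parsed

def what_matches(what, target_dn, attr):
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    return what == "*" or (what == 'dn.base=""' and target_dn == "")

def who_matches(who, subject_dn, target_dn):
    if who.startswith("dn.exact="):
        return subject_dn == who[9:]
    return who == "*" or (who == "anonymous" and not subject_dn) or (who == "self" and subject_dn == target_dn)

def effective_access(olc_access, subject_dn, target_dn, attr="entry"):
    """Level granted to subject_dn on (target_dn, attr): first matching <what> rule is
    selected, its first matching <by> clause decides; 'break' falls through to the next rule."""
    granted = "none"
    for what, by_clauses in map(parse_access, olc_access):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level, control in by_clauses:
            if who_matches(who, subject_dn, target_dn):
                granted = level or granted
                if control == "stop":
                    return granted
                break           # 'break': keep the level so far, scan the next olcAccess rule
        else:
            return "none"       # no <by> clause matched: implicit 'by * none stop'
    return granted

ORIGINAL = [                    # the order that produced "no write access to parent"
    '{0}to dn.base="" by * read',
    '{1}to * by * read',
    '{2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
    '{3}to * by dn.exact=' + ROOT + ' manage by * break',
]
REORDERED = [ORIGINAL[3], ORIGINAL[0], ORIGINAL[1], ORIGINAL[2]]   # root rule moved to {0}
PARENT = "ou=People,dc=d,dc=oflameo,dc=com"                        # parent of cn=ldap-connect1
```

Running it also shows that in both orders the attrs=userPassword rule sits behind "to * by * read" and is never reached, so anonymous binds get read on userPassword; placing the attrs rule ahead of the "to * by * read" rule makes it effective again.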