Re: Changing rootdn password while it's in the db (not in slapd.conf)?

["m h" <sesquile@gmail.com>]

I'll answer my own question!

On 2/8/07, m h <sesquile@gmail.com> wrote:
> So, now back to my original issue.  Updating the rootdn password.
> When I try the following it fails::
>  ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com
> cn=Manager,dc=example,dc=com
> New password:
> Re-enter new password:
> ldap_initialize( <DEFAULT> )
> Result: Insufficient access (50)

You silly person!  You haven't set any ACLs!  If you would have read here [1]
you would see how to create a group and set acl's in the slapd.conf file.

Here I'll give you an example, add the following to your ldif::

#add groups for acl
# create FIRST Level groups branch

dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch

# create the admin entry under groups
dn: cn=admin,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: admin
description: Admin group
member: cn=Manager,dc=example,dc=com


Noticed how we made our rootdn user (cn=Manager,dc=example,dc=com) a member
of the admin group.

Now in slapd.conf add the following::

##let admin user change everything
# ACL1 see http://www.zytrax.com/books/ldap/ch5/step2.html
access to attr=userpassword
      by self       write
      by anonymous  auth
      by group.exact="cn=admin,ou=groups,dc=example,dc=com"
                    write
      by *          none

good luck!

-matt

1 - http://www.zytrax.com/books/ldap/ch5/step2.html