On 21/02/15 17:21, Michael Ströder wrote:
hi, it's a bit confusing to a beginner, TLD term occurs so often when one reads about openldap. My configs for both databases are pretty basic, I'm away from that ldap system but I'll get a snapshot of it tomorrow It all felt to me so natural to have a rootdn of one database able to do do the same, manage another database, this I thought would be so helpful in GUIs like Apache's LDAP browser, particularly coping objects between databases trees, that idea that one "root" type of user can manage them all. thanks Michael, I'll try some more reading on access subject, but the fact that I have that:lejeczek wrote:Having multiple top level domainsLet's use clear terminology. You probably mean the naming context, DB suffix.
to * by dn="cn=manger,dc=B,dc=topdom" manage and still cannot write, just perplexed me.
I wanted to allow rootdn from other domain (say B) to have similar access rights to rootdn of home domain (say A) and i put this into config of A domain to * by dn="cn=manger,dc=B,dc=topdom" manage but I get infamous: Insufficient access (50) additional info: no write access to parent Is possible what I try to do, does LDAP allow, i prepared for such a scenario? If yes can I get some light shed on what I got wrong or did not get at all.This is definitely possible but I would not use the rootdn of a DB suffix for this. I'd rather define a group (in any naming context) and assign rights to this group. Also we have to see your complete config to see whether things are complete. Make sure to read and understand slapd-access(5): http://www.openldap.org/software/man.cgi?query=slapd.access Ciao, Michael.