
Re: what is wrong with my permissions?



Hi Ferenc,

I am still getting the same error with both my and your versions. Please advise:

$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
  additional info: no write access to parent

I even tried stripping the first line, so the rule was:

{0}to * by dn.exact=cn=config

Still gives me the same error.

Please advise,

Igor Shmukler


On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>
>> I want it to be something like:
>> olcAccess: {1}to * by dn="cn=config" manage
>>
>> Basically, I want dn=cn=config to have full root access over
>> everything. I also want this password ideally to be password
>> protected.
>>
>> Does it make sense? Can it be done?
>
> Sure.  Add this olcAccess attribute to all the databases.  Or to the
> frontend database, but check man slapd.access for the priorities and
> defaults.  For what it's worth, I use the syntax
>
> to * by dn.exact=cn=config
>
> (which should be equivalent to yours).
> --
> Feri.
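The thread turns on where an olcAccess rule was placed versus which database the operation actually hits: the rule above was added to olcDatabase={0}config,cn=config, while the ldapdelete targets cn=john,dc=directory,dc=com. As an added example (not part of this thread, and not OpenLDAP's own tooling), the Python script below reads a cn=config style LDIF export, selects the database that would serve a given DN by longest matching suffix, and lists which databases carry an olcAccess `by` clause naming a given identity. The config snapshot is constructed for the example: the `{1}mdb` database, its suffix and its ACLs are assumptions, and the script assumes the config backend's suffix is always cn=config.

```python
"""Report which slapd database serves a DN and whether that database's
olcAccess rules name a given identity.

Added example, not from the original thread.  Assumptions: databases are
olcDatabase={N}<backend>,cn=config entries carrying olcSuffix and olcAccess,
the config backend's suffix is cn=config, and slapd picks the database with
the longest suffix matching the target DN.
"""
import re

# Constructed cn=config export (not a real server): the {0}config database
# carries the rules from the thread, the hypothetical {1}mdb database holds
# dc=directory,dc=com and has no rule mentioning cn=config at all.
CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=directory,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by * read
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on
    blank lines, return a list of {attribute: [values]} dicts."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded line: join to previous
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                 # sentinel flushes last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_within(dn, suffix):
    """True if dn equals suffix or lies below it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def databases(entries):
    """Collect (name, suffix, olcAccess values) for each database entry."""
    dbs = []
    for e in entries:
        name = e.get("olcDatabase", [None])[0]
        if name is None:
            continue
        if name.endswith("config"):
            suffix = "cn=config"                 # assumption: fixed config suffix
        elif "olcSuffix" in e:
            suffix = e["olcSuffix"][0]
        else:
            continue                             # e.g. {-1}frontend has no suffix
        dbs.append({"name": name, "suffix": suffix, "access": e.get("olcAccess", [])})
    return dbs


def select_database(dbs, target_dn):
    """Longest matching suffix wins (assumed slapd backend selection)."""
    best = None
    for db in dbs:
        if dn_is_within(target_dn, db["suffix"]):
            if best is None or len(normalize_dn(db["suffix"])) > len(normalize_dn(best["suffix"])):
                best = db
    return best


def acl_subjects(olc_access_value):
    """Return the normalized <who> of every 'by' clause in one olcAccess value."""
    subjects = []
    for clause in re.split(r"\s+by\s+", olc_access_value)[1:]:
        who = clause.split()[0]
        m = re.match(r'dn(?:\.\w+)?="?([^"]*)"?$', who)   # dn=, dn.exact=, quoted or not
        subjects.append(normalize_dn(m.group(1)) if m else who.lower())
    return subjects


def databases_granting(dbs, identity_dn):
    """Names of databases whose olcAccess rules mention identity_dn in a by clause."""
    ident = normalize_dn(identity_dn)
    return [db["name"] for db in dbs if any(ident in acl_subjects(a) for a in db["access"])]


def explain(config_ldif, target_dn, identity_dn):
    """Which database serves target_dn, and do its own ACLs name identity_dn?"""
    dbs = databases(parse_ldif(config_ldif))
    db = select_database(dbs, target_dn)
    granting = databases_granting(dbs, identity_dn)
    if db is None:
        return {"database": None, "acl_names_identity": False, "granting": granting}
    return {"database": db["name"], "suffix": db["suffix"],
            "acl_names_identity": db["name"] in granting, "granting": granting}


if __name__ == "__main__":
    for target in ("cn=john,dc=directory,dc=com", "olcDatabase={1}mdb,cn=config"):
        print(target, "->", explain(CONFIG_LDIF, target, "cn=config"))
```

Run against the constructed snapshot, the entry cn=john,dc=directory,dc=com resolves to `{1}mdb`, whose ACLs never mention cn=config, while the only database granting cn=config anything is `{0}config`; that is exactly the mismatch Feri's advice to add the attribute to all the databases addresses.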