[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: what is wrong with my permissions?

To: Ferenc Wagner <wferi@niif.hu>
Subject: Re: what is wrong with my permissions?
From: Igor Shmukler <igor.shmukler@gmail.com>
Date: Thu, 19 Mar 2015 18:33:14 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vFqx+t+JKD93kZVPytIjOLvwEoMOlnPCIlLxajdtDo8=; b=GnUzwfWm2KiRi5J0b2DBICcA2aQLFxUWm/OWoJWGr51ZWOHAvhEz/Ub92Ze6qCsjMl CaVbby6w2NOjB3bwZGrtYa/rP/JyTsNLxkZdmgeOIA0tFJbWwuj4z/4moKoLGgj64nNd VrHftEx/nkqPsycqfO+ArLfFOzW3wwglVJuCNOrnlbUlPnyvAC2sxSrynPrLYm+Flb3f 9NFgWDa/qnPlLgsIOqscPn+U44KCsMl1dKMyCnarY0cXkUUnuFlpGcoRohensZxqq6Lp ewpb1Yo9GX+hfjm0JMC30yd3qAAj6upGasujWstL2NNRkcCiB4p6ob2L1Vck70eN95Kk UbBw==
In-reply-to: <CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA@mail.gmail.com>
References: <CAA1SNA3S1dySN1BWw7fHv2f21ZU6i4pG0rPWHaJ9LpnuUbYNig@mail.gmail.com> <873851j33t.fsf@lant.ki.iif.hu> <CAA1SNA1aVtzJqAYnXZX5YrchgFwFgREE7wyR=PwjKe5AcNYG1g@mail.gmail.com> <87oanpfanj.fsf@lant.ki.iif.hu> <CAA1SNA2rh4Wz9Yh7ksb8XkwjEgjjLqgQWDjw--j3WSiwRVR3BQ@mail.gmail.com> <874mphf8r8.fsf@lant.ki.iif.hu> <CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA@mail.gmail.com>

Further, I just unsuccessfully tried one more thing: Adding another
line to olcAccess for individual DIT databases, [i.e. dn:
olcDatabase={1}hdb,cn=config and dn: olcDatabase={2}hdb,cn=config ]
olcAccess: {3}to * by dn.exact=cn=config

I am still getting an error: no write access to parent.

A fragment from my slapcat(8) output:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=directory,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com
 " write by * read
olcAccess: {3}to * by dn.exact=cn=config
olcLastMod: TRUE
olcRootDN: cn=admin,dc=directory,dc=com

On Thu, Mar 19, 2015 at 4:03 PM, Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hi Ferenc,
>
> I am still getting the same error with both by and your versions. Please advise:
>
> $ cat set_config_passwd.ldif
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>  ,cn=auth manage by * break
> olcAccess: {1}to * by dn.exact=cn=config
>
> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={0}config,cn=config"
>
> $ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
> ldap_delete: Insufficient access (50)
>   additional info: no write access to parent
>
> I even tried stripping the first line, so the rule was: {0}to * by
> dn.exact=cn=config
> Still gives me the same error.
>
> Please advise,
>
> Igor Shmukler
>
>
> On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
>> Igor Shmukler <igor.shmukler@gmail.com> writes:
>>
>>> I want it to be something like:
>>> olcAccess: {1}to * by dn="cn=config" manage
>>>
>>> Basically, I want dn=cn=config to have full root access over
>>> everything. I also want this password ideally to be password
>>> protected.
>>>
>>> Does it make sense? Can it be done?
>>
>> Sure.  Add this olcAccess attribute to all the databases.  Or to the
>> frontend database, but check man slapd.access for the priorities and
>> defaults.  For what it's worth, I use the syntax
>>
>> to * by dn.exact=cn=config
>>
>> (which should be equivalent to yours).
>> --
>> Feri.

Follow-Ups:
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>

References:
- what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: Re: back-meta: dependency on ldap.conf
Next by Date: Re: what is wrong with my permissions?
Index(es):
- Chronological
- Thread