Re: OpenLDAP permissions question
- To: openldap-technical@openldap.org
- Subject: Re: OpenLDAP permissions question
- From: Dieter Klünter <dieter@dkluenter.de>
- Date: Thu, 19 Mar 2015 21:13:15 +0100
- In-reply-to: <CAA1SNA35_XD61coDn73c+qqSk7=LrpfZs7HqT0oxDG3s3b8TZw@mail.gmail.com>
- Organization: AVCI
- References: <CAA1SNA35_XD61coDn73c+qqSk7=LrpfZs7HqT0oxDG3s3b8TZw@mail.gmail.com>
On Wed, 18 Mar 2015 23:28:35 +0200,
Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hello,
>
> I have been spamming this list, looking for insights into why I cannot
> configure OpenLDAP to use cn=config to delete an entry inside a DIT.
> Sorry.
>
> Just now thought of and conducted another experiment. The results
> surprised me. If someone can please explain why OpenLDAP behaves this
> way, and whether this can be altered through configuration, it would
> certainly get me further on my way.
>
> When I try to delete an entry using LDAPI as below:
> $ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
> ldap_delete: Insufficient access (50)
> additional info: no write access to parent
>
> I do the same using domain administrator credentials and below and it
> works fine:
> $ ldapdelete -D cn=admin,dc=directory,dc=google,dc=com -W -x
> cn=john,dc=directory,dc=com
>
> Why does LDAPI not work? What can be done?
Probably because of an insufficient authz-regexp?
What is the result of ldapwhoami -Y EXTERNAL -H ldapi:///
or sudo ldapwhoami -Y EXTERNAL -H ldapi:///
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
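
Added example, not part of the original message: a helper for reading the answer to the ldapwhoami question above. It tells whether the SASL EXTERNAL identity reported over ldapi:/// is still the raw peer-credential DN or has been rewritten by an authz-regexp. The function name classify_whoami and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify one line of stdout from:
#   ldapwhoami -Y EXTERNAL -H ldapi:///
# classify_whoami is a hypothetical helper name, not an OpenLDAP tool.

classify_whoami() {
    authzid=$1
    case $authzid in
        dn:gidNumber=*+uidNumber=*,cn=peercred,cn=external,cn=auth)
            # Raw peer-credential identity: no authz-regexp rewrote it,
            # so ACLs are evaluated against this literal DN.
            ids=${authzid#dn:gidNumber=}
            gid=${ids%%+*}
            uid=${ids#*+uidNumber=}
            uid=${uid%%,*}
            echo "unmapped uid=$uid gid=$gid"
            ;;
        dn:?*)
            # Any other DN: the identity was mapped (or is a normal bind DN).
            echo "mapped ${authzid#dn:}"
            ;;
        *)
            # ldapwhoami prints "anonymous" when no identity was established.
            echo "anonymous"
            ;;
    esac
}

# Constructed sample lines (not output captured from the poster's server):
# root via sudo, an ordinary user, and an identity mapped to a directory DN.
for sample in \
    'dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' \
    'dn:gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth' \
    'dn:cn=admin,dc=example,dc=com'
do
    printf '%s\n  -> %s\n' "$sample" "$(classify_whoami "$sample")"
done

# Live use on the LDAP host (requires a running slapd with ldapi enabled):
#   classify_whoami "$(sudo ldapwhoami -Y EXTERNAL -H ldapi:/// 2>/dev/null)"
```

An "unmapped" result means write access in the DIT has to be granted to that peercred DN in the database ACLs, or the DN has to be mapped to an entry that already has the access.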