
Re: OpenLDAP permissions question



Hello Dan and Michael,

I have a server with a config database and a few DIT databases. I use
online configuration. A little while ago, I knew nothing about
OpenLDAP. Now, with your help, I understand a lot more, yet still
little, and am able to achieve even less.

I want individual administrators [those from within each DIT] to be
able to browse within their tree, and the cn=config administrator to be
able to search through all records on the server, across DITs. If this
is too difficult, I would go for LDAPI.
As a temporary workaround, LDAPI would be amazing.

None of it is working yet. I tried a bunch of suggestions, many of which
I don't fully understand. Nothing has worked so far.

Specifically, I cannot understand why the below, applied to the
config database, does not work, if I did set the password.
olcAccess: {0}to * by dn="cn=config" manage

Sincerely,

Igor Shmukler

On Thu, Mar 19, 2015 at 11:16 PM, Dan White <dwhite@cafedemocracy.org> wrote:
> On 03/19/15 23:05 +0200, Igor Shmukler wrote:
>>
>> Hello Dan,
>>
>> I must have done something wrong, yet this thing did not work either.
>> One: the delete still failed with the usual error, and second - I got
>> an error concerning my olcs:
>>
>> 550b380f /etc/ldap/slapd.d: line 1: rootdn is always granted unlimited
>> privileges.
>> 550b380f olcRootPW: value #0: <olcRootPW> can only be set when rootdn
>> is under suffix
>
>
> You don't need to set olcRootPW in this case. See slapd-config(5).
>
> --
> Dan White
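One way to express the cross-DIT read access asked for above, as an added LDIF example that is not from this thread or from the OpenLDAP project. It assumes the config administrator authenticates as cn=admin,cn=config and that one DIT lives in olcDatabase={1}mdb with suffix dc=example,dc=com (all assumptions); it leaves the config database's own rootdn settings untouched, since, as the error in the thread says, the rootdn already holds unlimited privileges within its own database.

```ldif
# Added example (assumed names: cn=admin,cn=config as the config
# administrator, olcDatabase={1}mdb as one DIT database).
#
# Rootdn privileges do not cross database boundaries: the config
# database's rootdn has no special rights inside a DIT database, so
# it must be named in that database's olcAccess to search it. The
# DIT's own rootdn needs no ACL entry for its own tree.
#
# Continuation lines start with two spaces: LDIF strips the first,
# the second keeps the "by" clauses separated.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=admin,cn=config" read
  by * none
olcAccess: {1}to *
  by dn.exact="cn=admin,cn=config" read
  by self write
  by users read
  by * none
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`, then confirm with an `ldapsearch` bound as cn=admin,cn=config against the DIT suffix.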