Re: OpenLDAP permissions question

[Marc Patermann <hans.moser@ofd-z.niedersachsen.de>]

Igor,

Igor Shmukler schrieb (20.03.2015 12:22 Uhr):
> I do have entries for each database. If my suffix is, for example
> dc=test,dc=org, administrator would be cn=admin,dc=test,dc=org
> Administrators have manage access to their databases. This part is
> working fine. I add and remove records as needed. You also wrote one
> per database - this is exactly what I have.
> Unfortunately, despite all the help, I don't see how this is relevant.
I thought, this is what you want!?

> The advice to read documentation is great. In fact, i never hurt.
>
> I am happy to offer a bounty to person who can configure this. I need
> to keep my setup with one config databases with multiple DITs.
This is the basic standard.
You only have one config database.
And one or more data databases.

> I need each DIT database to work as today
whatever this is ...

> - be managed by an authenticated local/suffix root user.
one user per database was what I talked about.
one admin/manange/root user for all databases is even simpler: just use 
the same user in all your databases.

What you cannot do (IMHO), is mapping _one_ system user to _many_ ldap 
users. But I don't think this is necessary.

> I need a way to alter records in any/every DIT
> database using another root - one that would work on ALL DITs.
Use ACL!

> If someone could do this before Sunday morning, please contact me to
> discuss compensation. If I don't get to a result by Sunday morning, I
> have to start changing the architecture so I can show something on
> Monday. :)
Good luck with that!


Marc