[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP permissions question

Ferenc Wagner wrote:
Igor Shmukler <igor.shmukler@gmail.com> writes:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
  s auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" wri
  te by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" wr
  ite by * read

OK, I think I understand your problem now.  As Brendan mentioned,
cn=config is not a user object, you can't set a userPassword on it.
It's still possible to bind to it, because it's your RootDN, and RootPW
is set.  But this will give it access to its own database only, and skip
ACL processing anyway.  So the idea I gave you is good, but you have to
use a normal user object with userPassword instead of cn=config.  You
can't create such an object in the config database, but anything else
goes; let's say its cn=root,dc=example,dc=com.  Use this in your ACLs
for each database (cn=config included, if you want):

olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage

and you should be set.  So to correct my answer to your original
question: what you want (use cn=config with simple bind to manage all
your databases) is not possible.  Using any normal user object instead
of cn=config should work, though.  At least according to my limited
understanding.  Sorry for mistaking this earlier.

This is false. You can use cn=config with simple bind just like any other RootDN.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/