
openldap newbie - olcAccess ACL configuration




I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and have read Matt Butcher's 'Mastering …' book and the OpenLDAP Admin Guide, but I'm continuing to struggle to find the information I need to configure it satisfactorily using the dynamic way of working instead of the legacy slapd.conf method. (Any reference on administering LDAP using the dynamic method would be appreciated.)


I have OpenLDAP basically configured to answer queries using the Manager object, but I want to remove the current privileges and have just two accounts in the system OU: one with read-only access to the users OU and all objects therein, and one with the equivalent of Manager rights to the users OU that I can give to my devs so they can create their own users.


I would retain the Manager account for full access, but would just like to give out the readonly and readwrite accounts in the system OU with permissions to the users OU, and remove users' permissions to anything but themselves.

My intention is to delete the existing olcAccess rules and implement a new set, but I can’t get rid of the old rules as it’s not letting me.



When I try:

    ldapmodify -x -W -H "ldap://HOSTNAME" -D "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f acl_delete_file.ldif

I receive:

    modifying entry "olcDatabase={2}hdb,cn=config"
    ldap_modify: Insufficient access (50)



The delete LDIF looks like this (the record is one block; a blank line would end it, and changetype: modify makes the operation explicit):

    # {2}hdb, config
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    delete: olcAccess


I am using the default hdb database.



I understood 'Manager' had full access to everything regardless; can anyone shed any light on why this request would be refused?



Gary Spencer
Infrastructure Project Engineer

Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307

The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.
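Added example, not part of the original post or any reply to it. The "Insufficient access" comes from the fact that a rootdn is only special inside its own database: cn=Manager,dc=... is the olcRootDN of olcDatabase={2}hdb, so it bypasses ACLs under that suffix, but cn=config is a separate database (olcDatabase={0}config) with its own rootdn and its own olcAccess, and cn=Manager is an ordinary (unprivileged) identity there. The script below assumes the RHEL-packaged defaults, where cn=config grants manage rights to the local root user binding over ldapi:/// with SASL EXTERNAL (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth); if that ACL has been changed, bind with -D and the olcRootDN/olcRootPW of olcDatabase={0}config instead. The suffix dc=example,dc=com, the account names cn=readonly / cn=readwrite under ou=system, and ou=users are stand-ins for the poster's DNs and should be edited. The ACL set is written as a single replace of olcAccess rather than delete followed by add, so there is never a moment with no ACLs on the database; the rootdn keeps full access regardless, because rootdn is not subject to ACLs. Reference material for the dynamic method is slapd-config(5) and, for the ACL syntax, slapd.access(5).

```shell
#!/bin/sh
# Added example (not from the original post). Edit these to match your tree.
SUFFIX="dc=example,dc=com"                 # stand-in for dc=SUBDOMAIN,dc=DOMAIN,dc=TLD
DB_DN="olcDatabase={2}hdb,cn=config"       # the database whose olcAccess is being replaced
RO_DN="cn=readonly,ou=system,$SUFFIX"      # assumed read-only service account
RW_DN="cn=readwrite,ou=system,$SUFFIX"     # assumed read-write account for the devs
USERS="ou=users,$SUFFIX"                   # subtree the two accounts are scoped to
SYSTEM="ou=system,$SUFFIX"                 # subtree holding the service accounts

# Emit one LDIF modify record that replaces the whole olcAccess attribute.
# Rules are evaluated in {n} order and the first matching "to" clause wins,
# so the userPassword rule must come before the broader subtree rules.
# Continuation lines start with a single space (LDIF folding).
acl_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="$RW_DN" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.subtree="$USERS"
  by dn.exact="$RW_DN" write
  by dn.exact="$RO_DN" read
  by self read
  by * none
olcAccess: {2}to dn.subtree="$SYSTEM"
  by self read
  by * none
olcAccess: {3}to * by * none
EOF
}

# Apply as root over the local socket. SASL EXTERNAL maps the uid 0 peer to
# the cn=peercred identity that the shipped cn=config ACL grants manage on;
# cn=Manager of the hdb suffix has no rights over olcDatabase={0}config.
apply_acl() {
  acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read back the live ACLs so the result can be checked after applying.
show_acl() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" olcAccess
}

case "${1:-}" in
  apply) apply_acl ;;
  show)  show_acl ;;
  *)     acl_ldif ;;   # default: print the LDIF for review before applying
esac
```

Run it with no argument first and read the LDIF; then `sh acl.sh apply` as root on the server, and `sh acl.sh show` to confirm. Rule {0} is what lets the readonly, readwrite and ordinary user accounts still bind (anonymous auth on userPassword) while letting each user change only its own password; rule {1} gives the two service accounts their read or write scope over ou=users, including the right to add children under it; the catch-all {3} denies everything else to everyone except the rootdn.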