[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap newbie - olcAccess ACL configuration

Am Wed, 23 Dec 2015 10:30:41 +0000
schrieb Gary Spencer <gspencer@sis.tv>:

> Hi,
> I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and
> have read Matt Butcher's 'Mastering ...' book and the
> OpenLDAP-Admin-Guide but I'm continuing to struggle to find the
> information I need to satisfactorily configure using the dynamic way
> of working instead of using the legacy slapd.conf method.  (Any
> reference to administering ldap using dynamic method would be
> appreciated)
> I have OpenLDAP basically configured to answer queries using the
> Manager object, but I want to remove current privileges and have just
> two accounts in the system ou - one with read only to the users ou
> and all objects therein, and one with the equivalent of Manager
> rights to the users OU that I can give to my devs to create their own
> users.
> I would retain the Manager account for full access, but would just
> like to give out the readonly and readwrite accounts in system OU
> permissions to users OU, and remove users permissions to anything but
> themselves. My intention is to delete the existing olcAccess rules
> and implement a new set, but I can't get rid of the old rules as it's
> not letting me.
> When I try 'ldapmodify -x -W -H "ldap://HOSTNAME"; -D
> "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f
> acl_delete_file.ldif'        I receive :- 'modifying entry
> "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'

Please note that the config database should have a rootDN set, if not
set, it defaults to cn=config, see slapd-config(5).
Thus, MANAGER has no write access to config database.
> I understood 'Manager' had full access to everything regardless, can
> anyone shed any light on why this request would be refused ?

No, rootDN only hase manage access to the configured database. every
database should have a rootdn declaration. For more information see
slapd.conf(5), section general database options. 


Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B