
Re: openldap newbie - olcAccess ACL configuration



On Wed, 23 Dec 2015 10:30:41 +0000
Gary Spencer <gspencer@sis.tv> wrote:

> Hi,
> 
> 
> I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and
> have read Matt Butcher's 'Mastering ...' book and the
> OpenLDAP-Admin-Guide but I'm continuing to struggle to find the
> information I need to satisfactorily configure using the dynamic way
> of working instead of using the legacy slapd.conf method.  (Any
> reference to administering ldap using dynamic method would be
> appreciated)
> 
> I have OpenLDAP basically configured to answer queries using the
> Manager object, but I want to remove current privileges and have just
> two accounts in the system ou - one with read only to the users ou
> and all objects therein, and one with the equivalent of Manager
> rights to the users OU that I can give to my devs to create their own
> users.
> 
> I would retain the Manager account for full access, but would just
> like to give out the readonly and readwrite accounts in system OU
> permissions to users OU, and remove users permissions to anything but
> themselves. My intention is to delete the existing olcAccess rules
> and implement a new set, but I can't get rid of the old rules as it's
> not letting me.
> 
> 
> When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D
> "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f
> acl_delete_file.ldif' I receive: 'modifying entry
> "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'

Please note that the config database should have a rootDN set; if not
set, it defaults to cn=config, see slapd-config(5).
Thus, MANAGER has no write access to the config database.
[...]
> I understood 'Manager' had full access to everything regardless, can
> anyone shed any light on why this request would be refused ?

No, rootDN only has manage access to the configured database. Every
database should have a rootdn declaration. For more information see
slapd.conf(5), section general database options.

-Dieter

 
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
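
An added example, not part of the original mail or of OpenLDAP itself: a small audit script that reads a cn=config LDIF dump and reports, per database, which olcRootDN is set and whether a given bind DN is that database's rootDN. The sample LDIF is constructed to mirror the situation in the thread (Manager set on the {2}hdb database only), and the function names are hypothetical.

```python
# Added example: the LDIF below is constructed sample data, not the poster's real config.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor

dn: olcDatabase={2}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=SUBDOMAIN,dc=DOMAIN,dc=TLD
olcRootDN: cn=Manager,dc=SUBDOMAIN,
 dc=DOMAIN,dc=TLD
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr: [values]} dicts."""
    unfolded = text.replace("\n ", "")  # LDIF continuation: newline + one space
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    """Simplified DN normalisation (assumption: no escaped commas in the DN)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def rootdn_report(ldif_text, bind_dn):
    """Map each olcDatabase entry DN to (olcRootDN or None, bind_dn is its rootDN)."""
    report = {}
    for e in parse_ldif(ldif_text):
        if "olcdatabase" not in e:
            continue
        root = e.get("olcrootdn", [None])[0]
        report[e["dn"][0]] = (root, root is not None and norm_dn(root) == norm_dn(bind_dn))
    return report

if __name__ == "__main__":
    bind = "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD"
    for db, (root, is_root) in rootdn_report(SAMPLE_CONFIG_LDIF, bind).items():
        print(f"{db}: olcRootDN={root!r} bind-is-rootDN={is_root}")
```

The entry being modified, olcDatabase={2}hdb,cn=config, is stored in the config database, so the row that matters for the failed ldapmodify is the one for olcDatabase={0}config.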