Re: How do I allow root to edit mdb database?
- To: openldap-technical@openldap.org
- Subject: Re: How do I allow root to edit mdb database?
- From: John Lewis <oflameo2@gmail.com>
- Date: Fri, 5 Aug 2016 07:42:18 -0400
- In-reply-to: <20160802154323.GA3920@comet>
- References: <b96fc521-78e1-7936-08a5-66b304e7f4d0@gmail.com> <20160802154323.GA3920@comet>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.1.0
On 08/02/2016 11:43 AM, Ryan Tandy wrote:
> On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:
>> How do I allow root aka
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
>> olcDatabase={1}mdb,cn=config.
>
> Besides olcAuthRegex mentioned by other posters, setting up an
> explicit access control entry for that DN is another option.
>
> If you installed slapd from the Debian archive, the default access
> rules for the config database include:
>
> # Config db settings
> dn: olcDatabase=config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: config
> # Allow unlimited access to local connection from the local root user
> olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>
> You could grant root-like access to the root user by copying that
> access line to your mdb database.
Root can read, but it can't write.
dictator@soothsayer:~$ sudo ldapadd -H ldapi:/// -f add_ldap-connect1.ldif -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"
ldap_add: Insufficient access (50)
additional info: no write access to parent
I am guessing that it has something to do with the order of the ACLs.
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to * by * read
olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {3}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break