[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How do I allow root to edit mdb database? [SOLVED]

To: openldap-technical@openldap.org
Subject: Re: How do I allow root to edit mdb database? [SOLVED]
From: John Lewis <oflameo2@gmail.com>
Date: Fri, 5 Aug 2016 08:10:36 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=BQT7YJeJC35ixx4F9HoMrxuRg5oT4pIvCEz1SRSBbIk=; b=fnQRir7zsc84KJ8VaR/IXVvdnH7PXhOuohgwl4F+RPgTDVSGAjtV/SMtRf9G7JbfjB W3bHCiUo3hTCgdApUR7j5dTKiEzA8GXhRMGGmZINjGH9rr4pwlwJQupqlLjt/Mpxqes/ cvBj3+ppYzPTGRiqD3oYnFqEbXUl2z4oYP5iUfZZIafSoV9TVLHbV8VHWqT/u4i7dOe1 Xo8zGNrhXhyNEl/XeQFtpyx5iAtcu1g2EvV4CUa2s0e28pLRDY7iBHdlq+4X5O6ljMff w7/aTaNie4n1l6lCqCRhXdS0D5SVWrs18+RNv53/EHcoMpsj4lapLAftdiPpqHl9j23n 9TDg==
In-reply-to: <f4835738-b3c9-1636-6264-c5b761551154@gmail.com>
References: <b96fc521-78e1-7936-08a5-66b304e7f4d0@gmail.com> <20160802154323.GA3920@comet> <f4835738-b3c9-1636-6264-c5b761551154@gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.1.0

On 08/05/2016 07:42 AM, John Lewis wrote:
> On 08/02/2016 11:43 AM, Ryan Tandy wrote:
>> On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:
>>> How do I allow root aka
>>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
>>> olcDatabase={1}mdb,cn=config.
>> Besides olcAuthRegex mentioned by other posters, setting up an
>> explicit access control entry for that DN is another option.
>>
>> If you installed slapd from the Debian archive, the default access
>> rules for the config database include:
>>
>> # Config db settings
>> dn: olcDatabase=config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: config
>> # Allow unlimited access to local connection from the local root user
>> olcAccess: to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> manage by * break
>>
>> You could grant root-like access to the root user by copying that
>> access line to your mdb database.
> Root can read, but it can't write.
>
> dictator@soothsayer:~$ sudo ldapadd  -H ldapi:/// -f
> add_ldap-connect1.ldif  -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> adding new entry "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent
>
> I am guessing that it has something to do with the order of the ACLs.
>
> olcAccess: {0}to dn.base="" by * read
> olcAccess: {1}to * by * read
> olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by
> anonymou
>  s auth by * none
> olcAccess: {3}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>  ,cn=auth manage by * break
>
>

I reorganized the olcAccess and now root can write to the directory.

olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by * none

Follow-Ups:
- Re: How do I allow root to edit mdb database? [SOLVED]
  - From: Frank Swasey <Frank.Swasey@uvm.edu>

References:
- How do I allow root to edit mdb database?
  - From: John Lewis <oflameo2@gmail.com>
- Re: How do I allow root to edit mdb database?
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: How do I allow root to edit mdb database?
  - From: John Lewis <oflameo2@gmail.com>

Prev by Date: Re: How do I allow root to edit mdb database?
Next by Date: Re: How do I allow root to edit mdb database? [SOLVED]
Index(es):
- Chronological
- Thread