granting write privileges to alternate updatedn

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Subject: granting write privileges to alternate updatedn

From: "Heinemann, Peter G" <phei@isc.upenn.edu>

Date: Tue, 23 Oct 2018 13:48:06 +0000

Accept-language: en-US

Authentication-results: spf=none (sender IP is ) smtp.mailfrom=phei@isc.upenn.edu;

Content-language: en-US

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PennO365.onmicrosoft.com; s=selector1-isc-upenn-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=m7AvL+IN8G40WOy+s6qexf+5q2304tncDj/fA0hMlZw=; b=fp2WIMdw1reSXedXt6jxdR7tSmKiwU75rahoGIJsLoS3/islB22QoG3/JoJN6cDzg5b4CUizCsLjAb4cAW9WQtFKJdSCBg3OpYXuNLRUPlSrvWMwCQ032qLOU/n2VG971T6OhsOM75whypGEA90yA0qbb69onMdFDj75I97k95A=

Spamdiagnosticmetadata: NSPM

Spamdiagnosticoutput: 1:99

Thread-index: AQHUatXgmXKOFjNczESlYwdaOiUPZw==

Thread-topic: granting write privileges to alternate updatedn

Running Openldap 2.4.40 under RHEL 6.10

Trying to get this to work without success (from the slapd.access man page):

" One useful application is to easily grant write privileges to an updatedn that is different from the rootdn.

In this case, since the updatedn needs write access to (almost) all data, one can use

access to *

by dn.exact="cn=The Update DN,dc=example,dc=com" write

by * break "

I have this as the only access rule in slapd.conf but any write operation using this dn gives me insufficient access, and slapacl verifies that read access only is permitted.

access to dn.subtree="dc=university,dc=edu"

by dn.exact="cn=grouper-admin,dc=university,dc=edu" write

by * break

Standard rootdn works fine. This system is a master for two consumers, but there's no external access to the master so a stripped-down acl list is appropriate.

Thanks for any direction for what I've missed.

Peter