Re: LDAP browsers and cn=config

[Gervase Markham <gerv@mozilla.org>]

Hi Torsten,

Thanks for your help!

On 07/03/11 17:37, Torsten Schlabach (Tascel eG) wrote:
> Take a look at the olcAccess attribute values of your cn=config database.
> This should tell you who's allowed to read it or not.

I did add a value to try and make this work (see below), but perhaps I 
haven't done all that's necessary.

> It depends where your cn=config data comes from, but in many examples you
> will find an olcAccess attribute granting write access to a DN called
> cn=admin,cn=config. You need to have that object in your cn=config database
> then and it should have the password attribute set.
>
> Post the olcAccess sections of your LDIF here, I think this may help.

Here is my olcDatabase={0}config.ldif, with some comments:

dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by 
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
# This one added by me recently:
olcAccess: {0}to * by dn.exact=cn=admin,cn=config manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 9dfea13e-dd1c-102f-8cc4-2fe95e0d0dbe
creatorsName: cn=config
createTimestamp: 20110307153755Z
entryCSN: 20110307153755.993390Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110307153755Z
# These two added by me recently:
oldRootDN: cn=admin,cn=config
olcRootPW: config

So it looks like I just need to make sure I have the cn=admin,cn=config 
object in my database. And I think I can probably add it using the magic 
-Y EXTERNAL method and ldapadd. However, I don't know how to construct 
it - what objectClass should it have?

Gerv