[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cross DIT/TLD rootdn - or allow a foreign rootdn

On 21/02/15 17:21, Michael Ströder wrote:
lejeczek wrote:
Having multiple top level domains
Let's use clear terminology.
You probably mean the naming context, DB suffix.
hi, it's a bit confusing to a beginner, TLD term occurs so often when one reads about openldap. My configs for both databases are pretty basic, I'm away from that ldap system but I'll get a snapshot of it tomorrow It all felt to me so natural to have a rootdn of one database able to do do the same, manage another database, this I thought would be so helpful in GUIs like Apache's LDAP browser, particularly coping objects between databases trees, that idea that one "root" type of user can manage them all. thanks Michael, I'll try some more reading on access subject, but the fact that I have that:

to *  by dn="cn=manger,dc=B,dc=topdom" manage

and still cannot write, just perplexed me.

I wanted to allow rootdn from other domain
(say B) to have similar access rights to rootdn of home domain (say A)
and i put this into config of A domain

to *  by dn="cn=manger,dc=B,dc=topdom" manage

but I get infamous:

Insufficient access (50)
     additional info: no write access to parent

Is possible what I try to do, does LDAP allow, i prepared for such a scenario?
If yes can I get some light shed on what I got wrong or did not get at all.
This is definitely possible but I would not use the rootdn of a DB suffix for
this. I'd rather define a group (in any naming context) and assign rights to
this group.

Also we have to see your complete config to see whether things are complete.

Make sure to read and understand slapd-access(5):


Ciao, Michael.