[Date Prev][Date Next] [Chronological] [Thread] [Top]

what is wrong with my permissions?


Sorry. I need help, again!

I am trying to configure my OpenLDAP so that cn=config has full
over-the-network write-access with a password.I thought at one point
that I got the permissions working. It turns out, those are not
working, now. Please say what I am doing wrong.

Last time, I had a similar problem with policy. Michael S. saved me a
bunch of time by advising to load ppolicy.ldif [with the appropriate
schema]. This is obviously no indicator of any kind, yet the problem
might be not in the LDIFs or ...

I understood that manage is the LDIF version of full permissions.
Found olcAccess syntax as "olcAccess: to <what> [ by <who>
[<accesslevel>] [<control>] ]+"
My OLC directives for ldapmodify(1) are below:
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK

I tried various combinations, like: olcAccess: {1}to * by dn=cn=config
manage by * read

The old commands are valid, yet do not result in the desired
configuration. Instead, when ldapdelete(1) is invoked, I get:
ldap_delete: Insufficient access (50)
additional info: no write access to parent

Please advise.

I thank everyone on who has been reading my messages. People on this
list have been extremely helpful.


Igor Shmukler