
Re: what is wrong with my permissions?



Hello Ferenc,

Thank you for the email.
Yes, I want to delete an entry inside DIT. You are correct.

I tried the below:
$ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_delete: Insufficient access (50)
    additional info: no write access to parent

As you suggested, this is not working. Can this work somehow? I would
rather just use cn=config with a password, which I am able to set. LDAPI
works too, although not my preferred route.

Sincerely,

Igor Shmukler

On Thu, Mar 19, 2015 at 1:30 AM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>
>> I understood that manage is the LDIF version of full permissions.
>
> Yes, that goes further than write permission by allowing (e.g.) the
> relax rules control.  I couldn't find definitive documentation on this.
>
>> dn: olcDatabase={0}config,cn=config
>> changetype: modify
>> replace: olcAccess
>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>>  ,cn=auth manage by * break
>> olcAccess: {1}to * by self write by dn="cn=config" write by * read
>
> Note that this rule allows generic write access to cn=config inside the
> config database only.
> http://www.openldap.org/devel/admin/slapdconf2.html#Access%20Control%20Evaluation
>
>> when ldapdelete(1) is invoked, I get:
>> ldap_delete: Insufficient access (50)
>> additional info: no write access to parent
>
> You don't tell, but your latest question suggests that you're trying to
> delete an entry outside of cn=config, which is not covered by the above
> olcAccess line.  What was your exact ldapdelete command?
> --
> Feri.
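Since the olcAccess rule quoted above lives in olcDatabase={0}config, it only governs cn=config; for the ldapi:/// peercred identity to delete cn=john,dc=directory,dc=com, the data database needs its own rule. The LDIF below is an added example for this thread (not posted by either participant); it assumes the data backend is olcDatabase={1}mdb,cn=config, which you should confirm first.

```ldif
# Added example: grant the local root identity (as seen over ldapi:///)
# manage access on the DATA database, not just on cn=config.
# ASSUMPTION: the data backend holding dc=directory,dc=com is
# olcDatabase={1}mdb,cn=config. Confirm with:
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config \
#        '(olcSuffix=dc=directory,dc=com)' dn
# and adjust the dn: line below if it differs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# {0} inserts this rule first; "by * break" then falls through to the
# existing rules, so ordinary users keep whatever access they had.
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
# Alternative: an olcRootDN/olcRootPW set on this same database bypasses
# ACL evaluation entirely for that DN, which matches the "cn=config with a
# password" route mentioned above; prefer one mechanism, not both.
```

Apply it with `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f grant-peercred.ldif` (the {0}config rule already lets this identity manage cn=config), then rerun the ldapdelete; slapacl(8) can be used beforehand to check that the identity has write access to both the entry and its parent.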