[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: what is wrong with my permissions?

Hi Ferenc,

I am still getting the same error with both by and your versions. Please advise:

$ cat set_config_passwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by dn.exact=cn=config

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "olcDatabase={0}config,cn=config"

$ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
  additional info: no write access to parent

I even tried stripping the first line, so the rule was: {0}to * by
Still gives me the same error.

Please advise,

Igor Shmukler

On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>> I want it to be something like:
>> olcAccess: {1}to * by dn="cn=config" manage
>> Basically, I want dn=cn=config to have full root access over
>> everything. I also want this password ideally to be password
>> protected.
>> Does it make sense? Can it be done?
> Sure.  Add this olcAccess attribute to all the databases.  Or to the
> frontend database, but check man slapd.access for the priorities and
> defaults.  For what it's worth, I use the syntax
> to * by dn.exact=cn=config
> (which should be equivalent to yours).
> --
> Feri.