Re: OpenLDAP permissions question

[Igor Shmukler <igor.shmukler@gmail.com>]

Hello Dan,

I must have done something wrong, yet this thing did not work either.
One: the delete still failed with the usual error, and second - I got
an error concerning my olcs:

550b380f /etc/ldap/slapd.d: line 1: rootdn is always granted unlimited
privileges.
550b380f olcRootPW: value #0: <olcRootPW> can only be set when rootdn
is under suffix
550b380f config error processing olcDatabase={0}config,cn=config:
<olcRootPW> can only be set when rootdn is under suffix
slapcat: bad configuration file!

After running the above command, I actually dropped my OpenLDAP server
and rebuilt in by running a bunch of prepared scripts, so go back to
the point where my settings made more sense. I have been experimenting
for a bit too long without refreshing the environment. I am concerned
that something stale is causing my problems.

Sincerely,

Igor Shmukler


On Thu, Mar 19, 2015 at 10:42 PM, Dan White <dwhite@cafedemocracy.org> wrote:
> On 03/19/15 22:33 +0200, Igor Shmukler wrote:
>>
>> Hello Dieter,
>>
>> $ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>
>> I have been trying to delete a record using LDAPI as well as -D
>> cn=config with a password. I have also added commands olcAccess to
>> both dn: olcDatabase={0}config,cn=config as well as dn:
>> olcDatabase={1}hdb,cn=config [DIT] databases.
>>
>> The result is always the same: ldap_delete: Insufficient access (50)
>> additional info: no write access to parent
>
>
> If your goal is to manage your server using EXTERNAL over ldapi:///,
> configuring a olcAuthzRegexp is a far simpler approach. Map
> 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' to your rootdn
> identity and you'll bypass acl restrictions altogether.
> --
> Dan White