[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Re: what is wrong with my permissions?

To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Subject: Re: Re: what is wrong with my permissions?
From: Igor Shmukler <igor.shmukler@gmail.com>
Date: Mon, 23 Mar 2015 17:24:59 +0200
Cc: Ferenc Wagner <wferi@niif.hu>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LyZMnCnqXkAQ6gu4q1Nxe3trHyIkyUJoynjNnL/DhUQ=; b=twdnKiXhdbPllRiyIu+XyUA5ZSfeMXtsuttD6F9jclOAyJU0gspLvwabJhsko8f6Vs JykVEJY0PmJ0Aw4JrciO+2DV6EG6oe2ZkvysPSRjvT9Qjn1tsehwhdMPKZhBjKQljUEh JsDM2QuP/tFvblbasW7eIUVPsysQlMHR7DPBankTZKy5b5A4Gxs0K2GHx451lX6FV5Qf P/uiwqzDzIKbJaXwfcxZ4axFV4k8Jwubm302iZZF2pTdJYcepc/J3c6lkdQre02py4bM fDAN1Dq0LhseZ0SlS6umaQsRB3E58ODBcJzN3zM4WwZbgUzHPpR87zeSOW/wsdKix7og e0Ag==
In-reply-to: <551034B1020000A1000198F3@gwsmtp1.uni-regensburg.de>
References: <CAA1SNA3S1dySN1BWw7fHv2f21ZU6i4pG0rPWHaJ9LpnuUbYNig@mail.gmail.com> <873851j33t.fsf@lant.ki.iif.hu> <CAA1SNA1aVtzJqAYnXZX5YrchgFwFgREE7wyR=PwjKe5AcNYG1g@mail.gmail.com> <87oanpfanj.fsf@lant.ki.iif.hu> <CAA1SNA2rh4Wz9Yh7ksb8XkwjEgjjLqgQWDjw--j3WSiwRVR3BQ@mail.gmail.com> <874mphf8r8.fsf@lant.ki.iif.hu> <CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA@mail.gmail.com> <551034B1020000A1000198F3@gwsmtp1.uni-regensburg.de>

Hello Ulrich,

Thank you.
I finally figured out my problem. I did not notice/realize that
permissions were being given in stages: userPassword, dn.base then *.
Once I added dn="cn=config" to the correct line, things started
working.
I appreciate your help. [This is already, at least, the second time.]

Sincerely,

Igor Shmukler


On Mon, Mar 23, 2015 at 4:43 PM, Ulrich Windl
<Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>>> Igor Shmukler <igor.shmukler@gmail.com> schrieb am 19.03.2015 um 15:03 in
> Nachricht
> <CAA1SNA1h-FRxM=+MHqnTVncZscj-CS5avHbT4NvqcRMnh+_zMA@mail.gmail.com>:
>> Hi Ferenc,
>>
>> I am still getting the same error with both by and your versions. Please
>> advise:
>>
>> $ cat set_config_passwd.ldif
>> dn: olcDatabase={0}config,cn=config
>> changetype: modify
>> replace: olcAccess
>> olcAccess: {0}to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>>  ,cn=auth manage by * break
>> olcAccess: {1}to * by dn.exact=cn=config
>>
>> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> modifying entry "olcDatabase={0}config,cn=config"
>
> Igor,
>
> you allow cn=config to manage the config database, but below you remove an entry from another database with cn=config credentials.
>
>>
>> $ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
>> ldap_delete: Insufficient access (50)
>>   additional info: no write access to parent
>>
>> I even tried stripping the first line, so the rule was: {0}to * by
>> dn.exact=cn=config
>> Still gives me the same error.
>
> Check the ACL in the other database!
>
>>
>> Please advise,
>>
>> Igor Shmukler
>>
>>
>> On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <wferi@niif.hu> wrote:
>>> Igor Shmukler <igor.shmukler@gmail.com> writes:
>>>
>>>> I want it to be something like:
>>>> olcAccess: {1}to * by dn="cn=config" manage
>>>>
>>>> Basically, I want dn=cn=config to have full root access over
>>>> everything. I also want this password ideally to be password
>>>> protected.
>>>>
>>>> Does it make sense? Can it be done?
>>>
>>> Sure.  Add this olcAccess attribute to all the databases.  Or to the
>>> frontend database, but check man slapd.access for the priorities and
>>> defaults.  For what it's worth, I use the syntax
>>>
>>> to * by dn.exact=cn=config
>>>
>>> (which should be equivalent to yours).
>>> --
>>> Feri.
>
>
>
>

References:
- what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>
- Re: what is wrong with my permissions?
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: what is wrong with my permissions?
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: Re: Antw: Re: external authentication source
Next by Date: Questionable log entries
Index(es):
- Chronological
- Thread