On Mon, Sep 12, 2005 at 03:47:12PM -0700, Howard Chu wrote:
> The config database currently does not honor ACLs; it is hardcoded to
> only allow access to the rootdn.

I'm having a problem with this (ol-2.3.7). I get back an "insufficient access"
error when attempting to modify an entry under cn=config as its rootdn.

The config portion from slapd.conf is this:
"""
database config
rootdn "uid=andreas,cn=digest-md5,cn=auth"
database bdb
suffix "o=company,c=br"
rootdn "cn=Manager,o=company,c=br"
rootpw password
(...)
"""

The only ACL lines are below the "database bdb" definition and all begin with
"access to dn.subtree="o=company,c=br" ...

I migrated this file to slapd.d and started slapd. Logging in as the
cn=config rootdn and trying to change a config parameter gives me this
(slapd -d 128 output):
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "entry"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "objectClass"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDatabase"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcSuffix"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcAccess"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcLastMod"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcMaxDerefDepth" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcReadOnly"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcRootDN"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcRootPW"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbDirectory" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbCacheSize" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbCheckpoint" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbConfig"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbNoSync"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbDirtyRead" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbIDLcacheSize" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbIndex"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbLinearIndex" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbMode"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbSearchStack" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcDbShmKey"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "olcLimits"
requested
<= root access granted
=> access_allowed: backend default write access denied to
"uid=andreas,cn=digest-md5,cn=auth"

The client gets back an "insufficient access" error. Is this a bug or am I
doing something wrong?

/etc/openldap/slapd.d is mode 0750 owner ldap and all files under it are owned
by ldap.
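
Added example, not part of the original message: a Python helper that condenses a "slapd -d 128" ACL trace like the one above into grant counts and the denial records, so the single denied check stands out from the run of root grants. The function names are hypothetical, and the embedded sample is constructed from a few lines of the trace with the mail line wraps left in.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the trace above, still mail-wrapped.
SAMPLE = r'''
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config" "entry"
requested
<= root access granted
=> access_allowed: read access to "olcDatabase={1}bdb,cn=config"
"olcDbDirectory" requested
<= root access granted
=> access_allowed: backend default write access denied to
"uid=andreas,cn=digest-md5,cn=auth"
'''

REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested$')
GRANT = re.compile(r'^<= (.+) access granted$')
DENY = re.compile(r'^=> access_allowed: (.+?) (\w+) access denied to "([^"]*)"$')

def rejoin(text):
    """Undo mail wrapping: a line not starting with => or <= continues the previous one."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(("=>", "<=")) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Return (Counter of (level, grant kind), list of denial records)."""
    granted, denials, pending = Counter(), [], None
    for line in rejoin(text):
        if m := REQ.match(line):
            pending = m.group(1)              # access level of the open request
        elif (m := GRANT.match(line)) and pending:
            granted[(pending, m.group(1))] += 1
            pending = None
        elif m := DENY.match(line):
            denials.append({"reason": m.group(1), "level": m.group(2), "who": m.group(3)})
    return granted, denials

if __name__ == "__main__":
    grants, denials = summarize(SAMPLE)
    print(dict(grants), denials)
```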