Marc,

Thank you for the explanations. I appreciate your time. I also appreciate the help people on the list have given me, including Michael, Ferenc and others. I don't even recall everyone's name. I am thinking about giving up, though.

I even have a hard time understanding your messages, let alone OpenLDAP configuration steps. I do have entries for each database. If my suffix is, for example, dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org. Administrators have manage access to their databases. This part is working fine. I add and remove records as needed. You also wrote one per database - this is exactly what I have. Unfortunately, despite all the help, I don't see how this is relevant. The advice to read the documentation is great. In fact, it never hurts.

I am happy to offer a bounty to the person who can configure this. I need to keep my setup with one config database with multiple DITs. I need each DIT database to work as today - be managed by an authenticated local/suffix root user. I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs.

If someone could do this before Sunday morning, please contact me to discuss compensation. If I don't get to a result by Sunday morning, I have to start changing the architecture so I can show something on Monday. :)

Sincerely,
Igor Shmukler

On Fri, Mar 20, 2015 at 1:09 PM, Marc Patermann <[email protected]> wrote:
> Igor,
>
> Igor Shmukler wrote (20.03.2015 11:59):
>
>>> - or make your first steps with ACLs and another user entry.
>>
>> What do I do here?
>
> read about ACL in the man pages and the admin guide!?
>
>>> Do you need multiple mappings?
>>
>> I understand that the config database would allow me to have up to fifty
>> mappings. I just don't understand how those could work for my need.
>>
>>> As you are one user on your system, this maps to one user in ldap with
>>> olcAuthzRegexp.
>>> As Michael already posted:
>>>
>>> authz-regexp
>>> "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>>> "cn=root,dc=example,dc=com"
>>>
>>> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
>>
>> I don't understand how this COULD work. Please explain why admin in
>> DIT 1 would have manage right to DIT 2.
>
> He doesn't have to! But he can.
>
> Go back to:
>
> - Configure a rootdn with rootpw for each database. Use this to
> authenticate to slapd and modify things.
> This works? Fine, go on.
> - Create a user entry inside your DIT
> _for every database admin you want_.
> Use _these entries_ as rootdn (one per database!).
> This works? Fine, go on.
> - Delete the rootdn from config and make the user entry admin by an ACL.
>
>
> Marc
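As an added worked example (not part of this thread, and not OpenLDAP project code), the three steps Marc lists plus the authz-regexp Michael posted, expressed as a single cn=config LDIF for the setup Igor describes: one config database, several DITs, each DIT managed by its own admin entry, and one extra "root" that can manage all of them. The two suffixes dc=test,dc=org and dc=second,dc=org, the database indexes {1} and {2}, and the admin entries cn=admin,dc=test,dc=org and cn=admin,dc=second,dc=org are assumptions; it also assumes slapd listens on ldapi:/// so that the local uid 0 can bind with SASL EXTERNAL and be mapped by olcAuthzRegexp. The mapped DN cn=root,dc=example,dc=com does not have to exist as an entry; it is only an authorization identity that the per-database ACLs name explicitly, which is why it reaches every DIT without any DIT's admin gaining rights on another.

```ldif
# Added example, not from the thread. Assumed: two mdb databases {1} and {2}
# under cn=config with suffixes dc=test,dc=org and dc=second,dc=org, admin
# entries already created inside each DIT with a userPassword, and slapd
# listening on ldapi:///. Apply as the local root user with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f global-root.ldif

# 1. Map the local uid 0 (peercred over ldapi) to one global authorization
#    DN. The escaping of '+' is the form quoted earlier in the thread.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"

# 2. First DIT: drop the per-database rootdn/rootpw (rootpw first, it is
#    invalid without a rootdn) and grant the same rights by ACL, both to
#    this DIT's own admin entry and to the global root. "by * none break"
#    falls through to the database's remaining olcAccess rules for
#    everyone else, so ordinary users keep whatever access they had.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
-
delete: olcRootDN
-
add: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=root,dc=example,dc=com" manage
  by dn.exact="cn=admin,dc=test,dc=org" manage
  by * none break

# 3. Second DIT: same pattern, a different local admin, the same global
#    root. cn=admin,dc=test,dc=org is not listed here and therefore has
#    no rights in this database.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcRootPW
-
delete: olcRootDN
-
add: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=root,dc=example,dc=com" manage
  by dn.exact="cn=admin,dc=second,dc=org" manage
  by * none break
```

Two checks worth running afterwards: `ldapwhoami -Y EXTERNAL -H ldapi:///` as the local root should answer `dn:cn=root,dc=example,dc=com`, which confirms the mapping; and an `ldapmodify -x -D cn=admin,dc=test,dc=org -W` against an entry under dc=second,dc=org should be refused with insufficient access, which confirms the DIT admins stay confined. Note that once olcRootDN is gone the admins are ordinary entries whose power comes only from the ACL, so the `by dn.exact=... manage` clauses are the whole security boundary and must be present in every database.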
