Hello Ulrich,

Thank you. I finally figured out my problem. I did not notice/realize that permissions were being given in stages: userPassword, dn.base then *. Once I added dn="cn=config" to the correct line, things started working.

I appreciate your help. [This is already, at least, the second time.]

Sincerely,
Igor Shmukler

On Mon, Mar 23, 2015 at 4:43 PM, Ulrich Windl <[email protected]> wrote:
>>>> Igor Shmukler <[email protected]> wrote on 19.03.2015 at 15:03 in
> message
> <CAA1SNA1h-FRxM=+mhqntvnczscj-cs5avhbt4nvqcrmnh+_...@mail.gmail.com>:
>> Hi Ferenc,
>>
>> I am still getting the same error with both my and your versions. Please
>> advise:
>>
>> $ cat set_config_passwd.ldif
>> dn: olcDatabase={0}config,cn=config
>> changetype: modify
>> replace: olcAccess
>> olcAccess: {0}to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>> ,cn=auth manage by * break
>> olcAccess: {1}to * by dn.exact=cn=config
>>
>> $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_passwd.ldif
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> modifying entry "olcDatabase={0}config,cn=config"
>
> Igor,
>
> you allow cn=config to manage the config database, but below you remove an
> entry from another database with cn=config credentials.
>
>>
>> $ ldapdelete -x -D cn=config -W cn=john,dc=directory,dc=com
>> ldap_delete: Insufficient access (50)
>> additional info: no write access to parent
>>
>> I even tried stripping the first line, so the rule was: {0}to * by
>> dn.exact=cn=config
>> Still gives me the same error.
>
> Check the ACL in the other database!
>
>>
>> Please advise,
>>
>> Igor Shmukler
>>
>>
>> On Thu, Mar 19, 2015 at 2:54 PM, Ferenc Wagner <[email protected]> wrote:
>>> Igor Shmukler <[email protected]> writes:
>>>
>>>> I want it to be something like:
>>>> olcAccess: {1}to * by dn="cn=config" manage
>>>>
>>>> Basically, I want dn=cn=config to have full root access over
>>>> everything. I also want this password ideally to be password
>>>> protected.
>>>>
>>>> Does it make sense? Can it be done?
>>>
>>> Sure. Add this olcAccess attribute to all the databases. Or to the
>>> frontend database, but check man slapd.access for the priorities and
>>> defaults. For what it's worth, I use the syntax
>>>
>>> to * by dn.exact=cn=config
>>>
>>> (which should be equivalent to yours).
>>> --
>>> Feri.
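As an added example, not posted by anyone in the thread: the fix Igor describes, written out for the data database rather than the config database. The database name `olcDatabase={1}mdb`, the suffix `dc=directory,dc=com` and the three existing stages (userPassword, dn.base, *) are assumptions modelled on a Debian-style default; the point it shows is that every stage that can match the target needs its own `by dn.exact="cn=config" manage` clause.

```ldif
# Added example, not from the thread. Assumptions: the data database is
# olcDatabase={1}mdb,cn=config (check the real name with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase)
# and its current olcAccess list is the three stages Igor mentions.
#
# Why the config-database rule in the thread did not help: each database
# carries its own olcAccess list, and within a list only the first "to"
# clause that matches the target is evaluated. Deleting
# cn=john,dc=directory,dc=com needs write access to the entry and to the
# parent's "children" pseudo-attribute; both fall under "to *" here, so
# cn=config has to be granted in that stage (and in the earlier stages if
# it should also be able to manage userPassword and the root DSE).
# In LDIF a line starting with a space continues the previous value, so the
# "  by" lines below fold into one olcAccess value each.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=config" manage
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base=""
  by dn.exact="cn=config" manage
  by * read
olcAccess: {2}to *
  by dn.exact="cn=config" manage
  by * read
```

Apply it with the same `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` command used in the thread; afterwards `slapacl -F /etc/ldap/slapd.d -b dc=directory,dc=com -D cn=config children/write` (config path assumed, run as root) reports whether cn=config now has the write access on the parent that the `ldap_delete` error complained about.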
