On Wed, 23 Dec 2015 10:30:41 +0000, Gary Spencer <[email protected]> wrote:
> Hi,
>
>
> I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and
> have read Matt Butcher's 'Mastering ...' book and the
> OpenLDAP-Admin-Guide but I'm continuing to struggle to find the
> information I need to satisfactorily configure using the dynamic way
> of working instead of using the legacy slapd.conf method. (Any
> reference to administering ldap using dynamic method would be
> appreciated)
>
> I have OpenLDAP basically configured to answer queries using the
> Manager object, but I want to remove current privileges and have just
> two accounts in the system ou - one with read only to the users ou
> and all objects therein, and one with the equivalent of Manager
> rights to the users OU that I can give to my devs to create their own
> users.
>
> I would retain the Manager account for full access, but would just
> like to give out the readonly and readwrite accounts in system OU
> permissions to users OU, and remove users permissions to anything but
> themselves. My intention is to delete the existing olcAccess rules
> and implement a new set, but I can't get rid of the old rules as it's
> not letting me.
>
>
> When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D
> "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f
> acl_delete_file.ldif' I receive :- 'modifying entry
> "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)'

Please note that the config database should have a rootDN set; if not set, it defaults to cn=config, see slapd-config(5). Thus, MANAGER has no write access to config database.

[...]

> I understood 'Manager' had full access to everything regardless, can
> anyone shed any light on why this request would be refused ?

No, rootDN only has manage access to the configured database. Every database should have a rootdn declaration. For more information see slapd.conf(5), section general database options.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
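The reasoning in the reply above, as an added example (not code from the thread or from OpenLDAP): the entry `olcDatabase={2}hdb,cn=config` is stored in the config database, so the rootDN that matters for modifying it is the config database's, not the hdb database's. The LDIF is a constructed sample that reuses the thread's placeholder DNs; the helper names are hypothetical, DN matching is simplified, and `olcAccess` rules are not modelled.

```python
# Constructed sample: a trimmed dump of cn=config with no olcRootDN on {0}config.
# Suffix and rootDN values reuse the placeholders from the thread.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config

dn: olcDatabase={2}hdb,cn=config
olcDatabase: {2}hdb
olcSuffix: dc=SUBDOMAIN,dc=DOMAIN,dc=TLD
olcRootDN: cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD
"""

def norm(dn):
    """Crude DN normalisation (lower-case, trimmed RDNs); enough for this sample."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_databases(ldif):
    """Return one dict per olcDatabase entry: name, suffix, rootdn."""
    dbs = []
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "olcDatabase" not in attrs:
            continue
        is_config = attrs["olcDatabase"].endswith("config")
        dbs.append({
            "name": attrs["olcDatabase"],
            # The config database serves the cn=config subtree.
            "suffix": norm(attrs.get("olcSuffix", "cn=config" if is_config else "")),
            # Per the reply: an unset rootDN on the config database defaults to cn=config.
            "rootdn": norm(attrs.get("olcRootDN", "cn=config" if is_config else "")),
        })
    return dbs

def holding_database(dbs, entry_dn):
    """Database whose suffix contains entry_dn (longest suffix wins)."""
    entry = norm(entry_dn)
    hits = [d for d in dbs if d["suffix"] and (entry == d["suffix"] or entry.endswith("," + d["suffix"]))]
    return max(hits, key=lambda d: len(d["suffix"]), default=None)

def is_rootdn_for(dbs, bind_dn, entry_dn):
    """True if bind_dn is the rootDN of the database that stores entry_dn."""
    db = holding_database(dbs, entry_dn)
    return db is not None and db["rootdn"] == norm(bind_dn)

if __name__ == "__main__":
    dbs = parse_databases(SAMPLE_CONFIG_LDIF)
    manager = "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD"
    for target in ("olcDatabase={2}hdb,cn=config", "ou=users,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD"):
        print(target, "->", holding_database(dbs, target)["name"], is_rootdn_for(dbs, manager, target))
```

Run against a real dump of `cn=config`, the same check shows at a glance which bind DN is rootDN for the database that actually holds the entry being modified.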
