On 08/05/2016 07:42 AM, John Lewis wrote:
> On 08/02/2016 11:43 AM, Ryan Tandy wrote:
>> On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:
>>> How do I allow root aka
>>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
>>> olcDatabase={1}mdb,cn=config.
>> Besides olcAuthRegex mentioned by other posters, setting up an
>> explicit access control entry for that DN is another option.
>>
>> If you installed slapd from the Debian archive, the default access
>> rules for the config database include:
>>
>> # Config db settings
>> dn: olcDatabase=config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: config
>> # Allow unlimited access to local connection from the local root user
>> olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>>
>> You could grant root-like access to the root user by copying that
>> access line to your mdb database.
> Root can read, but it can't write.
>
> dictator@soothsayer:~$ sudo ldapadd -H ldapi:/// -f add_ldap-connect1.ldif -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> adding new entry "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent
>
> I am guessing that it has something to do with the order of the ACLs.
>
> olcAccess: {0}to dn.base="" by * read
> olcAccess: {1}to * by * read
> olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {3}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>
I reorganized the olcAccess and now root can write to the directory.

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
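To make the ordering effect concrete, here is a small model of how slapd walks olcAccess rules: the first "to" clause whose target matches is the one used, then the first matching "by" clause decides, "stop" (the default) makes that level final and "break" moves on to the next "to" clause. This is an added example, not code from the thread or from OpenLDAP; it models only the rule syntax that appears above (the "SUGGESTED" ordering and the helper names are mine). It reproduces the "no write access to parent" result for root under the original order (ldapadd needs write on the parent's "children" pseudo-attribute, and "{1}to * by * read" matches first and stops), shows the reordered set granting root manage, and also checks something the thread does not mention: in both the original and the reordered set, "to * by * read" sits before the attrs=userPassword rule, so that rule is never reached and anonymous binds can read userPassword. Putting the password rule right after the root rule keeps root's access and restores the Debian default protection.

```python
"""Simplified model of slapd olcAccess evaluation (added example, not OpenLDAP code).

Assumptions: first matching "to" clause wins; within it the first matching "by"
clause decides; control "stop" (default) is final, "break" continues with the
next "to" clause; "to *" matches every entry and every attribute; a "to" clause
with no matching "by" denies (implicit trailing "by * none").
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Entries from the thread: ldapadd of a new entry under ou=People needs write on
# the parent's "children" pseudo-attribute.
PARENT = "ou=People,dc=d,dc=oflameo,dc=com"
USER = "cn=ldap-connect1,ou=People,dc=d,dc=oflameo,dc=com"


def parse_olc_access(line):
    """Parse '{n}to <what> by <who> [level] [control] ...' into (what, [(who, level, control)])."""
    tokens = line.split()
    if tokens[0].startswith("{"):                 # drop the {n} ordering prefix
        tokens[0] = tokens[0][tokens[0].index("}") + 1:]
    assert tokens[0] == "to", line
    what, by_clauses, i = tokens[1], [], 2
    while i < len(tokens):
        assert tokens[i] == "by", line
        who, level, control, i = tokens[i + 1], "none", "stop", i + 2
        while i < len(tokens) and tokens[i] != "by":
            if tokens[i] in LEVELS:
                level = tokens[i]
            elif tokens[i] in ("stop", "break"):
                control = tokens[i]
            else:
                raise ValueError("unsupported token %r in %r" % (tokens[i], line))
            i += 1
        by_clauses.append((who, level, control))
    return what, by_clauses


def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("dn.base="):               # dn.base="" is the root DSE only
        return target_dn == what[len("dn.base="):].strip('"')
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported <what>: %r" % what)


def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn.exact="):
        return requester_dn == who[len("dn.exact="):]
    raise ValueError("unsupported <who>: %r" % who)


def granted_level(acl, target_dn, attr, requester_dn):
    """Walk the parsed rules in order and return the access level slapd would grant."""
    level = "none"
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        matched = [(lvl, ctl) for who, lvl, ctl in by_clauses
                   if who_matches(who, requester_dn, target_dn)]
        if not matched:
            return "none"                         # implicit "by * none" at end of clause
        level, control = matched[0]
        if control == "stop":
            return level
        # "break": remember the level and carry on with the next "to" clause
    return level


def allowed(acl, target_dn, attr, requester_dn, needed):
    return LEVELS.index(granted_level(acl, target_dn, attr, requester_dn)) >= LEVELS.index(needed)


ROOT_RULE = "to * by dn.exact=%s manage by * break" % ROOT_DN
PW_RULE = "to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none"

ORIGINAL = [parse_olc_access(r) for r in ['to dn.base="" by * read', "to * by * read", PW_RULE, ROOT_RULE]]
REORDERED = [parse_olc_access(r) for r in [ROOT_RULE, 'to dn.base="" by * read', "to * by * read", PW_RULE]]
# Suggested order (mine): root first, then the password rule before the catch-all read.
SUGGESTED = [parse_olc_access(r) for r in [ROOT_RULE, PW_RULE, 'to dn.base="" by * read', "to * by * read"]]


def root_can_add_under_people(acl):
    return allowed(acl, PARENT, "children", ROOT_DN, "write")


def anonymous_can_read_password(acl):
    return allowed(acl, USER, "userPassword", None, "read")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED), ("suggested", SUGGESTED)):
        print("%-9s root add under ou=People: %-5s  anonymous reads userPassword: %s"
              % (name, root_can_add_under_people(acl), anonymous_can_read_password(acl)))
```

Running it prints False/True for the original order (root is stopped at "{1}to * by * read" with read, exactly the ldap_add error above, while anonymous gets read on userPassword), True/True for the reordered set, and True/False for the suggested set, where self still gets write on its own password and anonymous only gets auth.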