[ldapvi] ldapvi - How to edit acl-entries within the cn=config backend

Ulrich Spoerlein uspoerlein at gmail.com
Fri May 21 21:02:35 CEST 2010


On Thu, 20.05.2010 at 20:54:12 +0200, Axel Birndt wrote:
> Hi Ulrich,
> 
> Ulrich Spörlein wrote:
> > On Thu, 20.05.2010 at 19:05:19 +0200, Axel Birndt wrote:
> 
> > This looks like a permission denied problem. NB the admin account for
> > dc=2axels-company,dc=de does not necessarily have read/write access for
> > the cn=config tree. This must usually be done by cn=admin,cn=config
> > 
> > This is how I do it:
> > ldapvi -D cn=admin,cn=config -b cn=config
> 
> Yes, I think you are right. Thank you very much for your help.
> 
> Now it is working!
> 
> Maybe you could do a little explaining, why it is working now?
> 
> What is the difference between "cn=admin,cn=config" and 
> "cn=admin,dc=2axels-company,dc=de"?
> 
> Why does the user "cn=admin,dc=2axels-company,dc=de" not have sufficient 
> rights to access the ACLs?
> 
> Is this an expected behavior?

Yes, this is expected behaviour. cn=admin,cn=config is what the admin of
OpenLDAP can use to change its settings, like only the superuser would
be able to edit the slapd.conf file in previous versions.

Your cn=admin,dc=2axels... is just the name of an LDAP object which
could be anything. Also, think about "virtual domains", where there are
multiple "admins" for multiple base DNs. There can be only one for the
slapd instance itself, though.

hth,
Uli
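
The separation described in this reply, as an added example that is not part of the original message: each database entry under cn=config names its own rootdn, and that identity is exempt from ACLs only inside its own database. The Python below parses a constructed cn=config export (sample values and function names are assumptions; base64 `::` values are left undecoded) and checks which bind DN is rootdn for a given base. Access granted through olcAccess rules is not evaluated.

```python
import re

# Constructed sample of a cn=config export (the kind of LDIF `slapcat -n 0` prints).
# The mdb backend and the ACL lines are made up; the DNs are the ones from the thread.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcAccess: {0}to * by * none

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=2axels-company,dc=de
olcRootDN: cn=admin,dc=2axels-company,dc=de
olcAccess: {0}to attrs=userPassword by self write
  by anonymous auth by * none
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute name -> list of values."""
    text = re.sub(r"\n ", "", text)           # unfold: newline + one space joins lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def rootdn_by_suffix(entries):
    """Map each database suffix to its rootdn; the config database is always cn=config."""
    out = {}
    for e in entries:
        is_config = e.get("olcdatabase", [""])[0].split("}")[-1].lower() == "config"
        root = norm(e["olcrootdn"][0]) if "olcrootdn" in e else None
        for suffix in ["cn=config"] if is_config else e.get("olcsuffix", []):
            out[norm(suffix)] = root
    return out

def is_rootdn_for(bind_dn, base, roots):
    """True only if bind_dn is the rootdn of the database that holds `base`."""
    base = norm(base)
    held_by = [s for s in roots if base == s or base.endswith("," + s)]
    return bool(held_by) and roots[max(held_by, key=len)] == norm(bind_dn)
```
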


