[ldapvi] ldapvi - How to edit acl-entries within the cn=config backend

Axel Birndt towerlexa at gmx.de
Sat May 22 18:37:37 CEST 2010


Hi Ulrich,

Ulrich Spörlein wrote:
> On Thu, 20.05.2010 at 20:54:12 +0200, Axel Birndt wrote:
>> Hi Ulrich,
>>
>> Ulrich Spörlein wrote:
>>> On Thu, 20.05.2010 at 19:05:19 +0200, Axel Birndt wrote:
>>> This looks like a permission denied problem. NB the admin account for
>>> dc=2axels-company,dc=de does not necessarily have read/write access for
>>> the cn=config tree. This must usually be done by cn=admin,cn=config
>>>
>>> This is how I do it:
>>> ldapvi -D cn=admin,cn=config -b cn=config
>> Yes, I think you are right. Thank you very much for your help.
>>
>> Now it is working!
>>
>> Maybe you could do a little explaining, why it is working now?
>>
>> What is the difference between "cn=admin,cn=config" and
>> "cn=admin,dc=2axels-company,dc=de"?
>>
>> Why doesn't the user "cn=admin,dc=2axels-company,dc=de" have sufficient
>> rights to access the ACLs?
>>
>> Is this an expected behavior?
> 
> Yes, this is expected behaviour. cn=admin,cn=config is what the admin of
> OpenLDAP can use to change its settings, like only the superuser would
> be able to edit the slapd.conf file in previous versions.
> 
> Your cn=admin,dc=2axels... is just the name of an LDAP object which
> could be anything. Also, think about "virtual domains", where there are
> multiple "admins" for multiple base DNs. There can be only one for the
> slapd instance itself, though.

Now, after looking in my config (I understand a little bit more now, and
know which keyword I have to search for...), I understand that there are 2
users in my LDAP server. One user is "cn=admin,dc=2axels*" and the other
is the "cn=admin,cn=config" user, and both have the same password by
default.

One more question:

Could I change the password for both of the user entries separately?

8 olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {CRYPT}7hzU8RaZxaGi2

9 olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=2axels-company,dc=de
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=2axels-company,dc=ro" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=2axels-company,dc=de" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=2axels-company,dc=de
olcRootPW: 7890

Could I replace the values of the 'olcRootPW' entries with a new
encrypted password? Or is there something more I have to pay attention
to?

Once more I say thank you to all of you who helped me to better
understand the function and workings of the LDAP server.

Kind regards
Axel



-- 


Regards, Axel

------------------------------

=> harden a server? Google "harden steel", or what do you mean by
harden?

From:
http://www.administrator.de/index.php?content=69906

------------------------------

http://www.tty1.net/smart-questions_de.html
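An added worked example, not code from the thread or from ldapvi, for the question above about changing the two rootdn passwords separately. Each olcDatabase entry under cn=config carries its own olcRootPW, so the config database ({0}config) and the data database ({1}hdb) are two independent attributes on two independent entries, and each can be given its own value. The script below builds the {SSHA} value in the same format `slappasswd -h '{SSHA}'` produces (base64 of SHA-1(password || salt) followed by the 4-byte salt), checks that a password verifies against it, and emits one LDIF change record per database. The database RDNs and the sample passwords are taken from or constructed for this example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} value in the form that `slappasswd -h '{SSHA}'` emits:
    base64(SHA1(password || salt) || salt). slappasswd uses a random 4-byte
    salt; a caller may pass a fixed salt to get reproducible output."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a cleartext password against a stored {SSHA} value, the way slapd
    does when the rootdn binds and olcRootPW holds that value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_modify_ldif(database_rdn, new_value):
    """One LDIF change record replacing olcRootPW on a single olcDatabase
    entry under cn=config (database_rdn is e.g. '{0}config' or '{1}hdb')."""
    return (
        "dn: olcDatabase=%s,cn=config\n" % database_rdn
        + "changetype: modify\n"
        + "replace: olcRootPW\n"
        + "olcRootPW: %s\n" % new_value
    )


def rootpw_ldif_for_databases(new_passwords):
    """Build one LDIF with a separate change record per database, so the
    config rootdn and the data rootdn end up with different passwords.
    new_passwords maps an olcDatabase RDN to its new cleartext password."""
    records = [rootpw_modify_ldif(rdn, ssha_hash(pw))
               for rdn, pw in new_passwords.items()]
    return "\n".join(records)   # LDIF separates records with a blank line


if __name__ == "__main__":
    # Constructed sample passwords for this example, not values from the post.
    print(rootpw_ldif_for_databases({
        "{0}config": "new-config-password",
        "{1}hdb": "new-directory-password",
    }))
```

Save the printed LDIF and apply it with the config rootdn, for instance `ldapmodify -H ldapi:/// -D cn=admin,cn=config -W -f rootpw.ldif` (the ldapi:/// URI is an assumption; use whatever URI the server listens on). Both records live under cn=config, which is exactly why binding as cn=admin,dc=2axels-company,dc=de failed earlier in the thread: only the config database's rootdn may write there. Editing the same two attributes interactively with `ldapvi -D cn=admin,cn=config -b cn=config`, as Ulrich suggested, does the same thing. Two caveats worth knowing: olcRootPW accepts either cleartext or a {SCHEME}-prefixed hash, and a hash is what you want in a file that anyone with read access to the config can see; and per slapd.conf(5), if the data database's rootdn also exists as a real entry inside that database with its own userPassword, that attribute is untouched by this change and remains valid for binds, so change it too if that is the case.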


