add LDAP_INIT_ALLOW_CONFIG_ACCESS

README.md

@@ -44,6 +44,7 @@ ### <a name="initial-config"></a>Initial configuration
 LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}'
 LDAP_INIT_ROOT_USER_PW='changeit'
 LDAP_INIT_RFC2307BIS_SCHEMA=0 # 0=use NIS (RFC2307) schema, 1=use RFC2307bis schema
+LDAP_INIT_ALLOW_CONFIG_ACCESS='true' # if set to true, the "cn=config" namespace can be read/edited by LDAP admins
 ```
 
 Environment variables can for example be set using `docker run` with `-e`, e.g.

image/Dockerfile

@@ -90,6 +90,7 @@ ENV \
   LDAP_INIT_ADMIN_GROUP_DN='cn=ldapadmins,ou=Groups,${LDAP_INIT_ORG_DN}' \
   LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}' \
   LDAP_INIT_ROOT_USER_PW='' \
+  LDAP_INIT_ALLOW_CONFIG_ACCESS='false' \
   LDAP_INIT_PPOLICY_DEFAULT_DN='cn=DefaultPasswordPolicy,ou=Policies,${LDAP_INIT_ORG_DN}' \
   LDAP_INIT_PPOLICY_PW_MIN_LENGTH=8 \
   LDAP_INIT_PPOLICY_MAX_FAILURES=3 \

image/ldifs/init_config_admin_access.ldif

@@ -0,0 +1,7 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: to *
+  by dn="${LDAP_INIT_ROOT_USER_DN}" write
+  by group/groupOfUniqueNames/uniqueMember="${LDAP_INIT_ADMIN_GROUP_DN}" write
+  by * none

image/run.sh

@@ -138,6 +138,10 @@ if [ ! -e /etc/ldap/slapd.d/initialized ]; then
    ldif add    -Y EXTERNAL /opt/ldifs/init_module_unique.ldif
    ldif add    -Y EXTERNAL /opt/ldifs/init_module_ppolicy.ldif
 
+   if [ "${LDAP_INIT_ALLOW_CONFIG_ACCESS:-false}" == "true" ]; then
+     ldif modify -Y EXTERNAL /opt/ldifs/init_config_admin_access.ldif
+   fi
+
    LDAP_INIT_ORG_DN_ATTR=$(substr_before $LDAP_INIT_ORG_DN "," | str_replace "=" ": ") # referenced by init_org_tree.ldif
    ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_tree.ldif
    ldif add -x -D "$LDAP_INIT_ROOT_USER_DN" -w "$LDAP_INIT_ROOT_USER_PW" /opt/ldifs/init_org_ppolicy.ldif