Hi,
my slapd.conf file on the parent server is like this:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/new_core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Directives needed to implement policy:
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

olcAccess: to * by * write
access to * by * write by anonymous auth by * read

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
-----------------------------------------------------------------------------------------------------------------------------------------
and slapd.conf on the child server is like this:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/new_core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

allow update_anon
#allow bind_anon_dn
#allow bind_anon_cred

#olcAccess: to dn.children="FileName=Development,dc=cdac,dc=in" by * write
#bydn.subtree="FileName=Development,dc=cdac,dc=in" write
olcAccess: to * by * write

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "FileName=Development,dc=cdac,dc=in"
rootdn "cn=Manager,FileName=Development,dc=cdac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
-----------------------------------------------------------------------------------------
When I try to add an entry under the child server through the parent server, I get this error:
bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
=> bdb_dn2id("FileName=rkyadav,FileName=development,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=104 target="FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in" matched="FileName=Development,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.4.147/FileName=Development,dc=cdac,dc=in)
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=105 err=10
ber_flush: 143 bytes to sd 11
ldap_add_s: Insufficient access (50)
additional info: no write access to parent
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=1 sd=11 for close
connection_close: conn=1 sd=11
Actually, ldap_search succeeds and we are able to get the entries of the child server from the parent server. So there is no connectivity error.
Please reply to me as soon as possible.
Thanks and Regards,
Rakesh Yadav
No, there's no connectivity error.
> bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
> => bdb_dn2id("FileName=rkyadav,FileName=development,dc=cdac,dc=in")
> <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Try creating "FileName=rkyadav,FileName=development,dc=cdac,dc=in" as your first step. Then try creating "FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in" again, once that succeeds.
Hi,
Rakesh Yadav
C-DAC, HTDG Pune

----- Original Message -----
From: "Aaron Richton" richton@nbcs.rutgers.edu
To: "Rakesh Yadav" rkyadav@cdac.in
Cc: openldap-software@openldap.org
Sent: Tuesday, December 11, 2007 9:58 PM
Subject: Re: Regarding distributed directory services : ldap_add_s: Insufficient access (50)
> No, there's no connectivity error.
> bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
> => bdb_dn2id("FileName=rkyadav,FileName=development,dc=cdac,dc=in")
> <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
> Try creating "FileName=rkyadav,FileName=development,dc=cdac,dc=in" as your first step. Then try creating
"FileName=rkyadav,FileName=development,dc=cdac,dc=in": this entry is already present at the client machine. When we issue ldapsearch, this entry is also displayed at the server machine. Here I am attaching the client machine log; please have a look at it:
> "FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in" again, once that succeeds.
When I add the "FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in" entry, I get this error:
--------------- Server ---------------
dnPrettyNormal: <FileName=Imp_doc, FileName=rkyadav, FileName=Development, dc=cdac, dc=in>
<<< dnPrettyNormal: <FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in>, <FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in>
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt (}) ber:
bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
=> bdb_dn2id("FileName=rkyadav,FileName=development,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=104 target="FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in" matched="FileName=Development,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.4.147/FileName=Development,dc=cdac,dc=in)
send_ldap_result: conn=4 op=1 p=3
send_ldap_response: msgid=2 tag=105 err=10
ber_flush: 143 bytes to sd 11
ldap_add_s: Insufficient access (50)
additional info: no write access to parent
connection_get(11): got connid=4
connection_read(11): checking for input on id=4
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=4 sd=11 for close
connection_close: conn=4 sd=11
---------------
At the same time I get these messages at the CLIENT:
---------------
bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
=> bdb_dn2id("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=104 target="FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in" matched="FileName=rkyadav,FileName=Development,dc=cdac,dc=in"
oc_check_required entry (FileName=Imp_doc,FileName=rkyadav,FileName=Development,dc=cdac,dc=in), objectClass "GfsNameSpace"
oc_check_allowed type "FileName"
oc_check_allowed type "FileSize"
oc_check_allowed type "Parentid"
oc_check_allowed type "FileMode"
oc_check_allowed type "ProtocolType"
oc_check_allowed type "objectClass"
oc_check_allowed type "DirIndex"
oc_check_allowed type "Gid"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"
bdb_dn2entry("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
=> bdb_dn2id("FileName=imp_doc,FileName=rkyadav,FileName=development,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_add: no write access to parent
send_ldap_result: conn=8 op=1 p=3
send_ldap_response: msgid=3 tag=105 err=50
ber_flush: 39 bytes to sd 11
connection_get(11): got connid=8
connection_read(11): checking for input on id=8
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=8 sd=11 for close
connection_resched: attempting closing conn=8 sd=11
connection_close: conn=8 sd=11
----------------------------------------------------------------
Now tell me what's the problem. Waiting for your reply.
On Wednesday 12 December 2007 07:31:05 Rakesh Yadav wrote:
> Hi,
> Server
> [...]
> ldap_add_s: Insufficient access (50)
> additional info: no write access to parent
> [..]
> At the same time I get these messages at the CLIENT:
> [...]
> bdb_add: no write access to parent
> [...]
> Now tell me what's the problem.
The log tells you what the problem is, if you bother to read it.
Regards, Buchan
----- Original Message -----
From: "Buchan Milne" bgmilne@staff.telkomsa.net
To: openldap-software@openldap.org
Cc: "Rakesh Yadav" rkyadav@cdac.in
Sent: Wednesday, December 12, 2007 2:11 PM
Subject: Re: Regarding distributed directory services : ldap_add_s: Insufficient access (50)
> On Wednesday 12 December 2007 07:31:05 Rakesh Yadav wrote:
> > Hi,
> > Server
> > [...]
> > ldap_add_s: Insufficient access (50)
> > additional info: no write access to parent
> > [..]
> > At the same time I get these messages at the CLIENT:
> > [...]
> > bdb_add: no write access to parent
> > [...]
> > Now tell me what's the problem.
> The log tells you what the problem is, if you bother to read it.
Actually, I already knew that I was getting the "bdb_add: no write access to parent" error, but I wanted to ask how I can overcome it.
But for the time being I have granted write permission to all in the client slapd.conf file and it is working now.
Thanks
Rakesh Yadav
On Wednesday 12 December 2007 11:13:25 Rakesh Yadav wrote:
> > > bdb_add: no write access to parent
> > > [...]
> > > Now tell me what's the problem.
> > The log tells you what the problem is, if you bother to read it.
> Actually, I already knew that I was getting the "bdb_add: no write access to parent" error, but I wanted to ask how I can overcome it.
> But for the time being I have granted write permission to all in the client slapd.conf file and it is working now.
But, this has nothing to do with the multi-master setup that you said was causing the problems.
Please, go and read the slapd.access man page, or the relevant parts of the admin guide.
Regards, Buchan
Rakesh Yadav skrev, on 12-12-2007 10:13:
> > > [...]
> > > bdb_add: no write access to parent
> > > [...]
> > > Now tell me what's the problem.
The primary problem is, that you are not granting write access to the parent dn of the child dn that you wish to carry out operations on.
The secondary problem is, that you don't understand why, what you're doing wrong or how to alleviate the problem.
Now you're bothering the list to give you answers to what you could find out by reading the docs, agitating and not listening to advice. It's not likely to gain you friends or admirers here.
> > The log tells you what the problem is, if you bother to read it.
> Actually, I already knew that I was getting the "bdb_add: no write access to parent" error, but I wanted to ask how I can overcome it.
Because you can't be bothered to read the docs. So here's a comforter (http://www.m-w.com/dictionary/teat; a dummy 1:) for you:
From the OL 2.3 admin doc:
5.3.1. What to control access to
[...]
"There are two special pseudo attributes entry and children. To read (and hence return) a target entry, the subject must have read access to the target's entry attribute. To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute. To rename an entry, the subject must have write access to entry's entry attribute AND have write access to both the old parent's and new parent's children attributes. The complete examples at the end of this section should help clear things up."
[...]
I didn't consult the 2.4 admin guide, but it's likely to be more or less the same.
> But for the time being I have granted write permission to all in the client slapd.conf file and it is working now.
This is not a good idea and defeats the whole concept of ACLs, upon which you (if you are administering a prof site) later will be *wholly* dependent.
Best,
--Tonni
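An ACL along the lines of the admin-guide passage Tonni quotes, added here as an illustration and not taken from the thread or from OpenLDAP's sample configuration: it grants write on the entry and children pseudo-attributes of the Development subtree to one identity instead of "access to * by * write". The DN cn=fsadmin,dc=cdac,dc=in is a hypothetical stand-in for whatever identity the parent server binds as on the child; note also that slapd.conf takes "access to" directives, while "olcAccess:" is the attribute name used in the cn=config backend.

```conf
# Added example for slapd.conf (not the poster's file). "cn=fsadmin,dc=cdac,dc=in"
# is a hypothetical identity that the parent server binds as on the child.
# ACLs are evaluated first-match, so the more specific rules come first.

# Only the owner may change a password; anonymous may use it to bind, nothing more.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Adding FileName=imp_doc,FileName=rkyadav,... needs write on the new entry's
# "entry" pseudo-attribute AND on the parent's "children" pseudo-attribute.
# Granting both to fsadmin over the subtree clears "no write access to parent"
# without opening the directory to everyone.
access to dn.subtree="FileName=Development,dc=cdac,dc=in" attrs=entry,children
        by dn.exact="cn=fsadmin,dc=cdac,dc=in" write
        by users read

# Remaining attributes of the subtree: fsadmin writes, authenticated users read.
# Anything not matched falls through to the implicit "by * none".
access to dn.subtree="FileName=Development,dc=cdac,dc=in"
        by dn.exact="cn=fsadmin,dc=cdac,dc=in" write
        by users read
```

With this in place the add must be performed as the bound fsadmin identity; an anonymous add still fails with err=50, which is the intended outcome rather than a misconfiguration.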