Hello-
Thanks to the help of Michael and others I was able to migrate my root dn user from slapd.conf to the database. (BTW should I file a bug for bad documentation on example from 7.1 from [1]?)
Here's how I did it (for the curious and benefit of future users/searchers)::
Add rootdn user to ldif (/tmp/entries.ldif)::
    # Organization for Example Corporation
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: Example Corporation
    description: The Example Corporation

    # Organizational Role for Directory Manager
    dn: cn=Manager,dc=example,dc=com
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    cn: Manager
    description: Directory Manager
    userPassword: secret
load it::
    ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f /tmp/entries.ldif
stop ldap
comment out "rootdn" and "rootpw" from slapd.conf
start ldap
test user from db::
    ldapwhoami -x -D "cn=Manager,dc=example,dc=com" -w secret
Yeah! It works!
So, now back to my original issue. Updating the rootdn password. When I try the following it fails::

    ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Insufficient access (50)
I also have another user that I added and tried to update his password and got the same error::
    ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=s2searchuser,ou=InternalPerson,cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Insufficient access (50)
If I stop ldap, put rootdn/rootpw back in slapd.conf, start ldap and re-run the above, it works::

    $ ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=s2searchuser,ou=InternalPerson,cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Success (0)
I'm sure I'm missing something that is probably obvious to the seasoned veterans, but frustrating to a newbie like me. If anyone can point me further in the right direction that'd be great.
thanks much
-matt
I'll answer my own question!
On 2/8/07, m h sesquile@gmail.com wrote:
So, now back to my original issue. Updating the rootdn password. When I try the following it fails::

    ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Insufficient access (50)
You silly person! You haven't set any ACLs! If you had read here [1] you would see how to create a group and set ACLs in the slapd.conf file.
Here I'll give you an example, add the following to your ldif::
    # add groups for acl
    # create FIRST Level groups branch
    dn: ou=groups,dc=example,dc=com
    objectclass: organizationalunit
    ou: groups
    description: generic groups branch

    # create the admin entry under groups
    dn: cn=admin,ou=groups,dc=example,dc=com
    objectclass: groupofnames
    cn: admin
    description: Admin group
    member: cn=Manager,dc=example,dc=com
Notice how we made our rootdn user (cn=Manager,dc=example,dc=com) a member of the admin group.
Now in slapd.conf add the following::
    ## let admin user change everything
    # ACL1 see http://www.zytrax.com/books/ldap/ch5/step2.html
    access to attr=userpassword
        by self write
        by anonymous auth
        by group.exact="cn=admin,ou=groups,dc=example,dc=com" write
        by * none
good luck!
-matt
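The ACL evaluation behind the "Insufficient access (50)" result quoted above and the group ACL given in this reply, as an added example that is not from the original posts or from OpenLDAP itself: a small Python model of slapd's access rules (first matching `by` clause wins, implicit `by * none` when none matches, the read-only default when slapd.conf has no access directives at all, and the rootdn bypass) applied to the DNs from this thread. The group membership and access levels are constructed from the ldif and ACL shown above.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

MANAGER = "cn=Manager,dc=example,dc=com"
ADMIN_GROUP = "cn=admin,ou=groups,dc=example,dc=com"
SEARCH_USER = "cn=s2searchuser,ou=InternalPerson,cn=Manager,dc=example,dc=com"

# Constructed directory state: the group membership loaded from the ldif above.
GROUP_MEMBERS = {ADMIN_GROUP: {MANAGER}}

# The ACL from the self-answer as (who, level) pairs, in slapd.conf order:
#   access to attr=userpassword
#       by self write
#       by anonymous auth
#       by group.exact="cn=admin,ou=groups,dc=example,dc=com" write
#       by * none
USERPASSWORD_ACL = [
    ("self", "write"),
    ("anonymous", "auth"),
    ("group:" + ADMIN_GROUP, "write"),
    ("*", "none"),
]


def granted_level(binder, target, acl, rootdn=None):
    """Access level the bound identity `binder` (None = anonymous bind) gets on
    `target`'s userPassword. `acl` is the matching access directive, or None
    when slapd.conf contains no access directives at all."""
    if rootdn is not None and binder == rootdn:
        return "write"  # the rootdn is never subject to ACLs
    if acl is None:
        return "read"   # slapd's built-in policy with no ACLs: access to * by * read
    for who, level in acl:  # the first matching 'by' clause wins
        if who == "*":
            return level
        if who == "self" and binder is not None and binder == target:
            return level
        if who == "anonymous" and binder is None:
            return level
        if who.startswith("group:") and binder in GROUP_MEMBERS.get(who[6:], ()):
            return level
    return "none"  # no 'by' clause matched: implicit 'by * none'


def can_set_password(binder, target, acl, rootdn=None):
    """ldappasswd (Password Modify) needs write access to the target's userPassword."""
    return LEVELS.index(granted_level(binder, target, acl, rootdn)) >= LEVELS.index("write")
```

Because this rule covers only userPassword, access to every other attribute still depends on the remaining directives and slapd's defaults; slapd.access(5) documents them.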
m h wrote:
I'll answer my own question!
On 2/8/07, m h sesquile@gmail.com wrote:
So, now back to my original issue. Updating the rootdn password. When I try the following it fails::

    ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Insufficient access (50)
You silly person! You haven't set any ACLs! If you had read here [1] you would see how to create a group and set ACLs in the slapd.conf file.
More to the point, you should not have deleted your rootdn from slapd.conf, only the rootpw. The rootdn directive is what tells slapd that a particular DN should be treated as the administrator. If you don't need an administrator identity, then you should of course delete the rootdn config. But if you *do* need one (and for 99.99% of deployments, you need one) then you should keep the rootdn defined.
The other possible answer to the original question - convert your slapd.conf configurations to dynamic configurations, and use ldapModify on the olcRootPW attributes in the cn=config database.
On 2/8/07, Howard Chu hyc@symas.com wrote:
m h wrote:
I'll answer my own question!
On 2/8/07, m h sesquile@gmail.com wrote:
So, now back to my original issue. Updating the rootdn password. When I try the following it fails::

    ldappasswd -x -v -S -w secret -D cn=Manager,dc=example,dc=com cn=Manager,dc=example,dc=com
    New password:
    Re-enter new password:
    ldap_initialize( <DEFAULT> )
    Result: Insufficient access (50)
You silly person! You haven't set any ACLs! If you had read here [1] you would see how to create a group and set ACLs in the slapd.conf file.
More to the point, you should not have deleted your rootdn from slapd.conf, only the rootpw. The rootdn directive is what tells slapd that a particular DN should be treated as the administrator. If you don't need an administrator identity, then you should of course delete the rootdn config. But if you *do* need one (and for 99.99% of deployments, you need one) then you should keep the rootdn defined.
Good to know that. Thanks!
--On Thursday, February 08, 2007 12:25 PM -0700 m h sesquile@gmail.com wrote:
Hello-
Thanks to the help of Michael and others I was able to migrate my root dn user from slapd.conf to the database. (BTW should I file a bug for bad documentation on example from 7.1 from [1]?)
I'm sure I'm missing something that is probably obvious to the seasoned veterans, but frustrating to a newbie like me. If anyone can point me further in the right direction that'd be great.
What is obvious is you really have no clue what you just did, or what the rootdn/rootpw mean in slapd.conf, versus what it means to be binding as a local user. I suggest reading any variety of books about LDAP, and the OpenLDAP web site, until you do understand the differences. I will give you one hint -- Since you are *no longer* using the rootdn, you must provide acl rules to your new local user.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
On Thursday 08 February 2007, m h wrote:
Hello-
Thanks to the help of Michael and others I was able to migrate my root dn user from slapd.conf to the database.
Well, you didn't migrate the root dn user into the database. You *removed* the rootdn.
(BTW should I file a bug for bad documentation on example from 7.1 from [1]?)
Considering 2.2 is unsupported, no, and I don't see any problem with the documentation. It doesn't claim to cover anything related. You could however submit a patch to the documentation that improves the situation.
Here's how I did it (for the curious and benefit of future users/searchers)::
[..]
stop ldap
comment out "rootdn" and "rootpw" from slapd.conf
That removed your root dn. So, there is no "user" or DN that has privileged access to the database. So, all ACLs and limits need to be explicitly set.
If you were really migrating your "root dn" to the database, you would leave rootdn uncommented in the slapd.conf.
Regards, Buchan
openldap-software@openldap.org