Re: [Spam] No olcRootPW in olcDatabase={0}config.ldif
by huret deffgok
Hi Sami,
Yes, there is an olcRootDN (and its password) for the mdb database. But if I
understand correctly the olcRootDN is valid only for its database. Anyway,
this olcRootDN and associated password don't work with the config database.
As for the ACL, again, maybe I'm wrong, but from the documentation it seems
that the RootDN is always allowed whatever the ACLs are. And I can't change
them either, as I run into the same problem as for the log level :(
Thanks
On Mon, Apr 3, 2017 at 5:30 PM, Sami <s.aitalioulahcen(a)cnrst.ma> wrote:
> Hi Huret,
> Could you check if the olcRootDN is in the db conf file
> /etc/openldap/slapd.d/cn=config/olcDatabase={x}mdb.ldif ?
> Also, your olcAccess could be the problem since you denied everything for
> everyone.
> I'm no openldap expert, so others can correct me if I'm wrong.
>
> --
> Sami
No olcRootPW in olcDatabase={0}config.ldif
by huret deffgok
Hi list,
I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40
(CentOS 7).
So far so good, the server is working, but then I found myself systematically
denied when I tried to adjust the log level (or anything else in fact).
In my olcDatabase={0}config.ldif I see that I don't have an olcRootPW set
for the olcRootDN of this DB (I guess I made an error with my slapd.conf
used for the migration with slaptest). The production db (on mdb, I hope it
is stable enough with the CentOS 7 shipped version btw) is running fine and
has an olcRootPW set and working.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 07bfeb05
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
If I try to just read the log level with:
root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b
'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password)
disallowed
(and I don't have any password to feed it)
Or:
root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
My question is, and if it is indeed my problem, how can I add an olcRootPW
to the config database, if it's possible at all?
Thank you,
kfx
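An added Python example (not from this thread or the OpenLDAP project) showing what the fix consists of once some identity can write cn=config: it produces an {SSHA} olcRootPW value in the layout slappasswd emits, and the ldapmodify LDIF that adds it to olcDatabase={0}config while narrowing the posted "to * by * none" ACL so that the ldapi root identity shown in the SASL username line gets manage rights. The ACL line and the choice of that peercred DN are assumptions about the desired end state.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the thread's or the project's code: the {SSHA} layout and the
# ACL line below are assumptions about what the config database should end up with.

def ssha_hash(password, salt=None):
    """{SSHA} in the layout slappasswd produces: base64(SHA1(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value; the salt is whatever
    follows the 20-byte SHA-1 digest, so any salt length slapd wrote is accepted."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Identity slapd reports for root over ldapi:/// (the SASL username line in the post).
LDAPI_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def config_db_fix_ldif(hashed_pw):
    """LDIF for ldapmodify against olcDatabase={0}config: add the missing
    olcRootPW and replace the ACL so local root over ldapi gets manage rights
    while every other identity stays denied, as the posted ACL intended."""
    return "\n".join([
        "dn: olcDatabase={0}config",
        "changetype: modify",
        "add: olcRootPW",
        "olcRootPW: " + hashed_pw,
        "-",
        "replace: olcAccess",
        'olcAccess: {0}to * by dn.base="' + LDAPI_ROOT + '" manage by * none',
        "",
    ])

if __name__ == "__main__":
    # Constructed sample password; in practice read it from a prompt.
    print(config_db_fix_ldif(ssha_hash("example-only-password")))
```

Applying the LDIF still needs an identity that can already write cn=config; with the posted ACL and no olcRootPW, that means stopping slapd and correcting the on-disk olcDatabase={0}config.ldif (or regenerating slapd.d with slaptest from a corrected slapd.conf) before restarting.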
[openldap-technical] OpenLDAP custom schema [dummy question]
by Alexandru Ocheana
Hi all,
My name is Alex and I recently joined this list because I can't find
some straightforward guidelines and nothing seems to work for me. Of
course it is a dummy question and I know you have seen it many times, but I am
sure that I'm missing something very very simple in fact. If you want,
please help me because I am a bit lost and I don't know how to move forward.
I am trying to set up an OpenLDAP server on CentOS 7. This is my first
time, so please go easy on me :))
I will try to reproduce my steps because, this being my first time, errors may
occur at any moment, but I strongly want to learn OpenLDAP.
My goal is to add some custom fields (attributeType) into the LDAP DB. I know
there can be a workaround for this, like adding the data into the inetOrgPerson
schema, but I want a new schema, defined for what I need. Basically this
schema will contain supplementary information about students like
(ID-Number, University Assigned Number, contact email, address, name
after marriage, etc).
Here are all steps I've done (successfully I believe):
install and configure OpenLDAP from here:
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
----
I've tried to create my new schema like this (I have my private IANA OID):
-----------------------------------
info.schema
----
attributetype ( 1.3.6.1.4.1.49565.1.1.1
NAME 'cnp'
DESC 'Cod Numeric Personal'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 1.3.6.1.4.1.49565.1.1.2
NAME 'emailContact'
DESC 'Email for external user'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
objectclass (
1.3.6.1.4.1.49565.1.2.1
NAME 'infoVCard'
DESC 'Extra Information Card'
AUXILIARY )
-----------------------------------
* Moved to /tmp/slapd folder and created an info.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/info.schema
* transformed info.schema to ldif
slaptest -f info.conf -F .
config file testing succeeded
* moved to cn=config/cn=schema and all 5 files are here:
-rw-------. 1 root root 15546 Mar 31 22:15 cn={0}core.ldif
-rw-------. 1 root root 11363 Mar 31 22:15 cn={1}cosine.ldif
-rw-------. 1 root root 6495 Mar 31 22:15 cn={2}nis.ldif
-rw-------. 1 root root 2857 Mar 31 22:15 cn={3}inetorgperson.ldif
-rw-------. 1 root root 890 Mar 31 22:15 cn={4}info.ldif
--------------------------------------------
* edited cn={4}info.ldif like so:
--------------------------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 bc62c5f1
dn: cn=info,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: info
olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric
Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Em
ail for external user' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstrings
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra
Information Card' AUXILIARY )
-------------------------------------------
* copied info.ldif from /tmp to /etc/openldap/schema/info.ldif
* load info.ldif into OpenLDAP
ldapadd -Y EXTERNAL -H ldapi:/// -f info.ldif
OUTPUT of above command:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=info,cn=schema,cn=config"
------------------------------------
I suppose everything is correct because at
/etc/openldap/slapd.d/cn=config/cn=schema now appears my cn={4}info.ldif
file with the following content:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a48aaa49
dn: cn={4}info
objectClass: olcSchemaConfig
cn: {4}info
olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric
Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Em
ail for external user' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstrings
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra
Information Card' AUXILIARY )
structuralObjectClass: olcSchemaConfig
entryUUID: 9d56682a-aa93-1036-9882-31e47bf02dae
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170331192559Z
entryCSN: 20170331192559.397549Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170331192559Z
---------------------------------------
Now, till here everything worked smoothly, but from this step forward
everything turns into a nightmare. How do I add data using this new
schema? I've tried this:
ldapuser.ldif
---
dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Alexandru
sn: Ocheana
userPassword: {SSHA}BBxUpzvO93HlFEFPSkexvXA7G06UBYO4
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/alex
## -------------------------
## HERE I BELIEVE IS AN ERROR BUT WHICH IS THE CORRECT WAY TO ADD IT?
## THIS PART IS TO ADD DATA TO THAT NEW SCHEMA
## -------------------------
dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: infoVCard
cnp: myCNP
emailContact: otheremail(a)gmail.com
dn: cn=alex,ou=Group,dc=info,dc=uaic,dc=ro
objectClass: posixGroup
cn: Alex
gidNumber: 2000
memberUid: alex
----
I am trying to add this to OpenLDAP like so:
ldapadd -x -D cn=Manager,dc=info,dc=uaic,dc=ro -W -f ldapuser.ldif
After asking for password I am getting this output:
adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro"
adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro"
ldap_add: Object class violation (65)
additional info: no structural object class provided
My logic tells me that my infoVCard should be bound somehow to the first set
as inetOrgPerson (I've read about this but I don't know how to really
achieve this ... I know about SUP but I am lost at this point).
Can you bring some light into my head please? What am I missing?
Thank you very much for your time!
Regards,
Alexandru Ocheana
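As an added illustration (not the poster's or the OpenLDAP project's code), a small Python checker that applies the two schema rules behind the "no structural object class provided" error: it parses objectclass definitions in the posted slapd.conf syntax and validates an entry against them. The corrected infoVCard with a MAY list, and the single merged record carrying inetOrgPerson together with infoVCard, are assumptions about the fix; the standard class definitions are reduced to the attributes the posted entry uses.

```python
import re

# Constructed schema text (not the OpenLDAP project's): the posted infoVCard class,
# which allows no attributes at all, beside a corrected one listing them in MAY.
POSTED_SCHEMA = """objectclass ( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard'
    DESC 'Extra Information Card' AUXILIARY )"""
FIXED_SCHEMA = """objectclass ( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard'
    DESC 'Extra Information Card' AUXILIARY
    MAY ( cnp $ emailContact ) )"""
# Standard classes the posted entry uses: kind and the subset of their allowed
# attributes that the entry carries (the real definitions list many more).
STANDARD = {"inetOrgPerson": ("STRUCTURAL", {"cn", "sn", "uid"}),
            "posixAccount": ("AUXILIARY", {"cn", "uid", "uidNumber", "gidNumber",
                                           "homeDirectory", "loginShell", "userPassword"}),
            "shadowAccount": ("AUXILIARY", {"uid", "userPassword"})}

def parse_objectclasses(schema_text):
    """Parse slapd.conf-style objectclass definitions into {name: (kind, allowed)}."""
    classes = {}
    for chunk in re.split(r"(?i)\bobjectclass\b", schema_text)[1:]:
        name = re.search(r"NAME\s+'(\w+)'", chunk).group(1)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", chunk).group(1)
        allowed = set()
        for key in ("MUST", "MAY"):  # either a "( a $ b )" list or a single name
            m = re.search(r"\b" + key + r"\s*(?:\(([^)]*)\)|(\w+))", chunk)
            if m:
                allowed |= {a.strip() for a in (m.group(1) or m.group(2)).split("$")}
        classes[name] = (kind, allowed)
    return classes

def check_entry(entry, classes):
    """Objections slapd raises for an entry (empty list means it loads): the two
    rules the posted LDIF and schema trip, one structural class and attributes
    allowed by at least one of the entry's classes."""
    problems = []
    if not any(classes[oc][0] == "STRUCTURAL" for oc in entry["objectClass"]):
        problems.append("no structural object class provided")
    allowed = set().union(*(classes[oc][1] for oc in entry["objectClass"]))
    problems += [f"attribute '{a}' not allowed" for a in entry
                 if a != "objectClass" and a not in allowed]
    return problems

# The posted second record on its own: an auxiliary class only, no structural one.
AUX_ONLY = {"objectClass": ["infoVCard"], "cnp": "myCNP", "emailContact": "a@example.org"}
# Assumed fix for the LDIF: one record carrying the structural and auxiliary classes.
MERGED = {"objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount", "infoVCard"],
          "cn": "Alexandru", "sn": "Ocheana", "uid": "alex", "uidNumber": "2000",
          "gidNumber": "2000", "homeDirectory": "/home/alex", "loginShell": "/bin/bash",
          "cnp": "myCNP", "emailContact": "a@example.org"}
```

Run check_entry(MERGED, {**STANDARD, **parse_objectclasses(FIXED_SCHEMA)}) to see the merged entry pass, and the same call with POSTED_SCHEMA to see why the MAY list is needed even after merging.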
OpenLDAP Tutorial on YouTube Channel
by Rajesh R
Hello,
At the outset, thank you to each member of the OpenLDAP project for all the hard work in developing a great LDAP Server.
I'm Rajesh Rajasekharan, and have spent a great deal of my time in various organizations teaching several products, including their LDAP servers. While searching for good OpenLDAP resources, I couldn't really find a systematic tutorial for it, so I thought of making one myself. As a result, I have a playlist of 19 videos on OpenLDAP on my YouTube channel. If/when you have some time to spare, I request you to please take a look at it and kindly advise if I could contribute in any other way to this great project.
https://www.youtube.com/playlist?list=PLfO6SFqcY2PrDR5yct96n4qfgMmh6g0eP
kind regards,
--R Rajesh