OpenLDAP 2.6.6r1 on Alpine Linux aarch64
Not sure what I am doing wrong but I am unable to change the
rootDN's password.
# ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' << EOF
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Insufficient access (50)
I also tried remotely, and same thing.
I noticed *olcAccess: {0}to * by * none* in the config DB, but I didn't put
that there, and I'm not sure how to change it.
Here is the slapcat output:
(Also, at the end I copied the LDIF I use to initialize the LDAP)
/ # slapcat -n 0
dn: cn=config
objectClass: olcGlobal
cn: config
olcDisallows: bind_anon
olcRequires: authc
structuralObjectClass: olcGlobal
entryUUID: 3ebf1971-b32e-41eb-ac58-a0a30fe18734
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.508761Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap
olcModuleLoad: {0}back_mdb.so
olcModuleLoad: {1}refint.so
olcModuleLoad: {2}memberof.so
olcModuleLoad: {3}argon2.so
structuralObjectClass: olcModuleList
entryUUID: 3b732d07-c664-4294-87ca-d5e29a32aa6c
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.509009Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: c38bf741-8d4a-4e36-b012-22a70577d429
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.509955Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
[snip]
...
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {ARGON2}
structuralObjectClass: olcDatabaseConfig
entryUUID: 4459a62b-80f9-449c-b4a6-20cd2108a486
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512390Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcLastBind: FALSE
olcLastBindPrecision: 0
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 08d3cdfa-b552-45ab-a183-fc5802e9c910
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap/openldap-data
olcSuffix: dc=foo,dc=bar
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW:: e0FSR09OMn0kYXJnb24yaSR2PTE5JG09NDA5Nix0PTMscD0xJHVKeWYwVWZCMjVTUV
 RmWDdvQ3lLMnckVTQ1REpxRUZ3RDB5RmFMdlRWeUFDSEx2R013ek5HZjE5ZHZ6UFI4WHZHYw==
olcDbIndex: objectClass eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 169807ec-3bfc-4a20-b4ab-e60cddd777a2
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512483Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOfConfig
entryUUID: f45b11d4-aba8-40ec-83b5-5688aa6c4c42
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513061Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: uniqueMember
olcRefintAttribute: manager
olcRefintAttribute: owner
olcRefintNothing: cn=admin,dc=foo,dc=bar
structuralObjectClass: olcRefintConfig
entryUUID: 498d5840-1ebf-43d9-ad16-264069969adc
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513211Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcRootDN: cn=config
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 82712ebd-5149-496a-bec8-a2853249d9f3
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513336Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
Here is the LDIF I am using to initialize the LDAP and populate slapd.d:
# config global
dn: cn=config
objectClass: olcGlobal
cn: config
#TODO: fine tune security level restrictions
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
olcDisallows: bind_anon
olcRequires: authc
# dynamic backend modules:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_mdb.so
olcModuleLoad: refint.so
olcModuleLoad: memberof.so
olcModuleload: argon2.so
# schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/dynamodel.ldif
# frontend settings
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcPasswordHash: {ARGON2}
# LMDB database definitions
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=foo,dc=bar
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq
# memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# refint overlay
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: uniqueMember
olcRefintAttribute: manager
olcRefintAttribute: owner
olcRefintNothing: cn=admin,dc=foo,dc=bar
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
Thank you in advance for any pointers !
--
Alex
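
Editor's note, added here and not part of Alex's post. The "SASL username"
line shows what slapd actually authenticated: the peercred identity
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. With a SASL bind
the -D value is ignored (ldapmodify(1) says as much), so the operation runs
as that DN, not as cn=config. The config database's rootDN is cn=config, but
it has no olcRootPW and the initialising LDIF defines the database with no
olcAccess at all, so slapd supplies the default "to * by * none" and every
identity other than the (unbindable) rootDN is refused with error 50.
Because the running server cannot be modified, the fix is to give the config
database an ACL in the initialising LDIF and rebuild slapd.d with slapadd
while slapd is stopped. The script below is an added example, not code from
the post; it assumes Alpine's layout (/etc/openldap/slapd.d, an OpenRC
service named slapd, slapd running as user ldap) and an init LDIF at
/etc/openldap/init.ldif, all overridable from the environment, and it only
runs the stop/rebuild/start path when invoked with "rebuild".

```shell
#!/bin/sh
# Added example, not code from the original post. Paths, service name and the
# slapd user below are assumptions based on Alpine's packaging; override them
# in the environment if the host differs.
set -eu

SLAPD_D="${SLAPD_D:-/etc/openldap/slapd.d}"
INIT_LDIF="${INIT_LDIF:-/etc/openldap/init.ldif}"
SLAPD_USER="${SLAPD_USER:-ldap}"

# Identity slapd maps a uid 0 / gid 0 peercred bind over ldapi:// to; it is
# exactly the "SASL username" that ldapmodify -Y EXTERNAL prints.
PEERCRED_ROOT='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Config-database entry for the initialising LDIF. The explicit olcAccess
# grants the local root identity manage rights; "by * break" hands every other
# client on to later rules, of which there are none, so they stay denied.
# Unnumbered names (olcDatabase=config) are fine: slapadd assigns the {n}.
config_db_entry() {
    cat <<EOF
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to * by dn.exact=$PEERCRED_ROOT manage by * break
EOF
}

# Inspect a "slapcat -n 0" dump (file name in $1). Exit 0 when the config
# database carries an olcAccess rule granting PEERCRED_ROOT manage access,
# 1 otherwise. LDIF continuation lines (leading space) are unfolded first,
# because slapcat wraps long values such as this ACL.
check_config_acl() {
    awk -v who="$PEERCRED_ROOT" '
        function handle(line,   d) {
            if (line ~ /^dn: /) {
                d = substr(line, 5)
                sub(/^olcDatabase=[{][0-9]+[}]/, "olcDatabase=", d)
                in_cfg = (d == "olcDatabase=config,cn=config")
            } else if (in_cfg && line ~ /^olcAccess: / &&
                       index(line, "dn.exact=" who) && line ~ / manage( |$)/) {
                found = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") handle(buf); buf = $0 }
        END { if (buf != "") handle(buf); if (found) exit 0; exit 1 }
    ' "$1"
}

# Rebuild slapd.d from the initialising LDIF with slapd stopped. slapadd will
# not populate a non-empty config directory, so the old one is moved aside and
# kept rather than deleted.
rebuild_config() {
    rc-service slapd stop
    [ -d "$SLAPD_D" ] && mv "$SLAPD_D" "$SLAPD_D.bak.$(date +%s)"
    mkdir -p "$SLAPD_D"
    slapadd -n 0 -F "$SLAPD_D" -l "$INIT_LDIF"
    chown -R "$SLAPD_USER:$SLAPD_USER" "$SLAPD_D"
    slaptest -F "$SLAPD_D"
    rc-service slapd start
}

# After the rebuild the original change goes through over ldapi://. No -D is
# needed with SASL EXTERNAL. $1 is the hash produced by slappasswd.
set_config_rootpw() {
    ldapmodify -Q -H ldapi:/// -Y EXTERNAL <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $1
EOF
}

case "${1:-}" in
    check)   check_config_acl "$2" && echo "config DB grants $PEERCRED_ROOT" ;;
    entry)   config_db_entry ;;
    rebuild) rebuild_config ;;
    setpw)   set_config_rootpw "$2" ;;
esac
```

Run "sh fix-config-acl.sh check <(slapcat -n 0)" (or against a saved dump)
to confirm the current state is the locked-out one, splice the output of
"entry" into the init LDIF in place of the missing config-database entry,
then "rebuild". The "by * break" form is deliberate: it keeps the config
database closed to everything except the local root socket, which is the
least-privilege shape you want for cn=config on a host where only root
administers slapd. If remote administration of cn=config is really needed,
set an olcRootPW on the config database (the "setpw" step) and bind as
cn=config with a simple bind over TLS, rather than widening the ACL.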