Hi Sami,

Yes, there is an olcRootDN (and its password) for the mdb database. But if I understand correctly, the olcRootDN is valid only for its database. Anyway, this olcRootDN and associated password don't work with the config database. As for the ACL, again maybe I'm wrong, but from the documentation it seems that the RootDN is always allowed whatever the ACLs are. And I can't change them either, as I bump into the same problem as for the log level :(

Thanks

On Mon, Apr 3, 2017 at 5:30 PM, Sami <s.aitalioulahcen@cnrst.ma> wrote:

Hi Huret,

Could you check if the olcRootDN is in the db conf file /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{x\}mdb.ldif ?
Also, your olcAccess could be the problem since you denied everything for everyone.
I'm no openldap expert, so others can correct me if I'm wrong.

- -
Sami


On 03/04/2017 11:04, huret deffgok wrote:
Hi list,

I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40 (CentOS 7).
So far so good, the server is working, but then I found myself systematically denied when I tried to adjust the log level (or anything else in fact).
In my olcDatabase=\{0\}config.ldif I see that I don't have an olcRootPW set for the olcRootDN of this DB (I guess I made an error with my slapd.conf used for the migration with slaptest). The production db (on mdb, I hope it is stable enough with the CentOS 7 shipped version btw) is running fine and has an olcRootPW set and working.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 07bfeb05
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig

If I try to just read the log level with:

root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

(and I don't have any password to feed it)

Or:
root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


My question is, if it is indeed my problem, how can I add an olcRootPW to the config database, if it's possible at all?

Thank you,
kfx
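A worked version of the repair the original question asks about, added here as an example and not taken from the thread or from the OpenLDAP project. It assumes the openldap-clients and openldap-servers tools (slappasswd, ldapmodify, ldapsearch) and a slapd listening on ldapi:///; the function names (make_config_fix_ldif, check_config_fix_ldif) are my own, and the hash used in the self-test is a constructed placeholder. The LDIF adds an olcRootPW to olcDatabase={0}config and, in the same modification, replaces the thread's "to * by * none" rule with one that grants the local root user (the peercred identity shown in the SASL/EXTERNAL output above) manage rights, so that the config database stays reachable over ldapi:/// even if the password is lost again.

```shell
#!/bin/sh
# Added example, not code from the thread: give the cn=config database a root
# password and an ACL that lets local root manage it over ldapi:///.
# Assumes slappasswd/ldapmodify/ldapsearch are installed and slapd listens on
# ldapi:///. Hash values passed in by the caller come from slappasswd.

# Build the LDIF modification for olcDatabase={0}config. $1 is the password
# hash produced by slappasswd (e.g. "{SSHA}..."). Prints only; applies nothing.
make_config_fix_ldif() {
    hash="$1"
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
-
add: olcRootPW
olcRootPW: $hash
EOF
}

# Sanity check a generated modification before applying it: exactly one
# olcAccess line, exactly one olcRootPW line, and the password is a hashed
# value (starts with "{SCHEME}"), never clear text. $1 is the LDIF text.
check_config_fix_ldif() {
    ldif="$1"
    [ "$(printf '%s\n' "$ldif" | grep -c '^olcAccess: ')" -eq 1 ] &&
    [ "$(printf '%s\n' "$ldif" | grep -c '^olcRootPW: [{]')" -eq 1 ]
}

# Interactive path: generate the hash, apply the change as root over the
# local socket, then prove the new rootdn password works by reading the
# attribute the original poster could not read.
main() {
    if ! command -v slappasswd >/dev/null 2>&1; then
        echo "slappasswd not found; install openldap-servers" >&2
        return 1
    fi
    # slappasswd prompts for the password, so it never appears in argv.
    hash=$(slappasswd) || return 1
    ldif=$(make_config_fix_ldif "$hash")
    check_config_fix_ldif "$ldif" || { echo "generated LDIF failed checks" >&2; return 1; }
    # SASL/EXTERNAL over ldapi:/// maps to the peercred identity named in the ACL.
    printf '%s\n' "$ldif" | ldapmodify -Y EXTERNAL -H ldapi:/// || return 1
    # Verify: simple bind as cn=config with the new password and read olcLogLevel.
    ldapsearch -x -H ldapi:/// -D cn=config -W -b cn=config -s base -LLL olcLogLevel
}

# Only touch the directory when explicitly asked; sourcing the file for its
# functions (or running the self-test) must stay side-effect free.
if [ "${1-}" = "--apply" ]; then
    main
fi
```

Run it as `sh fix-config-rootpw.sh --apply` on the server itself. One caveat that matters for the thread's exact situation: with the existing "olcAccess: {0}to * by * none" still in place, the online ldapmodify over ldapi:/// is refused as well (the "No such object" answer to the SASL/EXTERNAL search above is that ACL denying even local root access to the cn=config entry), so in that state the same two attributes have to be written into olcDatabase={0}config.ldif while slapd is stopped, after which the script's verification step can be used to confirm the result. Once the peercred ACL is present, the olcRootPW is a convenience rather than the only way in, since the rootdn bypasses ACLs and local root can always repair the config database over ldapi:///.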