Thanks again, I think I figured it out. I made some edits to the olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to the database. (It sure does help when you read the right set of instructions)
Unfortunately I somehow seem to have corrupted the database too. Now when I restart the server I get the following in syslog.
----------------------
Jul 8 08:27:30 bison slapd[11407]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $ ^Ibuildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
Jul 8 08:27:30 bison slapd[11408]: bdb_db_open: database "dc=moores,dc=ca" cannot be opened, err 13. Restore from backup!
Jul 8 08:27:30 bison slapd[11408]: bdb(dc=moores,dc=ca): txn_checkpoint interface requires an environment configured for the transaction subsystem
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": txn_checkpoint failed: Invalid argument (22).
Jul 8 08:27:30 bison slapd[11408]: backend_startup_one: bi_db_open failed! (13)
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": alock_close failed
Jul 8 08:27:30 bison slapd[11408]: slapd stopped.
----------------------
Interestingly, if I run slapd from the command line instead of in the background it still works. (Though possibly in read-only mode, I'm not sure.) Why does it not work when run from /etc/init.d too?
I came across this post WRT how to fix the database:
http://techarold.blogspot.com/2006/07/more-openldap-recovery.html
and it suggests running a utility called slapd_db_recover. There is no such utility on my system nor in any of the Ubuntu repos that I can see. Is this something that is supposed to come with OpenLDAP?
cheers, darryl
P.S. It is too bad this list is configured as it is. I got several replies to my initial query but most came back as private emails. One of the benefits of email lists is that others can gain insight simply by following a conversation without having to participate, but if the default reply is to the sender rather than the list then most of the time the list subscribers will never see them.
Jonathan Clarke wrote:
Hi,
On 07/07/2009 17:13, Darryl Moore wrote:
Hi all,
I've installed an LDAP server on my network against which all my users can authenticate. They can even change their passwords via GUI or CLI without any issue.
What I am trying to do now is allow each one of them to have an address book in their subtree.
I created a subtree in each authentication realm that looks like this:
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am unable to get the user to be able to. In fact I can't seem to allow the user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes, I restart slapd every time I change this file)
I presume you mean slapd.conf file, not ldap.conf.
When testing this, make sure to put this rule as the *first* access rule in the slapd.conf file.
Order is important in ACLs, since the first matching rule will apply. So if your "access to * by * write" is not the first, it probably is never reached.
I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write
A quick excerpt from the admin guide:
To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute.
Be careful of "self" as well, it only represents the current user's entry, not its children/etc.
Hope this helps, Jonathan
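An ACL set that applies Jonathan's two points (ordering, and "self" not covering the user's subtree) to the ou=Contacts layout from the original question, written as an added example in the cn=config (slapd.d) form the first message refers to; it is not from either poster. It assumes the suffix dc=domain,dc=ca lives in olcDatabase={1}bdb and, in place of "by self", uses a regex capture of the owning uid entry expanded with dn.exact,expand:

```ldif
# Constructed example: replaces the whole ACL list of the dc=domain,dc=ca
# database. Apply as root with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
# {0}: passwords first, so the catch-all read rule below never exposes them
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: adding or deleting an entry directly under ou=Contacts needs write on the
#      container's "children" pseudo-attribute; $1 is the owning uid=... entry
olcAccess: {1}to dn.regex="^ou=Contacts,(uid=[^,]+,ou=People,dc=domain,dc=ca)$" attrs=children
  by dn.exact,expand="$1" write
  by * none
# {2}: the address-book entries themselves: write on their "entry"
#      pseudo-attribute (needed for add/delete) and on all ordinary attributes;
#      "by * none" keeps one user's contacts invisible to other users
olcAccess: {2}to dn.regex="^.+,ou=Contacts,(uid=[^,]+,ou=People,dc=domain,dc=ca)$"
  by dn.exact,expand="$1" write
  by * none
# {3}: general read access last, because the first matching rule wins
olcAccess: {3}to *
  by users read
  by * none
```

The rootdn bypasses these rules entirely, which is why rootdn adds worked while the user's did not; test with a bind as the uid=... entry itself.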