Le 09/01/2012 14:40, Buchan Milne a écrit :
On Monday, 9 January 2012 13:29:05 rey sebastien wrote:
Hi!

I start with a fresh installation of openldap 2.4.28 on debian. They are
some problem with the debian package, and with gnuTLS, so i compile a
version with opennSSL library.

It's hard to understand with the official documentation how to start a
from scratch installation with the new cn=config administration of
openLDAP. So, i make a conversion ( with the great help of users on this
mailling list ) from slapd.conf to cn=config on the first launch of

openLDAP with this commands :
|/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F
|/usr/local/etc/openldap/slapd.d/ -d -1

My slapd.conf.seb, really simple, equal :
|include         /usr/local/etc/openldap/schema/cosine.schema

include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/gosa/samba3.schema
include         /usr/local/etc/openldap/schema/gosa/trust.schema
include         /usr/local/etc/openldap/schema/gosa/gofax.schema
include         /usr/local/etc/openldap/schema/gosa/gofon.schema
include         /usr/local/etc/openldap/schema/gosa/gosystem.schema
include         /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include         /usr/local/etc/openldap/schema/gosa/goto.schema
include         /usr/local/etc/openldap/schema/gosa/goserver.schema
include         /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include         /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/gosa/dnszone.schema
include         /usr/local/etc/openldap/schema/gosa/nagios.schema
include         /usr/local/etc/openldap/schema/gosa/dhcp.schema
include         /usr/local/etc/openldap/schema/gosa/sudo.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

database        bdb
suffix          "dc=parisgeo,dc=cnrs,dc=fr"
rootdn          "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw  {SSHA} secret
directory       /srv/openldap-data
index   objectClass     eq


So, you have no definition for 'database config', and thus haven't set a 
rootpw for it, or any ACLs on it for other users. The only alternative that 
does not require a database definition for 'database config', an auth-regexp 
to cn=config, is not present.
Thanks, i understand ... the slapd.conf doesn't contain the database config line ..
And i add some other parameters to disable anonymous, force bind, and only connect with STARTLS

My new slapd.conf before converting :

# global section
# Security - TLS section

TLSCertificateFile /etc/ssl/sCertificate/cert.pem
TLSCertificateKeyFile /etc/ssl/sCertificate/key.pem

#I use a self signed certificate, so TLSVerifyClient never
#TLSVerifyClient demand

# security - other directives
# prevents anonymous access to
# any connection
disallow bind_anon
require bind

security simple_bind=128

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/gosa/samba3.schema
include         /usr/local/etc/openldap/schema/gosa/trust.schema
include         /usr/local/etc/openldap/schema/gosa/gofax.schema
include         /usr/local/etc/openldap/schema/gosa/gofon.schema
include         /usr/local/etc/openldap/schema/gosa/gosystem.schema
include         /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include         /usr/local/etc/openldap/schema/gosa/goto.schema
include         /usr/local/etc/openldap/schema/gosa/goserver.schema
include         /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include         /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/gosa/dnszone.schema
include         /usr/local/etc/openldap/schema/gosa/nagios.schema
include         /usr/local/etc/openldap/schema/gosa/dhcp.schema
include         /usr/local/etc/openldap/schema/gosa/sudo.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}secret1

database        bdb
suffix          "dc=parisgeo,dc=cnrs,dc=fr"
rootdn          "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"

rootpw  {SSHA}secret2

directory       /srv/openldap-data

index   objectClass     eq

I change the ldap.conf to :

BASE    dc=parisgeo,dc=cnrs,dc=fr
URI ldap://localhost
TLS_CACERT /etc/ssl/SSignedCertificate/cert.pem
TLS_REQCERT demand


I change the slapd_services to :

SLAPD_SERVICES="ldap:/// ldapi:///"


So it's ok, now it's possible  :-) to connect and add people with this type of line

ldapsearch -D cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*' -H ldap://localhost -ZZ -d -1

Thanks for your help on this point Buchan.
I have also three little question of misunderstanding about hierarchy

1-  I don't understand why i cannot access with -D cn=admin,dc=parisgeo,dc=cnrs,dc=fr or with
-D cn=config,dc=parisgeo,dc=cnrs,dc=fr . There is no hierarchical information here ?

root@xxxx:/usr/local/etc/openldap# ldapsearch -D cn=admin,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*' -H ldap://localhost -ZZ
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


2- Second question, I don't understand the difference between the cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr database rootdn, and an admin user defined like this ldif sample :

# Admin user.
dn: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:
{SSHA}secret2

I need to define the two .. but why i need to create a second cn=admin user, with the same password for the same domain ?

3 - Third question, same logic, why when i define a bdd, openldap doesn't define automaticly my top level domain dc=parisgeo,dc=cnrs,dc=fr like this sample :

dn: dc=parisgeo,dc=cnrs,dc=fr
objectClass: top
objectClass: dcObject
objectclass: organization
o: xxx
description: My Top Domain


Thanks a lot for advice me on this point if you have time,
SR.

I have no problem with this simple conversion, but after that, it's
impossible to import data with this command ldapadd or ldapmodify.

I don't understand the default right for read/write for openLDAP, i try

with ldapmodify, with bind and password, and i have the same problem :
|root@xxxx:/usr/local/etc/openldap# ldapadd -x -D
|"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif

Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
     additional info: structuralObjectClass: no user modification allowed
Why should the rootdn for one database automatically get write access to 
another database?

I try to modify the right for cn=config with this sample :
|dn: olcDatabase={-1}frontend,cn=config

changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
Well, this might work if you had mapped a SASL EXTERNAL identity to the 
cn=config rootdn, but you didn't.

If you added the equivalent slapd.conf configuration to your slapd.conf prior 
to conversion, your problem would be solved.

Same problem, i have no right todo that, with or without option the
password entry -W or bind option -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"

|root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f
|slapd.modify.root.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)

root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f
slapd.modify.root.ldif Enter LDAP Password: ldap_bind: Invalid credentials
(49)

root@xxxxx:/usr/local/etc/openldap# ldapadd -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:///
-f slapd.modify.root.ldif Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)|

Anybody have this problem in the past, and have an idea of the solution
to create a good start configuration from scratch installation ?
Something like this would create a minimal config, that you would be able to 
add schema and databases to afterwards:

PASS=$(slappasswd)
echo -e "database config\nrootpw  $PASS" > /tmp/slapd-initial.conf
slaptest -f /tmp/slapd-initial.conf -F /etc/*ldap/slapd.d
chown -R ldap:ldap /etc/*ldap/slapd.d
slapd -u ldap -g ldap
ldapwhoami -x -D cn=config -W

If you don't already have all your schema in ldif format, you may prefer to 
have a bigger slapd.conf that includes all your schema, before doing the 
conversion. Or, you could just add a two or three line database definition to 
your existing slapd.conf and re-convert.

Or, you could look at the content in the EXAMPLES section of slapd-config(5), 
and create an intial ldif configuration instead, and just slapadd it ...

Regards,
Buchan