Thanks, i understand ... the slapd.conf doesn't contain the database config line ..On Monday, 9 January 2012 13:29:05 rey sebastien wrote:Hi! I start with a fresh installation of openldap 2.4.28 on debian. They are some problem with the debian package, and with gnuTLS, so i compile a version with opennSSL library. It's hard to understand with the official documentation how to start a from scratch installation with the new cn=config administration of openLDAP. So, i make a conversion ( with the great help of users on this mailling list ) from slapd.conf to cn=config on the first launch of openLDAP with this commands : |/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F |/usr/local/etc/openldap/slapd.d/ -d -1 My slapd.conf.seb, really simple, equal : |include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/ppolicy.schema include /usr/local/etc/openldap/schema/gosa/samba3.schema include /usr/local/etc/openldap/schema/gosa/trust.schema include /usr/local/etc/openldap/schema/gosa/gofax.schema include /usr/local/etc/openldap/schema/gosa/gofon.schema include /usr/local/etc/openldap/schema/gosa/gosystem.schema include /usr/local/etc/openldap/schema/gosa/goto-mime.schema include /usr/local/etc/openldap/schema/gosa/goto.schema include /usr/local/etc/openldap/schema/gosa/goserver.schema include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema include /usr/local/etc/openldap/schema/gosa/dnszone.schema include /usr/local/etc/openldap/schema/gosa/nagios.schema include /usr/local/etc/openldap/schema/gosa/dhcp.schema include /usr/local/etc/openldap/schema/gosa/sudo.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args database bdb suffix "dc=parisgeo,dc=cnrs,dc=fr" rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" rootpw {SSHA} secret directory /srv/openldap-data index objectClass eqSo, you have no definition for 'database config', and thus haven't set a rootpw for it, or any ACLs on it for other users. The only alternative that does not require a database definition for 'database config', an auth-regexp to cn=config, is not present.
ldapsearch -D cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*' -H ldap://localhost -ZZ -d -1
Thanks for your help on this point Buchan.I have no problem with this simple conversion, but after that, it's impossible to import data with this command ldapadd or ldapmodify. I don't understand the default right for read/write for openLDAP, i try with ldapmodify, with bind and password, and i have the same problem : |root@xxxx:/usr/local/etc/openldap# ldapadd -x -D |"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif Enter LDAP Password: xxx adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowedWhy should the rootdn for one database automatically get write access to another database?I try to modify the right for cn=config with this sample : |dn: olcDatabase={-1}frontend,cn=config changetype: modify delete: olcAccess dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootDN olcRootDN: cn=admin,cn=config dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA} secret dn: olcDatabase={0}config,cn=config changetype: modify delete: olcAccess ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldifWell, this might work if you had mapped a SASL EXTERNAL identity to the cn=config rootdn, but you didn't. If you added the equivalent slapd.conf configuration to your slapd.conf prior to conversion, your problem would be solved.Same problem, i have no right todo that, with or without option the password entry -W or bind option -D "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" |root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f |slapd.modify.root.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Insufficient access (50) root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f slapd.modify.root.ldif Enter LDAP Password: ldap_bind: Invalid credentials (49) root@xxxxx:/usr/local/etc/openldap# ldapadd -D "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif Enter LDAP Password: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Insufficient access (50)| Anybody have this problem in the past, and have an idea of the solution to create a good start configuration from scratch installation ?Something like this would create a minimal config, that you would be able to add schema and databases to afterwards: PASS=$(slappasswd) echo -e "database config\nrootpw $PASS" > /tmp/slapd-initial.conf slaptest -f /tmp/slapd-initial.conf -F /etc/*ldap/slapd.d chown -R ldap:ldap /etc/*ldap/slapd.d slapd -u ldap -g ldap ldapwhoami -x -D cn=config -W If you don't already have all your schema in ldif format, you may prefer to have a bigger slapd.conf that includes all your schema, before doing the conversion. Or, you could just add a two or three line database definition to your existing slapd.conf and re-convert. Or, you could look at the content in the EXAMPLES section of slapd-config(5), and create an intial ldif configuration instead, and just slapadd it ... Regards, Buchan