On Thu, Jun 27, 2013 at 6:26 AM, Dan White dwhite@olp.net wrote:
On 06/26/13 15:34 -0700, Michael Roth wrote:
Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that?
If you bind as the rootdn, ACL restrictions do not apply. To view your existing olcRootDN/olcRootPW configuration, do:
slapcat -n0
On 06/27/13 10:13 -0700, Michael Roth wrote:
How do I bind as the rootdn when I use the command "sudo ldapmodify -Y EXTERNAL -f smbkrb5pwd_load.ldif"
By setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
use:
sudo ldapwhoami -Y EXTERNAL -H ldapi:///
to troubleshoot.
See the manpage for slapd-conf for documentation.
I entered slapcat -n0 and found that dn: cn=module{0},cn=config doesn't have an admin in it.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: d36d2386-2d84-1031-9046-6d09752e7d3a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120508181023Z
entryCSN: 20120508181023.990015Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120508181023Z
Since you don't have any of the above config in place, you have a chicken and egg problem with manipulating your configuration. You should dump it to portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
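As an added check that is not part of the thread: the script below compares the SASL EXTERNAL identity that ldapwhoami reports over ldapi:/// against the olcRootDN of the config database in a slapcat -n0 dump, which is the mismatch behind the chicken-and-egg problem above. The function names and the embedded sample LDIF are constructed for the example; it handles LDIF line folding, which slapcat uses for long values.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the identity that
# `ldapwhoami -Y EXTERNAL -H ldapi:///` reports is the olcRootDN of the
# config database in a `slapcat -n0` dump. Function names are hypothetical.

# Join LDIF continuation lines (a leading space continues the previous line).
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}

# Print the values of attribute $2 in the entry with dn $1, reading LDIF on stdin.
ldif_attr() {
  ldif_unfold | awk -v dn="dn: $1" -v attr="$2:" '
    $0 == dn { in_entry = 1; next }
    /^$/     { in_entry = 0 }
    in_entry && index($0, attr) == 1 { v = $0; sub(/^[^:]*: */, "", v); print v }'
}

# $1: the "dn:..." line printed by ldapwhoami; $2: the slapcat -n0 output.
# Exit 0 if the identity is the config rootdn (ACLs bypassed), 1 if it is some
# other DN, 2 if the config database has no olcRootDN at all.
check_config_rootdn() {
  ident="${1#dn:}"
  rootdn=$(printf '%s\n' "$2" | ldif_attr 'olcDatabase={0}config,cn=config' olcRootDN)
  if [ -z "$rootdn" ]; then
    echo "config database has no olcRootDN; $ident is subject to olcAccess"; return 2
  elif [ "$rootdn" = "$ident" ]; then
    echo "$ident is the config rootdn"; return 0
  fi
  echo "config rootdn is '$rootdn', EXTERNAL identity is '$ident'"; return 1
}

# Constructed sample data: what ldapwhoami prints over ldapi:/// as root, and
# two slapcat -n0 excerpts (the second folds olcRootDN across two lines).
WHOAMI_ROOT='dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
CONFIG_NO_ROOTDN='dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
'
CONFIG_PEERCRED_ROOTDN='dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth
'

check_config_rootdn "$WHOAMI_ROOT" "$CONFIG_NO_ROOTDN" || echo "status $?"        # 2
check_config_rootdn "$WHOAMI_ROOT" "$CONFIG_PEERCRED_ROOTDN" || echo "status $?"  # 0
```

On a live server, replace the two samples with the output of sudo ldapwhoami -Y EXTERNAL -H ldapi:/// and sudo slapcat -n0.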