On 02/07/14 14:39 +0100, Ali Gholami wrote:
> Thanks Vikas for the reply.
> I removed the line to point to the "slapd.conf" and now I could run the service. But I get another error when I try to add the structure of the entries using:
> $sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f structure.ldif:
This is likely performing SASL EXTERNAL peercred authentication rather than the external TLS authentication you intended below.
> adding new entry "dc=x,dc=y"
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent
> I've created the ".ldaprc" in my home directory which defines the X.509 certificates of the LDAP server and I've added the subject of the host certificate in the "slapd.conf":
> access to *
>         by dn="cn=admin,dc=x,dc=y" write
>         by dn="cn=allowed host,dc=x,dc=y" read
>         by * none
> authz-regexp CN=ldap.biobankcloud.eu,O=BBC "cn=admin,dc=biobankcloud,dc=org"
> database bdb
> suffix "dc=x,dc=y"
> rootdn "cn=admin,dc=x,dc=y"
> rootpw {SSHA}blabla...
> Is there anything else that I should set or something broken?
Do:
sudo ldapwhoami -Y EXTERNAL -H ldapi:///
to obtain your resolved authentication identity, and create an appropriate authz-regexp rule that maps that identity to your desired user, e.g.:
authz-regexp "uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=biobankcloud,dc=org"
See: http://www.openldap.org/doc/admin24/sasl.html
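The procedure in the reply above, as an added example that is not part of the original thread: take the identity that ldapwhoami reports for a SASL EXTERNAL bind over ldapi://, escape it for use as a regex, and emit the authz-regexp line that maps it to the rootdn. The ldapwhoami output and slapd.conf fragment embedded here are constructed (the peercred form shown is what Linux reports for uid 0; values otherwise follow the placeholders in the original post), and the function names are this example's own. The point a practitioner trips over is the "+" in the peercred DN: unescaped, it is a regex quantifier and the rule silently never matches.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenLDAP.
# On a real system, capture the identity with:
#   ldapwhoami -Y EXTERNAL -H ldapi:/// | sed -n 's/^dn://p'

# Constructed sample of what ldapwhoami prints for a root peercred bind on
# Linux. The identity carries the caller's uid and gid, not a TLS subject.
SAMPLE_WHOAMI='dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Constructed slapd.conf fragment using the placeholder rootdn from the post.
SAMPLE_SLAPD_CONF='database bdb
suffix "dc=x,dc=y"
rootdn "cn=admin,dc=x,dc=y"
rootpw {SSHA}blabla...'

# Strip the "dn:" prefix from a ldapwhoami line to get the bare identity.
whoami_identity() {
    printf '%s\n' "$1" | sed -n 's/^dn://p'
}

# Backslash-escape regex metacharacters so authz-regexp matches the identity
# literally. Without this, "0+uidNumber" means "one or more zeros followed by
# uidNumber" and never matches the literal "0+uidNumber" in the bind DN.
escape_regex() {
    printf '%s' "$1" | sed -e 's/[][\\.*^$+?(){}|]/\\&/g'
}

# Build the slapd.conf directive mapping the SASL identity to a target DN.
authz_regexp_line() {
    identity=$1
    target=$2
    printf 'authz-regexp "%s" "%s"\n' "$(escape_regex "$identity")" "$target"
}

# Extract the rootdn value from a slapd.conf fragment.
conf_rootdn() {
    printf '%s\n' "$1" | sed -n 's/^rootdn[[:space:]]*"\(.*\)"$/\1/p'
}

# Sanity check: "no write access to parent" on the suffix entry is fixed by
# mapping to a DN that may write there; the rootdn always can, so confirm the
# chosen target is the configured rootdn rather than an unrelated DN.
target_is_rootdn() {
    [ "$(conf_rootdn "$1")" = "$2" ]
}

main() {
    identity=$(whoami_identity "$SAMPLE_WHOAMI")
    target='cn=admin,dc=x,dc=y'
    if ! target_is_rootdn "$SAMPLE_SLAPD_CONF" "$target"; then
        echo "warning: $target is not the rootdn; check the access directive" >&2
    fi
    authz_regexp_line "$identity" "$target"
}

main
```

After adding the emitted line to slapd.conf and restarting slapd, rerun ldapwhoami -Y EXTERNAL -H ldapi:///: it should now report the mapped DN rather than the peercred identity, and the ldapadd of the suffix entry should succeed.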