hello,
I am trying to set up PPs using this guide: https://tylersguides.com/guides/openldap-password-policy-overlay/
Everything went fine up to adding the OU for the PP:
policyou.ldif:
dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)
which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent")
Now I tried _several_ commands to fix this, then I did:
ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)
which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command.
What could be the problem with (1)?
Previously I used this guide to change the admin password twice: https://www.digitalocean.com/community/tutorials/how-to-change-account-passw...
Do I have to set the password for cn=admin,cn=config separately? If yes, could you suggest a HOWTO?
Many Thanks and Best Regards,
Felix
--
Felix Natter
On 12.02.22 20:00, Felix Natter wrote:
policyou.ldif:
dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)
which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent")
Now I tried _several_ commands to fix this, then I did:
ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)
which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command.
What could be the problem with (1)?
Looks like an issue with your ACLs. Here we have something like
to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
to enable ldapi auth for local root account.
Best regards
Ulf
hello Ulf,
Ulf Volmer u.volmer@u-v.de writes:
On 12.02.22 20:00, Felix Natter wrote:
policyou.ldif:
dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)
which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent")
Now I tried _several_ commands to fix this, then I did:
ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)
which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command.
What could be the problem with (1)?
Looks like an issue with your ACLs. Here we have something like
to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
to enable ldapi auth for local root account.
thank you for your reply! I managed to create the OU (please see my previous reply) :-)
Many Thanks and Best Regards,
--
Felix Natter
--On Saturday, February 12, 2022 8:00 PM +0100 Felix Natter fnatter@gmx.net wrote:
hello,
I am trying to set up PPs using this guide: https://tylersguides.com/guides/openldap-password-policy-overlay/
Everything went fine up to adding the OU for the PP:
policyou.ldif:
dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)
On most configurations, this gives access to the config database, not the binary storage backend (like back-mdb).
which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent")
So I would expect this.
Now I tried _several_ commands to fix this, then I did:
ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)
which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command.
It seems like this user has permission to your binary storage backend, although that's an odd DN to give access to it with.
What could be the problem with (1)?
I would say generally the problem is not understanding that different databases in slapd can have different privilege separations. Also there's no one rule to how a system is configured. You have to understand how your *specific* instance is configured, some random HOWTO (generally I call them HOW NOT TO) on the internet is not going to know your specific configuration.
--Quanah
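Putting Ulf's ACL and Quanah's point about per-database privilege separation together, here is an added example that is not from any poster in this thread: a small POSIX shell script with a constructed cn=config listing (the EXTERNAL root identity has manage rights on the config database but not on the mdb database, which is why command (1) fails), a check that reports which databases actually grant that identity manage rights, and the LDIF that would add Ulf's rule to the data database. The sample listing and the database DN olcDatabase={1}mdb,cn=config are assumptions; Ulf's rule ends with "by * none", the example uses "by * break" so the database's remaining rules still apply to every other user.

```shell
# Added example, not code from the thread. SAMPLE_CONFIG is CONSTRUCTED to look like
# "ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b cn=config olcAccess" on a typical packaged
# install: the config database grants the ldapi root peercred identity "manage", the mdb
# data database does not, so command (1) from the thread gets "no write access to parent".
SAMPLE_CONFIG='dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read'

ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Print the DN of every database whose olcAccess grants the root peercred identity
# "manage" (both the quoted dn.base="..." and the unquoted dn.exact=... spellings count).
dbs_with_root_manage() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      'dn: '*) dn=${line#dn: } ;;
      'olcAccess: '*)
        case "$line" in
          *"$ROOT_PEERCRED manage"*|*"$ROOT_PEERCRED\" manage"*) printf '%s\n' "$dn" ;;
        esac ;;
    esac
  done
}

# Emit the LDIF that inserts Ulf's rule at index {0} of the given database DN
# (assumed here: olcDatabase={1}mdb,cn=config). "by * break" instead of Ulf's
# "by * none" keeps the existing rules in force for everyone else.
root_manage_ldif() {
  cat <<EOF
dn: $1
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="$ROOT_PEERCRED" manage by * break
EOF
}

# Typical use against a running slapd. The config database already accepts the
# EXTERNAL root bind, so this modification succeeds where (1) against the data tree did not:
#   root_manage_ldif 'olcDatabase={1}mdb,cn=config' > root-manage.ldif
#   ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f root-manage.ldif
echo "databases in the sample that already grant root peercred manage:"
dbs_with_root_manage "$SAMPLE_CONFIG"
```

Re-run the check after applying the LDIF; the mdb database should then appear in the list too.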
hello Quanah,
Quanah Gibson-Mount quanah@fast-mail.org writes:
What could be the problem with (1)?
I would say generally the problem is not understanding that different databases in slapd can have different privilege separations. Also there's no one rule to how a system is configured. You have to understand how your *specific* instance is configured, some random HOWTO (generally I call them HOW NOT TO) on the internet is not going to know your specific configuration.
many thanks for the reply! I managed to create the OU now :-) The password policy is not enforced though. I am currently trying to understand [1] [2]. I might send a second post (if I don't get it), because it does not seem to be related.
[1] https://www.openldap.org/doc/admin25/guide.html#Password%20Policies
[2] ppolicy_hash_cleartext
Many Thanks and Best Regards,
Felix
--
Felix Natter
openldap-technical@openldap.org