OpenLDAP 2.6.6r1 on Alpine Linux aarch64
Not sure what I am doing wrong but I am unable to change the rootDN's password.
# ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Insufficient access (50)
I also tried remotely, and same thing.
I noticed *olcAccess: {0}to * by * none* in the config DB but I didn't put that there, and not sure how to change it.
Here is the slapcat output: (Also, at the end I copied the LDIF I use to initialize the LDAP)
/ # slapcat -n 0
dn: cn=config
objectClass: olcGlobal
cn: config
olcDisallows: bind_anon
olcRequires: authc
structuralObjectClass: olcGlobal
entryUUID: 3ebf1971-b32e-41eb-ac58-a0a30fe18734
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.508761Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap
olcModuleLoad: {0}back_mdb.so
olcModuleLoad: {1}refint.so
olcModuleLoad: {2}memberof.so
olcModuleLoad: {3}argon2.so
structuralObjectClass: olcModuleList
entryUUID: 3b732d07-c664-4294-87ca-d5e29a32aa6c
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.509009Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: c38bf741-8d4a-4e36-b012-22a70577d429
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.509955Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
[snip] ...

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {ARGON2}
structuralObjectClass: olcDatabaseConfig
entryUUID: 4459a62b-80f9-449c-b4a6-20cd2108a486
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512390Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
*olcAccess: {0}to * by * none*
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcLastBind: FALSE
olcLastBindPrecision: 0
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 08d3cdfa-b552-45ab-a183-fc5802e9c910
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap/openldap-data
olcSuffix: dc=foo,dc=bar
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW:: e0FSR09OMn0kYXJnb24yaSR2PTE5JG09NDA5Nix0PTMscD0xJHVKeWYwVWZCMjVTUV
 RmWDdvQ3lLMnckVTQ1REpxRUZ3RDB5RmFMdlRWeUFDSEx2R013ek5HZjE5ZHZ6UFI4WHZHYw==
olcDbIndex: objectClass eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 169807ec-3bfc-4a20-b4ab-e60cddd777a2
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.512483Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOfConfig
entryUUID: f45b11d4-aba8-40ec-83b5-5688aa6c4c42
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513061Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: uniqueMember
olcRefintAttribute: manager
olcRefintAttribute: owner
olcRefintNothing: cn=admin,dc=foo,dc=bar
structuralObjectClass: olcRefintConfig
entryUUID: 498d5840-1ebf-43d9-ad16-264069969adc
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513211Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z

dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcRootDN: cn=config
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 82712ebd-5149-496a-bec8-a2853249d9f3
creatorsName: cn=config
createTimestamp: 20231025213204Z
entryCSN: 20231025213204.513336Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231025213204Z
Here is the LDIF I am using to initialize the LDAP and populate slapd.d:
# config global
dn: cn=config
objectClass: olcGlobal
cn: config
#TODO: fine tune security level restrictions
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
olcDisallows: bind_anon
olcRequires: authc

# dynamic backend modules:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_mdb.so
olcModuleLoad: refint.so
olcModuleLoad: memberof.so
olcModuleload: argon2.so

# schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/dynamodel.ldif

# frontend settings
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcPasswordHash: {ARGON2}

# LMDB database definitions
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=foo,dc=bar
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq

# memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# refint overlay
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: uniqueMember
olcRefintAttribute: manager
olcRefintAttribute: owner
olcRefintNothing: cn=admin,dc=foo,dc=bar

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
Thank you in advance for any pointers !
Hi,
when comparing the LDIF you used to initialize with the slapcat output, what I can see is that you have no distinct definition of olcDatabase={0}config,cn=config. I suspect that OpenLDAP then used default values, including the "to * by * none" ACL.
How mission critical is this server? Can you backup/restore? Is this a VM that you can clone?
First thing I would do is not to use "-Y EXTERNAL -H ldapi:///" because with that you don't connect as RootDN but as "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" as you can see from the ldapmodify output.
Try the following (and replace with the correct URL):
$ ldifmodify -x -H ldap://localhost/ -D cn=config -W << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
EOF
You will be asked for the old RootPW.
If that fails I would take the slapcat output, clean the operational attributes from it, change the problematic ACL to something more sensible (and the olcRootPW) and use that to re-create the LDAP's configuration.
Following steps are from the top of my head, so don't follow blindly:
- Stop slapd
- Make a backup of your slapd.d directory and your data directory
- Remove the content of the slapd.d directory
- Use slapadd with the prepared LDIF to re-create the slapd.d directory
- Change the ownership of the slapd.d directory
- Start slapd
Hope that helps,
Uwe
On 25.10.23 at 23:52, Alejandro Imass wrote:
-- Alex
--On Thu> Try the following (and replace with the correct URL):
$ ldifmodify -x -H ldap://localhost/ -D cn=config -W << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
EOF
There doesn't appear to be an old olcRootPW value either, so that wouldn't work.
Generally, they'll need to export their DB via slapcat to an LDIF file, and then either add an olcRootPW value to it and re-import it, or add a SASL mapping for the root user so that EXTERNAL works, and re-import it.
--Quanah
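The cleanup Uwe describes and the export and re-import Quanah outlines, as an added example that is not part of the thread: it unfolds slapcat -n 0 output, drops the operational attributes, and replaces the "to * by * none" ACL on the config database with one that grants manage to the local root peercred identity. It takes the ACL route Alejandro mentions rather than Quanah's SASL mapping; the function names, the sample input and the password placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): prepare `slapcat -n 0` output for slapadd.
# Identity slapd reports for local root over ldapi:/// with SASL EXTERNAL (from the thread).
ROOT_PEER='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Usage: prepare_config_ldif 'HASH' < slapcat.ldif > prepared.ldif
# HASH is a slappasswd-style value; pass '' to leave olcRootPW unset on the config DB.
prepare_config_ldif() {
    awk -v peer="$ROOT_PEER" -v pw="$1" '
    BEGIN {
        # Operational attributes that slapd regenerates on import.
        n = split("structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp", ops, " ")
        for (i = 1; i <= n; i++) drop[tolower(ops[i])] = 1
    }
    function close_entry() {
        # The config database entry ends with exactly one ACL and at most one rootPW.
        if (in_cfg) {
            print "olcAccess: {0}to * by dn.exact=" peer " manage by * none"
            if (pw != "") print "olcRootPW: " pw
        }
        in_cfg = 0
    }
    function handle(line,    attr) {
        if (line == "") { close_entry(); print ""; return }
        attr = tolower(line); sub(/:.*/, "", attr)
        if (attr == "dn") { close_entry(); in_cfg = (tolower(line) == "dn: olcdatabase={0}config,cn=config") }
        if (attr in drop) return
        if (in_cfg && (attr == "olcaccess" || attr == "olcrootpw")) return
        print line
    }
    /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line: unfold it
    { if (NR > 1) handle(buf); buf = $0 }
    END { if (NR > 0) handle(buf); close_entry() }
    '
}

# Constructed excerpt modelled on the slapcat output in the thread (hash is a placeholder).
sample_slapcat() {
    cat <<'EOF'
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: 08d3cdfa-b552-45ab-a183-fc5802e9c910
creatorsName: cn=config
entryCSN: 20231025213204.512505Z#000000#000#000000
modifiersName: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW:: Y29uc3RydWN0ZWQt
 cGxhY2Vob2xkZXI=
entryUUID: 169807ec-3bfc-4a20-b4ab-e60cddd777a2
EOF
}

sample_slapcat | prepare_config_ldif '{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT'
```

The output is the prepared LDIF for the slapadd step in Uwe's list (slapd stopped, slapd.d backed up and emptied first), loaded into database 0 with slapadd -n 0 -F /etc/openldap/slapd.d -l prepared.ldif.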
Thank you for answering my question, comments below:
On Thu, Oct 26, 2023 at 10:52 PM Uwe Sauter uwe.sauter.de@gmail.com wrote:
when comparing the LDIF you used to initialize with the slapcat output, what I can see is that you have no distinct definition of olcDatabase={0}config,cn=config. I suspect that OpenLDAP then used default values, including the "to * by * none" ACL.
None of the docs or any examples show how to set up a specific section for olcDatabase={0}config,cn=config, not even the default ldif file that comes with the distribution.
This might help others in the future if they encounter Insufficient access (50) from hell:
slapadd and slapmodify did work for me as root directly on the file system. So for example:
/usr/sbin/slapmodify -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/secure.ldif 2>&1
Where secure.ldif would contain something like this:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
That worked like a charm.
How mission critical is this server? Can you backup/restore? Is this a VM that you can clone?
We are preparing for our first production release so I want to tidy up the bootstrapping before we take it live (next week).
First thing I would do is not to use "-Y EXTERNAL -H ldapi:///" because with that you don't connect as RootDN but as "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" as you can see from the ldapmodify output.
Yeah I realized that, and I guess would need to add a specific ACL to allow manager for dn exact match of that. I tried all those things but to no avail, I am guessing because of that default rule of to * by * none.
Try the following (and replace with the correct URL):
$ ldifmodify -x -H ldap://localhost/ -D cn=config -W << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
EOF
What is ldifmodify ?
You will be asked for the old RootPW.
If that fails I would take the slapcat output, clean the operational attributes from it, change the problematic ACL to something more sensible (and the olcRootPW) and use that to re-create the LDAP's configuration.
I am lucky we are still able to recreate it until we get it right ;-)
Following steps are from the top of my head, so don't follow blindly:
- Stop slapd
- Make a backup of your slapd.d directory and your data directory
- Remove the content of the slapd.d directory
- Use slapadd with the prepared LDIF to re-create the slapd.d directory
- Change the ownership of the slapd.d directory
- Start slapd
Thank you for this, I have saved it to my cheat sheet !
Again for future people reading this, if you encounter ACL issues and you want to modify the LDIF database in /etc/openldap/slapd.d don't do it manually. Use slapadd and slapmodify and be sure to select the right database with the -n switch. Generally the config DB (contained in slapd.d) is -n 0 and your DIT DB is -n 1
Best, and thanks again.
On 27.10.23 at 09:51, Alejandro Imass wrote:
Thank you for answering my question, comments below:
On Thu, Oct 26, 2023 at 10:52 PM Uwe Sauter <uwe.sauter.de@gmail.com> wrote:
when comparing the LDIF you used to initialize with the slapcat output, what I can see is that you have no distinct definition of olcDatabase={0}config,cn=config. I suspect that OpenLDAP then used default values, including the "to * by * none" ACL.
None of the docs or any examples show how to set up a specific section for olcDatabase={0}config,cn=config, not even the default ldif file that comes with the distribution.
Having olcDatabase={0}config,cn=config in the original LDIF which you use to initialize the LDAP server is usually a good idea because you can do configuration there that you otherwise would need to modify later on.
Try the following (and replace with the correct URL):
$ ldifmodify -x -H ldap://localhost/ -D cn=config -W << EOF
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr
> EOF
What is ldifmodify ?
I meant to write ldapmodify…
Thank you for this, I have saved it to my cheat sheet !
Glad you solved the issue. You're welcome.
--On Friday, October 27, 2023 10:51 AM +0200 Alejandro Imass aimass@yabarana.com wrote:
Again for future people reading this, if you encounter ACL issues and you want to modify the LDIF database in /etc/openldap/slapd.d don't do it manually.
Your advice here is generally wrong.
--Quanah
openldap-technical@openldap.org