Modify or add information after conversion of slapd.conf to cn=config with fresh install of OpenLdap
3:29 a.m.
Hi!
I start with a fresh installation of openldap 2.4.28 on debian. They are
some problem with the debian package, and with gnuTLS, so i compile a
version with opennSSL library.
It's hard to understand with the official documentation how to start a
from scratch installation with the new cn=config administration of
openLDAP. So, i make a conversion ( with the great help of users on this
mailling list ) from slapd.conf to cn=config on the first launch of
openLDAP with this commands :
|/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F
/usr/local/etc/openldap/slapd.d/ -d -1
|
My slapd.conf.seb, really simple, equal :
|include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/gosa/samba3.schema
include /usr/local/etc/openldap/schema/gosa/trust.schema
include /usr/local/etc/openldap/schema/gosa/gofax.schema
include /usr/local/etc/openldap/schema/gosa/gofon.schema
include /usr/local/etc/openldap/schema/gosa/gosystem.schema
include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include /usr/local/etc/openldap/schema/gosa/goto.schema
include /usr/local/etc/openldap/schema/gosa/goserver.schema
include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include /usr/local/etc/openldap/schema/gosa/dnszone.schema
include /usr/local/etc/openldap/schema/gosa/nagios.schema
include /usr/local/etc/openldap/schema/gosa/dhcp.schema
include /usr/local/etc/openldap/schema/gosa/sudo.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA} secret
directory /srv/openldap-data
index objectClass eq
|
I have no problem with this simple conversion, but after that, it's
impossible to import data with this command ldapadd or ldapmodify.
I don't understand the default right for read/write for openLDAP, i try
with ldapmodify, with bind and password, and i have the same problem :
||
|root@xxxx:/usr/local/etc/openldap# ldapadd -x -D
"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
|
I try to modify the right for cn=config with this sample :
|dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
|
Same problem, i have no right todo that, with or without option the
password entry -W or bind option -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
|root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f
slapd.modify.root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f slapd.modify.root.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
root@xxxxx:/usr/local/etc/openldap# ldapadd -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f
slapd.modify.root.ldif
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)|
Anybody have this problem in the past, and have an idea of the solution
to create a good start configuration from scratch installation ? Do you
think there is mistake in my simple installation/configuration ?
I also create a post on serverFault.Com site, but i have no answer at
this time
http://serverfault.com/questions/342086/impossible-to-modify-or-add-infor...
Best regards,
SR
5:40 a.m.
On Monday, 9 January 2012 13:29:05 rey sebastien wrote:
Hi!
I start with a fresh installation of openldap 2.4.28 on debian. They are
some problem with the debian package, and with gnuTLS, so i compile a
version with opennSSL library.
It's hard to understand with the official documentation how to start a
from scratch installation with the new cn=config administration of
openLDAP. So, i make a conversion ( with the great help of users on this
mailling list ) from slapd.conf to cn=config on the first launch of
openLDAP with this commands :
|/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F
|/usr/local/etc/openldap/slapd.d/ -d -1
My slapd.conf.seb, really simple, equal :
|include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/gosa/samba3.schema
include /usr/local/etc/openldap/schema/gosa/trust.schema
include /usr/local/etc/openldap/schema/gosa/gofax.schema
include /usr/local/etc/openldap/schema/gosa/gofon.schema
include /usr/local/etc/openldap/schema/gosa/gosystem.schema
include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include /usr/local/etc/openldap/schema/gosa/goto.schema
include /usr/local/etc/openldap/schema/gosa/goserver.schema
include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include /usr/local/etc/openldap/schema/gosa/dnszone.schema
include /usr/local/etc/openldap/schema/gosa/nagios.schema
include /usr/local/etc/openldap/schema/gosa/dhcp.schema
include /usr/local/etc/openldap/schema/gosa/sudo.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA} secret
directory /srv/openldap-data
index objectClass eq
So, you have no definition for 'database config', and thus haven't set a
rootpw for it, or any ACLs on it for other users. The only alternative that
does not require a database definition for 'database config', an auth-regexp
to cn=config, is not present.
I have no problem with this simple conversion, but after that,
it's
impossible to import data with this command ldapadd or ldapmodify.
I don't understand the default right for read/write for openLDAP, i try
with ldapmodify, with bind and password, and i have the same problem :
|root@xxxx:/usr/local/etc/openldap# ldapadd -x -D
|"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Why should the rootdn for one database automatically get write access to
another database?
I try to modify the right for cn=config with this sample :
|dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
Well, this might work if you had mapped a SASL EXTERNAL identity to the
cn=config rootdn, but you didn't.
If you added the equivalent slapd.conf configuration to your slapd.conf prior
to conversion, your problem would be solved.
Same problem, i have no right todo that, with or without option the
password entry -W or bind option -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
|root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f
|slapd.modify.root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f
slapd.modify.root.ldif Enter LDAP Password: ldap_bind: Invalid credentials
(49)
root@xxxxx:/usr/local/etc/openldap# ldapadd -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:///
-f slapd.modify.root.ldif Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)|
Anybody have this problem in the past, and have an idea of the solution
to create a good start configuration from scratch installation ?
Something like this would create a minimal config, that you would be able to
add schema and databases to afterwards:
PASS=$(slappasswd)
echo -e "database config\nrootpw $PASS" > /tmp/slapd-initial.conf
slaptest -f /tmp/slapd-initial.conf -F /etc/*ldap/slapd.d
chown -R ldap:ldap /etc/*ldap/slapd.d
slapd -u ldap -g ldap
ldapwhoami -x -D cn=config -W
If you don't already have all your schema in ldif format, you may prefer to
have a bigger slapd.conf that includes all your schema, before doing the
conversion. Or, you could just add a two or three line database definition to
your existing slapd.conf and re-convert.
Or, you could look at the content in the EXAMPLES section of slapd-config(5),
and create an intial ldif configuration instead, and just slapadd it ...
Regards,
Buchan
8:03 a.m.
Le 09/01/2012 14:40, Buchan Milne a écrit :
On Monday, 9 January 2012 13:29:05 rey sebastien wrote:
> Hi!
>
> I start with a fresh installation of openldap 2.4.28 on debian. They are
> some problem with the debian package, and with gnuTLS, so i compile a
> version with opennSSL library.
>
> It's hard to understand with the official documentation how to start a
> from scratch installation with the new cn=config administration of
> openLDAP. So, i make a conversion ( with the great help of users on this
> mailling list ) from slapd.conf to cn=config on the first launch of
>
> openLDAP with this commands :
> |/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F
> |/usr/local/etc/openldap/slapd.d/ -d -1
>
> My slapd.conf.seb, really simple, equal :
> |include /usr/local/etc/openldap/schema/cosine.schema
>
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/ppolicy.schema
> include /usr/local/etc/openldap/schema/gosa/samba3.schema
> include /usr/local/etc/openldap/schema/gosa/trust.schema
> include /usr/local/etc/openldap/schema/gosa/gofax.schema
> include /usr/local/etc/openldap/schema/gosa/gofon.schema
> include /usr/local/etc/openldap/schema/gosa/gosystem.schema
> include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
> include /usr/local/etc/openldap/schema/gosa/goto.schema
> include /usr/local/etc/openldap/schema/gosa/goserver.schema
> include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
> include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
> include /usr/local/etc/openldap/schema/gosa/dnszone.schema
> include /usr/local/etc/openldap/schema/gosa/nagios.schema
> include /usr/local/etc/openldap/schema/gosa/dhcp.schema
> include /usr/local/etc/openldap/schema/gosa/sudo.schema
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile /usr/local/var/run/slapd.args
>
> database bdb
> suffix "dc=parisgeo,dc=cnrs,dc=fr"
> rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
> rootpw {SSHA} secret
> directory /srv/openldap-data
> index objectClass eq
>
>
So, you have no definition for 'database config', and thus haven't set a
rootpw for it, or any ACLs on it for other users. The only alternative that
does not require a database definition for 'database config', an auth-regexp
to cn=config, is not present.
Thanks, i understand ... the slapd.conf doesn't
contain the database
config line ..
And i add some other parameters to disable anonymous, force bind, and
only connect with STARTLS
My new slapd.conf before converting :
/
# global section
# Security - TLS section
TLSCertificateFile /etc/ssl/sCertificate/cert.pem
TLSCertificateKeyFile /etc/ssl/sCertificate/key.pem
#I use a self signed certificate, so TLSVerifyClient never
#TLSVerifyClient demand
# security - other directives
# prevents anonymous access to
# any connection
disallow bind_anon
require bind
security simple_bind=128
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/gosa/samba3.schema
include /usr/local/etc/openldap/schema/gosa/trust.schema
include /usr/local/etc/openldap/schema/gosa/gofax.schema
include /usr/local/etc/openldap/schema/gosa/gofon.schema
include /usr/local/etc/openldap/schema/gosa/gosystem.schema
include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include /usr/local/etc/openldap/schema/gosa/goto.schema
include /usr/local/etc/openldap/schema/gosa/goserver.schema
include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include /usr/local/etc/openldap/schema/gosa/dnszone.schema
include /usr/local/etc/openldap/schema/gosa/nagios.schema
include /usr/local/etc/openldap/schema/gosa/dhcp.schema
include /usr/local/etc/openldap/schema/gosa/sudo.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}secret1
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA}secret2
directory /srv/openldap-data
index objectClass eq
/
I change the ldap.conf to :
/BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://localhost
TLS_CACERT /etc/ssl/SSignedCertificate/cert.pem
TLS_REQCERT demand/
I change the slapd_services to :
/
SLAPD_SERVICES="ldap:/// ldapi:///"/
So it's ok, now it's possible :-) to connect and add people with this
type of line
/ldapsearch -D cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr -W -x
'userName=*' -H ldap://localhost -ZZ -d -1/
Thanks for your help on this point Buchan.
I have also three little question of misunderstanding about hierarchy
*1- * I don't understand why i cannot access with /-D
cn=admin,dc=parisgeo,dc=cnrs,dc=fr /or with
-D /cn=config,dc=parisgeo,dc=cnrs,dc=fr /. There is no hierarchical
information here ?
/root@xxxx:/usr/local/etc/openldap# ldapsearch -D
cn=admin,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*' -H
ldap://localhost -ZZ
Enter LDAP Password:
ldap_bind: Invalid credentials (49)/
*2- Second question*, I don't understand the difference between the
/cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr /database rootdn, and an
admin user defined like this ldif sample :
/
# Admin user.
dn: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: //{SSHA}secret2/
I need to define the two .. but why i need to create a second cn=admin
user, with the same password for the same domain ?
*3 - Third question*, same logic, why when i define a bdd, openldap
doesn't define automaticly my top level domain dc=parisgeo,dc=cnrs,dc=fr
like this sample :
/
//*dn: dc=parisgeo,dc=cnrs,dc=fr*/
/*objectClass: top*/
/*objectClass: dcObject*/
/*objectclass: organization*/
/*o: xxx*/
/*description: My Top Domain*/
Thanks a lot for advice me on this point if you have time,
SR.
> I have no problem with this simple conversion, but after that, it's
> impossible to import data with this command ldapadd or ldapmodify.
>
> I don't understand the default right for read/write for openLDAP, i try
>
> with ldapmodify, with bind and password, and i have the same problem :
> |root@xxxx:/usr/local/etc/openldap# ldapadd -x -D
> |"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
>
> Enter LDAP Password: xxx
> adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
> ldap_add: Constraint violation (19)
> additional info: structuralObjectClass: no user modification allowed
Why should the rootdn for one database automatically get write access to
another database?
> I try to modify the right for cn=config with this sample :
> |dn: olcDatabase={-1}frontend,cn=config
>
> changetype: modify
> delete: olcAccess
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootDN
> olcRootDN: cn=admin,cn=config
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: {SSHA} secret
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> delete: olcAccess
>
> ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
Well, this might work if you had mapped a SASL EXTERNAL identity to the
cn=config rootdn, but you didn't.
If you added the equivalent slapd.conf configuration to your slapd.conf prior
to conversion, your problem would be solved.
> Same problem, i have no right todo that, with or without option the
> password entry -W or bind option -D
> "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
>
> |root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f
> |slapd.modify.root.ldif
>
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Insufficient access (50)
>
> root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f
> slapd.modify.root.ldif Enter LDAP Password: ldap_bind: Invalid credentials
> (49)
>
> root@xxxxx:/usr/local/etc/openldap# ldapadd -D
> "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:///
> -f slapd.modify.root.ldif Enter LDAP Password:
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Insufficient access (50)|
>
> Anybody have this problem in the past, and have an idea of the solution
> to create a good start configuration from scratch installation ?
Something like this would create a minimal config, that you would be able to
add schema and databases to afterwards:
PASS=$(slappasswd)
echo -e "database config\nrootpw $PASS"> /tmp/slapd-initial.conf
slaptest -f /tmp/slapd-initial.conf -F /etc/*ldap/slapd.d
chown -R ldap:ldap /etc/*ldap/slapd.d
slapd -u ldap -g ldap
ldapwhoami -x -D cn=config -W
If you don't already have all your schema in ldif format, you may prefer to
have a bigger slapd.conf that includes all your schema, before doing the
conversion. Or, you could just add a two or three line database definition to
your existing slapd.conf and re-convert.
Or, you could look at the content in the EXAMPLES section of slapd-config(5),
and create an intial ldif configuration instead, and just slapadd it ...
Regards,
Buchan
3:22 a.m.
mån 2012-01-09 klockan 12:29 +0100 skrev rey sebastien:
Hi!
I start with a fresh installation of openldap 2.4.28 on debian. They
are some problem with the debian package, and with gnuTLS, so i
compile a version with opennSSL library.
It's hard to understand with the official documentation how to start a
from scratch installation with the new cn=config administration of
openLDAP. So, i make a conversion ( with the great help of users on
this mailling list ) from slapd.conf to cn=config on the first launch
of openLDAP with this commands :
I have done this now as an exercise in an uni sysadm exercise.
The method i used was this:
Install slapd with the default debian configuration.
Dump the cn=config tree and read that together with the openldap admin
guide.
Then I was able to write the minimum ldif for an working slapd.
so
slapcat -F /etc/ldap/slapd.d/ -l someinit.ldif
slapd -F /etc/ldap/slapd.d/
ldapadd my-dc=lokeldarn,dc=se.ldif ( someinit.ldif contains an hdb
database with suffix dc=lokeldarn,dc=se'
/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F
/usr/local/etc/openldap/slapd.d/ -d -1
My slapd.conf.seb, really simple, equal :
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/gosa/samba3.schema
include /usr/local/etc/openldap/schema/gosa/trust.schema
include /usr/local/etc/openldap/schema/gosa/gofax.schema
include /usr/local/etc/openldap/schema/gosa/gofon.schema
include /usr/local/etc/openldap/schema/gosa/gosystem.schema
include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include /usr/local/etc/openldap/schema/gosa/goto.schema
include /usr/local/etc/openldap/schema/gosa/goserver.schema
include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include /usr/local/etc/openldap/schema/gosa/dnszone.schema
include /usr/local/etc/openldap/schema/gosa/nagios.schema
include /usr/local/etc/openldap/schema/gosa/dhcp.schema
include /usr/local/etc/openldap/schema/gosa/sudo.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA} secret
directory /srv/openldap-data
index objectClass eq
Your rootpw stanza is wrong. You should create the stanza with the help
of slappasswd.
You should insert the output from '/usr/sbin/slappasswd -s secret'
or if it is good enough for now with an clear-text passwd in cn=config
simply write the stanza as :
----
rootpw secret
----
for 'secret' as the passwd.
I have no problem with this simple conversion, but after that,
it's
impossible to import data with this command ldapadd or ldapmodify.
I don't understand the default right for read/write for openLDAP, i
try with ldapmodify, with bind and password, and i have the same
problem :
root@xxxx:/usr/local/etc/openldap# ldapadd -x -D
"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
I try to modify the right for cn=config with this sample :
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
Same problem, i have no right todo that, with or without option the
password entry -W or bind option -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f
slapd.modify.root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f slapd.modify.root.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
root@xxxxx:/usr/local/etc/openldap# ldapadd -D
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f
slapd.modify.root.ldif
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
Anybody have this problem in the past, and have an idea of the
solution to create a good start configuration from scratch
installation ? Do you think there is mistake in my simple
installation/configuration ?
I also create a post on serverFault.Com site, but i have no answer at
this time
http://serverfault.com/questions/342086/impossible-to-modify-or-add-infor...
Best regards,
SR
4044
days inactive
4048
days old
openldap-technical@openldap.org
3 comments
3 participants
participants (3)
-
Buchan Milne -
rey sebastien -
Stefan Skoglund