Hi Sami,
Yes, there is an olcRootDN (and its password) for the mdb database. But if I understand correctly, the olcRootDN is valid only for its own database. Anyway, this olcRootDN and its associated password don't work with the config database. As for the ACL, again (but maybe I'm wrong), from the documentation it seems that the RootDN is always allowed whatever the ACLs are. And I can't change them either, as I run into the same problem as for the log level :(
Thanks
On Mon, Apr 3, 2017 at 5:30 PM, Sami s.aitalioulahcen@cnrst.ma wrote:
Hi Huret, Could you check if the olcRootDN is in the db conf file /etc/openldap/slapd.d/cn=config/olcDatabase={x}mdb.ldif ? Also, your olcAccess could be the problem since you denied everything for everyone. I'm no openldap expert, so others can correct me if I'm wrong.
Sami
On 03/04/2017 11:04, huret deffgok wrote:
Hi list,
I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40 (CentOS 7). So far so good, the server is working, but then I found myself systematically denied when I tried to adjust the log level (or anything else, in fact). In my olcDatabase={0}config.ldif I see that I don't have an olcRootPW set for the olcRootDN of this DB (I guess I made an error with my slapd.conf used for the migration with slaptest). The production db (on mdb, I hope it is stable enough with the CentOS 7 shipped version btw) is running fine and has an olcRootPW set and working.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 07bfeb05
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
If I tried to just read the log level with:
root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed
(and I don't have any password to feed it)
Or:
root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
My question is, if this is indeed my problem, how can I add an olcRootPW to the config database, if it's possible at all?
Thank you, kfx
openldap-technical@openldap.org
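As an added example (not code from anyone in this thread), the following builds the ldapmodify record that the "DO NOT EDIT!! Use ldapmodify." header points to: an {SSHA} hash in the format slappasswd produces, added as olcRootPW to olcDatabase={0}config, plus an optional olcAccess value granting the ldapi peercred root identity from the second ldapsearch manage rights. The full DN with ",cn=config" appended (the slapd.d file stores only the RDN) is a fact about cn=config; the password value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# SASL identity that ldapsearch -Y EXTERNAL over ldapi:/// reported in the thread.
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# Full DN of the entry stored in slapd.d/cn=config/olcDatabase={0}config.ldif
# (the file holds only the RDN; its parent entry is cn=config).
CONFIG_DB_DN = "olcDatabase={0}config,cn=config"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as slappasswd produces by default:
    base64(sha1(password + salt) + salt) with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value (SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def config_rootpw_ldif(password_hash: str, allow_ldapi_root: bool = True) -> str:
    """ldapmodify record that adds olcRootPW to the config database and,
    optionally, replaces 'to * by * none' with an ACL that lets the ldapi
    peercred root identity manage cn=config."""
    lines = [
        f"dn: {CONFIG_DB_DN}",
        "changetype: modify",
        "add: olcRootPW",
        f"olcRootPW: {password_hash}",
    ]
    if allow_ldapi_root:
        lines += [
            "-",  # LDIF separator between changes in one modify record
            "replace: olcAccess",
            f'olcAccess: {{0}}to * by dn.base="{PEERCRED_ROOT}" manage by * none',
        ]
    return "\n".join(lines) + "\n"
```

The record still has to get past the current ACL: with olcRootPW missing and `to * by * none` in place, both binds shown in the thread are refused, so it is normally loaded with slapd stopped (slapcat -n 0, edit the entry, slapadd -n 0) rather than over the wire.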