Hi Sami,
Yes, there is an olcRootDN (and its password) for the mdb database. But if I
understand correctly the olcRootDN is valid only for its database. Anyway
this olcRootDN and associated password don't work with the config database.
As for the ACL, again maybe I'm wrong, but from the documentation it seems
that the RootDN is always allowed whatever the ACLs are. And I can't change
them either, as I bump into the same problem as for the log level :(
Thanks
On Mon, Apr 3, 2017 at 5:30 PM, Sami <s.aitalioulahcen(a)cnrst.ma> wrote:
Hi Huret,
Could you check if the olcRootDN is in the db conf file
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{x\}mdb.ldif ?
Also, your olcAccess could be the problem since you denied everything for
everyone.
I'm no openldap expert, so others can correct me if I'm wrong.
--
Sami
On 03/04/2017 11:04, huret deffgok wrote:
Hi list,
I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40
(CentOS 7).
So far so good, the server is working, but then I found myself
systematically denied when I tried to adjust the log level (or anything else
in fact).
In my olcDatabase=\{0\}config.ldif I see that I don't have an olcRootPW set
for the olcRootDN of this DB (I guess I made an error with my slapd.conf
used for the migration with slaptest). The production db (on mdb, I hope it
is stable enough with the CentOS 7 shipped version btw) is running fine and
has an olcRootPW set and working.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 07bfeb05
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
If I try to just read the log level with:
root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b
'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password)
disallowed
(and I don't have any password to feed it)
Or:
root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
My question is, if this is indeed my problem, how can I add an olcRootPW
to the config database, if it's possible at all?
Thank you,
kfx
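The two things the thread turns on are the missing olcRootPW on olcDatabase={0}config and the olcAccess "to * by * none" line that also shuts out the ldapi EXTERNAL bind shown above. The following is an added example (not code from anyone in this thread): it produces an OpenLDAP-style {SSHA} password hash (the same format slappasswd emits: base64 of SHA-1(password || salt) followed by the salt), verifies such a hash, and builds the ldapmodify LDIF that adds the root password and replaces the ACL. The ACL granting "manage" to the local root peercred DN is an assumption taken from the SASL username printed by the ldapi search in the thread, not something the thread itself confirms.

```python
import base64
import hashlib
import hmac
import os

# Root's peercred identity as reported by "ldapsearch -Y EXTERNAL -H ldapi:///"
# in the thread above; used here as the assumed DN to grant manage access.
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP {SSHA} value: base64(SHA1(pw || salt) || salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def config_db_fix_ldif(root_pw_hash: str, peercred_dn: str = ROOT_PEERCRED) -> str:
    """Build the ldapmodify LDIF: add olcRootPW, and replace the deny-all ACL
    with one that lets local root (via ldapi) manage cn=config."""
    return "\n".join([
        "dn: olcDatabase={0}config",
        "changetype: modify",
        "add: olcRootPW",
        f"olcRootPW: {root_pw_hash}",
        "-",
        "replace: olcAccess",
        f"olcAccess: {{0}}to * by dn.exact={peercred_dn} manage by * none",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample password; print the LDIF to feed to ldapmodify.
    print(config_db_fix_ldif(ssha_hash("config-secret")))
```

With the ACL shown in the thread even the EXTERNAL bind is denied, so this LDIF can only be applied (for example with ldapmodify -Y EXTERNAL -H ldapi:///) once some authorised path to cn=config exists.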