Hi,
I am running OpenLDAP server 2.5.18 on Red Hat Enterprise Linux release 8.10 (Ootpa) to enable multi-master replication on both nodes (node 1 and node 2). Currently on Node1 I am encountering the ldap_modify: Insufficient access (50) issue.
Node1
# rpm -qa | grep openldap
symas-openldap-clients-2.5.18-1.el8.x86_64
symas-openldap-servers-selinux-1.0.6-2.el8.noarch
openldap-2.4.46-18.el8.x86_64
symas-openldap-servers-2.5.18-1.el8.x86_64
symas-openldap-libs-2.5.18-1.el8.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
#

# pwd
/opt/symas/etc/openldap
# ls -l
total 20
-rw-r--r-- 1 symas symas  247 May 23 20:21 ldap.conf.default
drwxr-xr-x 2 symas symas 4096 Jun 26 16:02 schema
-rw------- 1 symas symas 2901 Jun 27 17:55 slapd.conf
-rw------- 1 symas symas 2710 May 23 20:21 slapd.conf.default
-rw------- 1 symas symas 2761 May 23 20:21 slapd.ldif.default
#

# cat syncprov_mod.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
#
Am I missing anything? Please guide me.
Best Regards,
Kaushal
--On Friday, July 5, 2024 1:28 AM +0530 Kaushal Shriyan kaushalshriyan@gmail.com wrote:
Am I missing anything? Please guide me.
It sounds like you do not understand the basics of configuring slapd, and could use either a course in how OpenLDAP works (Symas used to offer these, not sure if they still do) or a lot of time reading the documentation and test suite examples until you understand how the software operates.
--Quanah
From: Kaushal Shriyan kaushalshriyan@gmail.com
Sent: Thursday, July 4, 2024 8:59 PM
To: openldap-technical@openldap.org
Subject: [EXT] Configure multi-master replication OpenLDAP using https://repo.symas.com/soldap2.5/rhel8/
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)

[Windl, Ulrich] (Sorry, Outlook is not good at inline-quoting HTML mail) It means that your ldapi:/// URL does not have the rights to modify cn=config. Usually you authenticate with the cn=config user to do that. Also for replication, you probably want to set up a replication user that can read everything…
--On Mond
[Windl, Ulrich]
(Sorry, Outlook is not good at inline-quoting HTML mail)
It means that your ldapi:/// URL does not have the rights to modify cn=config.
If you actually look at the information they provided, it is clear they are not using cn=config for the slapd configuration, therefore this answer is invalid.
--Quanah
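Quanah's point rests on the directory listing in the original mail: it shows a slapd.conf and no slapd.d directory, so there is no cn=config database for the LDIF to modify, and in slapd.conf the overlay is enabled with "moduleload syncprov.la" in the global section plus "overlay syncprov" under the database instead. The POSIX sh below is an added example, not code from the thread or from the OpenLDAP or Symas projects: it reports which configuration mode an install uses and, for the slapd.conf case, whether those two syncprov directives are present. The directory paths and the sample slapd.conf contents it writes are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread; the paths and sample configs are
# constructed. The thread's listing shows slapd.conf and no slapd.d.

# Print "cn=config" if $1/slapd.d exists, "slapd.conf" if only the flat
# file exists, else "none" (with both, slapd reads the one -F/-f selects).
slapd_config_mode() {
    if [ -d "$1/slapd.d" ]; then
        echo "cn=config"
    elif [ -f "$1/slapd.conf" ]; then
        echo "slapd.conf"
    else
        echo "none"
    fi
}

# Return 0 when slapd.conf $1 has both "moduleload syncprov" (global) and
# "overlay syncprov" (database section), else 1; comments/case ignored.
syncprov_in_slapd_conf() {
    have_module=0
    have_overlay=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lc" in
            moduleload*syncprov*) have_module=1 ;;
            overlay*syncprov*)    have_overlay=1 ;;
        esac
    done < "$1"
    [ "$have_module" -eq 1 ] && [ "$have_overlay" -eq 1 ]
}

# Write a constructed slapd.conf into directory $1, with the syncprov
# directives when $2 is "yes" and without them otherwise.
write_sample_conf() {
    mkdir -p "$1"
    if [ "$2" = yes ]; then
        printf '%s\n' 'moduleload syncprov.la' 'database mdb' \
            'suffix "dc=example,dc=com"' 'overlay syncprov' > "$1/slapd.conf"
    else
        printf '%s\n' 'database mdb' 'suffix "dc=example,dc=com"' > "$1/slapd.conf"
    fi
}

demo=$(mktemp -d) && write_sample_conf "$demo" yes
slapd_config_mode "$demo"
syncprov_in_slapd_conf "$demo/slapd.conf" && echo "syncprov present"
rm -rf "$demo"
```

Run it against the real install by pointing slapd_config_mode at /opt/symas/etc/openldap; a result of "slapd.conf" means the cn=config LDIF approach does not apply to that server.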
openldap-technical@openldap.org