Hello openldap masters,
I have a big issue and I'm praying someone can help me.
Am I able to change the ACL so I can edit cn=config to load a module in? If so, how do I do that?
How I set up my working LDAP: with the script here: http://www.ghacks.net/2010/08/31/set-up-your-ldap-server-on-ubuntu-10-04/
I'm now using Ubuntu 12.04 Server x64
Working on this module here: http://raerek.blogspot.com/2012/06/sync-ldap-and-samba-passwords-using.html
When I load changes into LDAP I'm denied.
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=domain,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=net" write by * read
Regards,
~Mike
On 06/26/13 15:34 -0700, Michael Roth wrote:
Hello openldap masters,
I have a big issue and I'm praying someone can help me
Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that?
If you bind as the rootdn, ACL restrictions do not apply. To view your existing olcRootDN/olcRootPW configuration, do:
slapcat -n0
When I load changes into LDAP I'm denied.
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
How do I bind as the rootdn when I use the command "sudo ldapmodify -Y EXTERNAL -f smbkrb5pwd_load.ldif"
sudo ldapmodify -D "cn=admin,dc=domain,dc=net" -w secret -f smbkrb5pwd_load.ldif
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
I entered slapcat -n0 and found that dn: cn=module{0},cn=config doesn't have an admin in it.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: d36d2386-2d84-1031-9046-6d09752e7d3a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120508181023Z
entryCSN: 20120508181023.990015Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120508181023Z
Thanks for the help, I really appreciate it.
On Thu, Jun 27, 2013 at 6:26 AM, Dan White dwhite@olp.net wrote:
On 06/26/13 15:34 -0700, Michael Roth wrote:
Hello openldap masters,
I have a big issue and I'm praying someone can help me
Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that?
If you bind as the rootdn, ACL restrictions do not apply. To view your existing olcRootDN/olcRootPW configuration, do:
slapcat -n0
When I load changes into LDAP I'm denied.
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
-- Dan White
On Thu, Jun 27, 2013 at 6:26 AM, Dan White dwhite@olp.net wrote:
On 06/26/13 15:34 -0700, Michael Roth wrote:
Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that?
If you bind as the rootdn, ACL restrictions do not apply. To view your existing olcRootDN/olcRootPW configuration, do:
slapcat -n0
On 06/27/13 10:13 -0700, Michael Roth wrote:
How do I bind as the rootdn when I use the command "sudo ldapmodify -Y EXTERNAL -f smbkrb5pwd_load.ldif"
By setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
Use:
sudo ldapwhoami -Y EXTERNAL -H ldapi:///
to troubleshoot.
See the manpage for slapd-conf for documentation.
I entered slapcat -n0 and found that dn: cn=module{0},cn=config doesn't have an admin in it.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: d36d2386-2d84-1031-9046-6d09752e7d3a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120508181023Z
entryCSN: 20120508181023.990015Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120508181023Z
Since you don't have any of the above config in place, you have a chicken and egg problem with manipulating your configuration. You should dump it to portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
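Both of Dan's options come down to one test: does the SASL EXTERNAL identity, after any olcAuthzRegexp mapping on cn=config, equal the olcRootDN of olcDatabase={0}config? The script below is an added example (not from this thread or from OpenLDAP) that runs that check over a slapcat -n0 dump, joining LDIF continuation lines and applying the first matching olcAuthzRegexp rule. The two dumps are constructed, reuse Dan's dc=example,dc=org DN, and escape the `+` in the match pattern because slapd treats the match side as a POSIX extended regular expression.

```python
import re
import shlex

EXTERNAL_ID = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# Constructed slapcat -n0 excerpts (not real dumps): the poster's state, then the fix.
BEFORE = """\
dn: cn=config

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
"""
AFTER = """\
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=example,dc=org"

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcRootDN: cn=admin,dc=example,dc=org
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a leading space continues the previous LDIF line."""
    unwrapped = re.sub(r"\n ", "", text)  # join continuation lines
    entries = {}
    for block in unwrapped.split("\n\n"):  # a blank line separates entries
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs.setdefault(attr, []).append(value)
        if "dn" in attrs:
            entries[attrs.pop("dn")[0]] = attrs
    return entries

def authz_map(rule, identity):
    """Apply one olcAuthzRegexp value, {n}"match" "replace": ERE, case-insensitive, $1..$9."""
    match_re, replace = shlex.split(re.sub(r"^\{\d+\}", "", rule))
    m = re.search(match_re, identity, re.IGNORECASE)
    return None if m is None else re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)

def can_modify_config(ldif_text, identity=EXTERNAL_ID):
    """True if identity (after olcAuthzRegexp, first match wins) is the {0}config rootdn."""
    entries = parse_ldif(ldif_text)
    for rule in entries.get("cn=config", {}).get("olcAuthzRegexp", []):
        mapped = authz_map(rule, identity)
        if mapped is not None:
            identity = mapped
            break
    rootdns = entries.get("olcDatabase={0}config,cn=config", {}).get("olcRootDN", [])
    return identity.lower() in [d.lower() for d in rootdns]
```

Run it on real `slapcat -n0` output to see whether the ldapi:/// root identity will bypass the cn=config ACLs before attempting the module load.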
Hi Dan, I'm still hitting my head against the wall on this one.
I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif. I then added "olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=domain,dc=net"" at the bottom. I then restarted slapd. I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///":
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=onerecovery,dc=net
I then try to add the module again:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
On Thu, Jun 27, 2013 at 11:07 AM, Dan White dwhite@olp.net wrote:
On Thu, Jun 27, 2013 at 6:26 AM, Dan White dwhite@olp.net wrote:
On 06/26/13 15:34 -0700, Michael Roth wrote:
Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that?
If you bind as the rootdn, ACL restrictions do not apply. To view your existing olcRootDN/olcRootPW configuration, do:
slapcat -n0
On 06/27/13 10:13 -0700, Michael Roth wrote:
How do I bind as the rootdn when I use the command "sudo ldapmodify -Y EXTERNAL -f smbkrb5pwd_load.ldif"
By setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
Use:
sudo ldapwhoami -Y EXTERNAL -H ldapi:///
to troubleshoot.
See the manpage for slapd-conf for documentation.
I entered slapcat -n0 and found that dn: cn=module{0},cn=config doesn't have an admin in it.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: d36d2386-2d84-1031-9046-6d09752e7d3a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120508181023Z
entryCSN: 20120508181023.990015Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120508181023Z
Since you don't have any of the above config in place, you have a chicken and egg problem with manipulating your configuration. You should dump it to portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
Dan White
On 06/27/13 15:27 -0700, Michael Roth wrote:
Hi Dan, I'm still hitting my head against the wall on this one.
I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif. I then added "olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=domain,dc=net"" at the bottom. I then restarted slapd. I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///":
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=onerecovery,dc=net
Looks good.
I then try to add the module again:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
You still need to make cn=admin,dc=onerecovery,dc=net the olcRootDN. You don't need an olcRootPW in this instance.
Since you decided to manually edit the /etc/ldap/slap.d/cn=config/ hierarchy, which is not recommended, you should back up your config with slapcat before proceeding, in case your config gets corrupted.
On Thu, Jun 27, 2013 at 11:07 AM, Dan White dwhite@olp.net wrote:
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
Since you don't have any of the above config in place, you have a chicken and egg problem with manipulating your configuration. You should dump it to portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
I tried adding the olcRootDN manually but slapd would not start. So I can't add this in manually.
I tried loading it in this way: http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
But I'm unable to load it:
slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config-in-portable-format.ldif
51cdbb3f str2entry: invalid value for attributeType olcRootDN #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
slapadd: could not parse entry (line=16)
_ 1.63% eta none elapsed none spd 1.1 M/s
Closing DB...
Line=16 is the olcRootDN.
Is there another way I can load it in?
On Thu, Jun 27, 2013 at 7:33 PM, Dan White dwhite@olp.net wrote:
On 06/27/13 15:27 -0700, Michael Roth wrote:
Hi Dan, I'm still hitting my head against the wall on this one.
I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif. I then added "olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=domain,dc=net"" at the bottom. I then restarted slapd. I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///":
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=onerecovery,dc=net
Looks good.
I then try to add the module again:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
You still need to make cn=admin,dc=onerecovery,dc=net the olcRootDN. You don't need an olcRootPW in this instance.
Since you decided to manually edit the /etc/ldap/slap.d/cn=config/ hierarchy, which is not recommended, you should back up your config with slapcat before proceeding, in case your config gets corrupted.
On Thu, Jun 27, 2013 at 11:07 AM, Dan White dwhite@olp.net wrote:
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
Since you don't have any of the above config in place, you have a chicken and egg problem with manipulating your configuration. You should dump it to portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
-- Dan White
openldap-technical@openldap.org