2:06 a.m.
Hello,
I am trying to setup a sync between 2 ldap instance, following the guide
here<http://askubuntu.com/questions/360190/how-to-configure-master-sla...;.
I ran the command below, but got the following error message.
sudo ldapadd -x -W -D cn=admin,dc=acme,dc=come -f
/root/enable_sync_prov.ldif
Enter LDAP Password:
*modifying entry "olcDatabase={1}hdb,cn=config"ldap_modify: Insufficient
access (50)*
How do i fix the insuffient access problem? I am using the admin that has
full write access on ldap.
Regards
--
------------------------------------------------------------------------
*Seun Ojedeji,Federal University Oye-Ekitiweb: http://www.fuoye.edu.ng
<http://www.fuoye.edu.ng> Mobile: +2348035233535**alt email:
<http://goog_1872880453>seun.ojedeji@fuoye.edu.ng
<seun.ojedeji(a)fuoye.edu.ng>*
3:01 a.m.
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
Hello,
I am trying to setup a sync between 2 ldap instance, following the guide
here<http://askubuntu.com/questions/360190/how-to-configure-master-sla...;.
I ran the command below, but got the following error message.
sudo ldapadd -x -W -D cn=admin,dc=acme,dc=come -f
/root/enable_sync_prov.ldif
Enter LDAP Password:
*modifying entry "olcDatabase={1}hdb,cn=config"ldap_modify: Insufficient
access (50)*
How do i fix the insuffient access problem? I am using the admin that has
full write access on ldap.
you obviously are not using a user with write access to cn=config.
It is hard to help as we do not know your starting point. Above howto starts somewhere in
the middle with an already setup of ldap server.
You might want to start by reading the projects original admin guide on:
http://www.openldap.org/doc/admin24/
And if you still can't see the problem post following information to the list:
1. your openldap version
2. your full configuration (preferably on pastebin oder such)
Use slapcat -n0 to extract the config
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
3:56 a.m.
Hello thanks for your response,
On Tue, Mar 11, 2014 at 11:01 AM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
How do i fix the insuffient access problem? I am using the admin that has
full write access on ldap.
you obviously are not using a user with write access to cn=config.
It is hard to help as we do not know your starting point. Above howto
starts somewhere in the middle with an already setup of ldap server.
Its a fresh ldap setup and i only have one admin user created (with on
personal user) here is the script i used in setting up ldap:
http://pastebin.com/JagCtptS
You might want to start by reading the projects original admin guide on:
http://www.openldap.org/doc/admin24/
And if you still can't see the problem post following information to the
list:
1. your openldap version
openldap-2.4.28
2. your full configuration (preferably on pastebin oder such)
Use slapcat -n0 to extract the config
Thanks again for helping out
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
--
------------------------------------------------------------------------
*Seun Ojedeji,Federal University Oye-Ekitiweb: http://www.fuoye.edu.ng
<http://www.fuoye.edu.ng> Mobile: +2348035233535**alt email:
<http://goog_1872880453>seun.ojedeji@fuoye.edu.ng
<seun.ojedeji(a)fuoye.edu.ng>*
5:28 a.m.
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
Hello thanks for your response,
On Tue, Mar 11, 2014 at 11:01 AM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
> Hi,
>
>
> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
> How do i fix the insuffient access problem? I am using the admin that has
> full write access on ldap.
<snipp/>
Its a fresh ldap setup and i only have one admin user created (with
on
personal user) here is the script i used in setting up ldap:
http://pastebin.com/JagCtptS
your acl for cn=config is as follows:
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break
This only allows the unix root user to manage cn=config.
The admin user you are using is for managing access to the main directory.
To manage cn=config in this setup you should use
ldapadd -Y EXTERNAL -H ldapi:///
ldapmodify -Y EXTERNAL -H ldapi:///
> 1. your openldap version
>
openldap-2.4.28
Do yourself a favor and upgrade to 2.4.39 before starting with any serious openldap work.
You can get upto date rpm and deb packages from http://ltb-project.org/wiki/
Greetings
Christian
>
> 2. your full configuration (preferably on pastebin oder such)
>
Use slapcat -n0 to extract the config
>
> http://pastebin.com/U6SmeFNC
Thanks again for helping out
>
> Greetings
> Christian
>
> --
> Christian Kratzer CK Software GmbH
> Email: ck(a)cksoft.de Wildberger Weg 24/2
> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
> Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
> Web: http://www.cksoft.de/
>
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
8:10 a.m.
Hello Christian,
Thanks for the pointer. I followed your suggestion and it worked on the
provider server.
However the customer server is still throwing the same error. Even though i
used the a root unix user. Below is the config on the customer side:
http://pastebin.com/9zanEh8c
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_sync_consumer.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
Thanks again
Cheers!
On Tue, Mar 11, 2014 at 1:28 PM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
Hello thanks for your response,
>
> On Tue, Mar 11, 2014 at 11:01 AM, Christian Kratzer <ck-lists(a)cksoft.de
> >wrote:
>
> Hi,
>>
>>
>> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
>> How do i fix the insuffient access problem? I am using the admin that has
>> full write access on ldap.
>>
> <snipp/>
Its a fresh ldap setup and i only have one admin user created (with on
> personal user) here is the script i used in setting up ldap:
> http://pastebin.com/JagCtptS
>
your acl for cn=config is as follows:
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth
manage by * break
This only allows the unix root user to manage cn=config.
The admin user you are using is for managing access to the main directory.
To manage cn=config in this setup you should use
ldapadd -Y EXTERNAL -H ldapi:///
ldapmodify -Y EXTERNAL -H ldapi:///
1. your openldap version
>>
>>
> openldap-2.4.28
>
Do yourself a favor and upgrade to 2.4.39 before starting with any serious
openldap work.
You can get upto date rpm and deb packages from
http://ltb-project.org/wiki/
Greetings
Christian
>
>
>> 2. your full configuration (preferably on pastebin oder such)
>>
>>
> Use slapcat -n0 to extract the config
>
>>
>> http://pastebin.com/U6SmeFNC
>>
>
> Thanks again for helping out
>
>
>> Greetings
>> Christian
>>
>> --
>> Christian Kratzer CK Software GmbH
>> Email: ck(a)cksoft.de Wildberger Weg 24/2
>> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
>> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
>> Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
>> Web: http://www.cksoft.de/
>>
>>
>
>
>
>
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
--
------------------------------------------------------------------------
*Seun Ojedeji,Federal University Oye-Ekitiweb: http://www.fuoye.edu.ng
<http://www.fuoye.edu.ng> Mobile: +2348035233535**alt email:
<http://goog_1872880453>seun.ojedeji@fuoye.edu.ng
<seun.ojedeji(a)fuoye.edu.ng>*
8:36 a.m.
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
Hello Christian,
Thanks for the pointer. I followed your suggestion and it worked on the
provider server.
However the customer server is still throwing the same error. Even though i
used the a root unix user. Below is the config on the customer side:
http://pastebin.com/9zanEh8c
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_sync_consumer.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
your other server has a totally different configuration for cn=config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
structuralObjectClass: olcDatabaseConfig
entryUUID: f08d9646-a28f-1031-9ff3-c94fbd1c81f2
creatorsName: cn=config
createTimestamp: 20121004165443Z
olcRootDN: cn=admin,cn=config
olcRootPW:: .....
entryCSN: 20121004165515.430118Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121004165515Z
olcRootPW is an SHA hash of the password.
modifiersNAme suggests that the config once has had the same olcAccess configuration as
your other server but olcAccess has been deleted.
You have three options:
1. If you remember the password you have set for cn=admin,cn=config use that with
ldapmodify -x -w pass -D cn=admin,cn=config -H ldap://...
2. Dump the config using slapcat -n0, edit and reimport using slapadd -n0
3. Ask the NSA if they can crack your SHA hash. Even though these things are hashes you
should not really post secrets to pastebin.
Greetings
Christian
Thanks again
Cheers!
On Tue, Mar 11, 2014 at 1:28 PM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
> Hi,
>
> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
>
> Hello thanks for your response,
>>
>> On Tue, Mar 11, 2014 at 11:01 AM, Christian Kratzer <ck-lists(a)cksoft.de
>>> wrote:
>>
>> Hi,
>>>
>>>
>>> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
>>> How do i fix the insuffient access problem? I am using the admin that has
>>> full write access on ldap.
>>>
>> <snipp/>
>
> Its a fresh ldap setup and i only have one admin user created (with on
>> personal user) here is the script i used in setting up ldap:
>> http://pastebin.com/JagCtptS
>>
>
> your acl for cn=config is as follows:
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth
> manage by * break
>
> This only allows the unix root user to manage cn=config.
>
> The admin user you are using is for managing access to the main directory.
>
> To manage cn=config in this setup you should use
>
> ldapadd -Y EXTERNAL -H ldapi:///
> ldapmodify -Y EXTERNAL -H ldapi:///
>
>
> 1. your openldap version
>>>
>>>
>> openldap-2.4.28
>>
>
>
> Do yourself a favor and upgrade to 2.4.39 before starting with any serious
> openldap work.
>
> You can get upto date rpm and deb packages from
> http://ltb-project.org/wiki/
>
> Greetings
> Christian
>
>
>
>
>>
>>
>>> 2. your full configuration (preferably on pastebin oder such)
>>>
>>>
>> Use slapcat -n0 to extract the config
>>
>>>
>>> http://pastebin.com/U6SmeFNC
>>>
>>
>> Thanks again for helping out
>>
>>
>>> Greetings
>>> Christian
>>>
>>> --
>>> Christian Kratzer CK Software GmbH
>>> Email: ck(a)cksoft.de Wildberger Weg 24/2
>>> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
>>> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
>>> Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
>>> Web: http://www.cksoft.de/
>>>
>>>
>>
>>
>>
>>
> --
> Christian Kratzer CK Software GmbH
> Email: ck(a)cksoft.de Wildberger Weg 24/2
> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
> Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
> Web: http://www.cksoft.de/
>
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
12:53 a.m.
Hello Christian,
Thanks, kindly find my response inset
On Tue, Mar 11, 2014 at 4:36 PM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
Hi,
On Tue, 11 Mar 2014, Seun Ojedeji wrote:
You have three options:
1. If you remember the password you have set for cn=admin,cn=config use
that with
ldapmodify -x -w pass -D cn=admin,cn=config -H ldap://...
I followed this option, however i keep getting the error below when i
tried setting
up the customer side:
sudo ldapadd -x -w mypass -D cn=admin,cn=config -H ldapi:/// -f
enable_sync_consumer.ldif
modifying entry "cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
Any idea on what i may be doing wrong?
Thanks again
--
------------------------------------------------------------------------
*Seun Ojedeji,Federal University Oye-Ekitiweb: http://www.fuoye.edu.ng
<http://www.fuoye.edu.ng> Mobile: +2348035233535**alt email:
<http://goog_1872880453>seun.ojedeji@fuoye.edu.ng
<seun.ojedeji(a)fuoye.edu.ng>*
2:57 a.m.
Hi Seun,
On Wed, 12 Mar 2014, Seun Ojedeji wrote:
Hello Christian,
Thanks, kindly find my response inset
On Tue, Mar 11, 2014 at 4:36 PM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
> Hi,
>
> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
> You have three options:
>
> 1. If you remember the password you have set for cn=admin,cn=config use
> that with
>
> ldapmodify -x -w pass -D cn=admin,cn=config -H ldap://...
>
> I followed this option, however i keep getting the error below when i
tried setting up the customer side:
sudo ldapadd -x -w mypass -D cn=admin,cn=config -H ldapi:/// -f
enable_sync_consumer.ldif
modifying entry "cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
Any idea on what i may be doing wrong?
The ldif modify snippet you are trying to apply does not match what you
have in your configuration.
From a quick look at enable_sync_consumer.ldif on the howto you
referenced earlier I can see they replace the olcAccess configuration on
your databases thereby also deleting your original olcAccess
configuration which is why you had difficulty accessing cn=config over
ldapi:// with root credentials.
You really need to work through the documentation and understand what
you are doing or you will never have a reliably working replication
configuration.
I suggest you start fresh and:
1. get current 2.4.39 rpms from ltb-procject.org
2. start with a fresh install
3. build the configuration from scratch
You can of course post all your configs again and show us the file you
are trying to apply and we would see what is wrong but then the next
problem will turn up and you will not be able to solve it yourself.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
3:21 a.m.
Hello Christian,
Thanks again, advice well taken ;)
Cheers!
On Wed, Mar 12, 2014 at 10:57 AM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
Hi Seun,
On Wed, 12 Mar 2014, Seun Ojedeji wrote:
Hello Christian,
>
> Thanks, kindly find my response inset
> On Tue, Mar 11, 2014 at 4:36 PM, Christian Kratzer <ck-lists(a)cksoft.de
> >wrote:
>
> Hi,
>>
>> On Tue, 11 Mar 2014, Seun Ojedeji wrote:
>> You have three options:
>>
>> 1. If you remember the password you have set for cn=admin,cn=config use
>> that with
>>
>> ldapmodify -x -w pass -D cn=admin,cn=config -H ldap://...
>>
>> I followed this option, however i keep getting the error below when i
>>
> tried setting up the customer side:
>
> sudo ldapadd -x -w mypass -D cn=admin,cn=config -H ldapi:/// -f
> enable_sync_consumer.ldif
> modifying entry "cn=config"
>
> modifying entry "olcDatabase={1}hdb,cn=config"
> ldap_modify: No such attribute (16)
> additional info: modify/delete: olcAccess: no such value
>
> Any idea on what i may be doing wrong?
>
The ldif modify snippet you are trying to apply does not match what you
have in your configuration.
From a quick look at enable_sync_consumer.ldif on the howto you
referenced earlier I can see they replace the olcAccess configuration on
your databases thereby also deleting your original olcAccess
configuration which is why you had difficulty accessing cn=config over
ldapi:// with root credentials.
You really need to work through the documentation and understand what
you are doing or you will never have a reliably working replication
configuration.
I suggest you start fresh and:
1. get current 2.4.39 rpms from ltb-procject.org
2. start with a fresh install
3. build the configuration from scratch
You can of course post all your configs again and show us the file you
are trying to apply and we would see what is wrong but then the next
problem will turn up and you will not be able to solve it yourself.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
--
------------------------------------------------------------------------
*Seun Ojedeji,Federal University Oye-Ekitiweb: http://www.fuoye.edu.ng
<http://www.fuoye.edu.ng> Mobile: +2348035233535**alt email:
<http://goog_1872880453>seun.ojedeji@fuoye.edu.ng
<seun.ojedeji(a)fuoye.edu.ng>*
3374
days inactive
3375
days old
openldap-technical@openldap.org
8 comments
2 participants
participants (2)
-
Christian Kratzer -
Seun Ojedeji