Hi guys, I have googled a lot to modify cn=config but all failed. Hope someone can help. Thanks. [openldap2.6.1 CentOS7.9]

My initial ldif is like below:

```
[root@rayc01 openldap]# more slapd.ldif |grep -v ^#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /usr/local/openldap-2.6.1/var/run/slapd.args
olcPidFile: /usr/local/openldap-2.6.1/var/run/slapd.pid

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/local/openldap-2.6.1/libexec/openldap
olcModuleload: back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/core.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/collective.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/corba.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/cosine.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dsee.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/duaconf.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dyngroup.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/java.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/misc.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/namedobject.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/nis.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/openldap.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/pmi.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=domain,dc=com
olcRootDN: cn=root,dc=domain,dc=com
olcRootPW: {SSHA}N/Zg9jqjoL1E4xEHc1dGdyTzZiOlEsrs
olcDbDirectory: /usr/local/openldap-2.6.1/var/openldap-data
olcDbIndex: objectClass eq

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
[root@rayc01 openldap]#
```

After import by slapadd and after slapd start, I can add my ou with cn=root by ldapadd, like below:

```
[root@rayc01 ~]# more base.ldif
dn: dc=domain,dc=com
dc: domain
objectClass: top
objectClass: domain

dn: ou=People,dc=domain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=domain,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=Mounts,dc=domain,dc=com
objectClass: organizationalUnit
ou: Mounts
```
But when I try to modify olcLogLevel and olcIdleTimeout in cn=config, I get errors:

```
[root@rayc01 ~]# more log.ldif
dn: cn=config
changeType: modify
replace: olcIdleTimeout
olcIdleTimeout: 60

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: 256

[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
[root@rayc01 ~]# ldapmodify -x -D cn=root,dc=domain,dc=com -w "xxx@123" -f log.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
[root@rayc01 ~]# ldapmodify -x -D cn=config -f log.ldif
ldap_bind: Server is unwilling to perform (53)
	additional info: unauthenticated bind (DN with no password) disallowed
[root@rayc01 ~]#

[root@rayc01 ~]# more 1.ldif
dn: olcDatabase={0}config,cn=config
#olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=huawei,dc=com" read by * none

[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
[root@rayc01 ~]#
```
On 01.05.22 13:21, butterfly-cry@qq.com wrote:
[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
Does your /etc/sysconfig/slapd include the ldapi URL?
Should look like
SLAPD_URLS="ldapi:/// ldap:///"
Best regards Ulf
Hi Ulf, thanks for the reply. I compiled and installed openldap-2.6.1 from source, and slapd is a binary file in /LDAP_HOME/libexec/.
--On Sunday, May 1, 2022 12:21 PM +0000 butterfly-cry@qq.com wrote:
You didn't supply a rootpw for the config rootdn, or as an alternative, you didn't provide a SASL mapping to allow SASL/EXTERNAL connections over ldapi as the root user to map the config user. You need to fix your configuration to allow the ability to assume the cn=config identity in some fashion.
Regards, Quanah
Hi Quanah, thanks for the reply. I didn't find a clear step to set up the rootpw/rootdn for cn=config, nor the steps to enable SASL/EXTERNAL, in the 2.6 docs. When I used rpm/yum to install openldap-2.4.44, SASL/EXTERNAL was enabled by default so I didn't have this problem. But now I have compiled and installed version 2.6.1 and cannot find a correct way to set up permissions for cn=config.
--On Monday, May 2, 2022 1:32 PM +0000 butterfly-cry@qq.com wrote:
The method of doing this hasn't changed between 2.4 and 2.6. You could look at the olcsaslauthzregexp mapping in the 2.4 config database for comparison.
--Quanah
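To make Quanah's diagnosis checkable before restarting slapd, here is an added Python audit script (written for this thread; not code from OpenLDAP or from anyone in the discussion). It parses a slapd.ldif and reports which of the usual routes to administering cn=config are present: an olcRootPW on olcDatabase={0}config, an olcAuthzRegexp on cn=config mapping the ldapi peercred identity to cn=config (I take Quanah's "olcsaslauthzregexp" to mean this attribute), or an olcAccess rule on the config database granting that identity write or manage. The embedded LDIF is constructed from the original post's slapd.ldif with the schema includes dropped, plus a hypothetical fixed version; the olcAuthzRegexp line and the {SSHA} placeholder hash are assumptions, not values from the thread.

```python
import re

# Identity that ldapi:/// + SASL/EXTERNAL gives a root shell (from the thread's 1.ldif).
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}).

    Handles comment lines, blank-line record separators and folded
    continuation lines (leading space). Base64 values ("attr:: ...") are
    kept as the raw encoded string; this audit never needs to decode them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, dn, attrs = [], None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        value = value.lstrip(": ")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def _norm(dn):
    return re.sub(r"\s+", "", dn).lower()


def config_admin_paths(records):
    """Report which ways of administering cn=config the configuration offers."""
    found = {"config_db_present": False, "rootpw": False,
             "authz_regexp": False, "peercred_access": False}
    for dn, attrs in records:
        n = _norm(dn)
        if n == "cn=config":
            for rule in attrs.get("olcAuthzRegexp", []):
                r = rule.lower()
                if "peercred" in r and "cn=config" in r:
                    found["authz_regexp"] = True
        elif re.fullmatch(r"olcdatabase=(\{0\})?config,cn=config", n):
            found["config_db_present"] = True
            if attrs.get("olcRootPW"):
                found["rootpw"] = True
            for rule in attrs.get("olcAccess", []):
                m = re.search(r'by\s+dn(?:\.\w+)?="' + re.escape(PEERCRED_ROOT)
                              + r'"\s+(\w+)', rule)
                if m and m.group(1) in ("write", "manage"):
                    found["peercred_access"] = True
    return found


def diagnose(ldif_text):
    """Return (administrable, findings) for a slapd.ldif given as text."""
    f = config_admin_paths(parse_ldif(ldif_text))
    notes = []
    if not f["config_db_present"]:
        notes.append("no olcDatabase={0}config entry: slapd creates one with no rootpw")
    if f["rootpw"]:
        notes.append("olcRootPW set on the config database: bind with -x -D cn=config -W")
    if f["authz_regexp"]:
        notes.append("olcAuthzRegexp maps the ldapi peercred identity to cn=config: use -Y EXTERNAL -H ldapi:///")
    if f["peercred_access"]:
        notes.append("olcAccess grants the ldapi peercred identity write/manage on the config database")
    ok = f["rootpw"] or f["authz_regexp"] or f["peercred_access"]
    if not ok:
        notes.append("no path to modify cn=config: expect 'Insufficient access (50)' from ldapmodify")
    return ok, notes


# Constructed from the slapd.ldif in the original post (schema includes omitted).
ORIGINAL_SLAPD_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /usr/local/openldap-2.6.1/var/run/slapd.args
olcPidFile: /usr/local/openldap-2.6.1/var/run/slapd.pid

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=domain,dc=com
olcRootDN: cn=root,dc=domain,dc=com
olcRootPW: {SSHA}N/Zg9jqjoL1E4xEHc1dGdyTzZiOlEsrs
olcDbDirectory: /usr/local/openldap-2.6.1/var/openldap-data
"""

# Hypothetical fixed version: a config database entry with a rootpw plus a
# SASL mapping, i.e. both options Quanah names. The hash is a placeholder.
FIXED_SLAPD_LDIF = ORIGINAL_SLAPD_LDIF.replace(
    "cn: config\n",
    "cn: config\n"
    "olcAuthzRegexp: gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config\n",
) + """
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW: {SSHA}PLACEHOLDER-generate-with-slappasswd
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_SLAPD_LDIF), ("fixed", FIXED_SLAPD_LDIF)):
        ok, notes = diagnose(text)
        print(f"[{label}] cn=config administrable: {ok}")
        for n in notes:
            print("  -", n)
```

Run it against the real file with `diagnose(open("/usr/local/openldap-2.6.1/etc/openldap/slapd.ldif").read())` before `slapadd`; on the original post's configuration it reports that no route to cn=config exists, which is exactly the "Insufficient access (50)" seen in the thread. Note the 1.ldif in the post only grants `read` to the peercred identity, which the olcAccess check here deliberately does not count as administrable.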
Today, when I redid the initial setup of openldap with slapd.conf instead of slapd.ldif, I get 'segmentation fault':

```
[root@rayc01 openldap]# slaptest -f slapd.conf -F /tmp/slapd.d
/usr/local/openldap-2.6.1/etc/openldap/schema/dyngroup.schema: line 49 objectIdentifier: "NetscapeRoot" previously defined "2.16.840.1.113730"
Segmentation fault (core dumped)
[root@rayc01 openldap]#
[root@rayc01 openldap]# cat slapd.conf|grep -v '#'|grep -v ^$
include /usr/local/openldap-2.6.1/etc/openldap/schema/core.schema
include ...
include /usr/local/openldap-2.6.1/etc/openldap/schema/pmi.schema
pidfile /usr/local/openldap-2.6.1/var/run/slapd2.pid
argsfile /usr/local/openldap-2.6.1/var/run/slapd2.args
modulepath /usr/local/openldap-2.6.1/libexec/openldap
moduleload back_mdb.la
database config
rootpw issecret
database mdb
maxsize 1073741824
suffix "dc=domain,dc=com"
rootdn "cn=root,dc=domain,dc=com"
rootpw secret
directory /usr/local/openldap-2.6.1/var/openldap-data2
index objectClass eq
database monitor
[root@rayc01 openldap]#
```
openldap-technical@openldap.org