Hello,
With help from various generous people on this list, I am finishing up with my project. Among other things, I need to perform a non-interactive OpenLDAP configuration.
I install the server with aptitude and have LDIFs to change the root password and suffix. However, it seems that I still need to correctly adjust olcAccess so my searches work.
The olcAccess is the part that is not working as I expected. My LDIF runs just fine changing the name and domain suffix. Yet, after the operation is complete, ldapsearch(1) starts returning errors. When the suffix was nodomain [default left by the install], searches worked. Please advise. The LDIF is below:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
I don't see any errors. Nothing throws me off when I run slapcat(8). Please advise.
Thank you,
Igor Shmukler
Igor Shmukler wrote:
With help from various generous people on this list, I am finishing up with my project. Among other things, I need to perform a non-interactive OpenLDAP configuration.
I'd use static configuration which will still be supported in 2.5.x, at least a small snippet for boot-strapping.
Ciao, Michael.
Hello Michael,
Is there a reason why what I am doing now does not [completely] work? I must be missing something. Currently, my credentials are accepted by ldapsearch(1), so something in olcAccess gets changed. At the same time, before changing the domain, I would get two (2) entries, one for the nodomain and one for cn=admin,dc=nodomain, and after changing the suffix, I get: 32 No such object
I have two databases - config and records. For some reason, ldapmodify(1) updates config [-n 0], but entries [-n 1] still have dc=nodomain suffix. How do I change this?
Sincerely,
Igor Shmukler
On Tue, Jan 6, 2015 at 2:12 PM, Michael Ströder michael@stroeder.com wrote:
Am Tue, 6 Jan 2015 14:50:15 +0100 schrieb Igor Shmukler igor.shmukler@gmail.com:
You should remove the database file, slapcat the config database, modify the files, delete the old config database and slapadd the modified database ldif.
-Dieter
On Tue, Jan 06, 2015 at 02:12:51PM +0100, Michael Ströder wrote:
Igor Shmukler wrote:
With help from various generous people on this list, I am finishing up with my project. Among other things, I need to perform a non-interactive OpenLDAP configuration.
I'd use static configuration which will still be supported in 2.5.x, at least a small snippet for boot-strapping.
I previously used puppet to automate the following:
- add a templated cn=config ldif to a host (with pre-populated syncrepl config)
- add templated database ldifs to a host
- run a wrapper to slapadd them all
- start slapd
This meant that I could boot a new server and come back in a few hours after syncrepl replication had finished to find a working replica. I presume the same technique will work no matter which configuration management software is in use.
I used slapcat on my existing pre-prod cn=config and databases to get the basic structure which I used to create the templated ldifs.
Hi Igor,
On Tue, Jan 06, 2015 at 01:56:23PM +0100, Igor Shmukler wrote:
I install the server with aptitude and have LDIFs to change the root password and suffix.
You might consider preseeding those prior to installation, using debconf-set-selections(1). If you do want to reconfigure the suffix after installation, dpkg-reconfigure(8) is a safe way to do that.
In particular, if you do this:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
and start loading new data into the existing database without deleting the old files first, you risk running into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546368 .
The olcAccess is the part that is not working as I expected. My LDIF runs just fine changing the name and domain suffix. Yet, after the operation is complete, ldapsearch(1) starts returning errors. When the suffix was nodomain [default left by the install], searches worked.
Please provide an example ldapsearch(1) command and its output, and the access rules currently in use (as per ldapsearch/slapcat of cn=config). I don't see anything obviously wrong in what you posted.
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
Consider the 'by self write' part of that carefully. You may not want users modifying their own uidNumber and gidNumber, for example. (Newer versions of the package stopped including 'by self write' in the default ACL because of that.)
hope that helps, Ryan
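As an added example (not posted by anyone in this thread), here is the same olcAccess set with the blanket "by self write" that Ryan warns about narrowed to a small set of self-service attributes, so that users can no longer rewrite their own uidNumber or gidNumber. The attribute list in rule {2} (loginShell, mail, telephoneNumber) is an assumption chosen for illustration; adjust it to your schema.

```ldif
# Added example: hardened olcAccess for the Debian olcDatabase={1}hdb.
# Rules are evaluated in order and the first matching "to" clause wins,
# so the narrow self-service rule must come before the catch-all.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: admin sets them, anonymous may only bind (auth),
# the user may change their own, nobody else can even read the hash.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none
# The root DSE stays readable so clients can discover the naming context.
olcAccess: {1}to dn.base="" by * read
# Self-service is limited to harmless attributes (assumed list for illustration).
olcAccess: {2}to attrs=loginShell,mail,telephoneNumber
  by dn="cn=admin,dc=example,dc=com" write
  by self write
  by * read
# Everything else (uidNumber, gidNumber, group membership, ...):
# only the admin DN may write; no "by self write" here.
olcAccess: {3}to *
  by dn="cn=admin,dc=example,dc=com" write
  by * read
```

Lines beginning with a single space are LDIF continuation lines and are joined onto the preceding olcAccess value when loaded with ldapmodify(1) against cn=config; verify the result afterwards with slapcat -n 0 or an ldapsearch on olcDatabase={1}hdb,cn=config.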
Hello Ryan,
I followed your advice to set selections. Did what I needed.
Thank you,
Igor Shmukler
On Tuesday, January 6, 2015, Ryan Tandy ryan@nardis.ca wrote:
openldap-technical@openldap.org