Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
So I'm trying to add an entry like:
dn: cn=myuser,cn=config
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: myuser
userPassword: mypassword
but I'm getting the error:
Object class violation (65).
In the server's log I get:
Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 ADD dn="cn=myuser,cn=config "
Sep 27 12:52:04 canis10 slapd[10564]: slap_queue_csn: queing 0x7f47bc1d8f10 20100927105204.422891Z#000000#001#000000
Sep 27 12:52:04 canis10 slapd[10564]: conn=1018 op=2 RESULT tag=105 err=65 text=
I have tried to add it with the server running in debug mode, and then I get:
dnPrettyNormal: <cn=myuser,cn=config>
=> ldap_bv2dn(cn=myuser,cn=config,0)
<= ldap_bv2dn(cn=myuser,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=myuser,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=myuser,cn=config)=0
<<< dnPrettyNormal: <cn=myuser,cn=config>, <cn=myuser,cn=config>
conn=1002 op=2 ADD dn="cn=myuser,cn=config"
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
=> access_allowed: add access to "cn=myuser,cn=config" "entry" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
<= acl_access_allowed: granted to database root
oc_check_required entry (cn=myuser,cn=config), objectClass "organizationalRole"
oc_check_required entry (cn=myuser,cn=config), objectClass "simpleSecurityObject"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "userPassword"
oc_check_allowed type "structuralObjectClass"
=> access_allowed: add access to "cn=config" "children" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
conn=1002 op=2: config_add_internal: DN="cn=myuser,cn=config" no structural objectClass in configuration table
but organizationalRole is a structural object class. I have tried with other object classes like person or inetOrgPerson, but I get the same result.
Could anybody help me?
On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
[...]
Could anybody help me?
Add access controls to the database, allowing your existing user accounts write access to cn=config.
The config database is for configuration, not for data (e.g. users).
Here is my access rule:
$ ldapsearch -LLL -b cn=config "(olcDatabase={0}config)" olcAccess
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com" ssf=112 write
olcAccess: {1}to * by * none
This shows how my account managed to see the configuration above:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com

$ ldapcompare 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
TRUE
This can be done without SASL, but since I have SASL setup, it is so more convenient to show with SASL than without.
Regards, Buchan
On 27/09/10 15:17, Buchan Milne wrote:
On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
[...]
Could anybody help me?
Add access controls to the database, allowing your existing user accounts write access to cn=config.
I have write access to cn=config. In fact, I'm using the rootdn
The config database is for configuration, not for data (e.g. users).
I know it. I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
On Tuesday, 28 September 2010 07:58:00 Angel L. Mateo wrote:
On 27/09/10 15:17, Buchan Milne wrote:
The config database is for configuration, not for data (e.g. users).
I know it
So then why do you ask how to create users there?
I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
Well, there may be other possible solutions to your *real* problem, but since it seems you aren't open to anything besides "creating users under cn=config", it is difficult to help.
Regards, Buchan
On 28/09/10 09:46, Buchan Milne wrote:
On Tuesday, 28 September 2010 07:58:00 Angel L. Mateo wrote:
On 27/09/10 15:17, Buchan Milne wrote:
The config database is for configuration, not for data (e.g. users).
I know it
So then why do you ask how to create users there?
Because I want to create a (just one) user in cn=config.
I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
Well, there may be other possible solutions to your *real* problem, but since it seems you aren't open to anything besides "creating users under cn=config", it is difficult to help.
I don't know why you said this. I'm open to any solution that fits my problem. I don't like to create a user in other databases, because I want to use the user before creating any database (I need it for an ldap deployment and configuration tool).
On Tue, 28 Sep 2010 11:12:32 +0200, "Angel L. Mateo" amateo@um.es wrote:
On 28/09/10 09:46, Buchan Milne wrote:
On Tuesday, 28 September 2010 07:58:00 Angel L. Mateo wrote:
On 27/09/10 15:17, Buchan Milne wrote:
The config database is for configuration, not for data (e.g. users).
I know it
So then why do you ask how to create users there?
Because I want to create a (just one) user in cn=config.
I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
Well, there may be other possible solutions to your *real* problem, but since it seems you aren't open to anything besides "creating users under cn=config", it is difficult to help.
I don't know why you said this. I'm open to any solution that fits my problem. I don't like to create a user in other databases, because I want to use the user before creating any database (I need it for an ldap deployment and configuration tool).
cn=config is NOT a user database, but only a configuration database. As with all databases you may define a rootdn, but that is all. If you want to allow write access to cn=config to any other user, you may create appropriate access rules which allow defined users or network devices write access.
-Dieter
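Both answers come down to the same thing: the identity that configures the server lives in a regular database (or is the rootdn), and an olcAccess rule on olcDatabase={0}config decides who may write, over what security layer, and from where. As an added example that is not code from the thread or from OpenLDAP, the following Python script models how slapd evaluates such rules: the first matching "to" clause applies, then the first "by" clause whose selectors all hold, and if no "by" clause holds the result is the implicit "by * none". It handles only the subset of slapd.access(5) that the discussion needs (`to *`, and the selectors `*`, `anonymous`, `users`, `dn`/`dn.exact`, `group`, `ssf`, `peername.ip`); the DNs, addresses, group membership and the second rule set are constructed for the example, and the SSF it compares is assumed to be the effective one (the strongest of the TLS and SASL layers).

```python
"""Toy evaluator for OpenLDAP olcAccess rules (constructed example, not OpenLDAP code)."""
import ipaddress
import re
import shlex
from dataclasses import dataclass

# Access levels in increasing order of privilege, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Crude DN normalisation: lower-case and drop whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


@dataclass
class Session:
    bind_dn: str    # "" for an anonymous bind
    ssf: int        # effective SSF (assumed: strongest of the TLS and SASL layers)
    peer_ip: str    # client address as slapd sees it
    groups: dict    # group DN -> set of member DNs (constructed stand-in for the directory)


@dataclass
class ByClause:
    selectors: list  # every token before the access level, e.g. 'group=...', 'ssf=112'
    access: str


@dataclass
class Rule:
    what: str        # only '*' is supported in this toy
    by: list         # ByClause objects in the order written


def parse_rule(value):
    """Parse one olcAccess value such as '{0}to * by group="..." ssf=112 write'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())          # drop the {n} ordering prefix
    m = re.match(r"to\s+(\S+)\s+by\s+(.*)$", value)
    if not m or m.group(1) != "*":
        raise ValueError(f"unsupported rule: {value}")
    clauses = []
    for chunk in re.split(r"\s+by\s+", m.group(2)):
        tokens = shlex.split(chunk)                           # shlex keeps quoted DNs whole
        if not tokens or tokens[-1] not in LEVELS:
            raise ValueError(f"clause without access level: {chunk}")
        clauses.append(ByClause(selectors=tokens[:-1], access=tokens[-1]))
    return Rule(what="*", by=clauses)


def selector_matches(sel, s):
    """One <who> selector against the session; all selectors of a clause must hold."""
    if sel == "*":
        return True
    if sel == "anonymous":
        return s.bind_dn == ""
    if sel == "users":
        return s.bind_dn != ""
    key, _, arg = sel.partition("=")
    if key in ("dn", "dn.exact"):
        return s.bind_dn != "" and norm_dn(s.bind_dn) == norm_dn(arg)
    if key == "group":
        members = {norm_dn(x) for g, ms in s.groups.items() if norm_dn(g) == norm_dn(arg) for x in ms}
        return s.bind_dn != "" and norm_dn(s.bind_dn) in members
    if key == "ssf":
        return s.ssf >= int(arg)
    if key == "peername.ip":
        ip, _, mask = arg.partition("%")                      # slapd syntax: <ip>[%<mask>]
        net = ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)
        return ipaddress.ip_address(s.peer_ip) in net
    raise ValueError(f"unsupported selector: {sel}")


def granted_level(rules, s):
    """Level slapd would grant: first 'by' clause whose selectors all hold, else none."""
    for rule in rules:                     # 'to *' matches every entry, so the first rule applies
        for clause in rule.by:
            if all(selector_matches(sel, s) for sel in clause.selectors):
                return clause.access
        return "none"                      # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"


def allowed(rules, s, requested):
    return LEVELS.index(granted_level(rules, s)) >= LEVELS.index(requested)


# Constructed sample: the two-line policy from the thread, with an example domain.
CONFIG_ACL = [parse_rule(v) for v in (
    '{0}to * by group="cn=LDAP Admins,ou=System Groups,dc=example,dc=com" ssf=112 write',
    '{1}to * by * none',
)]
# Constructed sample for the original question: one automation identity, accepted only
# from one address and only over a strong security layer (names are hypothetical).
AUTOMATION_ACL = [parse_rule(
    '{0}to * by dn.exact="uid=automation,ou=people,dc=example,dc=com" '
    'peername.ip=192.0.2.10 ssf=128 write by * none')]
GROUPS = {"cn=LDAP Admins,ou=System Groups,dc=example,dc=com":
          {"uid=alice,ou=people,dc=example,dc=com"}}


def demo():
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bot = "uid=automation,ou=people,dc=example,dc=com"
    return {
        "admin_ssf56_read": allowed(CONFIG_ACL, Session(alice, 56, "192.0.2.5", GROUPS), "read"),
        "admin_ssf128_write": allowed(CONFIG_ACL, Session(alice, 128, "192.0.2.5", GROUPS), "write"),
        "bot_from_allowed_ip": allowed(AUTOMATION_ACL, Session(bot, 128, "192.0.2.10", GROUPS), "write"),
        "bot_from_other_ip": allowed(AUTOMATION_ACL, Session(bot, 128, "198.51.100.7", GROUPS), "read"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point worth checking in any real policy is the fall-through: a "by" clause whose ssf or peername selector is not met does not deny, it simply does not match, so the trailing "by * none" is what actually denies the admin arriving over a weak security layer or the automation account connecting from the wrong address.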
On Tue, 28 Sep 2010 08:58:00 +0200, "Angel L. Mateo" amateo@um.es wrote:
On 27/09/10 15:17, Buchan Milne wrote:
On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
[...]
Could anybody help me?
Add access controls to the database, allowing your existing user accounts write access to cn=config.
I have write access to cn=config. In fact, I'm using the rootdn
The config database is for configuration, not for data (e.g. users).
I know it. I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
ldapmodify
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=config
-
add: olcRootPW
olcRootPW: secret
-
-Dieter
On Tuesday, 28 September 2010 08:51:24 Dieter Kluenter wrote:
On Tue, 28 Sep 2010 08:58:00 +0200, "Angel L. Mateo" amateo@um.es wrote:
On 27/09/10 15:17, Buchan Milne wrote:
On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
[...]
The config database is for configuration, not for data (e.g. users).
I know it. I just want to create a user for configuration and automation (of configuration) purposes. I'm trying to configure slapd from a configuration system like puppet, so I need a user for ldap operations (instead of this I could configure slapd by managing files directly, but I prefer ldap commands). Because I want to do configuration before the creation of databases, I would like that user to be directly in the cn=config database.
ldapmodify
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=config
-
add: olcRootPW
olcRootPW: secret
-
Invalid solution to the original requirement (which has no solution):
On Monday, 27 September 2010 11:56:47 Angel L. Mateo wrote:
Hello,
I'm migrating from an old openldap 2.3.30 to a 2.4.21 running in an ubuntu server, so I'm new to the cn=config database.
The problem I have is that I want to create a user under cn=config, so I could configure the server without providing the password for cn=config (I want to restrict the IPs from which that user could be used).
Regards, Buchan
openldap-technical@openldap.org