On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard olivier@guillard.nom.fr wrote:
> No, that is not the meaning of "add".
> In that case, how can you change olcRootPW: MySecretPassword
If you forgot your rootdn pass, and have no other user with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete the old config, and reload with slapadd. Or... take the risk and just edit the file by hand.
Ildefonso.
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com:
> On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard olivier@guillard.nom.fr wrote:
> > No, that is not the meaning of "add".
> > In that case, how can you change olcRootPW: MySecretPassword
> If you forgot your rootdn pass, and have no other user with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete the old config, and reload with slapadd. Or... take the risk and just edit the file by hand.
Or use the ldapi:// URI, with the "EXTERNAL" SASL mechanism, and the correct ACL.
On Thu, Apr 21, 2011 at 12:32 PM, Erwann ABALEA eabalea@gmail.com wrote:
> 2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com:
> > [...]
> > If you forgot your rootdn pass, and have no other user with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete the old config, and reload with slapadd. Or... take the risk and just edit the file by hand.
> Or use the ldapi:// URI, with the "EXTERNAL" SASL mechanism, and the correct ACL.
Ok... can you elaborate? If you can do this, I feel that this is almost a security problem (where you can bypass LDAP authentication by using an external auth that was not previously configured on the directory).
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com:
> [...]
> > Or use the ldapi:// URI, with the "EXTERNAL" SASL mechanism, and the correct ACL.
> Ok... can you elaborate? If you can do this, I feel that this is almost a security problem (where you can bypass LDAP authentication by using an external auth that was not previously configured on the directory).
On my Debian server, the default openldap installation has only this ACL defined for cn=config:

    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break

And I can access it by connecting as root *on the same server*, and using the ldap* tools like this:

    ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"

This is to be used at the very start of the installation. I use it to create a user, and add an ACL with this user to allow me to access the directory from outside (and have some graphical tool, if they can make admin tasks easier).
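A scripted form of the check Erwann describes, added here as an example and not code from the thread. It inspects a "slapcat -n 0" dump for the peercred ACL on the config database (unwrapping LDIF continuation lines first, because slapcat folds a value this long) and emits the LDIF that adds that ACL. The ACL value and the ldapsearch command are the ones quoted above; the entry DN olcDatabase={0}config,cn=config, the rootdn cn=admin,cn=config in the usage comment, and the function names are assumptions based on the standard cn=config layout.

```shell
#!/bin/sh
# Added example, not code from the thread: check a cn=config dump for the
# local-root SASL EXTERNAL ACL and produce the LDIF that adds it.
# Assumption: the config database entry is olcDatabase={0}config,cn=config.

# The ACL value exactly as it appears in the Debian default quoted above.
ROOT_PEERCRED_ACL='{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break'

# Return 0 if the dump (output of "slapcat -n 0") lets local root manage
# cn=config over ldapi:///, 1 otherwise. slapcat folds long values onto
# continuation lines (leading space), so lines are unwrapped before matching,
# and only olcAccess values on the config database itself count: the same ACL
# on a data database does not get you into cn=config.
has_root_peercred_acl() {
    awk '
        function handle(l) {
            if (l ~ /^dn: /)
                in_cfg = (l == "dn: olcDatabase={0}config,cn=config")
            else if (in_cfg && l ~ /^olcAccess: / &&
                     l ~ /gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth/ &&
                     l ~ / manage/)
                found = 1
        }
        /^ /  { line = line substr($0, 2); next }   # continuation line: append
              { if (line != "") handle(line); line = $0 }
        END   { if (line != "") handle(line); exit found ? 0 : 1 }
    ' "$1"
}

# LDIF that (re)adds the ACL at position {0}, giving yourself the "second
# chance" discussed in the thread. Apply it while you still hold the cn=config
# rootdn (cn=admin,cn=config is an assumed name), for example:
#   root_peercred_acl_ldif | ldapmodify -H ldapi:/// -D cn=admin,cn=config -W
# or include the same line in an offline slapcat/slapadd rebuild.
root_peercred_acl_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: $ROOT_PEERCRED_ACL
EOF
}

# The live probe from the thread (only runs if you call it): it succeeds only
# when slapd is up, the caller is uid 0 on the same host, and the ACL is present.
probe_config_via_ldapi() {
    ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config" -s base -LLL dn
}

# Example invocation on a real server, as root:
#   slapcat -n 0 > /root/config.ldif
#   has_root_peercred_acl /root/config.ldif && echo "local root can reach cn=config"
if [ "${1:-}" = "--check" ]; then
    has_root_peercred_acl "$2"
fi
```

Note that this ACL does not widen the trust boundary much: whoever is root on the host can already read and rewrite slapd.d on disk, which is exactly the hand-editing risk Ildefonso mentions, so the ACL only turns that capability into a supported, logged LDAP operation over the local socket.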
On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA eabalea@gmail.com wrote:
> [...]
> On my Debian server, the default openldap installation has only this ACL defined for cn=config:
>
>     olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
>
Ok, since I just took my old slapd.conf and converted it with slaptest, I was not aware of that default config. Now, let's say that you changed the config, that you had the rootdn, and that the ACL was not there; in that case, you can't use SASL EXTERNAL, right?
> And I can access it by connecting as root *on the same server*, and using the ldap* tools like this:
>
>     ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"
>
> This is to be used at the very start of the installation. I use it to create a user, and add an ACL with this user to allow me to access the directory from outside (and have some graphical tool, if they can make admin tasks easier).
> -- Erwann.
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com:
> [...]
> Ok, since I just took my old slapd.conf and converted it with slaptest, I was not aware of that default config. Now, let's say that you changed the config, that you had the rootdn, and that the ACL was not there; in that case, you can't use SASL EXTERNAL, right?
Right. If you lose your password, and have no other way to authenticate to your LDAP server, you're screwed. Just give yourself a second chance by adding this ACL. Of course, if you lose the ability to become root on this server, then you don't have access to the server anymore. Evident.
In the end, if you really don't have any way to authenticate, then yes, that's a disaster, and in case of disasters, big measures need to be taken. Stop slapd, "slapcat -n 0", edit the file, delete the content of the slapd.d directory, "slapadd -n 0". I guess.
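The last-resort procedure Erwann outlines, scripted, as an added example rather than anything posted in the thread: take the "slapcat -n 0" dump, replace the olcRootPW of one named database entry with a new hash (for instance one produced by "slappasswd -s"), back up slapd.d before emptying it, reload with "slapadd -n 0", and put the backup back if slapadd fails. The Debian defaults /etc/ldap/slapd.d and the openldap service user, the "service slapd" commands, the dump locations under /root, and the function names are assumptions; the sample hash in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: offline rootdn password reset through
# slapcat -n 0 / edit / slapadd -n 0, with a backup of slapd.d and a targeted
# edit of the dump instead of editing slapd.d by hand.
# Assumptions: Debian paths and service user; adjust for other distributions.
SLAPD_D="${SLAPD_D:-/etc/ldap/slapd.d}"
SLAPD_USER="${SLAPD_USER:-openldap}"

# Rewrite the olcRootPW of one database entry in a cn=config LDIF dump.
# $1 = input dump, $2 = entry DN (e.g. olcDatabase={1}mdb,cn=config),
# $3 = new password hash (e.g. the output of: slappasswd -s 'new-secret').
# Prints the rewritten LDIF. Returns 1 if that entry had no olcRootPW, so a
# typo in the DN fails loudly instead of silently keeping the old password.
# Handles both "olcRootPW: " and base64 "olcRootPW:: " forms and drops any
# continuation lines that belonged to the old value.
replace_rootpw_in_ldif() {
    awk -v target="$2" -v newpw="$3" '
        /^dn: /                        { in_target = (substr($0, 5) == target) }
        in_target && /^olcRootPW::? /  { print "olcRootPW: " newpw; skip = 1; replaced++; next }
        skip && /^ /                   { next }   # continuation of the replaced value
                                       { skip = 0; print }
        END                            { exit replaced ? 0 : 1 }
    ' "$1"
}

# Full offline rebuild. Run as root with no other admin path left.
# $1 = DN of the database whose rootdn password is lost, $2 = new hash.
rebuild_config_with_new_rootpw() {
    db_dn="$1"; new_hash="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$SLAPD_D.bak.$stamp"
    dump="/root/config-$stamp.ldif"
    edited="/root/config-$stamp.edited.ldif"

    service slapd stop || return 1
    cp -a "$SLAPD_D" "$backup" || return 1          # untouched copy for rollback
    slapcat -n 0 -F "$SLAPD_D" -l "$dump" || return 1
    chmod 600 "$dump"                                # the dump carries password hashes
    if ! replace_rootpw_in_ldif "$dump" "$db_dn" "$new_hash" > "$edited"; then
        echo "no olcRootPW found on $db_dn; nothing changed" >&2
        return 1
    fi
    chmod 600 "$edited"
    rm -rf "$SLAPD_D" && mkdir -p "$SLAPD_D"
    if ! slapadd -n 0 -F "$SLAPD_D" -l "$edited"; then
        echo "slapadd failed; restoring $backup" >&2
        rm -rf "$SLAPD_D"
        cp -a "$backup" "$SLAPD_D"
        return 1
    fi
    chown -R "$SLAPD_USER:$SLAPD_USER" "$SLAPD_D"
    service slapd start
}

# Usage on a real server (placeholder hash shown; generate one with slappasswd):
#   ./reset-rootpw.sh --rebuild 'olcDatabase={1}mdb,cn=config' '{SSHA}PLACEHOLDER'
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_config_with_new_rootpw "$2" "$3"
fi
```

Keep the dated backup and the two dump files only as long as the rollback window needs them: both hold every olcRootPW hash in the directory configuration.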
openldap-technical@openldap.org