Hi, I have a standard Debian install of slapd that was apparently automatically upgraded/updated from using slapd.conf to using olc. Now I would like to view settings before editing them so I tried some simple ldapsearch queries but all the things I try return empty results.
How do I get to see the contents of cn=config?
Things I have tried:
ldapsearch -b cn=config -D cn=admin,dc=mydomain -W
ldapsearch -x cn=config
ldapsearch -D cn=admin,dc=mydomain -W cn=config
Some help/pointers in the right direction would be greatly appreciated. Thanks, Eli
On 04/01/11 17:44 +0200, E.S. Rosenberg wrote:
Hi, I have a standard Debian install of slapd that was apparently automatically upgraded/updated from using slapd.conf to using olc. Now I would like to view settings before editing them so I tried some simple ldapsearch queries but all the things I try return empty results.
How do I get to see the contents of cn=config?
Things I have tried:
ldapsearch -b cn=config -D cn=admin,dc=mydomain -W
ldapsearch -x cn=config
ldapsearch -D cn=admin,dc=mydomain -W cn=config
You're probably missing the config backend. I added this to the end of my slapd.conf before conversion to slapd.d:
database config
rootdn "cn=admin,dc=example,dc=org"
See the manpage for slapd-config for details.
Quoting "E.S. Rosenberg" esr+openldap@g.jct.ac.il:
How do I get to see the contents of cn=config?
There are two main methods that I know of and for both you have to be logged in as root. First:
~# slapcat -b cn=config
Slapd does not even have to be running. This command will dump the entire configuration, but you can also filter its output:
~# slapcat -b cn=config -a cn=config
This will show only the root object. However:
~# slapcat -b cn=config -a "(|(cn=config)(olcDatabase={1}hdb))"
This will show both the root object and the hdb database definition.
Second method:
~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
Again, you can also filter the output:
~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config cn=config
~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
Hope that helps!
Cheers,
Jaap
--On Tuesday, January 04, 2011 9:18 PM +0100 Jaap Winius jwinius@umrk.nl wrote:
Quoting "E.S. Rosenberg" esr+openldap@g.jct.ac.il:
How do I get to see the contents of cn=config?
There are two main methods that I know of and for both you have to be logged in as root. First:
It is just like any other LDAP backend. But I think one of the earlier posters nailed it -- he is probably missing having it configured as a backend entirely.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quoting Quanah Gibson-Mount quanah@zimbra.com:
... He is probably missing having it configured as a backend entirely.
That wasn't literally his question, but I would not be surprised if Dan was right. I've been running Debian squeeze since June and started with a slapd.conf configuration. Then along came 2.4.23-3 and asked if I wanted to migrate to cn=config. I felt optimistic and said Yes. Doh! It failed. I forget exactly why; I'm very dependent on my slapd server and just wanted to get the old version running again ASAP.
Since then I've installed the new version many times, but have yet to go back and attempt that migration again. For some time now I've been wanting to set up a test system to see if I run into the same problem, and if so how to deal with it, but have yet to get around to it.
Cheers,
Jaap
On Tue, Jan 04, 2011 at 05:44:25PM +0200, E.S. Rosenberg wrote:
How do I get to see the contents of cn=config?
Things I have tried:
ldapsearch -b cn=config -D cn=admin,dc=mydomain -W
ldapsearch -x cn=config
ldapsearch -D cn=admin,dc=mydomain -W cn=config
Some help/pointers in the right direction would be greatly appreciated.
Have you tried:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
(need to be run as root)
Hi, sorry that it took me a while to reply.
So I do have the config backend, since Debian moved me over automatically. So far the slapcat method has been working very nicely for me.
Another question I ran into is how you edit cn=config; by default I have not been able to figure it out. I have so far seen two methods that work for me, but they both feel a bit 'hacky', so I was wondering if there is another 'official' method.
The two things I have done:
1. edit the files in slapd.d (after stopping the openldap server to be on the safe side).
2. using ldapmodify, but this was only possible after I added an olcRootPW attribute to the olcDatabase object of the config backend by editing the file as described here: http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_back...
It confused me at first since the configdb entry has the following acl:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
I didn't understand how I could get access; it looked like I had to be root, but even as root ldapmodify would refuse duty.
I guess after seeing these mails I should have been using something like -Y EXTERNAL?
Thanks and regards, Eli
2011/1/5 Brian Candler B.Candler@pobox.com
On Tue, Jan 04, 2011 at 05:44:25PM +0200, E.S. Rosenberg wrote:
How do I get to see the contents of cn=config?
Things I have tried:
ldapsearch -b cn=config -D cn=admin,dc=mydomain -W
ldapsearch -x cn=config
ldapsearch -D cn=admin,dc=mydomain -W cn=config
Some help/pointers in the right direction would be greatly appreciated.
Have you tried:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
(need to be run as root)
E.S. Rosenberg wrote:
Hi, sorry that it took me a while to reply.
So I do have the config backend, since Debian moved me over automatically. So far the slapcat method has been working very nicely for me.
Another question I ran into is how you edit cn=config; by default I have not been able to figure it out. I have so far seen two methods that work for me, but they both feel a bit 'hacky', so I was wondering if there is another 'official' method.
The two things I have done:
- edit the files in slapd.d (after stopping the openldap server to be on the safe side).
Never do that.
- using ldapmodify, but this was only possible after I added an olcRootPW attribute to the olcDatabase object of the config backend by editing the file as described here: http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_back...
It confused me at first since the configdb entry has the following acl:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
I didn't understand how I could get access; it looked like I had to be root, but even as root ldapmodify would refuse duty.
I guess after seeing these mails I should have been using something like -Y EXTERNAL?
Yes, from your description, you should have used "ldapmodify -Y EXTERNAL -H ldapi:///" while running as root.
Hi, sorry that it took me a while to reply.
So I do have the config backend, since Debian moved me over automatically. So far the slapcat method has been working very nicely for me.
Another question I ran into is how you edit cn=config; by default I have not been able to figure it out. I have so far seen two methods that work for me, but they both feel a bit 'hacky', so I was wondering if there is another 'official' method.
The two things I have done:
1. edit the files in slapd.d (after stopping the openldap server to be on the safe side).
2. using ldapmodify, but this was only possible after I added an olcRootPW attribute to the olcDatabase object of the config backend by editing the file as described here: http://www.zarafa.com/wiki/index.php/OpenLdap:_Switch_to_dynamic_config_back...
This is not necessary, see below.
It confused me at first since the configdb entry has the following acl:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
I didn't understand how I could get access; it looked like I had to be root, but even as root ldapmodify would refuse duty.
You need to start slapd with -h ldapi:/// and bind on that URI using SASL external from the machine where slapd is running on, while logged into a shell as root. That ACL is giving access to the user whose DN results from this bind.
I guess after seeing these mails I should have been using something like -Y EXTERNAL?
Exactly. Something like
login: root
password: *****
# slapd -h ldapi:///
# ldapmodify -H ldapi:/// -Y EXTERNAL
p.
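As an added example (not code from anyone in this thread), here is a small Python parser for the LDIF that `slapcat -b cn=config` prints, used to check the two things discussed above: whether the config database's olcAccess still grants root via the ldapi peercred identity `manage` rights, and whether an olcRootPW was added to it (the workaround the replies say is unnecessary). The LDIF in the block is constructed to look like a Debian slapd.d dump; the hash value in it is a made-up placeholder.

```python
"""Parse `slapcat -b cn=config` style LDIF and audit the config database entry.
Added example, not from the thread. SAMPLE_LDIF is constructed: it mimics a
Debian dump, including slapcat's line folding and a base64 ('::') attribute."""
import base64

# Constructed sample of what `slapcat -b cn=config` might print.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: none

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW:: e1NTSEF9ZXhhbXBsZQ==
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" "):            # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: value' is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
    return entries

# The identity slapd derives from a root shell binding with -Y EXTERNAL over ldapi:///
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def audit_config_db(entries):
    """Summarise who can administer olcDatabase={0}config and how."""
    db = next(e for e in entries if e.get("olcDatabase") == ["{0}config"])
    acls = db.get("olcAccess", [])
    return {
        "root_ldapi_manage": any(ROOT_PEERCRED in a and " manage" in a for a in acls),
        "has_rootpw": "olcRootPW" in db,   # True means a password route was added
        "root_dn": db.get("olcRootDN", [None])[0],
    }
```

Run it against real output with `slapcat -b cn=config | python3 -c 'import sys; ...'`, or just feed the dump to `parse_ldif`; `root_ldapi_manage` being True is exactly why `ldapmodify -Y EXTERNAL -H ldapi:///` as root works without any olcRootPW.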