LDAP Error ‘No Global Superior Knowledge’ When Adding a Country

countryldapopenldap

I must add an organizationalunit like this into a freshly installed OpenLDAP (on Ubuntu 12.04) :

dn: ou=MYREGION, ou=MYAPP, ou=GROUPS, o=myorganization, c=fr
ou: MYREGION
objectClass: top
objectClass: organizationalunit

So as it's a new LDAP, I think I must first add the fr country, and I create that file :

dn: c=fr
c: fr
objectClass: top
objectClass: country

Now I try to import it with that command (I have no domain for that server) :

ldapadd -x -D cn=admin,dc=nodomain -W -f country_fr.ldif

but OpenLDAP rejects that command with :

adding new entry "c=fr"
ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

Any hint?

Best Answer

The error no global superior knowledge means that slapd doesn't know where to put your new entry. This typically means that you have not defined an appropriate database. With newer systems (ones using cn=config instead of slapd.conf), you would typically first add a new database or modify an existing database entry using ldapadd or ldapmodify. For example, on my Fedora 17 system, the default install sets up a database like this for hosting dc=my-domain,dc=com:

dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
creatorsName: cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com

To host your organization (o=myorganization, c=fr), I would need to create the following LDIF file:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: o=myorganization, c=fr
-
replace: olcRootDN
olcRootDN: cn=Manager,o=myorganization,c=fr
-
replace: olcAccess
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write 
  by dn.base="cn=Manager,o=myorganization,c=fr" write
  by * none

And I would then load these modifications like this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f mychanges.ldif

This works because of the following olcAccess lines already present in the configuration:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

This grants root, contacting slapd over the ldapi:/// socket, password-free access to the cn=config tree.

I would then load in my top-level entry:

dn: o=myorganization, c=fr
objectclass: organization
o: myorganization

By running:

ldapadd -Y EXTERNAL -H ldapi:/// -f myobject.ldif

This works because I've added a similar ACL to this database. Note that I didn't need to start with c=fr here, because the database is defined to hold o=myorganization,c=fr

The short answer

Use ldapmodify exactly like you would on a regular ldap entry with multi-valued attributes.

That's pretty much what I expected, but I wasn't 100% sure, due to the {N} indexing that you see when you run an ldap search for the schema.

The long answer

First, find your schema's dn. Something like cn={4}test,cn=schema,cn=config Then write an ldif file and apply it to your directory. On Ubuntu 12.04 I applied it as root with:

ldapmodify -Q -Y EXTERNAL -H ldapi://  -f test.ldif

The part I had issues with was the ldif modify syntax, and what to do with the {N} indexes.

So, the start of your ldif file should be something like:

version: 1

dn: cn={N}test,cn=schema,cn=config
changetype: modify

To modify an objectClass:

delete: olcObjectClasses
olcObjectClasses: <old value>
-
add: olcObjectClasses
olcObjectClasses: <new value>

To modify an attribute:

delete: olcAttributeTypes
olcAttributeTypes: <old value>
-
add: olcAttributeTypes
olcAttributeTypes: <new value>

Some tips I figured out about syntax:

Ignore the {N} indexes in your ldif file. They get fixed automatically.
You do need the {N} in your schema's DN.
Remember the '-' between statements.
Don't put a new line after the '-'. ldapmodify stops at that new line, so anything after it will not be executed.
Add new attributes before you modify the objectClass to include them.
Eliminate all tab characters. They cause the system to produce gibberish.

Ldap – Why can’t I create the first object in the Open-LDAP server

The solution seems to add the olcAccess property to dn: olcDatabase={2}hdb,cn=config. I thought I didn't need it, but I do. This makes it possible to modify the database.

So I added the following code to dn: olcDatabase={2}hdb,cn=config:

-
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by * none

And it now works (at least, I could create dc=ashley-vps,dc=mildred,dc=fr)

Note: don't forget to put two space for lines continuations, or else you'll get the following error: ldap_modify: Other (e.g., implementation specific) error (80), <olcAccess> handler exited with 1

edit: see slapd.access(5) man page and grant manage access to root (the highest permissions)

Best Answer

Related Solutions

LDAP Attribute – How to Add a New Attribute to an Existing LDAP Objectclass

The short answer

The long answer

Ldap – Why can’t I create the first object in the Open-LDAP server

Related Topic