Ldap – Why can’t I create the first object in the Open-LDAP server


I'm trying to set up my first LDAP server that will be used to store user accounts (for things such as mail, git server and a few other things). I managed to install the server, but I'm stuck when I want to create my first object.

The server I want to set up is ashley-vps.mildred.fr (for now, this is a test server). Its dn is dc=ashley-vps, dc=mildred, dc=fr. The first thing I did was to import the cosine (is that a math function?) and nis schemas. Then, I modified the olcSuffix and olcRootDN of my configuration as follows:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ashley-vps, dc=mildred, dc=fr
-
replace: olcRootDN
olcRootDN: cn=Manager, dc=ashley-vps, dc=mildred, dc=fr

I used the answer at "no global superior knowledge" while adding a country as a template.

I don't think I need to set up any special access because I'm using -Y EXTERNAL -H ldapi:/// and when I look at my access settings, I seem to have the necessary permissions:

# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none

Now, I'd like to create my first object. Let's start by dn: dc=ashley-vps, dc=mildred, dc=fr:

dn: dc=ashley-vps, dc=mildred, dc=fr
changetype: add
objectclass: top
objectclass: organizationalUnit
objectclass: dcObject
# dcObject requires the naming attribute (dc) to be present in the entry
dc: ashley-vps
ou: ashley-vps.mildred.fr

I get rejected with:

ldap_add: Insufficient access (50)
    additional info: no write access to parent

I suppose this is because this is beyond the top of the hierarchy managed by the LDAP server, or is it? And if I try to directly create a person:

dn: cn=Toto, dc=ashley-vps, dc=mildred, dc=fr
changetype: add
objectclass: person
cn: Toto
sn: Surname

I also get rejected with:

ldap_add: No such object (32)

This time I suppose this is because the top object is missing.

Then, how to create the top object?
Why do I even need to create a top object? This seems like an unnecessary restriction. Similarly, when creating posixAccounts, it seems that we also need to create user and group organizationalUnits (as seen in this howto). Can I do without?

Best Answer

The solution seems to be to add the olcAccess property to dn: olcDatabase={2}hdb,cn=config. I thought I didn't need it, but I do. This makes it possible to modify the database.

So I added the following code to dn: olcDatabase={2}hdb,cn=config:

# complete ldapmodify record; in the original it was appended with "-"
# to the olcSuffix/olcRootDN modification of the same entry
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by * none

And it now works (at least, I could create dc=ashley-vps,dc=mildred,dc=fr)

Note: don't forget to put two spaces for line continuations, or else you'll get the following error: ldap_modify: Other (e.g., implementation specific) error (80), <olcAccess> handler exited with 1
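Why the second space matters, as an added example that is not part of the question or the answer: the Python below unfolds LDIF the way RFC 2849 specifies (a line beginning with one space continues the previous line, and only that first space is dropped) and then checks the shape of the resulting olcAccess value. The two LDIF samples are constructed here to mirror the answer's modify record; the access-rule check is a minimal shape check written for this example, not slapd's parser.

```python
"""Added example (not from the question or the answer): unfold RFC 2849 LDIF
and inspect the resulting olcAccess value, to show why a continuation line in
the olcAccess modification needs two leading spaces."""
from __future__ import annotations

import re

# Constructed sample: the folding the answer recommends (two leading spaces).
GOOD_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by * none
"""

# Constructed sample: the same record folded with a single leading space.
BAD_LDIF = GOOD_LDIF.replace("\n  by", "\n by")


def unfold_ldif(text: str) -> list[str]:
    """Join continuation lines. Only the first space of a continuation line
    is removed, so a second space survives as the separator in the value."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text: str) -> list[dict[str, list[str]]]:
    """Parse unfolded LDIF into records (attribute -> values). Blank lines
    separate records; '#' comments and the '-' mod-spec separator are
    skipped. Base64 ('::') and URL (':<') values are not handled here."""
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfold_ldif(text) + [""]:
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        current.setdefault(name.strip(), []).append(value.strip())
    return records


def olc_access_values(text: str) -> list[str]:
    """Return every unfolded olcAccess value found in the LDIF text."""
    return [v for rec in parse_records(text) for v in rec.get("olcAccess", [])]


# Minimal shape check for an access directive (example-only, not slapd's parser):
#   [{n}]to <what> by <who> <level> [by <who> <level> ...]
ACCESS_RE = re.compile(r"^(?:\{\d+\})?to\s+(\S+)((?:\s+by\s+\S+\s+\S+)+)$")


def parse_access(value: str) -> tuple[str, list[tuple[str, str]]]:
    """Split an access rule into (what, [(who, level), ...]) or raise
    ValueError when the rule does not have the expected shape."""
    m = ACCESS_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed access rule: {value!r}")
    return m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))


def is_valid_access(value: str) -> bool:
    """True when parse_access accepts the rule, False otherwise."""
    try:
        parse_access(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, text in (("two spaces", GOOD_LDIF), ("one space", BAD_LDIF)):
        value = olc_access_values(text)[0]
        print(f"{label}: {value}")
        print("  well-formed:", is_valid_access(value))
```

With two leading spaces the value unfolds to `{0}to * by dn.base="..." write by * none`; with one it becomes `{0}to *by dn.base="..." writeby * none`, where `*by` and `writeby` are not valid tokens, which is the kind of value slapd's olcAccess handler refuses.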

edit: see the slapd.access(5) man page and grant manage access to root (the highest permission level)