Ldap_modify: Insufficient access (50) for cn=config as -H ldapi:/// -Y EXTERNAL

centos6openldap

I'm setting up a second LDAP server. I've converted a slapd.conf to a slapd.d database using slaptest. I'm trying to apply this LDIF:

# cat loglevel.ldif
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: any

This error comes up:

# ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

ldapwhoami output:

# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Config database in slapcat -n0:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW:: c2VjcmV0
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: a00805da-2405-1035-8da5-7568f1e7aea1
creatorsName: cn=config
createTimestamp: 20151120190701Z
entryCSN: 20151120190701.894877Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151120190701Z

How do I make the command work?

Do I need to do something to enable the -Y EXTERNAL mechanism?

Do I need to change the olcRootDN property for cn=config? I can try changing it with a text editor in the /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif file.

Best Answer

Your current rootdn is cn=admin,cn=config, and your current rootpw is "secret".

SASL/EXTERNAL is enabled and working. However, the configuration of your cn=config database does not give root (aka gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth any special permissions.

To convert your rootdn to be local root you should run the following or its equivalent.

ldapmodify -D cn=admin,cn=config -w secret -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
replace: olcrootdn
olcrootdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
delete: olcrootpw
-
EOF

Related Solutions

ldap_modify: Insufficient Access (50) – Troubleshooting OpenLDAP on Debian Squeeze

It is exactly what is says on the tin. Your DN cn=myuser,dc=mydomain,dc=com does not have enough permissions to modify the cn=config tree. And when you are trying "to specify the config database" you are using an entirely different DN, cn=myuser,cn=config, which apparently either doesn't exist or you are using a wrong password.

To do modifications like these you need to work with an account privileged enough to modify the various databases. The "admin" account, i.e. the one account that always has all privileges, is specified in the attribute olcRootDN and its password is found in olcRootPW. For the cn=config database those attributes are found in olcDatabase={0}config,cn=config and for the "regular" database, usually of type HDB, in olcDatabase={1}hdb,cn=config.

Which tutorial or documentation did you follow? It doesn't seem like you understand completely what you are doing here.

Ubuntu – Insufficient access to edit OpenLDAP cn=config with external SASL authentication

Make sure that there is one olcAccess attribute of the {0}config database (/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif) that looks like this:

olcAccess: {0}to * 
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
 by * break

In the default config on Ubuntu, this is the only olcAccess entry for the config database. If you have more entries, make sure that the one I mentioned is the first (i. e. {0}) and the others follow ({1}, {2} etc.). Otherwise one of the others could match, assign too low permissions and stop traversing the list.

If there's some other user/DN in that list with sufficient (write, manage) permissions, you should preferably try to amend olcAccess with an LDIF file using ldapmodify with that user/DN.

Failing that, you can do:

sudo service slapd stop
sudo sensible-editor /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
sudo service slapd start

But you should fix the CRC32 in that file afterwards.

Best Answer

Related Solutions

ldap_modify: Insufficient Access (50) – Troubleshooting OpenLDAP on Debian Squeeze

Ubuntu – Insufficient access to edit OpenLDAP cn=config with external SASL authentication

Related Topic