LDAP Modify: Fixing Insufficient Access (50) When Changing Password


I'm trying to modify the LDAP admin password on a fresh OpenLDAP install on CentOS 6.7 (similar to RHEL 6.7).

I created a file called change_ldap_password.ldif:

# Hash your password:
# slappasswd -h {SSHA} -s "my_password"

# I also tried {1}hdb instead of {0}config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YP8q2haCD1POSzQC3GAuBdrfaHh+/Y49

When I run the following command as root, I get an access error:

# ldapmodify -x  -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Insufficient access (50)

Here's the output of ldapwhoami:

# ldapwhoami -x  -W -D "cn=admin,dc=my_domain,dc=com"
Enter LDAP Password:

Here's the result of grepping for olcRoot in cn=config:

# grep -R olcRoot /etc/openldap/slapd.d/cn=config
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootDN: cn=admin,dc=my_domain,dc=com
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootPW:: ...

Here's the debug info for ldapmodify:

# ldapmodify -x  -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif -d1
Enter LDAP Password:
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_close_socket: 4
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=my_server.my_domain.com] is valid
TLS certificate verification: subject: CN=my_server.my_domain.com, issuer: CN=my_server.my_domain.com, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 50 bytes to sd 4
ldap_result ld 0x184a340 msgid 1
wait4msg ld 0x184a340 msgid 1 (infinite timeout)
wait4msg continue ld 0x184a340 msgid 1 all 1
** ld 0x184a340 Connections:
* host: (null)  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Oct 30 14:04:24 2015

** ld 0x184a340 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x184a340 request count 1 (abandoned 0)
** ld 0x184a340 Response Queue:
  ld 0x184a340 response count 0
ldap_chkResponseList ld 0x184a340 msgid 1 all 1
ldap_chkResponseList returns ld 0x184a340 NULL
read1msg: ld 0x184a340 msgid 1 all 1
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x184a340 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x184a340 0 new referrals
read1msg:  mark request completed, ld 0x184a340 msgid 1
request done: ld 0x184a340 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
modifying entry "olcDatabase={0}config,cn=config"
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 102 bytes to sd 4
ldap_result ld 0x184a340 msgid 2
wait4msg ld 0x184a340 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x184a340 msgid 2 all 1
** ld 0x184a340 Connections:
* host: (null)  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Oct 30 14:04:24 2015

** ld 0x184a340 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x184a340 request count 1 (abandoned 0)
** ld 0x184a340 Response Queue:
  ld 0x184a340 response count 0
ldap_chkResponseList ld 0x184a340 msgid 2 all 1
ldap_chkResponseList returns ld 0x184a340 NULL
read1msg: ld 0x184a340 msgid 2 all 1
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x184a340 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x184a340 0 new referrals
read1msg:  mark request completed, ld 0x184a340 msgid 2
request done: ld 0x184a340 msgid 2
res_errno: 50, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_modify: Insufficient access (50)

ldap_free_connection 1 1
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed

If I enter a wrong password, the error changes from Insufficient Access to Invalid Credentials:

ldap_bind: Invalid credentials (49)

I saw this ServerFault question, but that one was about a user with limited privileges rather than admin or root.

How do I get past the ldap_modify: Insufficient access (50) error?

Why does root identifying as LDAP admin not have access to change the password?

I'm ok reinstalling slapd if that's the recommended solution. I'd like to resolve this error before moving further.

Edit: Going to cn=config on ldapi:/// gives the following error:

# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_new_socket: 3
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_close_socket: 3
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I think I have ldapi:// defined in /etc/openldap/ldap.conf, but I'm not sure about ldapi:///

# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my_domain,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldap:// ldapi:// ldaps://

#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

Edit 2: I get the same ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) error after stopping the firewall (service iptables stop), so the firewall is not the issue.

Best Answer

In order to admin the 'cn=config' database you need the 'cn=config' admin, not the admin of the data DB. In debian such admin is root with SASL TLS External. Try

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'

Once you've confirmed the above works, you can change the password. First, hash the value:

slappasswd -h {SSHA} -s "my_password"

Then, paste the hashed value into an ldif file such as ./change_ldap_password.ldif:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW

Finally, apply the ldif file:

sudo ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./change_ldap_password.ldif

Changing passwords with ldapmodify is discouraged. If user exists (it is not this case), ldappasswd is way better.