OpenLDAP Not Importing LDIF to cn=config – Troubleshooting Guide

openldap

I'm having issues setting up an admin group for an openLDAP.

I have just moved to olcconfig and have set up the following ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.subtree="dc=mysite,dc=com"
 by group(s)/groupOfNames/member="cn=admin,ou=group,dc=mysite,dc=com" manage

I try to add this via sudo ldapadd -D "cn=diradmin,dc=mysite,dc=com" -f admin.ldif -W -x where diradmin is the root dn. When I do this, I get:

modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Insufficient access (50)

I've read a few different tutorials but cannot see why this is occuring. Could anyone assist in likely causes (and even point out a good tutorial!).

Thanks.

—— Edit —–

I have now tried: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f admin.ldif

The following was my error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Insufficient access (50)

Best Answer

In order to update the olcAccess attributes for your dc=mysite,dc=com you actually need permissions on the cn=config database.

The root DN you're trying to use will only work for updating objects in the dc=mysite,dc=com database, it doesn't/shouldn't have permission on the cn=config database.

I don't know how you generated your configuration, but it looks like you need to add at least something like olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none on the olcDatabase={0}config,cn=config object. That would then allow you to use the EXTERNAL auth mentioned in the other answer to apply your original LDIF change.

If you don't have any ACL's configured that allow you to update the cn=config database then you can try the accepted answer in this question to edit the database files that are usually under /etc/ldap/slapd.d or /etc/openldap/slapd.d.

Related Solutions

Ubuntu 10.04 (Lucid) OpenLDAP invalid credentials issue

This is also a tutorial issue with Ubuntu 10.10. If you refer to

Ubuntu OpenLDAP Guide

and let's say that for now you do everything in order except for setting up replication (the section immediately before that on adding extra schemas is unnecessary at this point also), when you arrive at the section entitled Setting Up ACL it doesn't matter what password you try, you'll get ldap_bind: Invalid credentials (49)...and not because there's a password problem. It's what gmuller said.

gmuller's solution above (it's a variant of a solution posted for Karmic Koala) works for me, in exactly the same situation, on Ubuntu 10.10. I had to make the same edits in fact from what is suggested for 9.10 in that second link.

This tutorial defect is not a showstopper for some things. One can ldapadd users and groups, and do certain searches.

Ubuntu – Working with OpenLDAP 2.4 LDIF config backend

There are two ways to edit the cn=config date: directly and indirectly. Indirect uses normal ldap tools, such as ldapmodify and ldapsearch, which provides the simplest and most logical approach. HOWEVER, many distros use SASL to restrict access to just the root user on the local box. Assuming, you have a preconfigured instance, you can easily change this:

Enabling external access to cn=config

sudo -i / su -
Create a new password:
```
slappasswd
```
Copy result, including "{SSHA}"

Prepare auth.ldif. Replace olcRootPW with your password hash from last command

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config 
-
replace: olcRootPW
olcRootPW: {SSHA}jCMTRlz/iT4cw3CZno5z2PtCkJQbKrqK

Import LDIF:

ldapmodify -Y EXTERNAL -H ldapi:/// -f auth.ldif

You may now connect externally (assuming you have network access), using any LDAP client. E.g.
```
ldapsearch -b cn=config -D cn=admin,cn=config -H ldap://myldapserver -W
```
Configure SSL ASAP!

Direct Mode

In direct mode, you can edit the cn=config database (and any other database), even if slapd is down. This is through the use of slapadd and slapcat tools. You must pass the database suffix. For example:

slapcat -b cn=config

IMHO, direct mode is best used when you know the exact LDIF you need to apply. I rarely do, so I tend to use normal LDAP tools to add, replace, and delete configuration on the fly.

Best Answer

Related Solutions

Ubuntu 10.04 (Lucid) OpenLDAP invalid credentials issue

Ubuntu – Working with OpenLDAP 2.4 LDIF config backend

Related Topic