I'm having issues setting up an admin group for an openLDAP.
I have just moved to olcconfig and have set up the following ldif:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.subtree="dc=mysite,dc=com"
  by group/groupOfNames/member="cn=admin,ou=group,dc=mysite,dc=com" manage
I try to add this via sudo ldapadd -D "cn=diradmin,dc=mysite,dc=com" -f admin.ldif -W -x
where diradmin is the root dn. When I do this, I get:
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Insufficient access (50)
I've read a few different tutorials but cannot see why this is occurring. Could anyone assist with likely causes (and even point out a good tutorial!).
Thanks.
Edit:
I have now tried: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f admin.ldif
The following was my error:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Insufficient access (50)
Best Answer
In order to update the olcAccess attributes for your dc=mysite,dc=com database you actually need permissions on the cn=config database. The root DN you're trying to use will only work for updating objects in the dc=mysite,dc=com database; it doesn't/shouldn't have permission on the cn=config database.

I don't know how you generated your configuration, but it looks like you need to add at least something like

olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

on the olcDatabase={0}config,cn=config object. That would then allow you to use the EXTERNAL auth mentioned in the other answer to apply your original LDIF change.

If you don't have any ACLs configured that allow you to update the cn=config database then you can try the accepted answer in this question to edit the database files that are usually under /etc/ldap/slapd.d or /etc/openldap/slapd.d.
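The two-step procedure from the answer above, as an added worked example that is not part of the original question or answer. It assumes the same names as the question (suffix dc=mysite,dc=com, admin group cn=admin,ou=group,dc=mysite,dc=com, the local-root SASL DN shown in the question's EXTERNAL output) and that slapd listens on ldapi:///. It also goes a little beyond the answer: the group ACL uses the correct `group/groupOfNames/member` selector, is placed at index {0} and ends with `by * break`, because a `to dn.subtree="dc=mysite,dc=com"` clause with only one `by` line would otherwise either never be reached (if a broader `to *` rule sits before it) or lock every non-member out of the whole suffix (if it sits first, since an unmatched `by` list ends in an implicit `by * none`). The `CONFDIR` path and the offline fallback function are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names:
#   suffix dc=mysite,dc=com, admin group cn=admin,ou=group,dc=mysite,dc=com,
#   slapd reachable over ldapi:///, config dir /etc/ldap/slapd.d
#   (/etc/openldap/slapd.d on RHEL-style systems; override with CONFDIR).
set -eu

SUFFIX="dc=mysite,dc=com"
ADMIN_GROUP="cn=admin,ou=group,dc=mysite,dc=com"
ROOT_SASL_DN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
CONFDIR="${CONFDIR:-/etc/ldap/slapd.d}"

# Step 1: let the local root user (SASL EXTERNAL over ldapi) manage
# cn=config itself. Until this exists, nobody can change olcAccess online.
config_acl_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="$ROOT_SASL_DN" manage by * none
EOF
}

# Step 2: the ACL the question wanted. Notes:
#  - the selector is group/groupOfNames/member, not "group(s)/...";
#  - the continuation lines start with a space, as LDIF requires;
#  - {0} puts it before any "to *" rule that would otherwise shadow it;
#  - "by * break" hands non-members on to the following rules instead of
#    the implicit "by * none" that would lock everyone else out.
admin_group_acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="$SUFFIX"
  by group/groupOfNames/member="$ADMIN_GROUP" manage
  by * break
EOF
}

# Apply an LDIF read from stdin as the local root user.
apply_ldif() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Fallback when even step 1 is refused (no ACL grants write on cn=config):
# stop slapd, append the attribute to the config database's own file, start
# slapd again. slapd will warn that the file's CRC no longer matches but
# still loads it. Assumed layout of slapd.d; stop slapd before calling.
config_acl_offline() {
    f="$CONFDIR/cn=config/olcDatabase={0}config.ldif"
    printf 'olcAccess: {0}to * by dn.base="%s" manage by * none\n' \
        "$ROOT_SASL_DN" >> "$f"
}

# Check: list every database's ACLs as slapd now sees them.
show_config_acls() {
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config \
        '(olcDatabase=*)' olcAccess
}

# Check: evaluate the ACLs offline for one member of the admin group
# ($1 = that user's DN). Prints "write access to entry: ALLOWED" on success.
# Needs read access to the database files, so run as root or the slapd user.
check_group_admin() {
    slapacl -F "$CONFDIR" -D "$1" -b "ou=people,$SUFFIX" entry/write
}

case "${1:-}" in
    step1) config_acl_ldif | apply_ldif ;;
    step2) admin_group_acl_ldif | apply_ldif ;;
    offline) config_acl_offline ;;
    show)  show_config_acls ;;
    check) check_group_admin "$2" ;;
    *) : ;;   # no argument: only define the functions
esac
```

Run `sh acl.sh step1` (or, if that is refused, stop slapd and run `sh acl.sh offline`), then `sh acl.sh step2`, and confirm with `sh acl.sh show` and `sh acl.sh check "uid=someone,ou=people,dc=mysite,dc=com"`. The `step2` index {0} assumes you want the group rule evaluated first; if your existing olcAccess list starts with `to attrs=userPassword` rules that must stay first, bump the index and keep the `by * break`.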