Ubuntu – Insufficient access to edit OpenLDAP cn=config with external SASL authentication

openldap, Ubuntu

I want to add a schema to an OpenLDAP database that I've inherited.

ldapadd -vY EXTERNAL -H ldapi:/// -f schema.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
...
adding new entry "cn=openssh-lpk,cn=schema,cn=config"
ldap_add: Insufficient access (50)

A discussion on the mailing list regarding the same external SASL authentication issue leads me to believe that I need to "map a SASL EXTERNAL identity to the cn=config rootdn." How would I accomplish this?

While trying to figure this out, I created a similar VM and installed slapd from the Ubuntu repos. External SASL requests like the one above work right out of the box. I attempted to compare the cn=config settings between the two systems but failed to identify any obvious clues to perform this task. The production database was originally running on Gentoo. I migrated it to Ubuntu and have been happily editing the accounts and using it. However, I've been unable to amend the configuration database since converting it to the cn=config format during the migration.

Best Answer

Make sure that there is one olcAccess attribute of the {0}config database (/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif) that looks like this:

olcAccess: {0}to * 
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
 by * break

In the default config on Ubuntu, this is the only olcAccess entry for the config database. If you have more entries, make sure that the one I mentioned is the first (i.e. {0}) and the others follow ({1}, {2}, etc.). Otherwise one of the others could match, assign too low permissions and stop traversing the list.

If there's some other user/DN in that list with sufficient (write, manage) permissions, you should preferably try to amend olcAccess with an LDIF file using ldapmodify with that user/DN.

Failing that, you can do:

sudo service slapd stop
sudo sensible-editor /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
sudo service slapd start

But you should fix the CRC32 in that file afterwards.
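The checks the answer describes, as an added example that is not code from the original post or from the OpenLDAP project: it parses a slapd.d-style LDIF for the {0}config database, reports whether the SASL/EXTERNAL peercred identity reaches `manage` in rule {0} before an earlier rule can match and stop evaluation, builds the ldapmodify LDIF that inserts that rule at {0}, and recomputes the `# CRC32` header after a hand edit. The sample LDIF is constructed for the example; the CRC handling assumes that slapd computes a standard CRC-32 over every byte after the CRC header line and stores it as eight lower-case hex digits, which is how I understand back-ldif to behave but is not stated on the page.

```python
"""Sanity checks for the cn=config ACL discussed in the answer above.

Added example, not from the original post or from OpenLDAP itself.
"""
import re
import zlib

PEERCRED_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
CONFIG_DN = "olcDatabase={0}config,cn=config"

# Constructed rules. The peercred rule is folded with an RFC 2849
# continuation line (newline + single space), as slapd writes long values.
PEERCRED_RULE = ("to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=exter\n"
                 " nal,cn=auth manage by * break")
# Matches every subject with 'read' and has no 'break': anything after it
# is never evaluated, which is the failure mode the answer warns about.
ADMIN_RULE = "to * by dn.exact=cn=admin,dc=example,dc=com write by * read"


def sample_ldif(rules):
    """Constructed slapd.d-style file for the {0}config database."""
    body = "".join(f"olcAccess: {{{i}}}{r}\n" for i, r in enumerate(rules))
    return ("# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
            "# CRC32 00000000\n"
            "dn: olcDatabase={0}config\n"
            "objectClass: olcDatabaseConfig\n"
            "olcDatabase: {0}config\n" + body + "olcRootDN: cn=config\n")


BROKEN_CONFIG_LDIF = sample_ldif([ADMIN_RULE, PEERCRED_RULE])   # peercred at {1}
FIXED_CONFIG_LDIF = sample_ldif([PEERCRED_RULE, ADMIN_RULE])    # peercred at {0}


def unfold_ldif(text):
    """Join continuation lines (leading single space) and drop '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def olcaccess_rules(text):
    """Return the olcAccess values ordered by their {n} index."""
    rules = []
    for line in unfold_ldif(text):
        if line.lower().startswith("olcaccess:"):
            value = line.split(":", 1)[1].strip()
            m = re.match(r"\{(\d+)\}(.*)", value)
            rules.append((int(m.group(1)), m.group(2)) if m else (len(rules), value))
    return [body for _, body in sorted(rules)]


def peercred_has_manage(rule):
    """True if this rule grants 'manage' to the peercred identity."""
    pat = r"by\s+dn\.exact=\"?" + re.escape(PEERCRED_DN) + r"\"?\s+manage\b"
    return re.search(pat, rule) is not None


def check_config_access(text):
    """Return (ok, reason): can 'ldapmodify -Y EXTERNAL -H ldapi:///' manage cn=config?"""
    rules = olcaccess_rules(text)
    if not rules:
        return False, "no olcAccess rules found for the config database"
    if peercred_has_manage(rules[0]):
        return True, "peercred identity has manage in rule {0}"
    for i, rule in enumerate(rules[1:], start=1):
        if peercred_has_manage(rule):
            return False, (f"peercred manage rule is at {{{i}}}, not {{0}}; "
                           "an earlier rule may match first and stop")
    return False, "no olcAccess rule grants manage to the peercred identity"


def build_fix_ldif():
    """LDIF for ldapmodify that inserts the peercred rule at index {0}.

    Adding a value with an explicit {0} prefix to an X-ORDERED attribute makes
    slapd insert it first and renumber the existing rules. Apply it bound as a
    DN that already has write access to cn=config, as the answer suggests.
    """
    return (f"dn: {CONFIG_DN}\n"
            "changetype: modify\n"
            "add: olcAccess\n"
            f"olcAccess: {{0}}to * by dn.exact={PEERCRED_DN} manage by * break\n")


CRC_HEADER = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})\n", re.M)


def recompute_crc32(text):
    """Rewrite the '# CRC32 xxxxxxxx' header of a hand-edited slapd.d file.

    Assumption (not from the page): slapd computes a standard CRC-32 over every
    byte after the CRC header line and stores it as eight lower-case hex digits.
    """
    m = CRC_HEADER.search(text)
    if m is None:
        raise ValueError("no '# CRC32' header found")
    rest = text[m.end():]
    crc = zlib.crc32(rest.encode("utf-8")) & 0xFFFFFFFF
    return text[:m.start()] + f"# CRC32 {crc:08x}\n" + rest


def crc32_header_is_valid(text):
    """True if the stored header matches the CRC-32 of the text after it."""
    m = CRC_HEADER.search(text)
    if m is None:
        return False
    return int(m.group(1), 16) == (zlib.crc32(text[m.end():].encode("utf-8")) & 0xFFFFFFFF)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG_LDIF), ("fixed", FIXED_CONFIG_LDIF)):
        ok, why = check_config_access(text)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
    print(build_fix_ldif())
    print(recompute_crc32(FIXED_CONFIG_LDIF).splitlines()[1])
```

Run it against a copy of `/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif` to see which case you are in before deciding between ldapmodify and the stop/edit/start route; if you do edit by hand, write the file through `recompute_crc32` so slapd does not report a checksum error for it on the next start.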