I want to add a schema to an OpenLDAP database that I've inherited.
ldapadd -vY EXTERNAL -H ldapi:/// -f schema.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
...
adding new entry "cn=openssh-lpk,cn=schema,cn=config"
ldap_add: Insufficient access (50)
A discussion on the mailing list regarding the same external SASL authentication issue leads me to believe that I need to "map a SASL EXTERNAL identity to the cn=config rootdn." How would I accomplish this?
While trying to figure this out, I created a similar VM and installed slapd from the Ubuntu repos. External SASL requests like the one above work right out of the box. I attempted to compare the cn=config settings between the two systems but failed to identify any obvious clues to perform this task. The production database was originally running on Gentoo. I migrated it to Ubuntu and have been happily editing the accounts and using it. However, I've been unable to amend the configuration database since converting to the cn=config format during the migration.
Best Answer
Make sure that there is one olcAccess attribute of the {0}config database (/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif) that looks like this:
In the default config on Ubuntu, this is the only olcAccess entry for the config database. If you have more entries, make sure that the one I mentioned is the first (i.e. {0}) and the others follow ({1}, {2}, etc.). Otherwise one of the others could match, assign too low permissions and stop traversing the list.
If there's some other user/DN in that list with sufficient (write, manage) permissions, you should preferably try to amend olcAccess with an LDIF file using ldapmodify with that user/DN. Failing that, you can do:
But you should fix the CRC32 in that file afterwards.
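As an added illustration of both routes the answer describes (not code from the answerer or from OpenLDAP), the script below works on a constructed copy of olcDatabase={0}config.ldif in which the peercred identity has no rule. It checks whether the {0} rule grants the SASL EXTERNAL DN from the question (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) manage rights, emits the ldapmodify LDIF that inserts the rule at {0} (the value Ubuntu ships by default), and, for the hand-edit fallback, renumbers the remaining rules and rewrites the "# CRC32" header. The checksum routine assumes the header is zlib's CRC-32 over everything after the two comment lines, written as eight lowercase hex digits; verify that against your own slapd version before relying on it. The sample file contents, cn=admin DN and example.com suffix are constructed.

```python
import re
import zlib

# The SASL identity from the question's ldapadd output: root over the ldapi:// socket.
PEERCRED_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# The rule Ubuntu ships as the only olcAccess value of olcDatabase={0}config.
WANTED_RULE = f"to * by dn.exact={PEERCRED_DN} manage by * break"

# Constructed sample of /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
# (not a real file): the migrated database grants only cn=admin read access,
# so the peercred identity falls through to "Insufficient access (50)".
SAMPLE_CONFIG_LDIF = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=cn=admin,dc=example,dc=com read by * break
olcAccess: {1}to * by * none
olcRootDN: cn=admin,cn=config
"""

OLC_ACCESS_RE = re.compile(r"olcAccess:\s*\{(\d+)\}\s*(.*)")


def parse_olc_access(ldif_text):
    """Return (index, rule) pairs sorted the way slapd evaluates them: {0} first."""
    rules = []
    for line in ldif_text.split("\n"):
        m = OLC_ACCESS_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return sorted(rules)


def peercred_manage_is_first(ldif_text):
    """True when the very first rule ({0}) gives the peercred DN 'manage' rights.
    A lower-numbered rule that matches first and grants less stops evaluation."""
    rules = parse_olc_access(ldif_text)
    if not rules:
        return False
    index, rule = rules[0]
    return index == 0 and f"dn.exact={PEERCRED_DN}" in rule and " manage " in rule


def build_fix_ldif():
    """Preferred route: an LDIF for ldapmodify, run as a DN that already has
    write/manage on cn=config. Adding the value with an explicit {0} prefix
    inserts it at the front; slapd renumbers the existing rules itself."""
    return (
        "dn: olcDatabase={0}config,cn=config\n"
        "changetype: modify\n"
        "add: olcAccess\n"
        f"olcAccess: {{0}}{WANTED_RULE}\n"
    )


def _body_crc(lines):
    # Assumption: the checksum is zlib's CRC-32 over everything after the two
    # header lines, written as eight lowercase hex digits.
    body = "\n".join(lines[2:])
    return f"{zlib.crc32(body.encode('utf-8')) & 0xFFFFFFFF:08x}"


def crc_header_matches(ldif_text):
    """True when the '# CRC32 xxxxxxxx' header agrees with the file body."""
    lines = ldif_text.split("\n")
    if len(lines) < 2 or not lines[1].startswith("# CRC32 "):
        return False
    return lines[1] == f"# CRC32 {_body_crc(lines)}"


def recompute_crc_header(ldif_text):
    """Rewrite the CRC header after a hand edit so slapd does not reject the file."""
    lines = ldif_text.split("\n")
    if len(lines) < 2 or not lines[1].startswith("# CRC32 "):
        raise ValueError("no '# CRC32' header line on line 2")
    lines[1] = f"# CRC32 {_body_crc(lines)}"
    return "\n".join(lines)


def insert_peercred_rule_in_file(ldif_text):
    """Fallback route (slapd stopped, file edited directly): put the peercred
    rule at {0}, shift every existing rule up by one, then fix the checksum."""
    out, inserted = [], False
    for line in ldif_text.split("\n"):
        m = OLC_ACCESS_RE.match(line)
        if m:
            if not inserted:
                out.append(f"olcAccess: {{0}}{WANTED_RULE}")
                inserted = True
            out.append(f"olcAccess: {{{int(m.group(1)) + 1}}}{m.group(2)}")
        else:
            out.append(line)
    if not inserted:
        raise ValueError("no olcAccess values found to anchor the new rule")
    return recompute_crc_header("\n".join(out))


if __name__ == "__main__":
    print("peercred rule first in sample:", peercred_manage_is_first(SAMPLE_CONFIG_LDIF))
    print(build_fix_ldif())
    print(insert_peercred_rule_in_file(SAMPLE_CONFIG_LDIF))
```

The ldapmodify route keeps slapd's own ordering and checksum handling, which is why the answer prefers it; the file-edit route is only for the case where no DN in the current list can write to cn=config, and the CRC rewrite is what prevents slapd from refusing the edited file on its next start.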