OpenLDAP editing userPassword attribute ACL - ldap

I am trying to create a user which can read other users' passwords. I am trying to edit an ACL already present in OpenLDAP, so I wrote:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=playground,dc=test,dc=local" write
  by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
  by * none
The only modification I made to the olcAccess ACL above is:
  by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
After I do that (via ldapmodify) I lose the ability to browse the LDAP tree as usermanager, but I can still log in, for example:
ldapsearch -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: No such object (32)
ldapwhoami -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: dn:cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local
The question is: how do I write this ACL to grant the user usermanager the right to read other users' passwords?

SOLVED:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=playground,dc=test,dc=local" write
  by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
  by * none
If anyone wants to use that, please type it manually instead of copy-pasting, as LDIFs are terribly sensitive to whitespace and line endings.
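The symptom in this thread comes from how slapd walks its access list: the first `to` clause whose target matches the entry or attribute being checked is the only one consulted, within it the first matching `by` clause decides, and every clause (and the list itself) ends in an implicit `by * none`. `replace: olcAccess` throws away all other clauses, so after it the only rule left is about userPassword, and nothing grants usermanager (or anyone) access to the entries themselves, which is why ldapsearch reports No such object. The small simulator below is an added example written for this page, not OpenLDAP code; it models only the subset of slapd.access(5) syntax the question uses. The admin and usermanager DNs are the ones from the question; the entries alice and bob and the two trailing read rules ({1} and {2}, modelled on common distribution defaults) are constructed assumptions. It also shows why adding a second `to attrs=userPassword` clause in front of the existing one, instead of editing the existing clause, is worse: the new clause shadows the old one and silently drops `by anonymous auth` and `by self write`.

```python
"""Simulate slapd's olcAccess evaluation (added example, not OpenLDAP code).

Models the subset of slapd.access(5) used in the question: the first "to"
clause whose target matches is the only one consulted, the first matching
"by" clause decides, every clause ends in an implicit "by * none" and the
list ends in an implicit "to * by * none".
"""
import re
import shlex

# Access levels, weakest to strongest; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def norm(dn):
    """Lower-case a DN and strip spaces around RDN separators; None means anonymous."""
    return ",".join(p.strip() for p in (dn or "").lower().split(","))

def parse_acl(text):
    """'{n}to <what> by <who> <level> ...' -> (target, [(who, level), ...])."""
    tokens = shlex.split(text)  # drops the quotes around dn="..." values
    if len(tokens) < 2 or re.sub(r"^\{\d+\}", "", tokens[0]) != "to":
        raise ValueError("expected [{n}]to <what> by <who> <level> ...")
    target, rest = tokens[1], tokens[2:]
    if len(rest) % 3:
        raise ValueError("each 'by' needs a subject and an access level")
    bys = []
    for i in range(0, len(rest), 3):
        if rest[i] != "by" or rest[i + 2] not in LEVELS:
            raise ValueError(f"bad by-clause near {rest[i:i + 3]}")
        bys.append((rest[i + 1], rest[i + 2]))
    return target, bys

def target_matches(target, entry_dn, attr):
    """attr=None means the entry itself, which a search needs before it can list it."""
    if target == "*":
        return True
    kind, _, value = target.partition("=")
    if kind == "attrs":
        return attr is not None and attr.lower() in [a.strip().lower() for a in value.split(",")]
    if kind == "dn.base":
        return norm(entry_dn) == norm(value)
    raise ValueError(f"unsupported target {target!r}")

def who_matches(who, bind_dn, entry_dn):
    """Subjects used on this page: *, anonymous, self and dn="..."."""
    bound = norm(bind_dn)
    if who == "*":
        return True
    if who == "anonymous":
        return bound == ""
    if who == "self":
        return bound != "" and bound == norm(entry_dn)
    kind, _, value = who.partition("=")
    if kind in ("dn", "dn.exact"):
        return bound == norm(value)
    raise ValueError(f"unsupported subject {who!r}")

def granted(acls, bind_dn, entry_dn, attr, want):
    """True if bind_dn (None = anonymous) gets at least `want` on attr of entry_dn."""
    for target, bys in acls:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(want)
        return False  # implicit "by * none" closes the clause that matched
    return False  # implicit "to * by * none" closes the list

ADMIN = "cn=admin,dc=playground,dc=test,dc=local"
MANAGER = "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local"
ALICE = "uid=alice,ou=cloud,o=customer1,dc=playground,dc=test,dc=local"  # constructed
BOB = "uid=bob,ou=cloud,o=customer1,dc=playground,dc=test,dc=local"      # constructed

# The clause from the question, including the added usermanager line.
PASSWORD_RULE = (f'{{0}}to attrs=userPassword by self write by anonymous auth '
                 f'by dn="{ADMIN}" write by dn="{MANAGER}" read by * none')
# Assumed remainder of the database ACL, modelled on common distro defaults.
OTHER_RULES = ['{1}to dn.base="" by * read', '{2}to * by * read']

def after_replace():
    """replace: olcAccess discards every existing value; only the new clause survives."""
    return [parse_acl(PASSWORD_RULE)]

def after_add():
    """add: olcAccess keeps the other clauses and inserts the new one at its {n} index."""
    return [parse_acl(r) for r in [PASSWORD_RULE] + OTHER_RULES]

def extra_clause_in_front():
    """Tempting but wrong: a second userPassword clause at {0} naming only usermanager."""
    front = f'{{0}}to attrs=userPassword by dn="{MANAGER}" read'
    return [parse_acl(r) for r in [front, PASSWORD_RULE] + OTHER_RULES]

def report(acls, bind_dn):
    """What a bind DN can do with alice's entry under a given clause list."""
    return {
        "see entry": granted(acls, bind_dn, ALICE, None, "search"),
        "read cn": granted(acls, bind_dn, ALICE, "cn", "read"),
        "read userPassword": granted(acls, bind_dn, ALICE, "userPassword", "read"),
    }
```

`report(after_replace(), MANAGER)` reproduces the question: userPassword is readable but the entry itself is not, so a search finds nothing. `report(after_add(), MANAGER)` grants all three. With `extra_clause_in_front()`, `granted(acls, None, ALICE, "userPassword", "auth")` becomes False, meaning nobody could bind with a password any more; that is the check to run before inserting any new clause ahead of an existing one.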

Related

No such object (32) error while trying to modify olcDatabase={2}hdb.ldif

I have installed LDAP and I am able to start it.
While trying to modify the olcDatabase={2}hdb.ldif file I get the error "ldap_modify: No such object (32)".
Steps followed to modify:
1) Created a db.ldif file with the contents below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ec2,dc=internal

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=ec2,dc=internal

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ
2) ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such object (32)
I am using CentOS 7 with these OpenLDAP packages:
openldap-clients-2.4.44-21.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openldap-servers-sql-2.4.44-21.el7_6.x86_64
openldap-servers-2.4.44-21.el7_6.x86_64
openldap-devel-2.4.44-21.el7_6.x86_64
collectd-openldap-5.8.1-1.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
Please help me fix this!!
There are two possible reasons for this result:
1) the entry actually doesn't exist,
2) it exists but you don't have permission to know that.
I suggest you try to search the cn=config database to see what it actually contains:
ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
If the result is No such object (32), then gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth doesn't have access to the config database on your system.
If the search does return output, check whether the entry olcDatabase={2}hdb,cn=config is actually listed.
I had the same problem and to fix it I restarted slapd.service:
systemctl stop slapd.service
systemctl start slapd.service

LDAP - ldapwhoami returns "ldap_bind: Invalid credentials (49)"

I am new to working with LDAP, and my ultimate goal is to offer LDAP single sign-on in a web app. In order to achieve this, I'm trying to run ldapwhoami, but I'm running into issues. I am able to run other commands, like ldapsearch and ldapadd.
I'm running OpenLdap on Mac OS High Sierra.
My relevant slapd.conf looks like this:
access to *
    by self write
    by * read
    by anonymous auth
database ldif
suffix "dc=test,dc=com"
directory openldap-data
rootdn "cn=admin,dc=test,dc=com"
## rootpw = secret
rootpw {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
I then added a user with ldapadd -x -w secret -f shanson.ldif, where shanson.ldif looks like:
dn: cn=shanson,dc=test,dc=com
objectClass: inetOrgPerson
sn: Hanson
uid: shanson
cn: shanson
userPassword: secret
I am successfully able to search for and find this new user with ldapsearch -x "(cn=shanson)".
Now, I am trying to verify the user's credentials using ldapwhoami, and I keep getting an error:
> ldapwhoami -x -D cn=shanson,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
The same operation with my root admin user succeeds:
> ldapwhoami -x -D cn=admin,dc=test,dc=com -w secret
dn:cn=admin,dc=test,dc=com
I'm sure I'm just making a simple mistake or not understanding what I'm doing, but I don't really know where else to look right now for answers. Thanks!
It seems to have had something to do with the plain text password I set up. I installed Jxplorer and manually updated my user's password and hashed it with MD5, and now the ldapwhoami command works. If I set the password as plain text in JXplorer, ldapwhoami still does not work. Beyond that, I'm not entirely sure what I was doing wrong.
For me, my dn was wrong.
I did an ldapsearch with admin credentials to get the dn: uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
Then I did an ldapwhoami -x -D "uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx" -w secret and it worked fine.

Error 50 (Insufficient Access Rights) when applying LDIF - OpenLDAP

I'm trying to apply a config through an LDIF file. I'm binding as admin on my LDAPS server and I'm getting the following error message:
LDAP: Error 50 - Insufficient Access Rights
I'm binding as admin and I'm able to perform any query or any changes like creating a new entry, modifying an existing one, etc.
I don't know what else to do since I'm already binding as admin. Besides, I even built a brand new LDAP server only to test this and I'm unable to apply any LDIF files as well.
I'm using the Apache Directory Studio LDIF Editor tool to push the LDIF file, which is the following:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=replicator,ou=Users,dc=example,dc=com" write
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
Could someone please help me with this issue? I've read a lot of articles with no success so far.
It's as expected in my comment above: If you connect as cn=admin,dc=yourdomain,dc=tld to your LDAP server, you connect as admin of your specific LDAP database (which is just one database within your LDAP server).
So you have to create another connection to your LDAP server with user cn=config and your LDAP admin password:
In case you don't know or forgot your LDAP password, take a look at how to view or modify it.
Alternatively, import LDIFs from the command line:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f file.ldif

Binding and search to OpenLDAP returns "no such object" when trying to ldapsearch attributes

I have recently updated my Debian to jessie. After the upgrade, including slapd, I can bind to the LDAP server but cannot read or change attributes. For example
ldapsearch -LLL -W -x -h edhu -D "uid=mrx,ou=People,dc=example,dc=local" -b "ou=People,dc=example,dc=local" shadowLastChange
returns No such object (32)
The password is fine and the bind works, but I cannot read any object attributes. Here are my ACLs:
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=local" write by * none
olcAccess: {2}to dn.one=ou=People,dc=example,dc=local by self write
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to dn.subtree=dc=example,dc=local by dn="cn=reader,dc=example,dc=local" read
OpenLDAP 2.4.40
Any ideas?
Thank you!
Well, it seemed to be a problem with a second LDAP database where a checksum error appeared. After correcting that checksum error all is fine again :-)

389-ds ldap - remove user from group

We have a 389-ds directory with many users in a particular group. Does anyone know how I can delete a user from a group called 'clients' using the ldapmodify or ldapdelete command line tools?
Thank You
Using ldapmodify:
ldapmodify -h ldapserver -D "cn=admin" -w password -f modGroup.ldif
where modGroup.ldif is:
dn: cn=clients, o=Your Company
changetype: modify
delete: member
member: cn=user1896576, o=Your Company
-jim