We Keep Coding

How to delete one of these 2 entries in openldap

How to delete one of these 2 enteries. I want delete the first one.
I tryied it but always I have error
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcOverlay={2}auditlog |grep -v "#"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {2}auditlog
olcAuditlogFile: /var/log/ldapaudit.log
dn: olcOverlay={3}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /var/log/ldap.log
search: 2
result: 0 Success

Older versions of OpenLDAP (2.4 or older, I believe) do not support hot removal of overlays – they can only be added via LDAP, but removing them needs to be done offline (i.e. with the slapd service stopped).
The official method is to dump the cn=config database slapcat -n 0 into an LDIF file, edit it as needed, then delete the whole slapd.d directory and rebuild it from LDIF using slapadd -n 0.
The unofficial method is to rm just the corresponding files from within slapd.d/cn=config/.

OpenLDAP editing userPassword attribute ACL

I try to create user, which can read other users password. I try to edit ACL already present in openLDAP, so I wrote:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {1}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=playground,dc=test,dc=local" write
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
by * none
the only modification in above olcAccess ACL from my side is:
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
After I do that (via ldapmodify) I loose ability to browse ldap tree as usermanager, but I can login, exmaple:
ldapsearch -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: No such object (32)
ldapwhoami -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: dn:cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local
Question is: how to write this ACL to grant user usermanager rights to read other users password?

SOLVED:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=playground,dc=test,dc=local" write
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
by * none
if anyone wants to use that please write it manually instead of copy-paste as ldifs are terribly sensitive on whitespaces and line endings.

No such object (32) error while trying to modify olcDatabase={2}hdb.ldif

I have installed LDAP and I am able to start it.
While I am trying to modify the olcDatabase={2}hdb.ldif file I am getting "ldap_modify: No such object (32)" error.
Steps followed to modify
1) created a db.ldif file with below contains
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changeType: modify
add: olcRootPW
olcRootPW: {SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ
2) ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such object (32)
I am using centos7 and LDAP version openldap-clients-2.4.44-21.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openldap-servers-sql-2.4.44-21.el7_6.x86_64
openldap-servers-2.4.44-21.el7_6.x86_64
openldap-devel-2.4.44-21.el7_6.x86_64
collectd-openldap-5.8.1-1.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
Please help me fix this!!

There are two reasons for this result.
the entry actually doesn't exist,
it exists but you don't have permission to know that.
I suggest you try to search the cn=config database to see what it actually contains:
ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
If the result is No such object (32), then gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth doesn't have access to the config database on your system.
If the search does return output, check whether the entry olcDatabase={2}hdb,cn=config is actually listed.

I had the same problem and to fix it I restarted slapd.service:
systemctl stop slapd.service
systemctl start slapd.service

Error 50 (Insufficient Access Rights) when applying LDIF - OpenLDAP

I'm trying to apply a config through a LDIF file. I'm binding as admin on my LDAPs server and I'm getting the following Error Message:
LDAP: Error 50 - Insufficient Access Rights
I'm binding as admin and I'm able to perform any query or any changes like creating a new entry, modifying an existing one, etc.
I don't know what else to do since I'm already binding as admin. Besides, I even built a brand new LDAP server only to test this and I'm unable to apply any LDIF files as well.
I'm using the Apache Directory Studio LDIF Editor tool to push the LDIF file, which is the following:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by cn=replicator,ou=Users,dc=example,dc=com write
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
Could someone please help me with this issue? I've read a lot of articles with no success so far.

It's as expected in my comment above: If you connect as cn=admin,dc=yourdomain,dc=tld to your LDAP server, you connect as admin of your specific LDAP database (which is just one database within your LDAP server).
So you have to create another connection to your LDAP server with user cn=config and your LDAP admin password:
In case you don't know or forgot your LDAP password, take a look on how to view or modify it.
Alternatively, import LDIFs from the command line:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -W -f file.ldif

openldap, I can't add user, invalid DN

I start my test openldap server on RedHat enterprise linux 6.5. I configured it properly I think. I add my base.ldif file which looks like that:
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootObject
dn: ou=People,dc=exapmle,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
Using command:
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
I got an output:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=exapmle,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
But i tried second time and I receive:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
ldap_add: Already exists (68)
So it looks okay for me, next I tried to add an user:
dn: uid=ldapuser100,ou=People,dc=example,dc=com
uid: ldapuser100
cn: ldapuser100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$E/tH1oRF$9.Km8Xs/wDIFgWgTT.domcw0PJGUZqK7mqdFPaNru2il5LMgsxaowq5bvjulQLR8CqSq.Pw.brZU77fzviQPG.
shadowLastChange: 16460
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1400
gidNumber: 1400
homeDirectory: /exports/ldapuser100
Using command:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapuser100.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser100,ou=People,dc=example,dc=com"
ldap_add: No such object (32)
matched DN: dc=example,dc=com
And I receive that DN didn't exists. I think there is problem with that base file, do you have any idea what I can do to fix it?
My conf files(I think that the conf files are ok):
/etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://localhost
TLS_REQCERT never
/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs/ldap.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}MdddSPNLtlsVia4T534qLL6LWLRy2lBB
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

It looks like you have a typo in the dn of your LDIF
dn: ou=People,**dc=exapmle**,dc=com
If you change exapmle to example and re-run the LDIF with continue on error you should get the example entry and then you will be able to add your user afterwards.