We Keep Coding

How to set up proper access directive in LDAP?

I'm new to LDAP and for a school project I have an access to part of my school LDAP. I can bind with users that are in a Organizational Unit.
When I bind, I am able to see my password and not any other passwords from other users (That's normal I guess for security reasons).
So I have exported the LDIF of this LDAP and imported it on my own LDAP server for leaning purposes.
ldapsearch commands works well and I retrieve all entries (excepted password and that's normal).
So now, I try to bind with any user, I've added password by Apache Directory Studio in each LDAP Users (inetorgPerson under the ou where I usually search).
However, I can't bind.
I guess that it is due to wrong access rights.
I know that I must use ldapmodify command and that I need to forge a directive like access to * by * read (with less rights than * but it could be great to begin with).
However, I cant find how to use this directive with ldapmodify.
I think that I must create an LDIF file to modify config but I don't understand which entry I should update.
Can anyone give me tips in order to modify the proper entry?
Thanks
Here id part of my config (Domain edited to domain.fr):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * write
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRoot
dn: cn=admin,dc=domain,dc=fr
olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
search: 2

• Since, you have imported the LDIF file in the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in imported LDIF file.
To do this, you would need to modify the domain admin credentials using the following commands. Below shown script is a sample on how to modify the domain admin credentials and then try to bind the user using those credentials.
Create a new LDIF file with the following contents: -
‘ dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
cn: XYZ
sn: XYZ
givenName: XYZ
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: XYZ
mail: XYZ#example.com
roomnumber: 5484
userpassword: Pass#123 ’
Then, add the entry using ‘ldapmodify’ with the ‘—defaultAdd’ option
‘ ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
--bindPassword password --defaultAdd --filename /tmp/new.ldif ‘
With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the ldif file name with the one you have and change the entries in the ldif file with the actual ones from the original directory. Please find this link below for your reference: -
https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html

OpenLDAP ACL not working - Error code 50 - No write access to parent

I built couple of OpenLDAP servers for an application service. Both the servers seem perfectly okay on the configuration side and I can manage these with Apache Directory Studio as RootDN cn=admin,dc=somedomain,dc=com. And the replication works between them too. These are built on RHEL8 by compiling OpenLDAP source code as OpenLDAP Server packages are not provided any more. The OpenLDAP version is 2.4.52.
I'm able to create OUs and also users through Directory Studio and used one of them in the app for authentication purposes as service account. In this case the user is uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com and the OUs are as below:
ou=Admins,ou=People,dc=somedomain,dc=com
ou=Readers,ou=People,dc=somedomain,dc=com
ou=Users,ou=People,dc=somedomain,dc=com
The requirement now is that user svc-admin should have write/full permissions to the above OUs as the app is designed to provision new users and it'll be writing into the above OUs using svc-admin as service account. It should be able to create users and modify their attributes.
I created an ACL and was able to apply it using ldapmodify however, when I connect to the LDAP server as the svc-admin on Apache DS I can read but cannot modify or create new users. When I do that I get an error both via Apache DS and as well as in shell. Insufficient right - Error 50 - No write access to parent.
Here's the ACL that I used:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Users,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Readers,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
It's not working. And here are my olcDatabase={1}mdb and olcDatabase={0}config files. I cleaned up the ACLs as they aren't doing any good.
olcDatabase={1}mdb
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54063f10
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=somedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
=external,cn=auth" manage by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
ad
olcRootDN: cn=admin,dc=somedomain,dc=com
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxSize: 42949672960
structuralObjectClass: olcMdbConfig
entryUUID: 3b57a8aa-b1d8-103a-87d6-7198db52aeab
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20201103042439Z
olcSyncrepl: {0}rid=003 provider=ldaps://ldapserver01.somedomain.com binddn="
cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
imeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=004 provider=ldaps://ldapserver02.somedomain.com binddn="
cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
imeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202222100.054442Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202222100Z
olcDatabase={0}config:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f2b26838
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
nal,cn=auth" manage by self write by users read by anonymous auth
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: f1608708-b1d7-103a-8934-b724f0ebd8c8
creatorsName: cn=config
createTimestamp: 20201103042234Z
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcSyncrepl: {0}rid=001 provider=ldaps://ldapserver01.ugo-wallet.com binddn="
cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
" type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=002 provider=ldaps://ldapserver02.ugo-wallet.com binddn="
cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
" type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202221926.832349Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202221926Z
How can I solve this. Any help in tackling this problem is greatly appreciated.

I think this might not be the appropriate approach but it worked for me. I removed the below ACLs from olcDatabase={1}mdb ..
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
=external,cn=auth" manage by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
ad
..and add the below ones in LDIF file and now the user account svc-admin can do everything in that application wants it to do.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: {3}to * by * read

How do I list all the entries in LDAP directory information tree?

I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.

search user uid in uniquemember - ldap

I have some user within a uid within uniquemember.
How to create a show that only the ldapsearch uid?
If today I run the command below, the Results is the entire contents of uniquemember and I just want to return the uid:
ldapsearch -x -h serverldap.com -p 389 -D uid=pdi00usr,ou=bind,ou=users,ou=access,o=com,c=br -W -b o=com,c=br -s sub "(&(uniqueMember=F)(cn=pdi*))"
# pdiasc01, pdi, aplic, groups, access, com, br
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Administrator
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
# pdiapf02, pdi, aplicacao, grupos, acesso, bb, br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Aprover
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br
i need a resulta like this:
uid=f3799300
uid=f6802561

You've got two options as far as I can see.
First would be to simply pipe your output through grep and do some sed (or awk) magic to remove everything after the first comma or
Second use the returned uid for a second query for the entry with the dn returned by uid and query for the uid of that object (which should be what you are looking for)

How to configure ldap one slave - mutlimaster replication

I just successfully replicated Openldap using ubuntu 10.04 as master (provider), 12.04 as slave (consumer).
I'm using syncrepl method for this replication.
Below configuration for provider.ldif and consumer.ldif
### provider ###
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=teleneos,dc=org
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
Then below consumer.ldif
### consumer ###
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://192.168.2.29 bindmethod=simple binddn="cn=admin,dc=teleneos,dc=org"
credentials=teleneos searchbase="dc=teleneos,dc=org" logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
This is succesfully replicated, when i add value on provider, then will replicated on consumer (slave). But this is only 2 machine connected.How if i have more than 10 machine as provider(master).Should on customer.ldif add olcUpdateRef: ldap://url_ldap one by one ?
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
olcUpdateRef: ldap://192.168.2.30
olcUpdateRef: ldap://192.168.2.31
...
...
olcUpdateRef: ldap://192.168.2.39
Any another configuration for this case ? i think if i add one by one url of ldap master i will not effective.
Help me to solve this issue.
Thanks

It's not clear to me that this is a supported configuration or that it will work, but if so all you should need is multiple syncrepl directives in the consumer.
NB you shouldn't load the syncprov module in the consumer.