Error 50 (Insufficient Access Rights) when applying LDIF - OpenLDAP - ldap

I'm trying to apply a config through an LDIF file. I'm binding as admin on my LDAPS server and I'm getting the following error message:
LDAP: Error 50 - Insufficient Access Rights
I'm binding as admin and I'm able to perform any query or any changes like creating a new entry, modifying an existing one, etc.
I don't know what else to do since I'm already binding as admin. Besides, I even built a brand new LDAP server only to test this and I'm unable to apply any LDIF files as well.
I'm using the Apache Directory Studio LDIF Editor tool to push the LDIF file, which is the following:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by cn=replicator,ou=Users,dc=example,dc=com write
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
Could someone please help me with this issue? I've read a lot of articles with no success so far.

It's as expected in my comment above: If you connect as cn=admin,dc=yourdomain,dc=tld to your LDAP server, you connect as admin of your specific LDAP database (which is just one database within your LDAP server).
So you have to create another connection to your LDAP server with user cn=config and your LDAP admin password:
In case you don't know or forgot your LDAP password, take a look at how to view or modify it.
Alternatively, import LDIFs from the command line (SASL EXTERNAL over the ldapi socket needs no password, so -W is not used):
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f file.ldif

Related

How to delete one of these 2 entries in openldap

How to delete one of these 2 entries? I want to delete the first one.
I tried it but I always get an error.
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcOverlay={2}auditlog |grep -v "#"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {2}auditlog
olcAuditlogFile: /var/log/ldapaudit.log
dn: olcOverlay={3}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /var/log/ldap.log
search: 2
result: 0 Success
Older versions of OpenLDAP (2.4 or older, I believe) do not support hot removal of overlays – they can only be added via LDAP, but removing them needs to be done offline (i.e. with the slapd service stopped).
The official method is to dump the cn=config database (slapcat -n 0) into an LDIF file, edit it as needed, then delete the whole slapd.d directory and rebuild it from the LDIF using slapadd -n 0.
The unofficial method is to rm just the corresponding files from within slapd.d/cn=config/.
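For the first answer on this page (the data database's admin cannot write cn=config) and the answer just above (editing a slapcat -n 0 dump offline), an added Python example that is not from this thread: config_dns lists the DNs in an LDIF that only the config database's rootdn or a root bind over ldapi:/// with SASL EXTERNAL can write, and drop_overlay removes one overlay record from a config dump and renumbers the overlays that follow it. The sample LDIF and dump are constructed from the entries shown in the two questions; the function names are mine.

```python
import re
# Constructed sample modeled on the page's LDIF: one cn=config change, one data change.
MODIFY_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq

dn: uid=alice,ou=Users,dc=example,dc=com
changetype: modify
replace: mail
mail: alice@example.com
"""
# Constructed slapcat -n 0 excerpt with the two auditlog overlays from the thread.
CONFIG_DUMP = """\
dn: olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config
olcOverlay: {2}auditlog
olcAuditlogFile: /var/log/ldapaudit.log

dn: olcOverlay={3}auditlog,olcDatabase={2}hdb,cn=config
olcOverlay: {3}auditlog
olcAuditlogFile: /var/log/ldap.log
"""
def records(text):
    """Split LDIF into records (first line is the dn), unfolding continuation lines."""
    text = re.sub(r"\n ", "", text.strip())
    return [[l for l in c.splitlines() if l and not l.startswith("#")]
            for c in re.split(r"\n\s*\n", text)]

def config_dns(text):
    """DNs under cn=config in the LDIF: only the config database's rootdn (or root over
    ldapi:/// + SASL EXTERNAL) may write them, not a data database's olcRootDN."""
    return [r[0][4:] for r in records(text) if r[0].lower().endswith("cn=config")]

def drop_overlay(dump, dn):
    """Drop one overlay record and renumber later overlays of the same database."""
    pat = re.compile(r"olcOverlay=\{(\d+)\}\w+,(.*)", re.I)
    idx, parent = int(pat.match(dn).group(1)), pat.match(dn).group(2)
    out = []
    for rec in records(dump):
        cur = rec[0][4:]
        if cur.lower() == dn.lower():
            continue
        m = pat.match(cur)
        if m and m.group(2) == parent and int(m.group(1)) > idx:
            n = int(m.group(1))  # slapd's {n} prefix is positional, so close the gap
            rec = [l.replace("{%d}" % n, "{%d}" % (n - 1), 1) for l in rec]
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n"
```

A data-database admin such as cn=admin,dc=example,dc=com gets error 50 on every DN config_dns returns; drop_overlay's output is what you would feed to slapadd -n 0 after stopping slapd.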

No such object (32) error while trying to modify olcDatabase={2}hdb.ldif

I have installed LDAP and I am able to start it.
While I am trying to modify the olcDatabase={2}hdb.ldif file I am getting "ldap_modify: No such object (32)" error.
Steps followed to modify:
1) created a db.ldif file with the contents below
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ec2,dc=internal

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=ec2,dc=internal

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ
2) ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such object (32)
I am using CentOS 7 and the following OpenLDAP packages:
openldap-clients-2.4.44-21.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openldap-servers-sql-2.4.44-21.el7_6.x86_64
openldap-servers-2.4.44-21.el7_6.x86_64
openldap-devel-2.4.44-21.el7_6.x86_64
collectd-openldap-5.8.1-1.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
Please help me fix this!!
There are two reasons for this result:
the entry actually doesn't exist, or
it exists but you don't have permission to know that.
I suggest you try to search the cn=config database to see what it actually contains:
ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
If the result is No such object (32), then gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth doesn't have access to the config database on your system.
If the search does return output, check whether the entry olcDatabase={2}hdb,cn=config is actually listed.
I had the same problem and to fix it I restarted slapd.service:
systemctl stop slapd.service
systemctl start slapd.service

How to add to openLDAP user objectClass

I have to clone data between two OpenLDAP servers. I obtained the LDIF from the source but I have a problem with the import. I get an error like:
root#dc:/etc/ldap/schema# ldapadd -Y external -H ldapi:/// -f /tmp/export.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=Tomasz Topolski,ou=Pracownicy,dc=tropico,dc=local"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #3 invalid per syntax
After googling I saw that the problem is with the 4th objectClass (because it starts counting from 0), so I checked, and the 4th objectClass in my exported LDIF is
objectClass: user
And the main question is: how do I add this objectClass to my LDAP?
If you want to migrate all the configs, you can use slapcat with "-n 0" to export all the configs including the schema. Then add the schema first and then the data.
But if only this particular objectClass "user" is needed, then you can follow the steps below.
Create a file user.schema with the same contents as the source OpenLDAP user objectClass definition.
Create a conf file user.conf:
# slapd does not expand ~, so give the real path of the schema file created above
include ./user.schema
Create a directory and run the commands below:
mkdir userdir
slaptest -f user.conf -F userdir
The resulting file in userdir can be used to add the schema:
service slapd stop
# slaptest writes userdir/cn=config/cn=schema/cn={0}user.ldif; before loading it, set its
# dn to cn=user,cn=schema,cn=config and cn to user, and drop the generated operational
# attributes (structuralObjectClass, entryUUID, creatorsName, ...) at its end
slapadd -n 0 -l userdir/cn=config/cn=schema/cn={0}user.ldif
service slapd start

SSHA password encryption on OpenLDAP

My current problem is that I cannot stop OpenLDAP from storing passwords as plaintext. In an older OpenLDAP version, I entered the following configuration in slapd.conf:
ppolicy_hash_cleartext
password-hash {SSHA} {SHA}
So once a password was sent from my application as plaintext, the LDAP was encrypting it and storing it encrypted.
Unfortunately I was not able to configure this in OpenLDAP 2.4.40. I found out that slapd.conf does not exist anymore in the newer version and instead the configuration takes place in the cn=config.ldif file.
I tried to add the same configuration there again, but it seems to have no effect.
EDIT: I added the olcPasswordHash: {SSHA} entry with ldapmodify in olcBackend={0}mdb.ldif, olcDatabase={1}mdb.ldif, olcDatabase={0}config.ldif and cn=config.ldif; still, my passwords that are sent as plaintext are stored as plaintext.
Took some time, but I finally figured it out.
Load the schema describing the ppolicy attributes:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
Create a ppolicy_module.ldif with the following content and make sure that ppolicy.la is located under the defined olcModulePath. Store the file under /etc/ldap:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap
Add the ppolicy_module.ldif:
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif
Create a ppolicy-overlay.ldif file with the following content. Make sure of the olcDatabase number; in this case it is olcDatabase={1}mdb. Store the file under /etc/ldap:
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
Add the LDIF file:
ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy-overlay.ldif
Restart slapd.
More details under:
https://fedorahosted.org/sssd/wiki/openldap_ppolicy
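As an added check that is not part of the answer above: a Python audit over slapcat dumps that reports entries whose userPassword is stored without a {scheme} prefix, and which of the two hashing settings the config carries. The frontend olcPasswordHash only applies to the Password Modify extended operation, so a plain userPassword write is hashed only through ppolicy's olcPPolicyHashCleartext, which is the setting the answer enables. Both dumps below are constructed; the function names are mine.

```python
import base64, re
def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed slapcat -n 1 excerpt. OpenLDAP base64-encodes userPassword in LDIF
# output ("::"), so it must be decoded before judging it; carol's line is the plain
# form a hand-written import LDIF would use.
DATA_DUMP = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + b64("{SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + b64("password123"),  # cleartext in the DB, base64 only in the dump
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: secret",
])
# Constructed slapcat -n 0 excerpt holding both hashing settings.
CONFIG_DUMP = """\
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
olcPPolicyHashCleartext: TRUE
"""
SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")  # {SSHA}, {SHA}, {CRYPT}, ...

def attr_values(text, attr):
    """Yield (dn, value) for each occurrence of attr, decoding '::' base64 values."""
    dn, key = None, attr.lower()
    for line in text.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith(key + ":: "):
            yield dn, base64.b64decode(line.split(":: ", 1)[1]).decode()
        elif line.lower().startswith(key + ": "):
            yield dn, line.split(": ", 1)[1]

def plaintext_passwords(data_dump):
    """DNs whose stored userPassword has no {scheme} prefix, i.e. is cleartext."""
    return [dn for dn, v in attr_values(data_dump, "userPassword") if not SCHEME.match(v)]

def hashing_config(config_dump):
    """Which write paths slapd hashes: frontend olcPasswordHash covers only the Password
    Modify extended op; plain userPassword writes need ppolicy's olcPPolicyHashCleartext."""
    exop = any(dn.lower().startswith("olcdatabase={-1}frontend")
               for dn, _ in attr_values(config_dump, "olcPasswordHash"))
    ppol = [v.upper() for _, v in attr_values(config_dump, "olcPPolicyHashCleartext")]
    return {"exop": exop, "userpassword_writes": "TRUE" in ppol}
```

Entries already stored in cleartext stay that way after the overlay is added; they are only rehashed when the password is next written.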

no global superior knowledge error upon adding new entry (change suffix?)

OpenLDAP 2.4.31 is installed on Ubuntu 14.04.
When I try to add the first entry to the LDAP, it says:
adding new entry "dc=abc,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
This is the command I use in CLI:
ldapadd -Y EXTERNAL -H ldapi:// -f import-org.ldif
From various blogs I understood that this happens because the new entry with dn dc=abc,dc=com cannot be added to an LDAP database with suffix dc=xyz,dc=com.
The installation process defines the LDAP suffix without prompting to set a custom one.
I read a bunch of manuals and blogs and failed to find any document that describes how to change or add a new suffix, or any other way to solve the issue in this version of OpenLDAP.
You need to add the new suffix.
This example assumes that dc=example,dc=com exists and you want to add dc=example,dc=net.
You can do this via LDIF with something like:
# add example.net to an existing LDAP server
version: 1
dn: dc=example,dc=net
dc: example
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people, dc=example,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit
Then add the entries as desired under the new suffix.
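As an added pre-flight check, not from the answer above: slapd accepts an add only when the entry's DN lies under the olcSuffix of some configured database; otherwise it returns "no global superior knowledge" (53) whoever binds. The Python below, with a constructed config dump and import LDIF modeled on the question, reports the entries in an import file that no configured suffix can hold; the function names are mine.

```python
import re

# Constructed slapcat -n 0 excerpt: the single data database the installer created,
# serving dc=xyz,dc=com as in the question.
CONFIG_DUMP = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=xyz,dc=com
"""
# Constructed import LDIF: one entry under the served suffix, one outside it.
IMPORT_LDIF = """\
dn: ou=people, dc=xyz,dc=com
objectClass: organizationalUnit
ou: people

dn: dc=abc,dc=com
objectClass: dcObject
objectClass: organization
dc: abc
o: ABC
"""

def norm_dn(dn):
    """Case-fold and drop the optional whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def suffixes(config_dump):
    return [norm_dn(s) for s in re.findall(r"^olcSuffix:\s*(.*)$", config_dump, re.M)]

def naming_context(dn, config_dump):
    """The longest olcSuffix holding dn, or None when no database covers it: slapd
    then answers an add with 'no global superior knowledge' (53)."""
    d = norm_dn(dn)
    hits = [s for s in suffixes(config_dump) if d == s or d.endswith("," + s)]
    return max(hits, key=len) if hits else None

def orphan_entries(import_ldif, config_dump):
    """DNs in an import LDIF that no configured database can hold."""
    dns = re.findall(r"^dn:\s*(.*)$", import_ldif, re.M)
    return [dn for dn in dns if naming_context(dn, config_dump) is None]
```

Every DN orphan_entries reports needs a database whose olcSuffix covers it (or a matching change to the existing olcSuffix) before the import can succeed.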