
Re: (ITS#4207) cn=config does not accept rootdn's outside of its naming context



quanah@stanford.edu wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.3.12 + HEAD patches
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.19.82)
>
>
> In continuing to try and set up a replicated cn=config, I find that although I
> can specify the rootdn to be something outside of the naming context, actually
> trying to do that rootdn gets an access denied message:
>
> #######################################################################
> # back-config database definitions
> #######################################################################
> database                config
> rootdn                  "cn=replicator,cn=applications,dc=stanford,dc=edu"
>
>
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 848112 local4.debug]
> conn=1 fd=12 ACCEPT from IP=171.67.16.99:47443 (IP=0.0.0.0:389)
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 469902 local4.debug]
> conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 744844 local4.debug]
> conn=1 op=0 SRCH attr=supportedSASLMechanisms
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 167594 local4.debug]
> conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 215403 local4.debug]
> conn=1 op=1 BIND dn="" method=163
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 588225 local4.debug]
> conn=1 op=1 RESULT tag=97 err=14 text=
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 215403 local4.debug]
> conn=1 op=2 BIND dn="" method=163
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 588225 local4.debug]
> conn=1 op=2 RESULT tag=97 err=14 text=
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 215403 local4.debug]
> conn=1 op=3 BIND dn="" method=163
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 538062 local4.debug]
> conn=1 op=3 BIND authcid="service/ldap@stanford.edu"
> authzid="service/ldap@stanford.edu"
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 690767 local4.debug]
> conn=1 op=3 BIND dn="cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu"
> mech=GSSAPI ssf=56
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 588225 local4.debug]
> conn=1 op=3 RESULT tag=97 err=0 text=
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 469902 local4.debug]
> conn=1 op=4 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 167594 local4.debug]
> conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 218904 local4.debug]
> conn=1 op=5 UNBIND
> Nov 23 13:44:22 ldap-dev2.Stanford.EDU slapd[16082]: [ID 952275 local4.debug]
> conn=1 fd=12 closed
>
>
> ldapsearch -LLL -Q -h ldap-dev2 -b "cn=config"
> Insufficient access (50)
>   
It works for me.

database    bdb
suffix      "dc=example,dc=com"
directory   ./testrun/db.1.a
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      secret
index       objectClass eq
index       cn,sn,uid   pres,eq,sub

database    monitor

database config
rootdn cn=manager,dc=example,dc=com

ldapsearch -x -D cn=manager,dc=example,dc=com -w secret -b cn=config ...

Look at your log output again, more carefully. The DN you bound with is 
not the same as the rootDN you configured. This ITS will be closed.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
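The check Howard points at above (is the DN slapd logged at BIND actually the rootdn configured for the back-config database?) can be automated, so that a mismatch like the extra cn=service RDN in the report is caught before anyone stares at err=50. The following is an added example, not code from this thread or from OpenLDAP. It assumes the slapd.conf stanza and log lines embedded below, which are constructed from the posted excerpt (the wrapped syslog lines re-joined onto one line each), and it approximates slapd's DN normalization by lowercasing each RDN, which is adequate for the cn and dc attributes used here.

```python
import re

# Constructed sample input (not captured from a live server): the back-config
# stanza from the report, and its slapd log lines re-joined onto one line each.
SLAPD_CONF = """\
database                config
rootdn                  "cn=replicator,cn=applications,dc=stanford,dc=edu"
"""

SLAPD_LOG = """\
Nov 23 13:44:22 ldap-dev2 slapd[16082]: conn=1 op=2 BIND dn="" method=163
Nov 23 13:44:22 ldap-dev2 slapd[16082]: conn=1 op=3 BIND dn="cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56
Nov 23 13:44:22 ldap-dev2 slapd[16082]: conn=1 op=3 RESULT tag=97 err=0 text=
Nov 23 13:44:22 ldap-dev2 slapd[16082]: conn=1 op=4 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
Nov 23 13:44:22 ldap-dev2 slapd[16082]: conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=
"""

_RDN_SPLIT = re.compile(r'(?<!\\),')      # split on commas not escaped with a backslash
_BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)')


def normalize_dn(dn):
    """Return the DN as a tuple of lowercased 'type=value' RDNs, leaf first.

    Assumption: every attribute type in the DN is matched case-insensitively
    (true for cn and dc, the only types on this page), so lowercasing each
    whole RDN is a usable stand-in for slapd's normalized form.
    """
    rdns = [rdn.strip() for rdn in _RDN_SPLIT.split(dn.strip())]
    return tuple(rdn.lower() for rdn in rdns if rdn)


def parse_rootdns(conf_text):
    """Map each 'database' stanza in slapd.conf text to its rootdn (None if unset)."""
    rootdns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'database':
            current = value
            rootdns[current] = None
        elif key == 'rootdn' and current is not None:
            rootdns[current] = value.strip('"')   # slapd accepts quoted or bare DNs
    return rootdns


def audit_binds(conf_text, log_text, database='config'):
    """For each authenticated bind in the log, report whether the bound DN is the
    rootdn of `database`, which RDNs differ, and any non-zero err= on later ops
    of the same connection (here the err=50 on the cn=config search)."""
    rootdn = parse_rootdns(conf_text).get(database)
    want = normalize_dn(rootdn) if rootdn else ()
    binds = {}
    for line in log_text.splitlines():
        m = _BIND_RE.search(line)
        if m and m.group(3):                       # skip dn="" SASL round trips
            conn, _op, dn = m.groups()
            got = normalize_dn(dn)
            binds[conn] = {
                'bound_dn': dn,
                'is_rootdn': got == want,
                'extra_rdns': sorted(set(got) - set(want)),
                'missing_rdns': sorted(set(want) - set(got)),
                'later_errors': [],
            }
            continue
        m = _RESULT_RE.search(line)
        if m and m.group(1) in binds and int(m.group(3)) != 0:
            binds[m.group(1)]['later_errors'].append(int(m.group(3)))
    return binds


if __name__ == '__main__':
    for conn, info in audit_binds(SLAPD_CONF, SLAPD_LOG).items():
        print(f"conn={conn} bound as {info['bound_dn']}")
        print(f"  is rootdn: {info['is_rootdn']}, extra RDNs: {info['extra_rdns']}, "
              f"missing RDNs: {info['missing_rdns']}, later errors: {info['later_errors']}")
```

Run against the sample, conn=1 comes back with is_rootdn False and extra_rdns ['cn=service'], followed by the err=50 on the cn=config search, which is exactly the mismatch Howard's reply describes. Feed it a real slapd.conf and a syslog excerpt (with wrapped lines re-joined) to check any other database stanza by passing its name as `database`.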