
Re: Insufficient access error when adding entries

Fri, 2002-07-26 at 01:11, Victor Mendez wrote:

> > Fri, 2002-07-26 at 00:01, Victor Mendez wrote:
> > > cuzco:/home/backup/ldap # ldapadd -v  -f netsys.ldif -W -x
> > >
> > > adding new entry "dc=netsystemsinfo,dc=com"
> > >
> > > ldap_add: Insufficient access
> > > ldif_record() = 50
> >
> > In this particular, single case (there are more "horribles" not detailed
> > here to taunt you later, but that's all part of the fun).

> REPLY: Tony, hi. I appreciate your candor; that is what I need. ;-)

It's only what I see. Don't forget that everyone has made mistakes in
their first configurations, simply because they don't know what's going
on.

> > In your slapd.conf you've told the thing to allow Manager with an
> > impossible password to write (o,k., you let someother person write too,
> > but the thing doesn't know who that is yet), then you try and write
> > without letting it know who you are. It asks you a password, but no
> > name. So again it doesn't know who you are.

> REPLY: The impossible password is simple to explain: the documentation says
> not to create plain ASCII text passwords, so I used slappasswd to create a
> SHA password. See the rootpw line.

Do it later, when you've added your first couple of records.

> As for the ACL , what is a good ACL!!! any suggestions are welcome.

How about one that works? Use the standard one in slapd.conf for the
first couple of records, then experiment. Adam Williams's ldapv3.pdf is
more than a good help when working out what acls do and how (see this
list for his ftp site - I'm not going to give you that, he can do it -
it's his site).

As far as acls go, I'm still learning what is possible, and what wasn't
possible the day before yesterday became possible yesterday. Now my acls
are quite complicated, simply because they're necessary to do what I
want (virtual users, group managers and that sort of thing). I.e., you
shouldn't be able to see users' particular details when doing an
ldapsearch as an unauthorized user.

I'll tell you what I did: I used a virtually unmodified slapd.conf to add
the first two records, organization and Manager. I used slapadd -l, as the
database isn't running yet with that utility and one does it as root.

Here are my first two ldifs:
_______

dn: dc=billy,dc=demon,dc=nl
objectClass: dcObject
objectClass: organization
dc: billy
o: Billy

dn: cn=Manager,dc=billy,dc=demon,dc=nl
objectClass: organizationalRole
cn: Manager
_______

dn: cn=Tony,dc=billy,dc=demon,dc=nl
objectClass: person
objectClass: organizationalPerson
objectClass: evolutionPerson
objectClass: top
cn: Tony
sn: Earnshaw
_______

By now, you can change your Manager password to encrypted, but my
opinion is that you should use another user to do the admin (I have
Admin to do the basic database administration and he's not allowed even
to see the Manager record).

After that, I used GQ to add things like objectClasses and attributes.
GQ is picky, and together with a tail -f on a debug 256 log, it will let
you see all you need to learn what can and what can't be done. Now and
again stop the database and do a slapcat to an ldif file, to see what
you've done up to now ...

Best,

Tony

-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
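An added example, not part of this thread, covering the rootpw discussion above: it builds the {SSHA} and {SHA} values that slappasswd emits for slapd.conf and verifies a password against one, so you can confirm the hash in rootpw really matches the password you will type at the ldapadd -D cn=Manager,... -W prompt before you start suspecting the ACLs. It assumes only Python 3 and its standard library; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os


def ldap_password_hash(password, scheme="{SSHA}", salt=None):
    """Return a userPassword/rootpw value in OpenLDAP's {SSHA} or {SHA} form.

    {SSHA} is base64(sha1(password + salt) + salt) with a 4-byte salt, which is
    what `slappasswd -h {SSHA}` produces; {SHA} is the unsalted base64(sha1(pw)).
    """
    pw = password.encode("utf-8")
    if scheme == "{SHA}":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "{SSHA}":
        if salt is None:
            salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme: %s" % scheme)


def ldap_password_verify(password, stored):
    """Check a password against a stored {SSHA} or {SHA} value, as slapd does
    when the rootdn binds with simple authentication."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError("unsupported stored value: %s" % stored[:8])


def rootpw_line(password):
    """The slapd.conf line to paste, e.g. 'rootpw {SSHA}...' (constructed sample)."""
    return "rootpw " + ldap_password_hash(password)


if __name__ == "__main__":
    line = rootpw_line("secret")  # constructed sample password
    print(line)
    # Confirm the hash you are about to put in slapd.conf matches the password.
    print("verifies:", ldap_password_verify("secret", line.split(" ", 1)[1]))
```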