Re: OpenLDAP static configuration

[Dan White <dwhite@olp.net>]

On 02/07/14 14:39 +0100, Ali Gholami wrote:
> Thanks Vikas for the reply.
>
> I removed the line to point to the "slapd.conf" and now I could run 
> the service. But I get another error when I try to add structure of 
> the entries using:
>
> ----
> $sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f structure.ldif:

This is likely performing sasl external peercred authentication, rather
than your desired external tls authentication as you intended below.

> adding new entry "dc=x,dc=y"
>
> ldap_add: Insufficient access (50)
>    additional info: no write access to parent
> ----
>
> I've created the  ".ldaprc" in my home directory which defines the 
> X590 certificates of the LDAP server and I've added the subject of 
> the host certificated in the "slapd.conf":
>
> ----
> access to *
>       by dn="cn=admin,dc=x,dc=y" write
>       by dn="cn=allowed host,dc=x,dc=y" read
>       by * none
>
> authz-regexp CN=ldap.biobankcloud.eu,O=BBC "cn=admin,dc=biobankcloud,dc=org"
>
> database        bdb
>       suffix         "dc=x,dc=y"
>       rootdn         "cn=admin,dc=x,dc=y"
>       rootpw         {SSHA}blabla...
> ----
>
>
> IS there anything else that I should set or something broken?

Do:

sudo ldapwhoami -Y EXTERNAL -H ldapi:///

to obtain your resolved authentication identity, and create an appropriate
authz-regexp rule that maps that identity to your desired user, e.g.:

authz-regexp
  "uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=biobankcloud,dc=org"

See: http://www.openldap.org/doc/admin24/sasl.html

--
Dan White