
Re: OpenLDAP static configuration



Dan,

I followed the instructions to update my config file, but I still get the same error. I used the debug option as well, but there was no obvious error message beyond:
----
** ld 0x7f3c527864b0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f3c527864b0 request count 1 (abandoned 0)
** ld 0x7f3c527864b0 Response Queue:
   Empty
  ld 0x7f3c527864b0 response count 0
ldap_chkResponseList ld 0x7f3c527864b0 msgid 2 all 1
ldap_chkResponseList returns ld 0x7f3c527864b0 NULL
ldap_int_select
read1msg: ld 0x7f3c527864b0 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 37 contents:
read1msg: ld 0x7f3c527864b0 msgid 2 message type add
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f3c527864b0 0 new referrals
read1msg:  mark request completed, ld 0x7f3c527864b0 msgid 2
request done: ld 0x7f3c527864b0 msgid 2
res_errno: 50, res_error: <no write access to parent>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_add: Insufficient access (50)
    additional info: no write access to parent

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed
---

Any hints on how I can figure out what's set wrong?

Thanks
Ali


On 02/07/2014 03:17 PM, Dan White wrote:
On 02/07/14 14:39 +0100, Ali Gholami wrote:
Thanks Vikas for the reply.

I removed the line to point to the "slapd.conf" and now I could run the service. But I get another error when I try to add structure of the entries using:

----
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f structure.ldif

This is likely performing sasl external peercred authentication, rather
than your desired external tls authentication as you intended below.

adding new entry "dc=x,dc=y"

ldap_add: Insufficient access (50)
   additional info: no write access to parent
----

I've created the ".ldaprc" in my home directory, which defines the X.509 certificates of the LDAP server, and I've added the subject of the host certificate in the "slapd.conf":

----
access to *
      by dn="cn=admin,dc=x,dc=y" write
      by dn="cn=allowed host,dc=x,dc=y" read
      by * none

authz-regexp CN=ldap.biobankcloud.eu,O=BBC "cn=admin,dc=biobankcloud,dc=org"

database        bdb
      suffix         "dc=x,dc=y"
      rootdn         "cn=admin,dc=x,dc=y"
      rootpw         {SSHA}blabla...
----


Is there anything else that I should set, or is something broken?

Do:

sudo ldapwhoami -Y EXTERNAL -H ldapi:///

to obtain your resolved authentication identity, and create an appropriate
authz-regexp rule that maps that identity to your desired user, e.g.:

authz-regexp
  "uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=biobankcloud,dc=org"

See: http://www.openldap.org/doc/admin24/sasl.html

-- 
Dan White
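An added illustration, not from this thread and not OpenLDAP's own code: a small Python emulation of how slapd applies authz-regexp rules (rules tried in order, first match wins, case-insensitive, $1..$9 filled from capture groups). It takes Ali's original rule and Dan's peercred rule as written above; the peercred string is the one in Dan's message and must be confirmed with ldapwhoami on the actual host, and the capturing rule at the end is a constructed one in the style of the admin guide Dan links, to show substitution.

```python
import re

# Ali's rule from his slapd.conf: it only matches the TLS certificate subject,
# so the peercred identity that -Y EXTERNAL over ldapi:/// produces is never mapped.
ALI_RULES = [
    (r"CN=ldap.biobankcloud.eu,O=BBC", "cn=admin,dc=biobankcloud,dc=org"),
]

# Dan's suggestion: also map the peercred identity reported by
# `sudo ldapwhoami -Y EXTERNAL -H ldapi:///` (string as given in his message;
# the exact form on a real host must be taken from that command's output).
FIXED_RULES = ALI_RULES + [
    (r"uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=admin,dc=biobankcloud,dc=org"),
]

# Constructed capturing rule (admin-guide style) to show $1 substitution.
GENERIC_RULES = [
    (r"uid=([^,]+),cn=[^,]+,cn=auth", "uid=$1,ou=people,dc=biobankcloud,dc=org"),
]


def map_authz(identity: str, rules) -> str:
    """Emulate slapd's authz-regexp: first matching rule wins, $1..$9 in the
    replacement come from capture groups. An identity matching no rule keeps
    its raw SASL form, which in the thread's ACL falls through to `by * none`."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity, re.IGNORECASE)  # slapd: REG_EXTENDED|REG_ICASE, unanchored
        if m is None:
            continue
        mapped = replacement
        for i, group in enumerate(m.groups(), start=1):
            mapped = mapped.replace(f"${i}", group or "")
        return mapped
    return identity


def has_write_access(identity: str, rules, admin_dn="cn=admin,dc=biobankcloud,dc=org") -> bool:
    """Write is granted only when the mapped DN is the admin DN (`by * none` otherwise)."""
    return map_authz(identity, rules).lower() == admin_dn.lower()


if __name__ == "__main__":
    peercred = "uidNumber=0,cn=peercred,cn=external,cn=auth"
    cert = "CN=ldap.biobankcloud.eu,O=BBC"
    for label, rules in (("original rules", ALI_RULES), ("with Dan's rule", FIXED_RULES)):
        print(f"{label}: peercred -> {map_authz(peercred, rules)} write={has_write_access(peercred, rules)}")
    print("cert ->", map_authz(cert, FIXED_RULES))
    print("generic ->", map_authz("uid=ali,cn=digest-md5,cn=auth", GENERIC_RULES))
```

With the original rules the peercred identity stays unmapped and the add is refused with "no write access to parent"; with Dan's rule it resolves to the admin DN.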