
Re: Modify or add information after conversion of slapd.conf to cn=config with fresh install of OpenLdap



Mon 2012-01-09 at 12:29 +0100, rey sebastien wrote:
> Hi!
> 
> 
> I start with a fresh installation of openldap 2.4.28 on debian. There
> are some problems with the debian package, and with gnuTLS, so I
> compiled a version with the OpenSSL library.
> 
> It's hard to understand from the official documentation how to start a
> from-scratch installation with the new cn=config administration of
> openLDAP. So, I made a conversion (with the great help of users on
> this mailing list) from slapd.conf to cn=config on the first launch
> of openLDAP with these commands:
> 

I have done this now as an exercise in a uni sysadm course.
The method I used was this:
Install slapd with the default debian configuration.
Dump the cn=config tree and read that together with the openldap admin
guide.
Then I was able to write the minimum ldif for a working slapd.

so
slapcat -F /etc/ldap/slapd.d/ -l someinit.ldif
slapd -F /etc/ldap/slapd.d/
ldapadd my-dc=lokeldarn,dc=se.ldif  ( someinit.ldif contains an hdb
database with suffix dc=lokeldarn,dc=se )
 


> /usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F /usr/local/etc/openldap/slapd.d/ -d -1
> 
> 
> My slapd.conf.seb, really simple, is:
> 
> 
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/openldap.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/ppolicy.schema
> include         /usr/local/etc/openldap/schema/gosa/samba3.schema
> include         /usr/local/etc/openldap/schema/gosa/trust.schema
> include         /usr/local/etc/openldap/schema/gosa/gofax.schema
> include         /usr/local/etc/openldap/schema/gosa/gofon.schema
> include         /usr/local/etc/openldap/schema/gosa/gosystem.schema
> include         /usr/local/etc/openldap/schema/gosa/goto-mime.schema
> include         /usr/local/etc/openldap/schema/gosa/goto.schema
> include         /usr/local/etc/openldap/schema/gosa/goserver.schema
> include         /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
> include         /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
> include         /usr/local/etc/openldap/schema/gosa/dnszone.schema
> include         /usr/local/etc/openldap/schema/gosa/nagios.schema
> include         /usr/local/etc/openldap/schema/gosa/dhcp.schema
> include         /usr/local/etc/openldap/schema/gosa/sudo.schema
> 
> pidfile         /usr/local/var/run/slapd.pid
> argsfile        /usr/local/var/run/slapd.args
> 
> database        bdb
> suffix          "dc=parisgeo,dc=cnrs,dc=fr"
> rootdn          "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
> rootpw  {SSHA} secret
> directory       /srv/openldap-data
> index   objectClass     eq
> 

Your rootpw stanza is wrong. You should create the stanza with the help
of slappasswd. 
You should insert the output from '/usr/sbin/slappasswd -s secret'
or if it is good enough for now with a clear-text passwd in cn=config
simply write the stanza as :
----
rootpw secret
----
for 'secret' as the passwd.

> I have no problem with this simple conversion, but after that, it's
> impossible to import data with the commands ldapadd or ldapmodify.
> 
> I don't understand the default read/write rights for openLDAP; I
> tried with ldapmodify, with bind and password, and I have the same
> problem:
> 
> root@xxxx:/usr/local/etc/openldap# ldapadd -x -D "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif 
> Enter LDAP Password: xxx
> adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
> ldap_add: Constraint violation (19)
>     additional info: structuralObjectClass: no user modification allowed
> 
> 
> I try to modify the rights for cn=config with this sample:
> 
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> delete: olcAccess
> 
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootDN
> olcRootDN: cn=admin,cn=config
> 
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: {SSHA} secret
> 
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> delete: olcAccess
> 
> ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif 
> 
> 
> Same problem, I have no right to do that, with or without the
> password option -W or the bind option -D
> "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
> 
> root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif 
> 
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Insufficient access (50)
> 
> root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f slapd.modify.root.ldif Enter LDAP Password: 
> ldap_bind: Invalid credentials (49)
> 
> root@xxxxx:/usr/local/etc/openldap# ldapadd -D "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif 
> Enter LDAP Password: 
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Insufficient access (50)
> 
> Has anybody had this problem in the past, and does anyone have an
> idea of the solution to create a good starting configuration from a
> scratch installation? Do you think there is a mistake in my simple
> installation/configuration?
> 
> 
> I also created a post on the serverFault.com site, but I have no
> answer at this time:
> http://serverfault.com/questions/342086/impossible-to-modify-or-add-information-after-conversion-of-slapd-conf-to-cn-con
> 
> 
> Best regards,
> SR
> 
>
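Added example, not part of the thread or of OpenLDAP itself: the reply's point is that a `rootpw` value must be a hash as `slappasswd` emits it, not the literal text `{SSHA} secret`. The Python below builds an RFC 2307-style `{SSHA}` value the same way `slappasswd -s <password>` does by default (base64 of SHA-1(password + salt) followed by the salt), verifies a candidate password against it, and shows that the malformed value can never match. The function names, the 4-byte salt length and the sample salt are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it is salt
PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} userPassword/rootpw value in the slappasswd format.

    A fresh random salt is drawn when none is supplied, so two hashes of the
    same password differ (assumed 4-byte salt, a common slappasswd default).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt).

    Returns None when the value is not well-formed: wrong scheme prefix,
    non-base64 payload (such as the literal ' secret'), or a payload too
    short to hold a SHA-1 digest plus at least one salt byte.
    """
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) <= SHA1_LEN:
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Uses a constant-time comparison; a malformed stored value never verifies.
    """
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_stanza(password: str, hashed: bool = True) -> str:
    """Render the slapd.conf 'rootpw' line.

    hashed=True follows the reply's recommended slappasswd route; hashed=False
    gives the clear-text stopgap the reply also mentions.
    """
    value = ssha_hash(password) if hashed else password
    return f"rootpw {value}"


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    good = ssha_hash("secret", salt=b"abcd")
    bad = "{SSHA} secret"  # the malformed value from the original post
    print("well-formed:", good, "->", ssha_verify("secret", good))
    print("malformed:  ", bad, "->", ssha_verify("secret", bad))
    print(rootpw_stanza("secret"))
    print(rootpw_stanza("secret", hashed=False))
```

The check that matters operationally is `ssha_verify("secret", "{SSHA} secret")` returning False: the literal text has no base64 payload, so no bind against such a rootdn can ever succeed, which is why the reply says to paste the `slappasswd` output verbatim. Keep `slappasswd`-generated values in place rather than the clear-text form once the setup works, since the cn=config database is readable to whoever can read the backing files.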