
Re: "dn: cn=admin,cn=config" adding problem



On 11/11/2013 12:52 PM, Quanah Gibson-Mount wrote:
--On Monday, November 11, 2013 8:39 PM +0400 Oleg <lego12239@yandex.ru>
wrote:

OK. How can I place restrictions on admin access to the cn=config db?
According to the docs I must add a user to the db to do this.

I suggest looking at what Debian does in their default configurations,
which restricts the admin user to using the ldapi:/// socket and the
root user only, which meets your criteria for locking it down to
localhost and even goes beyond that to locking down the user that is
mapped to the rootdn as well.

--Quanah

Hi all,

I am trying to do something similar, and am experiencing issues as well. At the end of the day, my goal is to migrate from some older Mirapoint LDAP servers. Mirapoint uses OpenLDAP, but adds their own schema to the mix, and I'll have to import that as well. I also need the Samba support. Since Samba is a recognized service and schema, I thought I'd start with that.

Following your advice, here are some of my relevant config lines (though not Debian):

*******************
# rootdn can always read and write EVERYTHING!
...

database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

...

rootdn          "cn=Manager,dc=ndtel,dc=com"
*******************

I can use cn=Manager,dc=ndtel,dc=com (and the associated password) to do other things (i.e. see the existing structure and schemas in PHPLdapAdmin), but I cannot seem to update the config db.

Here's what happens when I attempt to import a schema LDIF, as explained at http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/:

*******************
[root@ldap1 ~]# ldapadd -x -W -D 'cn=Manager,dc=ndtel,dc=com' -W -f ./samba.ldif -H ldap://10.255.255.40
Enter LDAP Password:
adding new entry "cn=samba,cn=schema,cn=config"
ldap_add: Insufficient access (50)
*******************

I have been researching this for a couple of days, and I can't seem to find the solution.

BTW:
Centos 6.4, updated.

[root@ldap1 ~]# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08) $

mockbuild@c6b7.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

If anything else is needed to help with this troubleshooting or to help me understand what it is I am missing (which is what I prefer: to learn), please let me know.

Thanks!

Alex
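The lockdown Quanah describes, written out as an added example (this is not code from the thread, from Debian, or from the OpenLDAP project). It targets a cn=config (OLC) setup with an ldapi:/// listener: the access rule admits only the DN that slapd derives from the Unix peer credentials of uid 0 / gid 0, and the client side therefore binds with SASL EXTERNAL over the socket instead of -x/-D/-W. The olcRootDN value, the schema file name and the small dispatch wrapper at the end are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenLDAP itself.
# Restricts cn=config to local root over ldapi:/// and shows the matching
# ldapadd call for a schema LDIF. Assumes an OLC (cn=config) configuration
# and an ldapi:/// listener; the schema file name is a placeholder.

# Build the DN slapd assigns to a Unix-socket peer with the given uid and gid
# (the SASL EXTERNAL "peercred" mapping). Root is uid 0 / gid 0.
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# LDIF that restricts the config database to the root peercred DN.
# Two things worth knowing before applying it:
#  - rootdn bypasses access rules entirely, so an olcRootPW on this entry
#    would still grant password-based manage rights; olcRootDN is set here
#    to cn=config (assumed value) and no olcRootPW is added, so the socket
#    credentials are the only way in. Delete any existing olcRootPW yourself.
#  - rootdn is per-database in OpenLDAP: a rootdn defined on the data
#    database (e.g. dc=example,dc=com) has no special rights on cn=config.
config_lockdown_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="$(peercred_dn 0 0)" manage by * none
-
replace: olcRootDN
olcRootDN: cn=config
EOF
}

# Everything below talks to a live slapd; run it as root on the server itself.

# Print the DN the server maps our socket credentials to. For root this is
# dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, i.e. exactly
# the dn.exact in the rule above; anything else will be refused.
whoami_ldapi() {
    ldapwhoami -Q -Y EXTERNAL -H ldapi:///
}

# Apply the access rule. -Q suppresses the SASL chatter on stderr.
apply_config_lockdown() {
    config_lockdown_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Import a schema LDIF (e.g. samba.ldif) into cn=schema,cn=config the same
# way: no -D/-W, the peer credentials are the identity.
add_schema() {
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Allow "sh lockdown.sh whoami_ldapi" style invocation; does nothing when
# run without arguments so the file can also be sourced.
if [ $# -gt 0 ]; then
    "$@"
fi
```

Usage on the LDAP host, as root: `sh lockdown.sh whoami_ldapi` to confirm the mapped DN, then `sh lockdown.sh apply_config_lockdown`, then `sh lockdown.sh add_schema samba.ldif`. The same rule works in a slapd.conf setup under `database config`, as in the fragment posted above, but in that format a `rootdn` directive belongs to whichever `database` section it appears in, so the rootdn of the data database does not carry over to the config database either.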