[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "dn: cn=admin,cn=config" adding problem

On 11/11/2013 12:52 PM, Quanah Gibson-Mount wrote:
--On Monday, November 11, 2013 8:39 PM +0400 Oleg <lego12239@yandex.ru>

  ok. How can i place restrictions for admin access to cn=config db?
According to docs i must add a user to a db to do this.

I suggest looking at what Debian does in their default configurations,
which restricts the admin user to using the ldapi:/// socket and the
root user only, which meets your criteria for locking it down to
localhost and even goes beyond that to locking down the user that is
mapped to the rootdn as well.


Hi all,

I am trying to do something similar, and am experiencing issues as well. At the end of the day, my goal is to migrate from some older Mirapoint LDAP servers. Mirapoint uses OpenLDAP, but adds their own schema to the mix, and I'll have to import that as well. I also need the Samba support. Since Samba is a recognized service and schema, I thought I'd start with that.

Following your advice, here are some of my relevant config lines (though, not Debian):

# rootdn can always read and write EVERYTHING!

database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none


rootdn          "cn=Manager,dc=ndtel,dc=com"

I can use cn=Manager,dc=ndtel,dc=com (and the associated password) to do other things (IE: see the existing structure and schemas in PHPLdapAdmin), but I cannot seem to update the config db.

Here's what happens when I attempt to import a schema LDIF, as explained at http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/:

[root@ldap1 ~]# ldapadd -x -W -D 'cn=Manager,dc=ndtel,dc=com' -W -f ./samba.ldif -H ldap://
Enter LDAP Password:
adding new entry "cn=samba,cn=schema,cn=config"
ldap_add: Insufficient access (50)

I have been researching this for a couple of days, and I can't seem to find the solution.

Centos 6.4, updated.

[root@ldap1 ~]# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08) $


If anything else is needed to help with this troubleshooting or to help me understand what it is I am missing (which is what I prefer: to learn), please let me know.