
Re: Quick newbie pointer - unauth ldap* commands as root on ldap master



On 15/09/11 18:18 +0100, Tim Watts wrote:
> Hi,
>
> Sorry - this will sound really dumb... For people who aren't very LDAP savvy, what's the cleanest way to rig an LDAP server that I have root access to to:
>
> allow unprompted ldap* commands (eg ldapmodify).
>
> GoSA has got confused creating a user and I need to manually force some ldif files with minor changes through...
>
> MIT Kerberos has a kadmin.local command that does not care about authentication because it has direct access to the database files.
>
> Is there something similar for OpenLDAP? This is a files based ldap server, not using SQL.
>
> I have located an ldap.secret file but am having trouble authenticating with its content. I'm fairly confused because LDAP appears to have many many ways to handle authentication...

You could use slapcat(8) to add entries.

What I prefer to do instead is use SASL EXTERNAL authentication over
ldapi:///, which allows me to use all the standard command line utilities
(e.g. ldapsearch). The following is from an older server using a
slapd.conf config:

# Map the root user to the rootdn
authz-regexp
  "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=example,dc=net"

See slapd.conf(5)/slapd-config(5). Then configure default
parameters in your ldap.conf, such as:

BASE   dc=example,dc=net
URI    ldapi:///

And set your /root/.ldaprc to:

SASL_MECH EXTERNAL

See ldap.conf(5).

You'll need to configure your slapd server to listen on ldapi:///, which
might be configured in your init.d startup script or, on some Linux
distributions, in /etc/default/slapd.

After doing so, I can add entries with:

ldapadd -f entries.ldif

When connecting from remote servers, I use a similar setup using SASL
GSSAPI authentication.

--
Dan White
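As an added illustration (not part of the thread, and not OpenLDAP's own code), the following Python models what the authz-regexp line in the reply does: slapd turns the Unix socket peer credentials into an authentication identity and rewrites it through the first matching rule. It goes slightly beyond the post by also modelling the GSSAPI identity form for the remote case; the Kerberos realm, the ou=people branch and the whole-string, case-insensitive matching are assumptions, and the only identity that reaches cn=admin is uid 0 with gid 0, which is why the rule should never be loosened to something like `.*`.

```python
import re
from typing import List, Optional, Tuple

# Rule pairs as in slapd.conf: authz-regexp <pattern> <replacement>.
# The first pair is the rule from the post; the GSSAPI pair is a constructed
# example of the remote setup the post only mentions (realm/ou are assumed).
AUTHZ_RULES: List[Tuple[str, str]] = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=example,dc=net"),
    (r"uid=([^,]+),cn=example\.net,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=net"),
]


def peercred_authcid(uid: int, gid: int) -> str:
    """Identity slapd derives for SASL EXTERNAL over ldapi:/// from the
    connecting process's peer credentials (its uid and gid, nothing else)."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def gssapi_authcid(principal: str) -> str:
    """Identity slapd derives for SASL GSSAPI from a user@REALM principal."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def apply_authz_regexp(authcid: str,
                       rules: List[Tuple[str, str]] = AUTHZ_RULES) -> Optional[str]:
    """Rewrite an authcid through authz-regexp rules: the first matching
    pattern wins and $1..$9 in the replacement are filled from its groups.
    Whole-string, case-insensitive matching is an assumption of this model;
    consult slapd.conf(5) for the exact semantics. None means no rule
    matched, so the identity is not mapped and gets no admin rights."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None
```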