
Re: Quick newbie pointer - unauth ldap* commands as root on ldap master



On 19/09/11 15:58, Dan White wrote:
On 15/09/11 18:18 +0100, Tim Watts wrote:
Hi,

Sorry - this will sound really dumb... For people who aren't very LDAP
savvy, what's the cleanest way to rig an LDAP server that I have root
access to so that it will:

allow unprompted ldap* commands (eg ldapmodify).

GoSA has got confused creating a user and I need to manually force
some ldif files with minor changes through...

MIT Kerberos has a kadmin.local command that does not care about
authentication because it has direct access to the database files.

Is there something similar for OpenLDAP? This is a files based ldap
server, not using SQL.

I have located an ldap.secret file but am having trouble
authenticating with its content. I'm fairly confused because LDAP
appears to have many many ways to handle authentication...

You could use slapcat(8) to add entries.

What I prefer to do instead is use SASL EXTERNAL authentication over
ldapi:///, which allows me to use all the standard command line utilities
(e.g. ldapsearch). The following is from an older server using a
slapd.conf config:

# Map the root user to the rootdn
authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=admin,dc=example,dc=net"

See slapd.conf(5)/slapd-config(5). Then configure default
parameters in your ldap.conf, such as:

BASE dc=example,dc=net
URI ldapi:///

And set your /root/.ldaprc to:

SASL_MECH EXTERNAL

See ldap.conf(5).

You'll need to configure your slapd server to listen on ldapi:///, which
might be configured in your init.d startup script or, on some Linux
distributions, in /etc/default/slapd.

After doing so, I can add entries with:

ldapadd -f entries.ldif

When connecting from remote servers, I use a similar setup using SASL
GSSAPI authentication.


That's very interesting - I will also try that - thanks Dan.

Cheers

Tim

--
Tim Watts
Personal Email
Personal website and blog: http://www.dionic.net/tim/
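As an added example (not code from Dan or Tim), the steps above collected into a small POSIX sh script: it checks that root's peer-credential identity on the ldapi:/// socket really is rewritten to the rootdn before it pushes an LDIF, and if the rewrite is missing it prints the cn=config (olcAuthzRegexp) form of the same authz-regexp. It assumes the rootdn from the thread, cn=admin,dc=example,dc=net (override with ROOTDN), Debian's /etc/default/slapd for the listener check, and that the cn=config regexp shown is equivalent to the slapd.conf line; verify with ldapwhoami on your own server.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check SASL EXTERNAL over
# ldapi:/// before applying an LDIF as root, and show the cn=config form of
# the authz-regexp if the root -> rootdn mapping is missing.
# Assumptions: rootdn is cn=admin,dc=example,dc=net (override with ROOTDN),
# listener configured in Debian's /etc/default/slapd (SLAPD_SERVICES).
set -eu

ROOTDN="${ROOTDN:-cn=admin,dc=example,dc=net}"

# Identity slapd derives from the Unix-socket peer credentials before any
# authz-regexp runs: the caller's gid and uid, in this fixed order.
peercred_dn() {
    uid=$1; gid=$2
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$gid" "$uid"
}

# Classify one line of ldapwhoami output ("dn:<identity>"):
#   mapped   - an authz-regexp rewrote the peercred identity to the rootdn
#   unmapped - the raw peercred identity came back, so no regexp matched
#   other    - some other DN (e.g. a user entry)
classify_whoami() {
    case "$1" in
        "dn:$ROOTDN")                          echo mapped ;;
        dn:*,cn=peercred,cn=external,cn=auth)  echo unmapped ;;
        *)                                     echo other ;;
    esac
}

# cn=config form of the thread's slapd.conf authz-regexp (assumed equivalent;
# the "+" is escaped because the first field is a regular expression).
authz_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth $ROOTDN
EOF
}

# Apply an LDIF over ldapi:/// as root, refusing unless root maps to the
# rootdn. Mechanism and URI are passed explicitly so this does not depend on
# /root/.ldaprc or ldap.conf.
apply_ldif() {
    ldif=$1
    # Heuristic listener check for Debian/Ubuntu; other distributions keep
    # the -h/-l options in the init script instead.
    if [ -r /etc/default/slapd ] && ! grep -q 'ldapi:///' /etc/default/slapd; then
        echo "slapd is not configured to listen on ldapi:/// (check SLAPD_SERVICES)" >&2
        return 1
    fi
    who=$(ldapwhoami -Q -Y EXTERNAL -H ldapi:///)
    case "$(classify_whoami "$who")" in
        mapped) ;;
        unmapped)
            echo "root is not mapped to $ROOTDN; add the regexp, e.g.:" >&2
            authz_ldif >&2
            return 1 ;;
        *)
            echo "unexpected identity from ldapwhoami: $who" >&2
            return 1 ;;
    esac
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif"
}

# Usage: sh ldapi-apply.sh changes.ldif   (no argument: only define functions)
if [ -n "${1:-}" ]; then
    apply_ldif "$1"
fi
```

The regexp only grants the rootdn to a caller whose socket peer credentials are uid 0 and gid 0, so it is not an escalation: root can already read the database files under the slapd data directory, exactly as with kadmin.local. A non-root process on the same socket still authenticates with EXTERNAL, but as its own gidNumber=N+uidNumber=M identity, which matches no regexp and holds only whatever the ACLs grant that DN (normally nothing). Whether the regexp is in slapd.conf or cn=config, `ldapwhoami -Q -Y EXTERNAL -H ldapi:///` is the check: it must print dn:cn=admin,... rather than the raw peercred DN.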