Re: Unable to edit cn=config
On 06/27/13 15:27 -0700, Michael Roth wrote:
Hi Dan, I'm still hitting my head against the wall on this one.
I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif
I then added "olcAuthzRegexp:
{0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=admin,dc=domain,dc=net"" at the bottom.
I then restarted slapd.
I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=onerecovery,dc=net
Looks good.
I then try to add the module again:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
You still need to make cn=admin,dc=onerecovery,dc=net the olcRootDN. You
don't need an olcRootPW in this instance.
Since you decided to manually edit the /etc/ldap/slap.d/cn=config/
hierarchy, which is not recommended, you should back up your config
with slapcat before proceeding, in case your config gets corrupted.
On Thu, Jun 27, 2013 at 11:07 AM, Dan White <dwhite@olp.net> wrote:
Or by creating an olcAuthzRegexp rule like:
dn: cn=config
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
and setting your olcRootDN to:
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,dc=example,dc=org
Since you don't have any of the above config in place, you have a chicken
and egg problem with manipulating your configuration. You should dump it to
portable ldif to modify it. See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
--
Dan White
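A simplified model of the two pieces Dan's reply depends on (the olcAuthzRegexp rewrite of the SASL EXTERNAL peercred identity, and the requirement that the rewritten DN be the config database's olcRootDN), as an added Python example that is not part of this thread or of OpenLDAP's code. It uses the identity and rule quoted above as constructed inputs and also shows why the '+' in the identity has to be escaped in the rule.

```python
import re

# Constructed values taken from the thread: the identity slapd assigns a
# root-owned ldapi:/// connection, and the authz-regexp rule Dan suggested.
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
ADMIN_DN = "cn=admin,dc=example,dc=org"

# olcAuthzRegexp values are (match regex, replacement) pairs tried in order;
# the first match wins and $0..$9 in the replacement expand to captures.
# This is a simplified model of that evaluation, not slapd's own code.
RULES_OK = [(r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth", ADMIN_DN)]
# Same rule with the '+' left unescaped: "0+" now means "one or more 0s",
# so the literal '+' in the peercred identity is never matched.
RULES_BAD = [(r"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", ADMIN_DN)]

def normalize_dn(dn):
    """Crude DN normalization: case-fold and drop blanks after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def map_authcid(authcid, rules):
    """DN the SASL identity is rewritten to; unchanged if no rule matches
    (slapd compiles these regexps case-insensitively, so IGNORECASE here)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid, flags=re.IGNORECASE)
        if m:
            out = replacement
            for i in range(len(m.groups()), -1, -1):
                out = out.replace(f"${i}", m.group(i))
            return out
    return authcid

def may_modify_config(authcid, rules, config_rootdn):
    """True only when the mapped identity equals olcRootDN of olcDatabase={0}config.
    The thread sets no olcAccess on cn=config, so rootDN is the only way in;
    anything else is what ldapmodify reports as 'Insufficient access (50)'."""
    if config_rootdn is None:
        return False
    return normalize_dn(map_authcid(authcid, rules)) == normalize_dn(config_rootdn)

if __name__ == "__main__":
    # Michael's state: the rewrite works, but olcRootDN of {0}config is unset.
    print(map_authcid(PEERCRED_ROOT, RULES_OK))                  # cn=admin,dc=example,dc=org
    print(may_modify_config(PEERCRED_ROOT, RULES_OK, None))      # False
    print(may_modify_config(PEERCRED_ROOT, RULES_OK, ADMIN_DN))  # True
    print(map_authcid(PEERCRED_ROOT, RULES_BAD))                 # identity unchanged
```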