
Re: OpenLdap provider-client replication error



Hi,

On Tue, 11 Mar 2014, Seun Ojedeji wrote:

Hello Christian,

Thanks for the pointer. I followed your suggestion and it worked on the
provider server.

However the customer server is still throwing the same error, even though I
used the root unix user. Below is the config on the customer side:
http://pastebin.com/9zanEh8c

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_sync_consumer.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

Your other server has a totally different configuration for cn=config:



    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {0}config
    structuralObjectClass: olcDatabaseConfig
    entryUUID: f08d9646-a28f-1031-9ff3-c94fbd1c81f2
    creatorsName: cn=config
    createTimestamp: 20121004165443Z
    olcRootDN: cn=admin,cn=config
    olcRootPW:: .....
    entryCSN: 20121004165515.430118Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20121004165515Z

olcRootPW is a SHA hash of the password.

modifiersName suggests that the config once had the same olcAccess configuration as your other server, but olcAccess has been deleted.

You have three options:

1. If you remember the password you have set for cn=admin,cn=config use that with

	ldapmodify -x -w pass -D cn=admin,cn=config -H ldap://...

2. Dump the config using slapcat -n0, edit and reimport using slapadd -n0

3. Ask the NSA if they can crack your SHA hash. Even though these things are hashes, you should not really post secrets to pastebin.


Greetings
Christian



Thanks again

Cheers!


On Tue, Mar 11, 2014 at 1:28 PM, Christian Kratzer <ck-lists@cksoft.de> wrote:

Hi,

On Tue, 11 Mar 2014, Seun Ojedeji wrote:

 Hello thanks for your response,

On Tue, Mar 11, 2014 at 11:01 AM, Christian Kratzer <ck-lists@cksoft.de> wrote:

 Hi,


On Tue, 11 Mar 2014, Seun Ojedeji wrote:
How do I fix the insufficient access problem? I am using the admin that has
full write access on ldap.

<snipp/>

 It's a fresh ldap setup and I only have one admin user created (with one
personal user). Here is the script I used in setting up ldap:
http://pastebin.com/JagCtptS


Your acl for cn=config is as follows:

    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {0}config
    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

This only allows the unix root user to manage cn=config.

The admin user you are using is for managing access to the main directory.

To manage cn=config in this setup you should use

    ldapadd -Y EXTERNAL  -H ldapi:///
    ldapmodify -Y EXTERNAL  -H ldapi:///


 1. your openldap version


openldap-2.4.28



Do yourself a favor and upgrade to 2.4.39 before starting with any serious
openldap work.

You can get up-to-date rpm and deb packages from
http://ltb-project.org/wiki/

Greetings
Christian






2. your full configuration (preferably on pastebin or such)


  Use slapcat -n0 to extract the config


http://pastebin.com/U6SmeFNC


Thanks again for helping out


Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
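The check a practitioner wants before picking one of the three options above, as an added example that is not part of this thread: a small POSIX shell script that reads an `slapcat -n0` dump, unfolds LDIF continuation lines, and reports whether the `olcDatabase={0}config` entry still grants `manage` to the unix-root peercred identity that `-Y EXTERNAL -H ldapi:///` binds as. It also emits the LDIF that puts that rule back. The two sample dumps are constructed for the example (modelled on the consumer and provider entries quoted in the thread; the olcRootPW value is a placeholder, not a real hash), and the function names are mine, not anything from OpenLDAP.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from an `slapcat -n0` dump
# whether the unix-root EXTERNAL identity can still manage cn=config, and
# generate the LDIF that puts the missing olcAccess rule back.
# Function names and the sample dumps below are constructed for this example.

# Unfold LDIF: a line starting with a single space continues the previous line.
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (NR > 1) print buf; buf = $0 }
        END   { print buf }
    '
}

# Print only the olcDatabase={0}config entry (records are blank-line separated).
config_db_entry() {
    ldif_unfold | awk -v dn='dn: olcDatabase={0}config,cn=config' '
        BEGIN { RS = ""; FS = "\n" }
        $1 == dn { print; exit }
    '
}

# Identity that `ldapmodify -Y EXTERNAL -H ldapi:///` gets when run as root.
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Report how the config database can be written:
#   manage      - olcAccess grants manage to the unix-root peercred DN
#   rootdn-only - no such rule; only olcRootDN with its olcRootPW can write
#   no-entry    - the dump contains no {0}config entry at all
root_access_status() {
    entry=$(config_db_entry)
    if [ -z "$entry" ]; then
        echo no-entry
    elif printf '%s\n' "$entry" |
         grep -q "^olcAccess:.*by dn\.exact=$ROOT_PEERCRED manage"; then
        echo manage
    else
        echo rootdn-only
    fi
}

# LDIF that restores the rule. Apply it with the olcRootDN credentials
# (option 1 above), e.g.
#   ldapmodify -x -W -D cn=admin,cn=config -H ldap://localhost -f restore.ldif
# or offline (option 2): stop slapd, slapcat -n0 > cfg.ldif, add the
# olcAccess line to the {0}config entry, back up slapd.d, slapadd -n0 -l cfg.ldif
restore_acl_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=$ROOT_PEERCRED manage by * break
EOF
}

# Constructed sample dumps modelled on the entries quoted in the thread.
# The olcRootPW value is a placeholder (base64 of "{SSHA}..."), not a real hash.
BROKEN_DUMP='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW:: e1NTSEF9Li4u
structuralObjectClass: olcDatabaseConfig
'

# Provider-style dump; the olcAccess value is folded over two lines on purpose,
# and the {1}hdb entry carries its own unrelated olcAccess rule.
GOOD_DUMP='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}hdb
olcAccess: {0}to * by * read
'

consumer_status=$(printf '%s\n' "$BROKEN_DUMP" | root_access_status)
provider_status=$(printf '%s\n' "$GOOD_DUMP" | root_access_status)
echo "consumer config: $consumer_status"   # rootdn-only
echo "provider config: $provider_status"   # manage
restore_acl_ldif
```

Before reaching for the restore LDIF, confirm which identity the EXTERNAL bind actually produces: `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root should print `dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`. If it prints a different uid/gid pair (an ldapi socket reached through sudo to another account, for instance), the ACL and the identity disagree and no ACL edit will help. Note also that `add: olcAccess` appends to any rules already present; on the consumer entry quoted above there are none, so the new rule becomes `{0}`.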