Woe is me! I have to deal with good ol' OpenLDAP. I have installed OpenLDAP by installing RPMs openldap-servers, openldap and openldap-clients. I want to change the olcSuffix from the default:
olcSuffix: dc=my-domain,dc=com
To my real domain. So I created this file, ex.ldif:
# pwd
/etc/openldap
# cat ex.ldif
dn: olcDatabase{2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
Then I execute:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ex.ldif
But I get this error message:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Other (e.g. implementation specific) error (80)
And nothing is updated in my /etc/openldap/slapd.d configs.
I disabled selinux and the problem went away.
I have been trying to apply this dlif to my openldap server:
$ cat acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
I believe this should allow user with DN: "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" to update the attributes ipServicePort and description on "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
This seems to apply fine:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
When I search for it I can find my updated entry:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config 'olcDatabase={1}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: ALL
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=thedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * n
one
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" w
rite by * read
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,
dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=p
eople,dc=thedomain,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=thedomain,dc=com
olcRootPW: {SSHA}HASHEDPW
olcSyncrepl: {0}rid=003 provider=ldap://ldap.city.thedomain.com binddn="cn
=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU s
earchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 re
try="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap1.domain.ie.aws.thedomain.net binddn
="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2
nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:1
0 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, when I try to make a change using these credentials, it still fails:
$ cat /tmp/modify.ldif
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: ipServicePort
ipServicePort: 1485176342
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: description
description: Updated by ldap.city.thedomain.com on Mon Jan 23 12:59:02 UTC 2017
Running:
$ ldapmodify -H ldap://localhost -w PASSWORD -D "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" -f /tmp/modify.ldif
modifying entry "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
ldap_modify: Insufficient access (50)
I also tried making my ACL slightly less restrictive to try to understand what wasn't working, I have tried the following acl.ldif files:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to * by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
The only thing I didn't try yet, as I was hoping to avoid making the db this insecure, even during testing, was to allow * to write this record, or * to write to all records.
I've taken the dn of the record I want to allow editing on from Apache Directory Studio, which shows me:
DN: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
And my users DN from the same:
DN: mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com
I'm sure I'm doing something obviously idiotic, as my knowledge of ldap is poor and reading the documentation is painful for me. I'm hoping someone can spot my obvious error and suggest a correction as I can't see what I have done wrong after a large number of hours of tinkering.
Thank you to JoBbZ in #openldap IRC. This is a simple misunderstanding on my part. Order matters in ACL rules. LDAP will stop looking on the first match, so I need to save my olcAccess as 2 not 3
I try to setup an OpenLDAP Server with mdb backend. But neither the version from packet repository nor a self compiled version (to be shure that back_mdb is compiled into slapd) works for me.
Config database is accessible, log doesn't print any errors and the database file is created (data.mdb) - but my root (suffix) won't show up and isn't writeable.
A basic configuration suggested by the OpenLDAP administrator's guide won't help either.
My config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database mdb
maxsize 1073741824
suffix "dc=directory,dc=local"
rootdn "cn=admin,dc=directory,dc=local"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
directory /var/lib/openldap/openldap-data
index objectClass eq
access to dn.subtree="ou=contacts,dc=directory,dc=local" by self write by dn="cn=server,ou=people,dc=directory,dc=local" write by dn="cn=phone,ou=people,dc=directory,dc=local" read
access to * by dn="cn=admin,dc=directory,dc=local" write by anonymous auth by dn.subtree="ou=people,dc=directory,dc=local" read by * none
database config
rootdn "cn=admin,cn=config"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
I had to add the ldif to create my root dn on the localhost.
Create LDIF file:
dn: dc=directory,dc=local
dc: directory
o: directory.local
objectClass: top
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
Add the LDIF file and recreate database index:
slappadd -b "dc=directory,dc=local" -v -l basedn.ldif
slapindex
Start the ldap daemon and there it is: my root dn.
I've got over 150 GB of logs in /var/lib/ldap/accesslog and for some reason they won't rotate out or purge old logs. I'm not sure what I'm missing.
I'm using HDB.
I'm using an OLC setup, so I have no slapd.conf file.
My Slapd version is 2.4.31-1+nmu2ubuntu8.2
My AccessLog overlay is configured with:
dn: olcOverlay={1}accesslog
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 7+00:00 1+00:00
olcAccessLogSuccess: TRUE
...
Unfortunately I still have log files dated from November of 2014, which is probably when this server was upgraded to Ubuntu 14.04 LTS and the LDAP services were re-initialized from a backup LDIF file.
I've tried creating a DB_CONFIG file in the accesslog directory containing the following:
set_flags DB_LOG_AUTOREMOVE
to no avail.
So apparently the "set_flags DB_LOG_AUTOREMOVE" didn't kick in until I restarted the slapd service. As soon as I did the old logs were purged out.
I am on OpenLdap and trying to modify an entry via an LDIF with slapadd command.
#LDIF
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
But I am getting below error....
54a0fc8e <= str2entry: str2ad(changetype): attribute type undefined
Why changetype is not taken by slapadd command?
Also when I manually try to change the password on ldap browser I get following on the
logs
#!RESULT ERROR
#!CONNECTION ldap://<MY_MACHINENAME>:389
#!DATE 2014-12-29T10:14:16.930
#!ERROR [LDAP: error code 8 - modifications require authentication]
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: S2l0ZXNGbHk=
LDAP: error code 8 - modifications require authentication? Which Authenication is required?
An ldif file like this (containing changetype entries) should be used with ldapadd, not slapadd.