
This is the second day I have been trying to add the first entry to OpenLDAP 2.4.44.

Configuration:

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,ou=kyc-sandbox,dc=domain,dc=eu" read by * none

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: ou=sandbox,dc=domain,dc=eu
olcRootDN: cn=admin,ou=sandbox,dc=domain,dc=eu
olcRootPW: {SSHA}qBaRencYaGnITygKWsFCuk2T8UkN
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,ou=sandbox,dc=domain,dc=eu" write  by * none

Entry:

ldapadd -Y EXTERNAL -H ldapi:///
dn: ou=sandbox,dc=domain,dc=eu
dc: domain
objectClass: dcObject
objectclass: organizationalUnit
ou: sandbox

adding new entry "ou=sandbox,dc=domain,dc=eu"
ldap_add: Insufficient access (50)
    additional info: no write access to parent

Alternatively, I receive this error:

ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

How can I add the root entry?

Leos Literak
This tutorial works: https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html – Leos Literak May 15 '20 at 12:46

1 Answer

The -H ldapi:/// -Y EXTERNAL pattern authenticates you based on your Unix user id. In your paste above, the olcAccess on your olcDatabase={2}hdb,cn=config grants gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read access only, not write.

cn=admin,ou=sandbox,dc=domain,dc=eu is the olcRootDN (and also has write access assigned, which is redundant), so you should use Simple authentication with this DN and its password:

ldapadd -x -D cn=admin,ou=sandbox,dc=domain,dc=eu -W
rtandy
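As an added illustration of the answer's point (not code from the question or the answer), here is a small Python helper that evaluates an olcAccess value the way slapd does: the first matching `by` clause wins, and the olcRootDN bypasses the ACL entirely. The olcAccess string and DNs are copied from the question's {2}hdb database; the "fixed" variant is an assumption showing the usual change when the ldapi:/// EXTERNAL root identity is meant to write.

```python
import re
from typing import Optional

# Copied from the question: the olcAccess on olcDatabase={2}hdb,cn=config.
HDB_OLCACCESS = ('{0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
                 'by dn.base="cn=admin,ou=sandbox,dc=domain,dc=eu" write  by * none')
# Assumed fix (not from the page): give the local root identity manage instead of read.
HDB_OLCACCESS_FIXED = ('{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage '
                       'by dn.base="cn=admin,ou=sandbox,dc=domain,dc=eu" write by * none')
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# slapd.access(5) privilege levels, lowest to highest; a level implies all lower ones.
# (add/delete, the finer splits of write, are omitted for brevity.)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_olcaccess(value: str):
    """Split an olcAccess value into (<what>, [(<who>, <level>), ...])."""
    value = re.sub(r"^\{\d+\}", "", value).strip()      # drop the {n} ordering prefix
    m = re.match(r"to\s+(\S+)\s+(.*)$", value)
    if not m:
        raise ValueError("unrecognised olcAccess syntax")
    clauses = re.findall(r'by\s+((?:dn\.\w+="[^"]*"|\S+))\s+(\w+)', m.group(2))
    return m.group(1), clauses

def normalize_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.lower().split(","))

def access_for(bind_dn: str, olcaccess: str, rootdn: Optional[str] = None) -> str:
    """Access level slapd grants bind_dn under this olcAccess (rootdn bypasses ACLs)."""
    if rootdn and normalize_dn(bind_dn) == normalize_dn(rootdn):
        return "manage"
    _, clauses = parse_olcaccess(olcaccess)
    for who, level in clauses:                           # first matching clause wins
        if who == "*":
            return level
        if who.startswith('dn.base="') and normalize_dn(who[9:-1]) == normalize_dn(bind_dn):
            return level
    return "none"                                        # no clause matched: implicit deny

def can_write(bind_dn: str, olcaccess: str, rootdn: Optional[str] = None) -> bool:
    return LEVELS.index(access_for(bind_dn, olcaccess, rootdn)) >= LEVELS.index("write")
```

Running `can_write(PEERCRED_ROOT, HDB_OLCACCESS)` reproduces the question's failure (read only, hence "no write access to parent"), while the same identity under the fixed ACL, or the rootdn under any ACL, may write.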