I am trying to add a user to an existing and running OpenLDAP server. The server was set up by someone else (who is difficult to reach...) and is actively being used. Now I would like to add a new user, but get stuck with insufficient access.

The command I tried for adding a user is the following:

ldapadd -H ldap://servername -D "cn=admin,ou=..." -W -f ldap-userfile

The response I get is

adding new entry "cn=username,ou=..."
ldap_add: Insufficient access (50)
    additional info: no write access to parent

The info to use in the above command I got from

ldapsearch -x -LLL uid=*

and this was the only one with admin in the name.

Note: I am root on the server where ldap is installed, so I can do pretty much anything. The only thing I should avoid is permanently changing any passwords, as others have to perform some tasks as well.

I did have a look at /etc/openldap, but to no avail. I have no clue about openldap, so it does not help me. Under /etc/openldap/certs/password I can find a password, but I have no idea of what to use with it.

If it helps: The server is running CentOS 6.10, openldap version is 2.4.40.

EDIT: SOLVED. See my own answer below.

laolux

2 Answers

Create an LDIF file for the new user. The following is a sample LDIF file that will be used to create a new user.

# cat adam.ldif
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Now, use the ldapadd command and the above LDIF file to create a new user called adam in our OpenLDAP directory, as shown below:

# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,ou=users,dc=tgs,dc=com"
vidarlo
  • That does not work. Using "cn=ramesh..." obviously fails with `ldap_bind: Invalid credentials (49)` and using the existing "cn=admin..." fails with `ldap_add: Insufficient access (50)`, as described in the post. – laolux Oct 05 '20 at 07:14

Ok, I got it solved by using this answer.

To summarize: I found out which ID to use with

ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess

and then ran

ldapadd -H ldapi://servername -D "cn=Manager,..." -W -f ldapfile
laolux
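As an added example that is not part of the question or either answer: a small Python script that parses the LDIF produced by the cn=config search above and lists, per database, which identities can modify it (the olcRootDN, which bypasses olcAccess entirely, plus every "by" clause granted write or manage). The sample LDIF, its DNs, and the inclusion of olcSuffix/olcRootDN beyond the olcAccess attribute the query asked for are constructed for illustration; the script does not bind to any server.

```python
import re

# Constructed sample of what the cn=config search above returns with -o ldif-wrap=no;
# olcSuffix and olcRootDN are included alongside olcAccess, and every DN is made up.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,ou=people,dc=example,dc=com" read by * none
olcAccess: {1}to * by self write by dn.exact="cn=Manager,dc=example,dc=com" write by * read
"""

# One "by <who> <level>" clause (<who> may carry a quoted DN); "+w"/"=rscx" modifier forms are not handled.
ACCESS_RE = re.compile(r'\bby\s+((?:"[^"]*"|[^\s"])+)\s+'
                       r'(none|disclose|auth|compare|search|read|write|manage)\b')


def parse_ldif(text):
    """Split unwrapped LDIF into records of {attribute: [values]} (base64 '::' values stay encoded)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = {}
        elif not line.startswith('#'):
            attr, _, value = line.partition(':')
            current.setdefault(attr.strip(), []).append(value.lstrip(': ').rstrip())
    if current:
        records.append(current)
    return records


def write_identities(records):
    """Map each olcDatabase DN to the identities able to modify it: the rootdn
    (which bypasses olcAccess entirely) plus every 'by' clause granted write or manage."""
    result = {}
    for rec in records:
        dn = rec.get('dn', [''])[0]
        if not dn.startswith('olcDatabase='):
            continue
        grants = {f'{r} (rootdn, bypasses olcAccess)' for r in rec.get('olcRootDN', [])}
        for rule in rec.get('olcAccess', []):
            grants.update(f'{who} ({level})' for who, level in ACCESS_RE.findall(rule)
                          if level in ('write', 'manage'))
        result[dn] = sorted(grants)
    return result
```

Run it against the real output of the ldapsearch above (with -o ldif-wrap=no, and olcRootDN added to the requested attributes) to see which bind DN is expected to be able to add entries, and which other identities have write access that may be worth reviewing.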