
I have a query about OpenLDAP and importing an LDIF. I have OpenLDAP running on Windows.

My slapd.conf:

database    mdb
suffix      "dc=aaa,dc=com"
rootdn      "cn=Manager,dc=aaa,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw    secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
searchstack 20
# Indices to maintain
index mail pres,eq
index objectclass pres
index default eq,sub
index sn eq,sub,subinitial
index telephonenumber
index cn

I can view my connection using Apache active directory.

I can see dc=aaa,dc=com.

I am trying to import an LDIF file.

At the top, it contains:

dn: cn=ab3java,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ab3java

When I run

ldapmodify -a -x -D "cn=Manager,dc=aaa,dc=com" -w secret -H ldap:// -f ab3java.ldif

I get the following error:

adding new entry "cn=ab3java,cn=schema,cn=config"
ldap_add: Insufficient access (50)

I cannot see cn=config in the LDAP browser.

Please advise. How can I get the correct access?

Regards, B.

user518066
  • have you referred to this post? http://stackoverflow.com/questions/33647440/error-of-insufficient-access-when-binding-as-the-rootdn-rootpw – fenixan May 12 '16 at 05:35

1 Answer


What you want to do is not possible without migrating your server to the online configuration database. Your server probably is not configured for using the online configuration database, seeing how you use slapd.conf for the configuration and not the files under /etc/openldap/slapd.d. It is possible to use both slapd.d and slapd.conf, so you need to check. If OpenLDAP is not configured to use online configuration then you cannot change its configuration while the server is running. You need to edit /etc/openldap/slapd.conf and restart the server.

It is possible to have multiple backend databases in OpenLDAP, each with its own suffix and access controls. The database for which you have defined access controls in the example above is the one with the suffix dc=aaa,dc=com. The database you are trying to update has the suffix cn=config. It is the database where OpenLDAP stores its own configuration (if configured with the online configuration option). So the provided credentials will not match.

In general it is recommended to use the online configuration database as it is a superior method of running openldap. For more information about the cn=config database see this link: http://www.zytrax.com/books/ldap/ch6/slapd-config.html. This book also contains information on how to migrate from static configuration to online configuration.

Typically, the openldap configuration database will be protected so that it can only be accessed by the root user on the machine where the ldap server is running.

You can check this by looking at the configuration files for OpenLDAP, /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif. There should be a line similar to this:

olcAccess: {0} 
   to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
     manage 
   by * none

This means that the only person to have access to the configuration database will be the root user on the local system. You can add a root userid and password, but that will only open your ldap server to remote attacks.

Hans Then
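The point of the answer, that slapd routes each operation to the database owning the target DN and that a rootdn only bypasses access control inside its own database, can be made concrete with a small model. The script below is an added illustration written for this page; it is not OpenLDAP code and it is not from the answerer. It simplifies slapd's behaviour to the parts the question exercises (longest-suffix database selection, rootdn bypass, first-match evaluation of `by` clauses, the default `by * read` rule for a database without access directives). The two databases are constructed from the slapd.conf in the question and the olcAccess rule quoted in the answer; the result codes 0, 50 and 32 are the standard LDAP codes for success, insufficientAccessRights and noSuchObject.

```python
"""
Toy model of how slapd picks the backend for a target DN and then decides
whether the bound identity may write there.  Added illustration for this
Q&A; not OpenLDAP code.  Mirrors only what the question exercises.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# slapd privilege levels, weakest to strongest (slapd.access(5))
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Database:
    suffix: str
    rootdn: Optional[str] = None
    # (who, level) pairs of one "access to * by <who> <level>" rule,
    # evaluated in order; the first matching <who> wins, as in slapd
    access: List[Tuple[str, str]] = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces so DNs compare consistently
    (simplification: real DN normalisation is attribute-type aware)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_within(dn: str, suffix: str) -> bool:
    """True if dn is the suffix itself or lies beneath it."""
    dn_n, suffix_n = normalize_dn(dn), normalize_dn(suffix)
    return dn_n == suffix_n or dn_n.endswith("," + suffix_n)


def select_database(databases: List[Database], target_dn: str) -> Optional[Database]:
    """slapd hands a request to the database with the longest suffix the
    target DN falls under; cn=config is simply another database."""
    candidates = [db for db in databases if dn_within(target_dn, db.suffix)]
    if not candidates:
        return None
    return max(candidates, key=lambda db: len(normalize_dn(db.suffix)))


def who_matches(who: str, bind_dn: str) -> bool:
    """Subset of the <who> forms from slapd.access(5) that appear on this page."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who.startswith('dn.base="') and who.endswith('"'):
        return normalize_dn(bind_dn) == normalize_dn(who[len('dn.base="'):-1])
    return False


def access_level(db: Database, bind_dn: str) -> str:
    """The rootdn of *this* database bypasses ACLs; everyone else gets the
    level of the first matching <who> clause.  A database with no access
    directive falls back to slapd's built-in default 'by * read'."""
    if db.rootdn and normalize_dn(bind_dn) == normalize_dn(db.rootdn):
        return "manage"
    for who, level in (db.access or [("*", "read")]):
        if who_matches(who, bind_dn):
            return level
    return "none"


def ldap_add_result(databases: List[Database], bind_dn: str, target_dn: str) -> int:
    """LDAP result code an add would get: 0 success, 50 insufficientAccessRights,
    32 noSuchObject when no database holds the DN (ignores referrals)."""
    db = select_database(databases, target_dn)
    if db is None:
        return 32
    return 0 if LEVELS.index(access_level(db, bind_dn)) >= LEVELS.index("write") else 50


# Constructed from the page: the mdb database of the question's slapd.conf
# (no access directives, so the default applies) and a cn=config database
# protected exactly as the answer's olcAccess example describes.
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
DATABASES = [
    Database(suffix="cn=config",
             access=[('dn.base="%s"' % PEERCRED_ROOT, "manage"), ("*", "none")]),
    Database(suffix="dc=aaa,dc=com", rootdn="cn=Manager,dc=aaa,dc=com"),
]

if __name__ == "__main__":
    manager = "cn=Manager,dc=aaa,dc=com"
    schema_entry = "cn=ab3java,cn=schema,cn=config"
    # The question's situation: rootdn of dc=aaa,dc=com adding under cn=config
    print(ldap_add_result(DATABASES, manager, schema_entry))                # 50
    # The same bind writing inside its own database
    print(ldap_add_result(DATABASES, manager, "ou=people,dc=aaa,dc=com"))   # 0
    # Local root over ldapi:/// with SASL EXTERNAL, which the olcAccess rule allows
    print(ldap_add_result(DATABASES, PEERCRED_ROOT, schema_entry))          # 0
```

The first call reproduces the `Insufficient access (50)` in the question: `cn=Manager,dc=aaa,dc=com` is rootdn of the mdb database only, so against cn=config it is an ordinary bind that falls through to `by * none`. The third call shows why the answer's olcAccess rule is the intended path: the identity slapd derives from a local root connecting over ldapi:/// with SASL EXTERNAL matches the `dn.base` clause and gets `manage`.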