
I'm new to LDAP and for a school project I have access to part of my school's LDAP. I can bind with users that are in an Organizational Unit.

When I bind, I am able to see my password but not any other passwords from other users (that's normal, I guess, for security reasons).

So I have exported the LDIF of this LDAP and imported it on my own LDAP server for learning purposes.

ldapsearch commands work well and I retrieve all entries (except passwords, and that's normal).

So now I try to bind with any user; I've added a password via Apache Directory Studio to each LDAP user (inetOrgPerson under the ou where I usually search).

However, I can't bind.

I guess that it is due to wrong access rights.

I know that I must use the ldapmodify command and that I need to forge a directive like "access to * by * read" (with fewer rights than * ideally, but it would be great to begin with).

However, I can't find how to use this directive with ldapmodify.

I think that I must create an LDIF file to modify the config, but I don't understand which entry I should update.

Can anyone give me tips in order to modify the proper entry?

Thanks

Here is part of my config (domain edited to domain.fr):

    dn: olcDatabase={-1}frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcDatabase: {-1}frontend
    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
    olcAccess: {1}to dn.exact="" by * read
    olcAccess: {2}to dn.base="cn=Subschema" by * read
    olcSizeLimit: 500
    
    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {0}config
    olcAccess: {0}to * by * write
    
    dn: olcDatabase={1}mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: {1}mdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=domain,dc=fr
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read
    olcLastMod: TRUE
    olcRootDN: cn=admin,dc=domain,dc=fr
    olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
    olcDbCheckpoint: 512 30
    olcDbIndex: objectClass eq
    olcDbIndex: cn,uid eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: member,memberUid eq
    olcDbMaxSize: 1073741824
    search: 2
Mathias R. Jessen
Wargal
  • You can refer to this post [LDAP configuration ACL on centos 7](https://stackoverflow.com/q/58733133/2529954) (check your backend, it can be hdb, bdm, mdb). – EricLavault Nov 17 '21 at 12:06
  • Thanks, I'll look into it, my backend is indeed mdb according to my config (added in the post just now) – Wargal Nov 17 '21 at 14:36
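The question asks two things that can be worked through offline: which cn=config entry holds the ACL for the data database (it is the olcDatabase={1}mdb,cn=config entry shown in the dump above, the one with olcSuffix: dc=domain,dc=fr), and whether an "access to * by * read" rule is needed for binds to work. The following is an added example, not code from the question, the comments or the answer. It models a small subset of slapd.access(5) semantics (ordered rules, first matching "to" clause decides, first matching "by" clause inside it wins, "break" falls through, unmatched means denied, access levels form a ladder) and runs the question's own mdb rules through it; frontend-versus-database ordering, filters and dn.subtree selectors are not modelled, and the DNs uid=alice and uid=bob are constructed. It also builds the LDIF that would replace that entry's olcAccess list, which is the shape of the file the asker is looking for.

```python
"""Simplified evaluator for OpenLDAP olcAccess rules (added example, not from the
question or the answer).  Models a subset of slapd.access(5):
  * rules are tried in order; the first 'to' clause whose target matches the
    attribute being accessed decides;
  * inside it, the first matching 'by' clause wins; 'break' means "treat this
    clause as unmatched and continue with the next rule";
  * no matching 'by' clause, or no matching rule at all, means no access;
  * access levels are a ladder, so 'auth' is enough for a simple bind but not
    for reading the stored password hash.
Not modelled: frontend-vs-database ordering, filters, dn.subtree and friends.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    attrs: Optional[set]            # None means "to *" (whole entry, any attribute)
    by: List[Tuple[str, str]]       # [(who, level-or-control), ...] in order


def parse_olc_access(value: str) -> Rule:
    """Parse one olcAccess value, e.g. '{0}to attrs=userPassword by self write by * none'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())       # drop the {n} ordering prefix
    m = re.match(r"to\s+(\S+)\s+(.*)$", value)
    if not m:
        raise ValueError("not an access rule: " + value)
    target, rest = m.groups()
    if target == "*":
        attrs = None
    elif target.startswith("attrs="):
        attrs = {a.lower() for a in target[len("attrs="):].split(",")}
    else:
        raise ValueError("target selector not modelled here: " + target)
    tokens = rest.split()
    if len(tokens) % 3 or any(t != "by" for t in tokens[::3]):
        raise ValueError("malformed 'by' list: " + rest)
    by = [(tokens[i + 1], tokens[i + 2]) for i in range(0, len(tokens), 3)]
    for _, what in by:
        if what not in LEVELS and what != "break":
            raise ValueError("unknown access level or control: " + what)
    return Rule(attrs, by)


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """Does a 'by <who>' clause match the bound identity?  None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return requester is not None and requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError("who-clause not modelled here: " + who)


def allowed(rules, requester, entry_dn, attr, wanted) -> bool:
    """True if 'requester' gets at least 'wanted' access to 'attr' of 'entry_dn'."""
    need = LEVELS.index(wanted)
    for rule in rules:
        if rule.attrs is not None and (attr is None or attr.lower() not in rule.attrs):
            continue                            # this 'to' clause is about other attributes
        for who, what in rule.by:
            if not who_matches(who, requester, entry_dn):
                continue
            if what == "break":
                break                           # control: fall through to the next rule
            return LEVELS.index(what) >= need   # first matching 'by' clause decides
        else:
            return False                        # 'to' matched but nobody did: implicit 'by * none'
    return False                                # no rule matched at all: denied


def simple_bind_possible(rules, user_dn) -> bool:
    """A simple bind makes slapd check userPassword on behalf of an anonymous client: 'auth'."""
    return allowed(rules, None, user_dn, "userPassword", "auth")


def acl_replace_ldif(db_entry, rules_text) -> str:
    """LDIF that replaces the whole olcAccess list of one cn=config database entry."""
    lines = [f"dn: {db_entry}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {{{i}}}{r}" for i, r in enumerate(rules_text)]
    return "\n".join(lines) + "\n"


# The mdb rules exactly as they appear in the question's cn=config dump.
MDB_RULES_TEXT = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]
MDB_RULES = [parse_olc_access("{%d}%s" % (i, r)) for i, r in enumerate(MDB_RULES_TEXT)]

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=domain,dc=fr"      # constructed DNs
    bob = "uid=bob,ou=people,dc=domain,dc=fr"
    print("simple bind as alice possible    :", simple_bind_possible(MDB_RULES, alice))
    print("anonymous can read alice's hash  :", allowed(MDB_RULES, None, alice, "userPassword", "read"))
    print("bob can read alice's hash        :", allowed(MDB_RULES, bob, alice, "userPassword", "read"))
    print("alice can change her own password:", allowed(MDB_RULES, alice, alice, "userPassword", "write"))
    print(acl_replace_ldif("olcDatabase={1}mdb,cn=config", MDB_RULES_TEXT))
```

Run as is, the evaluator shows that the rules already in the question grant anonymous exactly "auth" on userPassword, which is what a simple bind needs, while denying "read" of the hash to anyone but the entry itself; a rule like "to * by * read" placed first would hand the hashes to every reader, so the userPassword rule must stay in front of it. The generated LDIF targets olcDatabase={1}mdb,cn=config and is the kind of file one feeds to ldapmodify -Y EXTERNAL -H ldapi:/// as root, which is the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth identity that the frontend rule in the question grants manage access to.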

1 Answer

Since you have imported the LDIF file into the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment, as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in the imported LDIF file.

To do this, you would need to modify the domain admin credentials using the following commands. The script shown below is a sample of how to modify the domain admin credentials and then try to bind the user using those credentials. Create a new LDIF file with the following contents:

    dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
    cn: XYZ
    sn: XYZ
    givenName: XYZ
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    ou: Accounting
    ou: People
    l: Santa Clara
    uid: XYZ
    mail: XYZ@example.com
    roomnumber: 5484
    userpassword: Pass@123

Then, add the entry using ldapmodify with the --defaultAdd option:

    ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
      --bindPassword password --defaultAdd --filename /tmp/new.ldif

With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the LDIF file name to the one you have and change the entries in the LDIF file to the actual ones from the original directory. Please find the link below for your reference:

https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html

Kartik Bhiwapurkar