Modify or add information after conversion of slapd.conf to cn=config with fresh install of OpenLdap

Mon, 09 Jan 2012 03:30:44 -0800 

Hi!
I start with a fresh installation of openldap 2.4.28 on debian. They are some problem with the debian package, and with gnuTLS, so i compile a version with opennSSL library. 


It's hard to understand with the official documentation how to start a 
from scratch installation with the new cn=config administration of 
openLDAP. So, i make a conversion ( with the great help of users on this 
mailling list ) from slapd.conf to cn=config on the first launch of 
openLDAP with this commands :


|/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F 
/usr/local/etc/openldap/slapd.d/ -d -1

|

My slapd.conf.seb, really simple, equal :

|include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/gosa/samba3.schema
include         /usr/local/etc/openldap/schema/gosa/trust.schema
include         /usr/local/etc/openldap/schema/gosa/gofax.schema
include         /usr/local/etc/openldap/schema/gosa/gofon.schema
include         /usr/local/etc/openldap/schema/gosa/gosystem.schema
include         /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include         /usr/local/etc/openldap/schema/gosa/goto.schema
include         /usr/local/etc/openldap/schema/gosa/goserver.schema
include         /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include         /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/gosa/dnszone.schema
include         /usr/local/etc/openldap/schema/gosa/nagios.schema
include         /usr/local/etc/openldap/schema/gosa/dhcp.schema
include         /usr/local/etc/openldap/schema/gosa/sudo.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

database        bdb
suffix          "dc=parisgeo,dc=cnrs,dc=fr"
rootdn          "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw  {SSHA} secret
directory       /srv/openldap-data
index   objectClass     eq
|


I have no problem with this simple conversion, but after that, it's 
impossible to import data with this command ldapadd or ldapmodify.



I don't understand the default right for read/write for openLDAP, i try 
with ldapmodify, with bind and password, and i have the same problem :


||

|root@xxxx:/usr/local/etc/openldap# ldapadd -x -D 
"cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
    additional info: structuralObjectClass: no user modification allowed
|

I try to modify the right for cn=config with this sample :

|dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
|


Same problem, i have no right todo that, with or without option the 
password entry -W or bind option -D 
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr"


|root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f 
slapd.modify.root.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)

root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f 
slapd.modify.root.ldif Enter LDAP Password:
ldap_bind: Invalid credentials (49)

root@xxxxx:/usr/local/etc/openldap# ldapadd -D 
"cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f 
slapd.modify.root.ldif
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)|


Anybody have this problem in the past, and have an idea of the solution 
to create a good start configuration from scratch installation ? Do you 
think there is mistake in my simple installation/configuration ?



I also create a post on serverFault.Com site, but i have no answer at 
this time

http://serverfault.com/questions/342086/impossible-to-modify-or-add-information-after-conversion-of-slapd-conf-to-cn-con

Best regards,
SR























					Reply via email to