2020-11-18

OpenLDAP local root access to OLC cn=config database

If, like me, you converted your OpenLDAP server installation from slapd.conf to OLC (On-Line Configuration), aka cn=config, you may find that local root privileges to modify your config are not configured; i.e. doing the following will fail:

ldapmodify -Y EXTERNAL -H ldapi:/// -f some_changes.ldif

This is because the olcRootDN of the cn=config database is probably not set to the identity that root is mapped to when connecting over ldapi. Mine looked something like:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcRootDN: cn=root,dc=example,dc=com

It may or may not also have an olcRootPW (root password) set.

You can check who you appear to be to the LDAP server with ldapwhoami, specifying the SASL mechanism (-Y) and the LDAP URI (-H):

# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

In this case, the EXTERNAL mechanism relies on the peer credentials of the Unix domain socket (the ldapi: transport), which tell the server the UID and GID of the client process; slapd turns those into the cn=peercred,cn=external,cn=auth DN shown above. It only works for local clients connecting over that socket.

The fix is straightforward. First, create a file to replace the olcRootDN field:

# replace_olcrootdn.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

If you also have an olcRootPW attribute, add a second operation to the same entry (after a line containing only "-") that reads "delete: olcRootPW", since a password makes no sense for the peercred identity. Then apply the changes, binding as the current rootDN:

# ldapmodify -D cn=root,dc=example,dc=com -w somepassword -H ldapi:/// -f replace_olcrootdn.ldif

And that should do it. From now on, you should be able to modify the OLC with "-Y EXTERNAL -H ldapi:///" whenever you are root on the server. The rootDN is not subject to olcAccess rules, so the "to * by * none" ACL above does not get in the way; it also means anyone with root on the host owns the configuration, which is the intended trust boundary here.
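The whole procedure (check the ldapi identity, generate the LDIF including the optional olcRootPW removal, apply it) as a small POSIX shell helper. This is an added example, not code from the original post; it assumes the default ldapi:/// socket and the peercred DN format shown above, and the sample ldapwhoami output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the post). Helpers around the OLC rootDN fix.

# Pull the "dn:" line out of ldapwhoami output read from stdin.
# slapd prints "dn:gidNumber=..." without a space, so allow either form.
whoami_dn() {
  sed -n 's/^dn:[[:space:]]*//p' | head -n 1
}

# True only if the DN is the peercred identity of uid 0 / gid 0, i.e.
# what root gets over ldapi. Refuse to install anything else as rootDN.
is_root_peercred() {
  case "$1" in
    gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the LDIF for olcDatabase={0}config: replace olcRootDN with $1 and,
# when $2 is "yes", delete olcRootPW as a second operation (separated by
# the "-" line that LDIF requires between operations on one entry).
make_fix_ldif() {
  dn="$1"
  drop_pw="${2:-no}"
  printf '%s\n' \
    'dn: olcDatabase={0}config,cn=config' \
    'changetype: modify' \
    'replace: olcRootDN' \
    "olcRootDN: $dn"
  if [ "$drop_pw" = yes ]; then
    printf '%s\n' '-' 'delete: olcRootPW'
  fi
}

# End-to-end use, run as root on the LDAP host (constructed outline):
#   dn=$(ldapwhoami -Y EXTERNAL -H ldapi:/// 2>/dev/null | whoami_dn)
#   is_root_peercred "$dn" || { echo "not root peercred: $dn" >&2; exit 1; }
#   make_fix_ldif "$dn" yes > replace_olcrootdn.ldif
#   ldapmodify -D cn=root,dc=example,dc=com -W -H ldapi:/// -f replace_olcrootdn.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f some_changes.ldif   # should now succeed
```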

This post is expanded from this answer at Server Fault.
