ldap_modify: Insufficient access (50) for cn=config as -H ldapi:/// -Y EXTERNAL


Your current rootdn is cn=admin,cn=config, and your current rootpw is "secret".

SASL/EXTERNAL is enabled and working. However, the configuration of your cn=config database does not give root (aka gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) any special permissions.

To convert your rootdn to be local root you should run the following or its equivalent.

ldapmodify -D cn=admin,cn=config -w secret -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
replace: olcrootdn
olcrootdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
delete: olcrootpw
-
EOF
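As an added example that is not part of the original answer, the POSIX shell script below takes a `slapcat -n0` dump (a constructed sample built from the question's config entry is embedded), reports whether root's ldapi:/// peercred identity can already write cn=config, and otherwise prints the ldapmodify from the answer. The function names, the sample and the use of `-W` instead of a password on the command line are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original answer: decide whether root's
# SASL/EXTERNAL identity over ldapi:/// can already write cn=config and,
# if not, print the ldapmodify the answer describes. A database's rootdn
# bypasses olcAccess, so "to * by * none" blocks peercred but not cn=admin.

ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
# Constructed sample: the relevant lines of the slapcat -n0 dump in the question.
SAMPLE_CONFIG='dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcRootDN: cn=admin,cn=config
olcRootPW:: c2VjcmV0'

# ldif_attr NAME LDIF: print the first value of attribute NAME (LDAP attribute
# names are case-insensitive, so olcrootdn and olcRootDN are the same).
ldif_attr() {
    printf '%s\n' "$2" | awk -F: -v name="$1" '
        tolower($1) == tolower(name) { sub(/^[^:]*:[ ]*/, ""); print; exit }'
}

# external_root_has_access LDIF: succeed if the peercred DN is the rootdn or an
# olcAccess value grants it write/manage, fail otherwise.
external_root_has_access() {
    rootdn=$(ldif_attr olcRootDN "$1")
    [ "$rootdn" = "$ROOT_PEERCRED" ] && return 0
    printf '%s\n' "$1" | grep -i '^olcAccess:' | grep -F "$ROOT_PEERCRED" \
        | grep -Eq ' (write|manage)' && return 0
    return 1
}

# The answer's change as LDIF: make local root the rootdn and drop the rootpw.
rootdn_fix_ldif() {
    printf '%s\n' 'dn: olcDatabase={0}config,cn=config' 'changetype: modify' \
        'replace: olcRootDN' "olcRootDN: $ROOT_PEERCRED" '-' 'delete: olcRootPW' '-'
}

main() {
    config=${1:-$SAMPLE_CONFIG}   # real use: sh check.sh "$(slapcat -n0)"
    if external_root_has_access "$config"; then
        echo "root over ldapi:/// can already modify cn=config"
    else
        echo "root over ldapi:/// is blocked; apply as the current rootdn (-W prompts for rootpw):"
        echo "ldapmodify -D '$(ldif_attr olcRootDN "$config")' -W -H ldapi:/// <<EOF"
        rootdn_fix_ldif
        echo 'EOF'
    fi
}
main "$@"
```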


Updated on September 18, 2022

Comments

  • Leo
    Leo over 1 year

    I'm setting up a second LDAP server. I've converted a slapd.conf to a slapd.d database using slaptest. I'm trying to apply this LDIF:

    # cat loglevel.ldif
    dn: cn=config
    changetype:modify
    replace: olcLogLevel
    olcLogLevel: any
    

    This error comes up:

    # ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f loglevel.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    ldap_modify: Insufficient access (50)
    

    ldapwhoami output:

    # ldapwhoami -Y EXTERNAL -H ldapi:///
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    

    Config database in slapcat -n0:

    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {0}config
    olcAccess: {0}to *  by * none
    olcAddContentAcl: TRUE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcRootDN: cn=admin,cn=config
    olcRootPW:: c2VjcmV0
    olcSyncUseSubentry: FALSE
    olcMonitoring: FALSE
    structuralObjectClass: olcDatabaseConfig
    entryUUID: a00805da-2405-1035-8da5-7568f1e7aea1
    creatorsName: cn=config
    createTimestamp: 20151120190701Z
    entryCSN: 20151120190701.894877Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20151120190701Z
    

    How do I make the command work?

    Do I need to do something to enable the -Y EXTERNAL mechanism?

    Do I need to change the olcRootDN property for cn=config? I can try changing it with a text editor in the /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif file.