ldap_modify: Insufficient access (50) for cn=config as -H ldapi:/// -Y EXTERNAL
Your current rootdn is cn=admin,cn=config, and your current rootpw is "secret".
SASL/EXTERNAL is enabled and working. However, the configuration of your cn=config database does not give root (aka gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) any special permissions.
To convert your rootdn to be local root, you should run the following or its equivalent.
ldapmodify -D cn=admin,cn=config -w secret -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
replace: olcrootdn
olcrootdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
delete: olcrootpw
-
EOF
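To see why the bind in the question is refused and what the modification above changes, here is an added example that is not part of the answer or the question: a small Python script that parses the `{0}config` entry as `slapcat -n0` prints it (the sample entry below is constructed from the values shown on this page, trimmed to the attributes that matter), works out whether the SASL/EXTERNAL peercred identity is either the database rootdn or named in an `olcAccess` rule, and builds the corresponding ldapmodify input. The function names (`parse_ldif_entry`, `diagnose`, `remediation_ldif`, `apply_remediation`) are this example's own, and the ACL check is deliberately a simplification: it only asks whether the bind DN appears in an `olcAccess` value, not how slapd would evaluate the full rule.

```python
import base64

# Constructed sample: the {0}config entry from the question's `slapcat -n0`
# output, trimmed to the attributes that decide access. The values are the
# page's; the entry is reconstructed here, not read from a live server.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcRootDN: cn=admin,cn=config
olcRootPW:: c2VjcmV0
"""

# Identity slapd assigns to a local root process binding over ldapi:/// with
# SASL/EXTERNAL (the "SASL username" line in the question's output).
LOCAL_ROOT_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {lowercased attribute: [values]}.

    Handles folded continuation lines (leading space) and '::' base64 values,
    which is how slapcat emits olcRootPW.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # folded continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def diagnose(attrs, bind_dn=LOCAL_ROOT_DN):
    """Explain why bind_dn would get 'Insufficient access (50)' on cn=config.

    Returns a list of findings; an empty list means the bind identity is
    either the database rootdn (which bypasses ACLs) or named in an ACL.
    """
    findings = []
    rootdn = attrs.get("olcrootdn", [""])[0]
    acls = attrs.get("olcaccess", [])
    is_rootdn = rootdn.lower() == bind_dn.lower()
    named_in_acl = any(bind_dn.lower() in acl.lower() for acl in acls)
    if not is_rootdn and not named_in_acl:
        findings.append(
            f"{bind_dn} is neither olcRootDN ({rootdn}) nor named in any "
            f"olcAccess rule ({acls or ['<none: default deny>']}), so writes are refused"
        )
    if "olcrootpw" in attrs:
        findings.append(
            "olcRootPW is set: cn=config stays reachable with a static password; "
            "remediation_ldif() deletes it once rootdn is the peercred identity"
        )
    return findings


def remediation_ldif(attrs, bind_dn=LOCAL_ROOT_DN):
    """Build ldapmodify input equivalent to the answer: make the local-root
    SASL identity the rootdn of {0}config and drop the static rootpw."""
    mods = [
        f"dn: {attrs['dn'][0]}",
        "changetype: modify",
        "replace: olcRootDN",
        f"olcRootDN: {bind_dn}",
    ]
    if "olcrootpw" in attrs:
        mods += ["-", "delete: olcRootPW"]
    return "\n".join(mods) + "\n"


def apply_remediation(attrs, bind_dn=LOCAL_ROOT_DN):
    """Offline simulation of what that ldapmodify does to the entry."""
    fixed = {name: list(values) for name, values in attrs.items()}
    fixed["olcrootdn"] = [bind_dn]
    fixed.pop("olcrootpw", None)
    return fixed


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_CONFIG_LDIF)
    for finding in diagnose(entry):
        print("finding:", finding)
    print("# feed this to: ldapmodify -H ldapi:/// -D cn=admin,cn=config -W")
    print(remediation_ldif(entry), end="")
    print("after fix:", diagnose(apply_remediation(entry)) or "no findings")
```

Run against the sample, the script reports two findings (the peercred identity is neither rootdn nor named in `olcAccess: {0}to * by * none`, and a static `olcRootPW` is present) and none after the simulated modification. Applying the change with ldapmodify, as the answer does, is preferable to editing the file under `slapd.d` by hand: slapd holds the running config in memory and writes those files itself, so edits made behind its back are not seen until a restart and can be overwritten.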
Updated on September 18, 2022
Leo, over 1 year ago:
I'm setting up a second LDAP server. I've converted a slapd.conf to a slapd.d database using slaptest. I'm trying to apply this LDIF:

# cat loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any
This error comes up:

# ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
ldapwhoami output:

# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Config database in slapcat -n0:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW:: c2VjcmV0
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: a00805da-2405-1035-8da5-7568f1e7aea1
creatorsName: cn=config
createTimestamp: 20151120190701Z
entryCSN: 20151120190701.894877Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151120190701Z
How do I make the command work? Do I need to do something to enable the -Y EXTERNAL mechanism? Do I need to change the olcRootDN property for cn=config? I can try changing it with a text editor in the /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif file.