No write access to parent
Solution 1
I met the same error:
CMD: ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Insufficient access (50)
additional info: no write access to parent
And my base.ldif content:
CMD: cat base.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
description: My LDAP Root

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: secret
description: LDAP administrator
I fixed the error with this command:
ldapadd -x -D 'cn=admin,dc=example,dc=com' -w secret -H ldapi:/// -f base.ldif
Successful:
adding new entry "dc=example,dc=com"
adding new entry "cn=admin,dc=example,dc=com"
Solution 2
The default ACLs do not allow this. External authentication does not have write access to the tree; only the LDAP admin/super-user (rootdn) has that. (Actually it bypasses all ACLs.)
So either bind as the LDAP admin – as the other answer suggests – or add your own ACL rules.
I use this as the first ACL rule:
to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by * break
You can also use manage instead of write.
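A constructed model of slapd's first-match ACL walk, added here as an illustration and not slapd's own code: it shows why the peercred identity from SASL EXTERNAL only gets read under a default policy, why the rootdn is unaffected by ACLs, and how the `by * break` rule from Solution 2 grants that identity manage without changing anyone else's access. The default rule set, the DNs, and the two-control (stop/break) simplification are assumptions.

```python
"""Simplified model of OpenLDAP ACL evaluation (constructed example, not slapd code).
Supports 'to *' / 'to attrs=<attr>' targets, the who-selectors '*', 'anonymous',
'users' and 'dn.exact=', and the controls 'stop' (default) and 'break'."""
import re

# slapd.access(5) privilege order, lowest to highest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"  # from the page
ROOTDN = "cn=admin,dc=example,dc=com"                                   # from the page

# Assumed default policy: passwords only usable for binding, everything else readable.
DEFAULT_ACL = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to * by * read",
]
# Same policy with the rule from Solution 2 placed first (manage variant).
FIXED_ACL = ["to * by dn.exact=" + PEERCRED + " manage by * break"] + DEFAULT_ACL

def parse_rule(rule):
    """Split 'to <what> by <who> [<level>] [<control>] ...' into (what, [(who, level, control)])."""
    what, rest = re.match(r"to\s+(\S+)\s+(.*)", rule).groups()
    clauses = []
    for part in re.split(r"\bby\s+", rest)[1:]:
        tokens = part.split()
        level = next((t for t in tokens[1:] if t in LEVELS), "none")        # omitted level -> none
        control = next((t for t in tokens[1:] if t in ("stop", "break")), "stop")
        clauses.append((tokens[0], level, control))
    return what, clauses

def who_matches(who, bind_dn):
    if who == "*": return True
    if who == "anonymous": return bind_dn == ""
    if who == "users": return bind_dn != ""
    if who.startswith("dn.exact="): return who[len("dn.exact="):].lower() == bind_dn.lower()
    return False  # 'self' and other selectors are not modelled here

def access_level(acl, bind_dn, attr=None, rootdn=ROOTDN):
    """Access level bind_dn ends up with: first matching 'by' clause wins, 'break'
    carries on to the next 'to' directive, the rootdn skips ACLs entirely."""
    if bind_dn.lower() == rootdn.lower():
        return "manage"
    granted = None
    for rule in acl:
        what, clauses = parse_rule(rule)
        if what != "*" and what.lower() != f"attrs={attr}".lower():
            continue  # directive does not apply to this target
        for who, level, control in clauses:
            if who_matches(who, bind_dn):
                granted = level
                if control == "break":
                    break           # keep walking the later directives
                return granted      # 'stop': evaluation ends here
    return granted if granted is not None else "read"  # slapd's implicit default is read

def can(acl, bind_dn, needed, attr=None):
    """True if bind_dn's level is at least `needed` (e.g. 'write' for ldapadd)."""
    return LEVELS.index(access_level(acl, bind_dn, attr)) >= LEVELS.index(needed)
```

Under DEFAULT_ACL the peercred identity resolves to read, which is exactly the "Insufficient access" the page reports for ldapadd, while under FIXED_ACL it resolves to manage and an ordinary user still falls through the `by * break` clause to read.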
Updated on September 18, 2022

Comments

Admin, over 1 year ago
I am facing an issue when trying to set up an OpenLDAP server with Chef.
Configuration:
- Ubuntu 15.04
- OpenLDAP 2.4.31
- Chef/OpenLdap 2.7.1
For information, when I run dpkg-reconfigure slapd (which is not an option when trying to automate the process), part 1 of the issue is solved (without changing any phpldapadmin configuration file) but part 2 remains.
Part 1: when accessing the admin account in phpldapadmin, the admin user is not accessible (message: This base cannot be created with PLA.)
Part 2: when trying to execute
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/db.ldif
the error message is:
STDERR: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Insufficient access (50)
additional info: no write access to parent
slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
database hdb
suffix "dc=a6,dc=com"
rootdn "cn=admin,dc=a6,dc=com"
rootpw {SSHA}a6a6aa66a6a6a6a6a6a6a6
directory "/var/lib/ldap"
lastmod on
dbconfig set_cachesize 0 31457280 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index default pres,eq,approx,sub
index objectClass eq
index cn,ou,sn,uid,l,mail,gecos,memberUid,description
index loginShell,homeDirectory pres,eq,approx
index uidNumber,gidNumber pres,eq
db.ldif
dn: dc=a6,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: a6
o: a6
description: A6

dn: cn=admin,dc=a6,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}Aa6a6aa66a6a6a6a6a6a6a6

dn: ou=users,dc=a6,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=a6,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=administrators,ou=groups,dc=a6,dc=com
objectClass: posixGroup
cn: administrators
gidNumber: 500

dn: uid=co,ou=administrators,dc=a6,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
cn: co
gidnumber: 500
givenname: Jack
homedirectory: /home/co
loginshell: /bin/bash
uid: co
uidnumber: 1000
userpassword: {SSHA}a6a6aa66a6a6a6a6a6a6a6
Thanks for your help. L.