14

I am running an OpenLDAP 2.4 server that uses the SSL service for communication. It works for lookups.

I am trying to add mirror mode replication.

So this is the command that I'm executing:

ldapmodify -D "cn=myuser,dc=mydomain,dc=com" -H ldaps://myloadbalancer -W -f /etc/ldap/ldif/server_id.ldif

Where this is my server_id.ldif:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 myserver1
olcServerID: 2 myserver2

and this is my cn\=config.ldif in the slapd.d tree of text files:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ff9689de-c61d-1031-880b-c3eb45d66183
creatorsName: cn=config
createTimestamp: 20121118224947Z
olcLogLevel: stats
olcTLSCertificateFile: /etc/ldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/ldap/certs/ldapskey.pem
olcTLSCACertificateFile: /etc/ldap/certs/ldapscert.pem
olcTLSVerifyClient: never
entryCSN: 20121119022009.770692Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121119022009Z

But unfortunately I'm getting this:

Enter LDAP Password: 
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

If I try to specify the config database I get this:

ldapmodify -H 'ldaps://myloadbalancer/cn=config' -D "cn=myuser,cn=config" -W -f ./server_id.ldif 
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

Does anyone know how I can add the serverID to the config database so that I can complete the setup of mirror mode?

John Gardeniers
Lynn Owens

3 Answers

13

It is exactly what it says on the tin. Your DN cn=myuser,dc=mydomain,dc=com does not have enough permissions to modify the cn=config tree. And when you are trying "to specify the config database" you are using an entirely different DN, cn=myuser,cn=config, which apparently either doesn't exist or you are using a wrong password.

To do modifications like these you need to work with an account privileged enough to modify the various databases. The "admin" account, i.e. the one account that always has all privileges, is specified in the attribute olcRootDN and its password is found in olcRootPW. For the cn=config database those attributes are found in olcDatabase={0}config,cn=config and for the "regular" database, usually of type HDB, in olcDatabase={1}hdb,cn=config.

Which tutorial or documentation did you follow? It doesn't seem like you understand completely what you are doing here.

daff
  • Hmm, I am already using the olcRootDN account. -D "cn=myuser,dc=mydomain,dc=com" is my replacement of "cn=Manager,dc=example,dc=com" ... I replaced Manager with myuser for security purposes. I expected it to work. I think that I need to specify serverID at a level higher than the databases, ... at the base configuration of slapd itself, which I would expect to be in cn=config.ldif, not in olcDatabase\=\{1\}hdb.ldif where one finds the olcRootDN. – Lynn Owens Nov 25 '12 at 04:42
  • If you get "insufficient access" then you are not using the admin user configured in `olcRootDN` and `olcRootPW`. That user always has access to everything, by definition. Again, be advised that the different databases have different admin users. For the `cn=config` tree use the one specified under `olcDatabase={0}config,cn=config`. And no, the `olcServerID` attributes *do* belong in the `cn=config` DN. It's where I have them, too. – daff Nov 25 '12 at 05:09
  • Thanks Daff, that was it. I was ignorant to the fact that the config database was the {0} database. There was indeed an admin user in there. I gave it a password and my modifications went through with no problem. :) – Lynn Owens Nov 26 '12 at 00:34
  • I would be interested to know what Tutorial or Documentation you would recommend to quickly get familiar with ldap. Because It is clear to me that I have absolutely no idea what I am doing.. – The Lazy Coder Oct 20 '15 at 22:39
  • 1
    @TheLazyCoder The [official documentation](http://www.openldap.org/doc/admin24/) is comprehensive but not very accessible to novices. The [Ubuntu OpenLDAP docs](https://help.ubuntu.com/lts/serverguide/openldap-server.html) have gotten better over time and might be good enough for a beginner. Other than that I have learned quite a bit from Matt Butcher's book "Mastering OpenLDAP", published by Packt. You might want to start there, even if it is a bit dated now. – daff Oct 21 '15 at 14:59
10

As I had a quite similar problem, I tried daff's interesting solution but to no avail. Contrary to Lynn Owens, I failed to add a password to the admin in olcDatabase={0}config,cn=config. I finally managed to modify my cn=config using commands like:

ldapmodify -Y EXTERNAL -H ldapi:/// -f somefile.ldif
phep
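The two answers above come down to one question: which identity is allowed to write to cn=config, and can that identity actually bind? The script below is an added example for this thread (not code from the posters or from the OpenLDAP project). It parses a cn=config export in the shape `slapcat -n 0` or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` produces, reports the olcRootDN of the `{0}config` database and whether it has an olcRootPW to bind with, lists any identity granted `manage` via olcAccess (the ldapi peercred root on Debian-style installs), and tells you which database, if any, treats a given bind DN as its root. It also emits the LDIF for setting olcRootPW and refuses a cleartext value. The sample LDIF, the DNs and the `{SSHA}fake` hash are constructed for illustration.

```python
"""Who may modify cn=config? Inspect a slapcat -n 0 style export.

Added example for this thread, not code from the original posts or from
OpenLDAP itself. Sample data below is constructed; attribute names are real."""
import base64
import re

# Constructed sample in the shape of `slapcat -n 0` output. The suffix
# database's rootDN has a password; the config database's rootDN does not,
# which is the situation the question describes.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=myuser,dc=mydomain,dc=com
olcRootPW:: e1NTSEF9ZmFrZQ==
"""

CONFIG_DB_DN = "olcDatabase={0}config,cn=config"
# SASL EXTERNAL identity slapd assigns to a local root process over ldapi://
LDAPI_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}).

    Handles folded lines (continuations start with one space) and base64
    values (`attr:: ...`), which is enough for slapcat/ldapsearch output."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = []
        for raw in block.splitlines():
            if raw.startswith(" ") and unfolded:
                unfolded[-1] += raw[1:]
            elif not raw.startswith("#"):
                unfolded.append(raw)
        dn, attrs = None, {}
        for line in unfolded:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode()
            else:
                value = rest.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def find_entry(entries, dn):
    """Case-insensitive lookup of one entry's attributes by DN."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def config_db_identities(entries):
    """Identities that may write cn=config: its own olcRootDN (usable with a
    password bind only if olcRootPW is set) plus any dn.exact granted
    `manage` in its olcAccess rules."""
    attrs = find_entry(entries, CONFIG_DB_DN) or {}
    manage = []
    for acl in attrs.get("olcAccess", []):
        manage += re.findall(r"dn\.exact=(\S+)\s+manage", acl)
    return {
        "rootdn": (attrs.get("olcRootDN") or [None])[0],
        "rootpw_set": "olcRootPW" in attrs,
        "manage": manage,
    }


def root_database_for(entries, bind_dn):
    """DN of the database whose olcRootDN equals bind_dn, or None.

    A rootDN is all-powerful only inside its own database: the suffix
    database's rootDN gets `Insufficient access` on cn=config, and a DN
    that is nobody's rootDN (and has no entry) gets `Invalid credentials`."""
    for dn, attrs in entries:
        if bind_dn.lower() in (v.lower() for v in attrs.get("olcRootDN", [])):
            return dn
    return None


def rootpw_is_hashed(value):
    """True for a {SCHEME}hash such as slappasswd produces. slapd accepts a
    cleartext olcRootPW, but it then sits in slapd.d in the clear."""
    return re.match(r"\{[A-Za-z0-9-]+\}", value) is not None


def rootpw_modify_ldif(db_dn, hashed_pw):
    """LDIF that sets olcRootPW on a database entry; feed it `slappasswd -s ...`."""
    if not rootpw_is_hashed(hashed_pw):
        raise ValueError("olcRootPW must be a {SCHEME}hash, not cleartext")
    return (f"dn: {db_dn}\nchangetype: modify\nreplace: olcRootPW\n"
            f"olcRootPW: {hashed_pw}\n")


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_CONFIG_LDIF)
    print(config_db_identities(entries))
    print(root_database_for(entries, "cn=myuser,dc=mydomain,dc=com"))
    print(rootpw_modify_ldif(CONFIG_DB_DN, "{SSHA}fake"), end="")
```

On the constructed sample this reports that `cn=admin,cn=config` is the config rootDN but has no olcRootPW (so a `-D cn=admin,cn=config -W` bind cannot succeed yet), that the ldapi peercred root identity has `manage` and can therefore be used with `ldapmodify -Y EXTERNAL -H ldapi:///` as in the answer above, and that `cn=myuser,dc=mydomain,dc=com` is root only for `olcDatabase={1}hdb`, which is why it was refused on cn=config. Apply the generated olcRootPW LDIF over ldapi with `-Y EXTERNAL` once, then the password bind to cn=config works.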
0

Thanks Chicken Suop! Finally I was able to modify the loglevel at cn=config as follows:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn:           cn=config
changetype:   modify
replace:      olcLogLevel
olcLogLevel:  256
EOF

I post an answer here rather than a comment on that answer in order to show the code fragment above.