"no global superior knowledge" while adding a country

Question

I must add an organizationalunit like this into a freshly installed OpenLDAP (on Ubuntu 12.04) :

dn: ou=MYREGION, ou=MYAPP, ou=GROUPS, o=myorganization, c=fr
ou: MYREGION
objectClass: top
objectClass: organizationalunit

So as it's a new LDAP, I think I must first add the fr country, and I create that file :

dn: c=fr
c: fr
objectClass: top
objectClass: country

Now I try to import it with that command (I have no domain for that server) :

ldapadd -x -D cn=admin,dc=nodomain -W -f country_fr.ldif

but OpenLDAP rejects that command with :

adding new entry "c=fr"
ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge

Any hint?

score 23 · Answer 1 · answered Jan 15 '13 at 19:49

The error no global superior knowledge means that slapd doesn't know where to put your new entry. This typically means that you have not defined an appropriate database. With newer systems (ones using cn=config instead of slapd.conf), you would typically first add a new database or modify an existing database entry using ldapadd or ldapmodify. For example, on my Fedora 17 system, the default install sets up a database like this for hosting dc=my-domain,dc=com:

dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
creatorsName: cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com

To host your organization (o=myorganization, c=fr), I would need to create the following LDIF file:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: o=myorganization, c=fr
-
replace: olcRootDN
olcRootDN: cn=Manager,o=myorganization,c=fr
-
replace: olcAccess
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write 
  by dn.base="cn=Manager,o=myorganization,c=fr" write
  by * none

And I would then load these modifications like this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f mychanges.ldif

This works because of the following olcAccess lines already present in the configuration:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

This grants root, contacting slapd over the ldapi:/// socket, password-free access to the cn=config tree.

I would then load in my top-level entry:

dn: o=myorganization, c=fr
objectclass: organization
o: myorganization

By running:

ldapadd -Y EXTERNAL -H ldapi:/// -f myobject.ldif

This works because I've added a similar ACL to this database. Note that I didn't need to start with c=fr here, because the database is defined to hold o=myorganization,c=fr

OK, thanks a lot larsks. But if I correctly understand your answer, here you modify the current prefix of the database of this OpenLDAP. What if I would want to add a new one ? (I will test your recommendations anyway, I'm just curious) — Anthony O., Jan 16 '13 at 10:03
Use `ldapadd` instead of `ldapmodify`, and use the existing record as a model. — larsks, Jan 16 '13 at 19:55
If this answer sovled your problem it would be very kind of you to mark it as accepted by clicking the checkbox to the upper left of the question. — larsks, Jan 17 '13 at 12:59
Actually, it helped me a lot, but it was not the exact commands I passed, that's why I've created my own reply. I didn't dare edit your reply in order to correct it with the ldifs (specially about the `olcAccess`) & commands I really used... but if you want to edit it with copy / paste from my reply, I can mark it acceptable & remove mine :) — Anthony O., Jan 18 '13 at 10:29

score 2 · Accepted Answer · edited Apr 13 '17 at 12:14

Thanks to larsks answer, here is what I did.

First here is an extract of the default configuration with Ubuntu 12.04 (file /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif):

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain

So I created the following change_suffix.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: o=myorganization,c=fr
-
replace: olcRootDN
olcRootDN: cn=admin,o=myorganization,c=fr
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,o=myorganization,c=fr" write by * none
olcAccess: {2}to * by self write by dn="cn=admin,o=myorganization,c=fr" write by * read

and added it to my ldap with the following command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f change_suffix.ldif

Now I had to create the organization node with the following myorganization.ldif:

dn: o=myorganization,c=fr
objectclass: organization
o: myorganization

And finally add it with the following command (the first one didn't work due to Insufficient access (50)):

ldapadd -x -D cn=admin,o=myorganization,c=fr -W -f myorganization.ldif

Now I could add the organizational units:

dn: ou=GROUPS, o=myorganization,c=fr
ou: GROUPS
objectClass: top
objectClass: organizationalunit

dn: ou=MYAPP, ou=GROUPS, o=myorganization,c=fr
ou: MYAPP
objectClass: top
objectClass: organizationalunit

dn: ou=MYREGION, ou=MYAPP, ou=GROUPS, o=myorganization,c=fr
ou: MYREGION
objectClass: top
objectClass: organizationalunit

This `dn: olcDatabase={1}hdb,cn=config`was key for me, thanks — miguelfg, Jul 30 '18 at 09:42

"no global superior knowledge" while adding a country

2 Answers2

Linked