
I'm trying to set up my first LDAP server that will be used to store user accounts (for things such as mail, git server and a few other things). I managed to install the server, but I'm stuck when I want to create my first object.

The server I want to set up is ashley-vps.mildred.fr (for now, this is a test server). Its dn is dc=ashley-vps, dc=mildred, dc=fr. First thing I did was to import the cosine (is that a math function?) and nis schemas. Then, I modified the olcSuffix and olcRootDN of my configuration as follows:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ashley-vps, dc=mildred, dc=fr
-
replace: olcRootDN
olcRootDN: cn=Manager, dc=ashley-vps, dc=mildred, dc=fr

I used the answer at "no global superior knowledge" while adding a country as a template.

I don't think I need to set up any special access because I'm using -Y EXTERNAL -H ldapi:/// and when I look at my access settings, I seem to have the necessary permissions:

# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none

Now, I'd like to create my first object. Let's start with dn: dc=ashley-vps, dc=mildred, dc=fr:

dn: dc=ashley-vps, dc=mildred, dc=fr
changetype: add
objectclass: top
objectclass: organizationalUnit
objectclass: dcObject
# dcObject requires the dc attribute (the RDN value of this entry)
dc: ashley-vps
ou: ashley-vps.mildred.fr

I get rejected with:

ldap_add: Insufficient access (50)
    additional info: no write access to parent

I suppose this is because this is beyond the top of the hierarchy managed by the LDAP server, or is it? And if I try to directly create a person:

dn: cn=Toto, dc=ashley-vps, dc=mildred, dc=fr
changetype: add
objectclass: person
cn: Toto
sn: Surname

I also get rejected with:

ldap_add: No such object (32)

This time I suppose this is because the top object is missing.

Then, how to create the top object? Why do I even need to create a top object? This seems like an unnecessary restriction. Similarly, when creating posixAccounts, it seems that we also need to create a user and group organizationalUnits (as seen in this howto). Can I do without?

Mildred
  • Have you tried it without the spaces? A lot of LDAP clients (most notably Microsoft ones) don't handle spaces well. – HopelessN00b Mar 22 '13 at 21:00
  • No, but I'm using `ldapmodify` on Fedora 17 and there are a lot of examples that contain spaces. So I'm not too worried about that. – Mildred Mar 22 '13 at 21:34

2 Answers


The solution seems to be to add the olcAccess property to dn: olcDatabase={2}hdb,cn=config. I thought I didn't need it, but I do. This makes it possible to modify the database.

So I added the following code to dn: olcDatabase={2}hdb,cn=config:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by * none

And it now works (at least, I could create dc=ashley-vps,dc=mildred,dc=fr)

Note: don't forget to put two spaces for line continuations, or else you'll get the following error: ldap_modify: Other (e.g., implementation specific) error (80), <olcAccess> handler exited with 1

edit: see the slapd.access(5) man page and grant manage access to root (the highest permissions)

Mildred
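A pre-flight check for LDIF batches like the ones in this thread, as an added example (not code from the question or the answers): it unfolds continuation lines the way slapd does, flags object classes that are missing a required attribute (the base entry in the question uses dcObject without a dc attribute), and flags add operations whose parent entry is not created earlier in the file, which is what produces "No such object (32)". The REQUIRED table covers only the classes used here and the suffix parameter is an assumption of this example.

```python
import re

# Required attributes for the object classes used in this thread only
# (assumption: a small subset of the core/cosine schema, not a full schema check).
REQUIRED = {"dcobject": ["dc"], "organizationalunit": ["ou"], "person": ["cn", "sn"]}


def normalize_dn(dn):
    """Drop spaces after commas and lowercase, so 'dc=a, dc=b' equals 'dc=a,dc=b'."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated LDIF record."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: only the first leading space is removed
        elif raw.strip() == "":
            if lines:
                rec = {}
                for ln in lines:
                    if ln.startswith("#") or ln == "-":  # comment or mod separator
                        continue
                    key, _, val = ln.partition(":")
                    rec.setdefault(key.strip().lower(), []).append(val.strip())
                records.append(rec)
            lines = []
        else:
            lines.append(raw)
    return records


def check_ldif(text, suffix):
    """Return problems: missing required attributes, and adds whose parent is not
    the suffix's own parent and was not added by an earlier record in the file."""
    problems, known = [], set()
    for rec in parse_ldif(text):
        dn = normalize_dn(rec.get("dn", [""])[0])
        for oc in rec.get("objectclass", []):
            for attr in REQUIRED.get(oc.lower(), []):
                if attr not in rec:
                    problems.append(f"{dn}: objectClass {oc} requires {attr}")
        if rec.get("changetype", ["add"])[0] == "add":
            parent = dn.partition(",")[2]
            if dn != normalize_dn(suffix) and parent not in known:
                problems.append(f"{dn}: parent {parent} does not exist yet (No such object)")
            known.add(dn)
    return problems
```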

I realize this is late, but I'll post this for future reference. The first error I won't address, because I think you simply didn't add a required schema. But for the error "ldap_add: Insufficient access (50), additional info: no write access to parent": the following command is used for modifying/adding schema:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -w <password> -f </path/to/file>

To add entries to your LDAP use this one instead:

ldapadd -x -D 'cn=Manager,dc=domain,dc=local' -w <password> -H ldapi:/// -f </path/to/file>
Sami