
I'm new to OpenLDAP (but not Microsoft Active Directory) and reading zytrax's openldap guide. I'm using OpenLDAP 2.4.44 on CentOS 7.4, as shown here:

@(#) $OpenLDAP: slapd 2.4.44 (Aug  4 2017 14:23:27) $
    mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

I want to add cosine (and later inetorgperson) schemas, but this fails:

ldapadd -f /etc/openldap/schema/cosine.ldif
ldap_sasl_interactive_bind_s: No such attribute (16)

Whereas this works:

ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif

Can anybody explain why? Apparently, ldapi:// -Y EXTERNAL seems to indicate SASL, but I haven't found zytrax's explanation of why/when to use ldapi:// instead of ldapadd commands in OLC.

– mellow-yellow

1 Answer


You use ldapadd -H ldapi:/// -Y EXTERNAL ... when you want to modify cn=config - the LDAP config itself. LDAP schema is a part of cn=config.

  • -H ldapi:/// - use UNIX-domain socket (/var/run/ldapi)
  • -Y EXTERNAL - use EXTERNAL mechanism for SASL

I'm not an expert in SASL mechanisms, but in this case authentication will succeed if the user has UID and GID equal to 0, i.e. is root.

  • Your answer, in combination with this (https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities) helped. In short, it's because ldapi:// gives slapd access to the shell's user uid and gid (cat /etc/passwd), which cn=config uses to authenticate, instead of olcRootDN, as shown here: /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif "olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none" -- And you can drop -Y EXTERNAL because it's apparently the default; see supportedSASLMechanisms – mellow-yellow Nov 01 '17 at 21:40
  • Documentation states that without `-Y` "program will choose the best mechanism the server knows", so it may vary. `SASL/EXTERNAL` is not default on servers I use. – Paweł Tatarczuk Nov 02 '17 at 06:15