Hi Dan, I'm still hitting my head against the wall on this one.
I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif
I then added "olcAuthzRegexp:
{0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=admin,dc=domain,dc=net"" at the bottom.
I then restarted slapd.
I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=onerecovery,dc=net
I then try to add the module again:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
On Thu, Jun 27, 2013 at 11:07 AM, Dan White <[email protected]> wrote:
> On Thu, Jun 27, 2013 at 6:26 AM, Dan White <[email protected]> wrote:
>>
>>> On 06/26/13 15:34 -0700, Michael Roth wrote:
>>>
>>>>
>>>> Am I able to change the ACL so I can edit cn=config to load a module
>>>> in? If so how do I do that?
>>>>
>>>
>>> If you bind as the rootdn, ACL restrictions do not apply. To view your
>>> existing olcRootDN/olcRootPW configuration, do:
>>>
>>> slapcat -n0
>>>
>>
> On 06/27/13 10:13 -0700, Michael Roth wrote:
>
>> How do I bind as the rootdn when I use the command "sudo ldapmodify -Y
>> EXTERNAL -f smbkrb5pwd_load.ldif"
>>
>
> By setting your olcRootDN to:
>
> dn: olcDatabase={0}config,cn=config
> olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> Or by creating an olcAuthzRegexp rule like:
>
> dn: cn=config
> olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
>
> and setting your olcRootDN to:
>
> dn: olcDatabase={0}config,cn=config
> olcRootDN: cn=admin,dc=example,dc=org
>
> use:
>
> sudo ldapwhoami -Y EXTERNAL -H ldapi:///
>
> to troubleshoot.
>
> See the manpage for slapd-conf for documentation.
>
>
>> I entered slapcat -n0 and found that dn: cn=module[0},cn=config doesn't
>> have an admin in it.
>>
>> dn: cn=module{0},cn=config
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath: /usr/lib/ldap
>> olcModuleLoad: {0}back_hdb
>> structuralObjectClass: olcModuleList
>> entryUUID: d36d2386-2d84-1031-9046-6d09752e7d3a
>> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> createTimestamp: 20120508181023Z
>> entryCSN: 20120508181023.990015Z#000000#000#000000
>> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> modifyTimestamp: 20120508181023Z
>>
>
> Since you don't have any of the above config in place, you have a chicken
> and egg problem with manipulating your configuration. You should dump it to
> portable ldif to modify it. See:
>
> http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
> --
> Dan White
>
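The two-step mechanism Dan describes above (an olcAuthzRegexp rule rewriting the SASL/EXTERNAL peercred identity to a DN, and olcRootDN on the config database naming that same DN) is easy to get half right, as the ldapwhoami output followed by "Insufficient access (50)" at the top of the thread shows. The following is an added example, not part of the thread and not OpenLDAP code: a small Python model that applies a list of (match, replace) rules in order, first match wins, using Python's `re` with explicit `^`/`$` anchors as an approximation of slapd's matching rather than a reimplementation of it. The rule, the DNs and the rootdn values are the constructed ones from Dan's message, and `config_access_decision` shows why the rewrite alone grants nothing until olcRootDN agrees with its output.

```python
import re

# Constructed rule set mirroring the thread: rewrite the local-root peercred
# identity presented over ldapi:/// to the intended administrative DN.
# slapd's replace pattern uses $1..$9; this model converts them to Python
# group references before expanding. Anchors are added explicitly here.
AUTHZ_REGEXP_RULES = [
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,dc=example,dc=org"),
]

# The identity slapd reports for a root-owned client on the ldapi socket,
# and a constructed non-root peer for contrast.
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
USER_PEERCRED = "gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"


def map_sasl_identity(sasl_id, rules=AUTHZ_REGEXP_RULES):
    """Return the DN the SASL identity is rewritten to by the first matching
    rule, or the identity unchanged when no rule matches."""
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_id)
        if m:
            # "$1" -> "\1" so re's expand() can substitute captured groups
            py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
            return m.expand(py_repl)
    return sasl_id


def config_access_decision(sasl_id, config_rootdn, rules=AUTHZ_REGEXP_RULES):
    """Model the check that matters for editing cn=config: the bound DN must
    equal olcRootDN of olcDatabase={0}config, otherwise ACLs apply and, with
    no ACL granting write, the modify fails with insufficientAccess (50)."""
    bound_dn = map_sasl_identity(sasl_id, rules)
    if bound_dn == config_rootdn:
        return bound_dn, "rootdn: ACLs bypassed, modify allowed"
    return bound_dn, "not rootdn: ldap_modify: Insufficient access (50)"


if __name__ == "__main__":
    # Rewrite in place, but olcRootDN still the raw peercred identity:
    # ldapwhoami shows cn=admin, yet cn=config edits are refused.
    print(config_access_decision(ROOT_PEERCRED, ROOT_PEERCRED))
    # Rewrite in place and olcRootDN set to the rewritten DN: edits allowed.
    print(config_access_decision(ROOT_PEERCRED, "cn=admin,dc=example,dc=org"))
    # Non-root local client: no rule matches, identity passes through unchanged.
    print(config_access_decision(USER_PEERCRED, "cn=admin,dc=example,dc=org"))
```

Run it as-is to see the three outcomes side by side. The escaped `\+` in the pattern matters: `+` is a regex metacharacter, so an unescaped `gidNumber=0+uidNumber=0` would match "gidNumber=" followed by one or more zeros and never the literal identity slapd presents.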