I tried adding the olcRootDN manually but slapd would not start. So I can't add this in manually.
I tried loading it in this way: http://www.openldap.org/lists/openldap-technical/201211/msg00195.html

But I'm unable to load it:

slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config-in-portable-format.ldif
51cdbb3f str2entry: invalid value for attributeType olcRootDN #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
slapadd: could not parse entry (line=16)
_ 1.63% eta none elapsed none spd 1.1 M/s
Closing DB...

Line=16 is the olcRootDN. Is there another way I can load it in?

On Thu, Jun 27, 2013 at 7:33 PM, Dan White <[email protected]> wrote:
> On 06/27/13 15:27 -0700, Michael Roth wrote:
>
>> Hi Dan, I'm still hitting my head against the wall on this one.
>>
>> I shut down slapd and opened /etc/ldap/slap.d/cn=config/cn=module{0}.ldif
>> I then added "olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=domain,dc=net"" at the bottom.
>> I then restarted slapd.
>> I ran "sudo ldapwhoami -Y EXTERNAL -H ldapi:///"
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> dn:cn=admin,dc=onerecovery,dc=net
>
> Looks good.
>
>> I then try to add the module again:
>> sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> modifying entry "cn=module{0},cn=config"
>> ldap_modify: Insufficient access (50)
>
> You still need to make cn=admin,dc=onerecovery,dc=net the olcRootDN. You
> don't need an olcRootPW in this instance.
>
> Since you decided to manually edit the /etc/ldap/slap.d/cn=config/
> hierarchy manually, which is not recommended, you should backup your config
> with slapcat before proceeding, in case your config gets corrupted.
>
>> On Thu, Jun 27, 2013 at 11:07 AM, Dan White <[email protected]> wrote:
>>
>>> Or by creating an olcAuthzRegexp rule like:
>>>
>>> dn: cn=config
>>> olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=org"
>>>
>>> and setting your olcRootDN to:
>>>
>>> dn: olcDatabase={0}config,cn=config
>>> olcRootDN: cn=admin,dc=example,dc=org
>>>
>>> Since you don't have any of the above config in place, you have a chicken
>>> and egg problem with manipulating your configuration. You should dump it
>>> to portable ldif to modify it. See:
>>>
>>> http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
>
> --
> Dan White
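A worked version of the offline route the thread points at, added here as an example; it is not code from the thread or from OpenLDAP. Two points it rests on: syntax OID 1.3.6.1.4.1.1466.115.121.1.12 in the slapadd error is the DN syntax, so the rejected line 16 held something that is not a bare DN (surrounding quotes, stray `*` characters as shown in the archived mail rendering, or trailing whitespace are each enough); and once olcAuthzRegexp rewrites the ldapi EXTERNAL identity to cn=admin,..., the stock olcAccess rule on olcDatabase={0}config that keys on the gidNumber=0+uidNumber=0 peercred DN no longer matches, which is why the rewritten DN has to be rootdn of the config database. The script patches a `slapcat -n0` dump accordingly and refuses a root DN that would fail the syntax check. The sample LDIF is constructed; the Debian/Ubuntu paths, the `openldap` service user and the live steps behind `RUN_LIVE=1` are assumptions, and slapd must be stopped while they run.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): patch a "slapcat -n0" dump
# so that a chosen DN becomes rootdn of the config database and the ldapi
# EXTERNAL root identity is mapped onto it, then (optionally) reload it.
set -eu

# valid_dn DN: crude check for the kind of value slapadd rejects with
# "invalid value for attributeType olcRootDN (syntax ...1466.115.121.1.12)".
# The real DN syntax is wider than this regexp; the point is to catch
# quotes, '*' and surrounding whitespace before slapadd does.
valid_dn() {
  case "$1" in
    *'*'* | *'"'* | ' '* | *' ') return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$'
}

# add_attr ENTRY_DN ATTR VALUE: LDIF on stdin -> stdout, with "ATTR: VALUE"
# appended to the entry whose dn line is exactly ENTRY_DN, unless that
# attribute is already present there (an existing value is left alone).
# Values travel through the environment so awk does not reinterpret
# backslashes (the \+ in the regexp). Assumes the dn line is not folded.
add_attr() {
  TARGET="$1" ATTR="$2" VALUE="$3" awk '
    function flush() {
      if (inside && !seen) print ENVIRON["ATTR"] ": " ENVIRON["VALUE"]
      inside = 0; seen = 0
    }
    /^dn: / { flush(); inside = ($0 == "dn: " ENVIRON["TARGET"]) }
    inside && index($0, ENVIRON["ATTR"] ": ") == 1 { seen = 1 }
    /^$/ { flush() }
    { print }
    END { flush() }
  '
}

# patch_config ROOTDN: LDIF on stdin -> stdout. Maps the ldapi EXTERNAL root
# identity onto ROOTDN and makes ROOTDN the rootdn of olcDatabase={0}config.
patch_config() {
  dn=$1
  valid_dn "$dn" || {
    echo "patch_config: '$dn' is not a plain DN, slapadd would reject it" >&2
    return 1
  }
  add_attr 'cn=config' 'olcAuthzRegexp' \
    "{0}\"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth\" \"$dn\"" |
    add_attr 'olcDatabase={0}config,cn=config' 'olcRootDN' "$dn"
}

# Constructed sample in slapcat -n0 format (a trimmed Debian-style config).
# The {1}hdb database already has a rootdn; it must be left untouched.
sample_ldif() {
  cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: none

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=org
olcRootDN: cn=admin,dc=example,dc=org
EOF
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  # Assumed Debian/Ubuntu layout; run as root with slapd stopped.
  rootdn=${ROOTDN:?set ROOTDN to the DN that should own cn=config}
  slapcat -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif        # dump = backup
  patch_config "$rootdn" < /tmp/config.ldif > /tmp/config-new.ldif
  mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak                  # keep the old tree
  mkdir /etc/ldap/slapd.d
  slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config-new.ldif
  chown -R openldap:openldap /etc/ldap/slapd.d                # assumed service user
else
  sample_ldif | patch_config 'cn=admin,dc=example,dc=org'
fi
```

Run it without `RUN_LIVE` to see the patched sample; the olcRootDN line lands in the `{0}config` entry and the `{1}hdb` rootdn is untouched. After a live reload, `ldapwhoami -Y EXTERNAL -H ldapi:///` should answer with the mapped DN and a `ldapmodify -Y EXTERNAL -H ldapi:///` against `cn=config` should no longer return Insufficient access (50).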
