Friday, May 9, 2014

ldap_add insufficient access (50) openldap

Error:

ldap_add insufficient access (50) openldap

Cause:

The ldap_add insufficient access (50) error is thrown while adding or modifying entries under the cn=config object in OpenLDAP because the admin user cn=Manager,dc=example,dc=edu of the data database does not have enough privileges to update the schema. Only the olcRootDN of the config database (or a DN granted by its olcAccess rules) may write to cn=config.

Solution:

1. Finding the olcRootDN in olcDatabase={0}config.ldif

You need to update the schema by binding as the rootdn of the cn=config database, not as the rootdn of your data database. You can find that olcRootDN as follows.

Go to the /etc/openldap/slapd.d/cn=config directory and open the olcDatabase={0}config.ldif file. Find the olcRootDN attribute in this file. In my config files it is olcRootDN: cn=config

2. Updating the olcRootDN password

   2.1 Generating the new password hash

   Execute the slappasswd command; it prompts for the password twice and prints a salted SHA-1 hash ({SSHA}) that is safe to store in the config file, as follows.

 slappasswd
New password:
Re-enter new password:
{SSHA}Hfpsjkt/Am2LDOndfBmPyjWyXaBk8K+



   2.2 Updating the olcRootDN password

Go to /etc/openldap/slapd.d/cn=config, edit the olcDatabase={0}config.ldif file and add the generated hash as an olcRootPW attribute on the line after olcRootDN:

olcRootPW: {SSHA}Hfpsjkt/Am2LDOndfBmPyjWyXaBk8K+

Save the file and restart the LDAP server.



3. Updating the Config Object

   3.1 Adding the module object (addmodule.ldif)

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

   3.2 Executing the LDAP command

Bind as the config rootdn (cn=config) with the password set in step 2, and add the LDIF:

ldapadd -x -h <hostname> -p 389 -D cn=config -W -f addmodule.ldif


The ldap_add insufficient access (50) error will be resolved after executing the above steps.
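The following script is an added example and not part of the original post or of OpenLDAP itself. It performs the same two changes as steps 2 and 3 (set olcRootPW on the config database, then load a module) over the local ldapi:/// socket with ldapmodify, so the files under slapd.d are never edited by hand while slapd is running and no restart is needed. It assumes that slapd listens on ldapi:/// and that the stock olcAccess rule on olcDatabase={0}config grants the local root user (SASL EXTERNAL bind) manage rights, as it does on a default RHEL/CentOS 6 install; the function names, the MODULE and MODULE_PATH variables, and the "apply" argument are this example's own. The hash in the test is the sample value printed by slappasswd in step 2.1; the script reads the real hash from slappasswd interactively so the password never appears on the command line or in shell history.

```shell
#!/bin/sh
# Added example (not the post author's commands): fix "insufficient access (50)"
# by setting olcRootPW on cn=config and loading a module over ldapi:///.
# Assumption: local root may bind to {0}config with -Y EXTERNAL (RHEL/CentOS 6 default ACL).

# Accept only a hash in the form slappasswd prints: {SSHA} followed by base64.
is_ssha_hash() {
    case "$1" in
        '{SSHA}'[A-Za-z0-9+/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# LDIF that sets olcRootPW on the config database (step 2.2 without a restart).
# "replace" works whether the attribute is missing or already present.
rootpw_ldif() {
    printf 'dn: olcDatabase={0}config,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: olcRootPW\n'
    printf 'olcRootPW: %s\n' "$1"
}

# LDIF for step 3.1: create cn=module,cn=config and load one module.
# $1 = module path, $2 = module name (memberof, syncprov, ...).
module_add_ldif() {
    printf 'dn: cn=module,cn=config\n'
    printf 'changetype: add\n'
    printf 'objectClass: olcModuleList\n'
    printf 'cn: module\n'
    printf 'olcModulePath: %s\n' "$1"
    printf 'olcModuleLoad: %s\n' "$2"
}

# LDIF to load a further module once cn=module{0},cn=config already exists
# (an "add" of cn=module would then fail with "Already exists (68)").
module_load_ldif() {
    printf 'dn: cn=module{0},cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: olcModuleLoad\n'
    printf 'olcModuleLoad: %s\n' "$1"
}

# Apply the fix on the LDAP host itself, as root. slappasswd prompts on the
# terminal and prints only the hash, so the clear-text password is never an argument.
apply_fix() {
    hash=$(slappasswd) || return 1
    is_ssha_hash "$hash" || { echo "unexpected hash format" >&2; return 1; }
    rootpw_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    module_add_ldif "${MODULE_PATH:-/usr/lib64/openldap}" "${MODULE:-memberof}" \
        | ldapadd -Q -Y EXTERNAL -H ldapi:///
    # Confirm both attributes landed; from here on "-D cn=config -W" binds work.
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// \
        -b 'olcDatabase={0}config,cn=config' olcRootDN olcRootPW
}

# Only touch the server when explicitly asked: ./fix-config-rootpw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_fix
fi
```

Run it as root on the LDAP server with the single argument `apply`; set MODULE=syncprov to load the syncprov module instead of memberof, and use module_load_ldif when cn=module{0},cn=config already exists. If the EXTERNAL bind is refused, your {0}config olcAccess differs from the assumed default and the hand-edit-and-restart method from step 2.2 still applies.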


15 comments:

  1. It seems that by default when openldap is installed the setting is "olcRootDN: cn=cfgadmin,cn=config" in olcDatabase={0}config.ldif. Why is that, and why is it not set to cn=config by default? Basically changing it places the config DB in the root cn=config domain instead of a cn=cfgadmin child of cn=config, right?

    Does that arrangement of the OpenLDAP tree have something to do with separating out user roles and permissions so that only certain aspects of the OLC live config can be changed by certain users? And if so what are the (security and tree structure) consequences of placing the config{0} DB directly under cn=config? Maybe I'm misunderstanding what this change actually does.

    Replies
    1. I think I confused DN with Domain Name instead of Distinguished Name there for a moment. So this is a user change rather than a tree change isn't it? If so that makes more sense, and I guess cfgadmin is a dummy account that gets rolled out with OpenLDAP. But if my olcRootDN is set to "cn=root,dn=mydomain" in the olcDatabase={1}bdb.ldif file why should it not be the same in olcDatabase={0}config.ldif, and instead be the cn=config object?

    2. Hi

      The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

      olcRootDN: "cn=Manager,dc=example,dc=com" is an administrator user for the domain example.com.

    3. Hi

      I have installed OpenLDAP on Red Hat Linux using yum. After installing OpenLDAP the olcRootDN is cn=config in the olcDatabase={0}config.ldif file.

      Please let me know if you need more help.

    4. Ah, you are right. I am on CentOS 6, which is essentially the same, and I compared a backup LDAP server with a fresh installation that I will be using for sync replication, and it did have the cn=config setting. I must have made a rookie mistake by blindly following some blog's suggestion to change my master LDAP server to have "olcRootDN: cn=cfgadmin,cn=config" in olcDatabase={0}config.ldif.

      That is fixable, but since the whole issue is that I can't do a live config edit I will have to take the Master's slapd process down for a second to restart it after manually editing the LDIF. Is there a better way? I am authenticating as cn=root in my environment with -D with commands like ldapadd, ldapmodify, etc. Thanks!

    5. BTW, I do not use the cfgadmin user and though there is a set password I don't know what it is, thus why I cannot edit the config database live. I must have followed a suggestion I read on a blog or tutorial when converting from slapd.conf to the cn=config format.

  2. Okay, so I'm going to test this on my new server first. So on that server only "olcRootDN: cn=config" is present and no password. After step 2.2 above (which I dumped into a file named "passwdchange.ldif") how do you bind to LDAP using ldapadd to make the password change? I have tried "cn=config" and leaving the password blank when it prompts, and I have tried the "cn=root" account I have in my olcDatabase={2}bdb.ldif file. I am using:

    ldapadd -f passwdchange.ldif -D "cn=config" -H "ldap://ldap02.mydomain" -W -x

    With no password entered at the prompt I get:

    ldap_bind: Server is unwilling to perform (53)
    additional info: unauthenticated bind (DN with no password) disallowed

    Same message if I simply leave -W off.

    Replies
    1. Hi Josh,

      Edit the olcDatabase={0}config.ldif file and add the olcRootPW attribute after olcRootDN: cn=config. The password format should be olcRootPW: {SSHA}...

      Restart the ldap server and issue will be resolved and you can add or modify the ldap schema using ldap client utilities like ldapadd or ldapmodify. Please let me know if you need any help.


  3. Okay, thanks! Maybe you should note in your post above that that is a manual step rather than an LDIF to be added (a chicken & egg problem).

    Anyway, now I'm on to something more frustrating. I can't add a new object due to a syntax error. In your Module example above, will there be a new LDIF file created in /etc/openldap/slapd.d/cn=config/ called "cn=module.ldif", since it doesn't exist when you run it, or will it add those olcModule commands directly to olcDatabase= {0}config.ldif?

    I'm basically trying to do the same thing with the syncprov object and it keeps erroring:

    ldapadd -f SyncprovOverlayAdd.ldif -D "cn=config" -H "ldap://ldap02.mydomain" -W -x
    Enter LDAP Password:
    adding new entry "olcOverlay={0}syncprov,olcDatabase={0}config,cn=config"
    ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax

    SyncprovOverlayAdd.ldif contains:

    dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov{0}

    There are no typos I can see, and I have tried "syncprov" without {0} at the end but neither way works. I know this is beyond what your article addresses but any pointers would be helpful!

    Replies
    1. Hi

      Did you enable the modules library in LDAP? If yes, then:

      First you need to add the module syncprov as follows

      ldapadd -h localhost -p 389 -D cn=config -W

      Enter LDAP Password:
      dn: cn=module{0},cn=config
      changetype: modify
      add:olcModuleLoad
      olcModuleLoad: syncprov

      modifying entry "cn=module{0},cn=config"

      ldapadd -h localhost -p 389 -D cn=config -W
      Enter LDAP Password:
      dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
      changetype: add
      objectClass: olcOverlayConfig
      objectClass: olcSyncProvConfig
      olcOverlay: syncprov

      After executing the above command successfully, the syncprov overlay is added in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb directory as an olcOverlay={1}syncprov.ldif file. If you're adding the overlay for the first time, the file name should be olcOverlay={0}syncprov.ldif

      If not, please follow step 3.1 to enable the module. You can replace memberof with syncprov and also olcModulePath as per your environment. In my environment OpenLDAP modules are located at /usr/lib64/openldap. My operating system is Red Hat 6 64 bit.

      ldapadd -h localhost -p 389 -D cn=config -W
      Enter LDAP Password:
      dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
      changetype: add
      objectClass: olcOverlayConfig
      objectClass: olcSyncProvConfig
      olcOverlay: syncprov


      Please let me know if you need more info.


    2. Very helpful. Believe it or not I figured out that the Module definition was missing and I added it right before you replied! But I followed the same procedure you outlined above. I made an LDIF with this in it:

      dn: cn=module{0},cn=config
      changetype: add
      objectClass: olcModuleList
      olcModuleLoad: accesslog
      olcModuleLoad: syncprov

      And then the syntax error went away when I tried to add syncprov to the other DBs. Those darn error messages aren't very informative. Thanks for helping a novice to cn=config!

  4. Is there any way to do the same in slapd.conf? I am stuck badly here and am not using slapd.d :(

  5. Hi
    After running the suggested procedure, I can't start my slapd anymore. I receive:

    slapd[9544]: config error processing cn=module,cn=config,cn=config:

    any suggestion?

  6. It is very useful information. Thanks for sharing with us. I would like to share my website about an LDAP Integration Module.

  7. Thanks! Your post helped me with troubleshooting :)
