Reputation: 67
LDAP configuration ACL on centos 7
I'm trying to set ACL for Manager user by I understand where is my syntax error.
Is it correct to modify the "olcDatabase={2}hdb" file??
My Terminal command:
ldapmodify -a -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
And this is the error:
ldapmodify: invalid format (line 5) entry: "olcDatabase={2}hdb"
acl.ldif:
dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{2} to attrs=loginShell by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self read by anonymous none by users none to attrs=uid,sn,homeDirectory by self write
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c9c7626
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 05c622d2-9007-1039-808a-1106615e0d2d
creatorsName: cn=config
createTimestamp: 20191031084858Z
olcRootPW:: e1NTSEF9QXNRTGdiYjZ0RTltMjMwbHdFcW5VeE5ETzNxcE1qSXE=
olcSuffix: dc=gruppo6,dc=labreti,dc=it
olcRootDN: cn=Manager,dc=gruppo6,dc=labreti,dc=it
entryCSN: 20191031122732.077139Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20191031122732Z
Thanks for every help guys
Upvotes: 0
Views: 552
Answers (1)
Reputation: 16095
There are 2 issues :
You are trying to modify
olcDatabase={2}hdbusing the wrong dn in acl.ldif, this entry should be in the subtree ofcn=config. You can grab the target olcDatabase using this command :slapcat -n 0 -a olcDatabase=hdb # Output dn: olcDatabase={2}hdb,cn=config ...Since you are modifying an existing entry, you don't need the
-aflag (ldapadd) inldapmodifycommand :ldapmodify -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
If your ldap manager precisely cannot modify this config entry due to insufficient permissions (reading from this directive to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage), you can still use external binding (unix user) to perform that kind of operation :
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
Upvotes: 1
Related Questions
- How to view and modify LDAP password configuration
- How to make LAMP LDAPS authentication work?
- ldap_add: Insufficient access (50)
- PHP on CentOS 7: LDAP could not bind to the server
- Using php-ldap in Centos 6.3
- LDAP specific ACL for each users
- ldapsearch - Invalid credentials
- Openldap ldapmodify acl invalid DN
- OpenLDAP Centos 7 LDAP server request for passphrase
- LDAP PHP Centos