1

Topic: Unable to Extend LDAP Schema

I have a new install of the latest release of iRedAdminPro + iRedMail on a CentOS 7.2 server.

I need to extend the LDAP schema but it would seem the rootdn on an IRedMail server does not have write permissions to cn=config.

I just have one object class and one attribute to add, but I'm getting the following error.

ldapmodify -h 127.0.0.1 -axWD cn=manager,dc=domain,dc=com -f openssh-ldap.ldif

adding new entry "cn=openssh-openldap,cn=schema,cn=config"
ldap_add: Insufficient access (50)

I'm far from an LDAP expert so I'm reluctant to mess with an LDAP config that I didn't build from scratch.

Can you suggest a clean way to gain access?

2 (edited by bmackay 2016-06-25 06:06:27)

Re: Unable to Extend LDAP Schema

Digging a bit further...

slapcat -n0 reveals the following.

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 4544b750-b9f7-1035-92b1-15f19808f5f8
creatorsName: cn=config
createTimestamp: 20160529144211Z
entryCSN: 20160529144211.085663Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160529144211Z

So I crafted up the following LDIF.

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=manager,dc=mydomain,dc=com

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,dc=mydomain,dc=com"

Connecting as UID 0 and attempting to apply the above ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f access.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Insufficient access (50)

Blocked when trying to apply the LDIF as root (uid 0). Perhaps I misread the slapcat output, but I thought

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

would give me write perms.

Suggestions welcome.

3

Re: Unable to Extend LDAP Schema

The root dn 'cn=manager,dc=xx,dc=xx' has all privileges. Did you create 'cn=config' first?

----

Buy me a cup of coffee ($5) to support iRedMail:

4

Re: Unable to Extend LDAP Schema

No, I assumed that any recent LDAP install would use dynamic configuration. Use of slapd.conf was deprecated and, like a dummy, I had blinders on and was looking for reasons why dynamic config wasn't working. In more modern implementations it's bad voodoo to manually edit the schema files.

The default iRedMail LDAP setup breaks a number of common LDAP management tools. For example, Apache Directory Studio is unable to process schema changes because it can't successfully submit LDIFs; even command-line tools such as ldapadd/ldapmodify fail.

Once I realized what was going on and that I couldn't use common LDAP practices, I was able to extend the schema with no problem.  I'm able to generate and store public keys in the directory as intended.

Sorry for troubling you.
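The confusion in post 2 (slapcat -n0 showed an olcAccess rule granting the ldapi peercred root identity manage rights, yet the EXTERNAL bind was refused) and the resolution in posts 3 and 4 (the server was actually running from slapd.conf, so the cn=config tree that slapcat read was not the configuration in use) come down to one question: which configuration is the running slapd using, and who does it actually grant manage on the config database? The script below is an added example, not code from the thread or from iRedMail. It assumes a Linux host where `ps -o args= -C slapd` is available, the CentOS default config directory /etc/openldap/slapd.d, and a made-up environment variable LIVE_CHECK that gates the live commands so the file also runs offline against the constructed sample LDIF in its test.

```shell
#!/bin/sh
# Added example, not from the thread or from iRedMail: two checks to run before
# trying to modify cn=config on a server you did not build yourself.
#
#  1. slapd_config_source: given slapd's command line, report whether the daemon
#     was started from a static slapd.conf (-f) or a dynamic config directory (-F).
#     slapcat -n0 run without -f/-F reads the packaged default (/etc/openldap/slapd.d
#     on CentOS), which need not be the configuration the running daemon uses.
#  2. config_manage_grantees: unfold LDIF continuation lines (a line starting with
#     a space continues the previous value) in slapcat -n0 output and print every
#     'by <who> manage' subject of the {0}config database's olcAccess, so the
#     identity you bind as can be compared with what is actually granted.

# Argument: slapd's command line as one string, e.g. "$(ps -o args= -C slapd)".
# Output: "static:<file>", "dynamic:<dir>" or "default" (no -f/-F given).
slapd_config_source() {
  case " $1 " in
    *" -F"*) printf 'dynamic:%s\n' "$(printf '%s\n' "$1" | sed -n 's/.* -F *\([^ ]*\).*/\1/p')" ;;
    *" -f"*) printf 'static:%s\n'  "$(printf '%s\n' "$1" | sed -n 's/.* -f *\([^ ]*\).*/\1/p')" ;;
    *)       printf 'default\n' ;;
  esac
}

# Reads slapcat -n0 style LDIF on stdin; prints one 'who' clause per line.
config_manage_grantees() {
  awk '
    function process(line,    n, parts, i) {
      if (line ~ /^dn: /) {
        # Track whether we are inside the config database entry.
        inconfig = (line == "dn: olcDatabase={0}config,cn=config")
        return
      }
      if (!inconfig || line !~ /^olcAccess: /) return
      # An olcAccess value is "to <what> by <who> <level> by <who> <level> ...".
      n = split(line, parts, / by /)
      for (i = 2; i <= n; i++)
        if (parts[i] ~ / manage( |$)/) {
          sub(/ manage.*/, "", parts[i])
          print parts[i]
        }
    }
    /^ /  { buf = buf substr($0, 2); next }   # continuation line: append it
    { if (buf != "") process(buf); buf = $0 } # new logical line: flush the previous one
    END   { if (buf != "") process(buf) }
  '
}

# Live use on the host (run with LIVE_CHECK=1); skipped so the file also runs offline.
if [ -n "${LIVE_CHECK:-}" ]; then
  slapd_config_source "$(ps -o args= -C slapd 2>/dev/null | head -n 1)"
  slapcat -n0 2>/dev/null | config_manage_grantees
fi
```

If the first check reports `static:/etc/openldap/slapd.conf`, the olcAccess rules printed by the second check describe a cn=config tree that slapd never loaded, which is exactly the situation the thread ran into; schema changes then belong in the slapd.conf include files rather than in cn=config.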