我开始在 Debian 上全新安装 openldap 2.4.28。Debian 软件包和 gnuTLS 存在一些问题,因此我编译了一个带有 opennSSL 库的版本。
很难理解官方文档如何使用 openLDAP 的新 cn=config 管理从头开始安装。因此,我在第一次启动 openLDAP 时使用以下命令将 slapd.conf 转换为 cn=config:
/usr/local/libexec/slapd -u openldap -g openldap -f slapd.conf.seb -F /usr/local/etc/openldap/slapd.d/ -d -1
我的 slapd.conf.seb 等于:
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/gosa/samba3.schema
include /usr/local/etc/openldap/schema/gosa/trust.schema
include /usr/local/etc/openldap/schema/gosa/gofax.schema
include /usr/local/etc/openldap/schema/gosa/gofon.schema
include /usr/local/etc/openldap/schema/gosa/gosystem.schema
include /usr/local/etc/openldap/schema/gosa/goto-mime.schema
include /usr/local/etc/openldap/schema/gosa/goto.schema
include /usr/local/etc/openldap/schema/gosa/goserver.schema
include /usr/local/etc/openldap/schema/gosa/gosa-samba3.schema
include /usr/local/etc/openldap/schema/gosa/openssh-lpk.schema
include /usr/local/etc/openldap/schema/gosa/dnszone.schema
include /usr/local/etc/openldap/schema/gosa/nagios.schema
include /usr/local/etc/openldap/schema/gosa/dhcp.schema
include /usr/local/etc/openldap/schema/gosa/sudo.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA} secret
directory /srv/openldap-data
index objectClass eq
我对这个简单的转换没有任何问题,但是在那之后,就不可能用ldapadd或ldapmodify这个命令导入数据了。
我不明白 openLDAP 的默认读/写权限,我尝试使用 ldapmodify,使用绑定和密码,但遇到了同样的问题:
root@xxxx:/usr/local/etc/openldap# ldapadd -x -D "cn=admin,cn=config,dc=parisgeo,dc=cnrs,dc=fr" -W -f sauvegarde.ldif
Enter LDAP Password: xxx
adding new entry "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
我尝试使用此示例修改 cn=config 的权利:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} secret
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
同样的问题,我没有权利这样做,无论有没有选项密码输入 -W 或绑定选项 -D“cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr”
root@xxxx:/usr/local/etc/openldap# ldapadd -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
root@xxxx:/usr/local/etc/openldap# ldapadd -x -W -H ldapi:/// -f slapd.modify.root.ldif Enter LDAP Password:
ldap_bind: Invalid credentials (49)
root@xxxxx:/usr/local/etc/openldap# ldapadd -D "cn=config,cn=admin,dc=parisgeo,dc=cnrs,dc=fr" -W -Y EXTERNAL -H ldapi:/// -f slapd.modify.root.ldif
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Insufficient access (50)
您对这个从头开始安装的解决方案有什么想法吗?
答案1
我知道我的错误,我们需要在转换之前将这三行添加到 slapd.conf 中:
database config
rootdn "cn=admin,cn=config"
rootpw {SSHA} secret
转换后,我们可以测试一下:
ldapwhoami -x -D cn=config -W