openldap - ldap_add : Insufficient access (50)

Question

我正在尝试使用以下命令添加以下条目:

ldapadd -Y EXTERNAL -H ldapi:/// -f server5_ldap.ldif

server5_ldap.ldif 的内容如下:

# Entry 31: cn=default,ou=pwpolicies,dc=example,dc=com
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
objectclass: device
objectclass: top
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 604800
pwdfailurecountinterval: 3600
pwdgraceauthnlimit: 0
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 900
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE

我收到错误:

ldap_add: Insufficient access (50)
    additional info: no write access to parent

我的 permissions.ldif 如下:

#OlcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {1} to attrs=uid by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage  by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {2} to attrs=objectClass by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {3} to attrs=cn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {4} to attrs=sn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {5} to * by self write by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by users read by anonymous none
olcAccess: {6} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=pwpolicies,ou=PPS,dc=example,dc=com" write by * none

我是 ldap 的新手，我被这个问题阻止了任何帮助将不胜感激。

Answer 1

如果你想使用 Unix 域套接字认证(-Y EXTERNAL)，那么你必须给 root manage 权限数据库。 root 通过 Unix 域套接字进行身份验证的 dn 是:

gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

在 Redhat 和 CentOS 上只有配置和监视器后端有 root 权限。

# ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess 
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none

dn: olcDatabase={2}hdb,cn=config

如果您想以管理配置的相同方式管理数据库 2，则必须向数据库 2 添加相同的 olcAccess 规则，因为它是为数据库 0(配置后端)定义的.

to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage