
I'm trying to enable logging in an openldap (slapd) server. So I tried to execute:

$ ldapmodify -D cn=admin,dc=domain,dc=tld -W -H ldap:/// <<EOF
> dn: cn=config
> changetype: modify
> replace: olcLogLevel
> olcLogLevel: any
> EOF
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

This is my slapcat -n0 output:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: f2abd5ee-adb8-103b-8c18-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.786316Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
structuralObjectClass: olcModuleList
entryUUID: f2aca6cc-adb8-103b-8c20-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.791752Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: f2abf484-adb8-103b-8c1b-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.787189Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: f2abdfee-adb8-103b-8c19-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.786661Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: f2abede0-adb8-103b-8c1a-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.787019Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=domain,dc=tld
olcRootPW:: SOME_HASH_VALUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: f2accdf0-adb8-103b-8c21-6da3f145a1c2
creatorsName: cn=config
createTimestamp: 20210919171535Z
entryCSN: 20210919171535.792748Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210919171535Z

I can't figure out what's the problem. The account "admin" is defined as olcRootDN cn=admin,dc=domain,dc=tld. Why can't I change the configs?

gxor

1 Answer

It's defined as the rootDN for the dc=domain,dc=tld database. But that's not the database you're trying to modify – the rootDN of one database has no special rights on other databases.

You're trying to change the cn=config database – it doesn't have a custom rootDN specified, so "cn=config" would be the default rootDN… but there's neither an olcRootPW that would allow authenticating to the rootDN directly, nor any authz policy that would allow a different DN to authorize as it.

However, the access list (olcAccess) for the cn=config database grants full unrestricted access to the DN gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, which is the special DN that is used for clients that 1) connect through Unix socket and 2) use SASL EXTERNAL authentication.

In short, there's no rootDN, but the configuration grants full access to local uid 0 instead.

To actually use this access, you need to run ldapmodify as root, then specify ldapi:/// as the URL and -Y EXTERNAL as the authentication method:

$ sudo ldapmodify -H ldapi:/// -Y EXTERNAL <<EOF
dn: cn=config
replace: olcLogLevel
olcLogLevel: any
EOF

(It's a bit like how MariaDB has no root password nowadays, but instead allows sudo mariadb to connect without a password.)

You can also use this to grant cn=config modify rights to any other DN you like (by editing the {0}config database's olcAccess accordingly).

grawity