Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I am facing an issue on my test LDAP server. The server is working fine, but I am trying to configure ACLs in the OpenLDAP server so that LDAP users can change their passwords, and it shows me the error below:
ldap_modify: Object class violation (65)
additional info: attribute 'olcTLSCertificateFile' not allowed
The changes below were made on the LDAP database, which fixed it.
Add these lines at the bottom of the file:
# cat olcDatabase\=\{2\}bdb.ldif
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,ou=Groups,dc=unxldap,dc=com" write by * none
olcAccess: to * by dn.exact="cn=Manager,dc=unxldap,dc=com" write by * read
Now log in to the client machine and change the password.
I am sorry for bumping this old thread, but I landed here while searching for something, and I think anybody could land here.
Quote:
The changes below were made on the LDAP database, which fixed it.
Add these lines at the bottom of the file:
# cat olcDatabase\=\{2\}bdb.ldif
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,ou=Groups,dc=unxldap,dc=com" write by * none
olcAccess: to * by dn.exact="cn=Manager,dc=unxldap,dc=com" write by * read
Now log in to the client machine and change the password.
# passwd
This is not the right way to add attributes to the DB. You need to use "ldapmodify" and pass it LDIF files with the changes (called mods). I was stuck on this very error for the past few hours, and the following fixed it for me:
The error you are getting ("additional info: attribute 'olcTLSCertificateFile' not allowed") is because the TLS certificates do not belong to individual databases; they belong to dn: cn=config, which is global.
All that is left is to add (in my case) the olcAccess attribute using another LDIF file (/tmp/passaccess.ldif).
3. Create /tmp/passaccess.ldif
Code:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=com" write by * none
-
add: olcAccess
olcAccess: to * by self write by dn.base="cn=Manager,dc=example,dc=com" write by * read
Run it as: # ldapmodify -H ldapi:// -Y EXTERNAL -f /tmp/passaccess.ldif
As we've changed the TLS certs location, a restart of slapd is needed (not everything is automated, yet!).
Hope this helps somebody who is trying to figure out a way out.
PS: Many thanks to @tarpman and @JoBbZ at #openldap for pointing me in the right direction from time to time.
Cheers
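Both LDIF variants in this thread append their rules with `add: olcAccess`, which places them after whatever olcAccess values the database already holds. slapd evaluates the list in `{N}` order and stops at the first `to` clause whose target matches, so an existing catch-all `to *` rule would leave the userPassword rule unreachable and passwords readable. The reply's second rule, `to * by self write`, also lets every user rewrite any of their own attributes, not only their password. The script below is an added example, not code from the thread or from the OpenLDAP project: it generates a `replace: olcAccess` LDIF with explicit `{0}`/`{1}` indices, applies it over ldapi:/// with SASL EXTERNAL, and checks the order of the rules slapd actually holds. The database DN `olcDatabase={2}hdb,cn=config`, the rootdn `cn=Manager,dc=example,dc=com`, the `users read` instead of `* read` on the catch-all rule, and the inclusion of `shadowLastChange` (only needed when pam_ldap updates it on password change) are assumptions, not details from the original poster's setup.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an LDIF that REPLACES the
# olcAccess list of one cn=config database, applies it over ldapi:/// with
# SASL EXTERNAL, and checks the rule order. Assumed defaults (override via
# environment): DB_DN is the database entry, ROOT_DN the rootdn that may
# write everything.
if [ -z "${DB_DN:-}" ]; then DB_DN='olcDatabase={2}hdb,cn=config'; fi
if [ -z "${ROOT_DN:-}" ]; then ROOT_DN='cn=Manager,dc=example,dc=com'; fi

# slapd evaluates olcAccess values in {N} order and stops at the first "to"
# clause whose target matches, so the userPassword rule must precede "to *".
# "replace:" writes the whole list; "add:" would append after rules that may
# already exist (an existing "{0}to * by * read" would shadow everything
# added after it). LDIF continuation lines start with one space, which is
# dropped on join; the second space survives as the separator.
gen_access_ldif() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="${ROOT_DN}" write
  by * none
olcAccess: {1}to *
  by dn.exact="${ROOT_DN}" write
  by self read
  by users read
  by * none
EOF
}

# Sanity check on an olcAccess listing read from stdin (our LDIF or the
# output of show_access): exit 0 only if a userPassword rule exists and no
# catch-all "to *" rule precedes it. Un-indexed rules, as posted in the
# thread, are accepted in file order.
check_order() {
  awk '
    BEGIN { pw = 0; all = 0 }
    /^olcAccess: ([{][0-9]+[}])?to attrs=[^ ]*userPassword/ { if (!pw) pw = NR }
    /^olcAccess: ([{][0-9]+[}])?to \*/                       { if (!all) all = NR }
    END { exit !(pw && (!all || pw < all)) }
  '
}

# What slapd actually holds, in evaluation order. SASL EXTERNAL over ldapi:///
# authenticates by the caller's Unix uid, which is how cn=config is normally
# edited by root on the server.
show_access() {
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "${DB_DN}" -s base olcAccess
}

apply_access() {
  gen_access_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage: sh acl.sh apply   (applies, then re-reads and checks the live ACL)
if [ "${1:-}" = "apply" ]; then
  apply_access && show_access | check_order && echo "ACL order OK"
fi
```

Run it as root on the slapd host with `sh acl.sh apply`; no restart is needed for an olcAccess change. To confirm the effect from a client, `ldappasswd -x -D "uid=alice,ou=People,dc=example,dc=com" -W -S` (hypothetical user DN) should succeed, and an anonymous `ldapsearch -x -b dc=example,dc=com userPassword` should return no userPassword values.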