LinuxQuestions.org

Thread: http://www.linuxquestions.org/questions/linux-software-2/padl-problem-migrating-users-from-passwd-to-ldap-667568/

eantoranz 09-04-2008 11:42 AM

padl: Problem migrating users from passwd to ldap
 
Hi!

I want to copy (every once in a while.... like every 5 minutes :-)) the users in passwd to an openLDAP. I will delete the old users and recreate the passwd completely.... so... I'm almost done, but when I run the ldapadd I get this message:

Code:

adding new entry "uid=at,ou=People,dc=fake,dc=domain,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

The ou=People is already created, taken from slapcat:
Code:

dn: ou=People,dc=fake,dc=domain,dc=com
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
ou: People
entryUUID: 7c56661a-0ee9-102d-90f4-0953d312da1a
creatorsName: dc=root,dc=fake,dc=domain,dc=com
createTimestamp: 20080904162300Z
entryCSN: 20080904162300.318105Z#000000#000#000000
modifiersName: dc=root,dc=fake,dc=domain,dc=com
modifyTimestamp: 20080904162300Z

This is the command that's running when the failure happens:
./migrate_passwd.pl /etc/passwd | ldapadd -h 10.0.1.251 -y /home/ecarmona/ldap/clave.txt -x -D cn=root,dc=fake,dc=domain,dc=com

As you can see, I'm connected as dc=root,dc=fake,dc=domain,dc=com (which is the admin of the ldap and the modifier of the ou=People node) to the ldap service. What am I missing?

eantoranz 09-04-2008 11:51 AM

Got it! The problem was the access in slapd.conf. I added these lines (just for starters... I'll "close it down" later):

Code:

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=root,dc=fake,dc=domain,dc=com" write
        by * read
eantoranz 09-04-2008 12:28 PM

I have already copied the users to the ldap. This is the script I'm using (in case you want to use it):

Code:

#!/bin/bash
ldapServer="host servidor"
adminDN="cn=root,dc=fake,dc=domain,dc=com"
adminPasswdFile=/myhome/ldap/clave.txt
userGroupDN="ou=People,dc=fake,dc=domain,dc=com"
padlPath=/usr/local/padl

# Look up the users currently defined in the LDAP directory
# (everything under ou=People except the organizationalUnit entry itself)
ldapsearch -h "$ldapServer" -y "$adminPasswdFile" -x -D "$adminDN" -b "$userGroupDN" -s sub "(!(objectClass=organizationalUnit))" dn | grep "^dn" | sed "s/^dn: //" | while read -r dn; do
      # that dn has to be deleted
      ldapdelete -h "$ldapServer" -y "$adminPasswdFile" -x -D "$adminDN" "$dn"
done

# Copy the users into the LDAP directory
cd "$padlPath" || exit 1
./migrate_passwd.pl /etc/passwd | ldapadd -h "$ldapServer" -y "$adminPasswdFile" -x -D "$adminDN" > /dev/null

# Done!

But the ldap won't allow me to authenticate using them (at least, not mine :-)). Any idea what I have to tweak (I'm willing to bet it's something on slapd's side)?

Code:

ldapsearch -h 10.0.1.251 -W -x -D uid=ecarmona,ou=People,dc=fake,dc=fomain,dc=com -b ou=People,dc=fake,dc=domain,dc=com -s sub objectClass="*" dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
tintunaungkyaw 06-11-2013 10:48 AM

Hi All,

cat /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

### Database Config ###
database config
rootdn "cn=admin,cn=config"
rootpw config
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

### Enable Monitoring
database monitor

# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=admin,cn=config" read
        by * none

But, when I try to slapadd

# ldapadd -v -x -D "cn=replicator,ou=admins,dc=example,dc=org" -w Secret123 -f newuser.ldif -h ldap1.example.org
ldap_initialize( ldap://ldap1.example.org )
add uid:
student3
add cn:
student3
add sn:
3
add objectClass:
top
posixAccount
inetOrgPerson
add loginShell:
/bin/bash
add homeDirectory:
/home/student3
add uidNumber:
14583102
add gidNumber:
14564100
add userPassword:
{SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
add mail:
student3@example.org
add gecos:
Student3 User
adding new entry "uid=student3,ou=People,dc=example,dc=org"
ldap_add: Insufficient access (50)
additional info: no write access to parent

It shows "no write access to parent".

In this case, what will be the correct ACL?

Regards,
Tin Tun
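
To see why both ldapadd runs in this thread fail with error 50, here is an added Python model (not code from the thread, the padl tools or OpenLDAP) of how slapd evaluates `access to <what> by <who> <level> [control]` directives: a directive is selected by its `<what>`, the first matching `by` clause decides, and `break` moves on to the next directive. It covers only the subset used in the posts above (`*`, exact `dn=`/`dn.exact=`, `attrs=`, `self`, `anonymous`/`users`, `stop`/`break`); the rootdn, which slapd exempts from ACLs, and the mapping of directives to databases are left out, so it is a reasoning aid, not a replacement for slapacl(8).

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd.access(5) order

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.strip('"').split(","))

def parse_by(clause):  # "<who> [<level>] [stop|continue|break]"; 'by * break' grants nothing
    who, *rest = clause.split()
    level = rest[0] if rest and rest[0] in LEVELS else "none"
    return who, level, (rest[-1] if rest and rest[-1] in ("break", "continue") else "stop")

def parse_acl(text):  # -> [(what, [(who, level, control), ...])]; indented or one-line directives
    body = " ".join(" ".join(line.split("#")[0] for line in text.splitlines()).split())
    rules = []
    for directive in body.split("access to ")[1:]:
        what, *bys = directive.strip().split(" by ")
        rules.append((what, [parse_by(c) for c in bys]))
    return rules

def dn_matches(style, pattern, dn):  # bare dn= is treated as exact here (a simplification)
    return style in ("dn", "dn.exact", "dn.base") and norm(pattern) == norm(dn)

def what_matches(what, target_dn, attr):
    sel = dict(s.split("=", 1) for s in what.split() if "=" in s)  # '*' -> {}
    if "attrs" in sel and attr not in sel["attrs"].split(","):
        return False  # attribute-scoped directive for some other attribute
    return all(dn_matches(k, v, target_dn) for k, v in sel.items() if k != "attrs")

def who_matches(who, bind_dn, target_dn):
    if who == "*" or who == ("users" if bind_dn else "anonymous"):
        return True
    if who == "self":
        return bool(bind_dn) and norm(bind_dn) == norm(target_dn)
    style, _, pattern = who.partition("=")  # dn="..." or dn.exact=...
    return bool(bind_dn) and dn_matches(style, pattern, bind_dn)

def check_access(rules, bind_dn, target_dn, needed, attr=None):
    """True if bind_dn gets at least `needed` on target_dn (or on attr of it). ldapadd
    needs 'write' on the parent entry, hence "no write access to parent". The database
    rootdn is not modelled: slapd never applies ACLs to it."""
    need = LEVELS.index(needed)
    for clauses in [c for w, c in rules if what_matches(w, target_dn, attr)]:
        hit = next(((l, c) for w, l, c in clauses if who_matches(w, bind_dn, target_dn)), None)
        if hit is None:
            return False  # no by-clause matched: the implicit 'by * none' applies
        level, control = hit
        if LEVELS.index(level) >= need:
            return True
        if control != "break":
            return False  # stop: the first matching by-clause decides; break: next directive
    return False
```

Feed it the ACL posted earlier in the thread, e.g. `check_access(parse_acl(acl_text), "cn=root,dc=fake,dc=domain,dc=com", "ou=People,dc=fake,dc=domain,dc=com", "write")`, and compare with a variant that puts `access to attrs=userPassword by self write by anonymous auth by * none` in front of the catch-all, which keeps password hashes unreadable while binds still work. The one-line `by * break` directive from the cn=config database above parses too and grants nothing to anyone but the local root peercred identity.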