padl: Problem migrating users from passwd to ldap

eantoranz · 09-04-2008, 11:42 AM

Hi!

I want to copy (every once in a while.... like every 5 minutes :-)) the users in passwd to an openLDAP. I will delete the old users and recreate the passwd completely.... so... i'm almost done, but when I run the ldapadd I get this message:

Code:

adding new entry "uid=at,ou=People,dc=fake,dc=domain,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

The ou=People is already created, taken from slapcat:

Code:

dn: ou=People,dc=fake,dc=domain,dc=com
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
ou: People
entryUUID: 7c56661a-0ee9-102d-90f4-0953d312da1a
creatorsName: dc=root,dc=fake,dc=domain,dc=com
createTimestamp: 20080904162300Z
entryCSN: 20080904162300.318105Z#000000#000#000000
modifiersName: dc=root,dc=fake,dc=domain,dc=com
modifyTimestamp: 20080904162300Z

This is the command that's running when the failure happens:
./migrate_passwd.pl /etc/passwd | ldapadd -h 10.0.1.251 -y /home/ecarmona/ldap/clave.txt -x -D cn=root,dc=fake,dc=domain,dc=com

As you can see, I'm connected as dc=root,dc=fake,dc=domain,dc=com (which is the admin of the ldap and the modifier of the ou=People node) to the ldap service. What am I missing?

eantoranz · 09-04-2008, 11:51 AM

Got it! The problem was the access in slapd.conf. I added this lines (just for starters... I'll "close it down" later):

Code:

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=root,dc=fake,dc=domain,dc=com" write
        by * read

eantoranz · 09-04-2008, 12:28 PM

I have already copied the users to the ldap. This is the script I'm using (in case you want to use it):

Code:

#!/bin/bash
ldapServer="host servidor"
adminDN="cn=root,dc=fake,dc=domain,dc=com"
adminPasswdFile=/myhome/ldap/clave.txt
userGroupDN="ou=People,dc=fake,dc=domain,dc=com"
padlPath=/usr/local/padl

# Hacemos unas busqueda de los usuarios definidos en el ldap
ldapsearch -h $ldapServer -y $adminPasswdFile -x -D $adminDN -b $userGroupDN -s sub "(!(objectClass=organizationalUnit))" dn | grep "^dn" | sed "s/^dn: //"| while read dn; do
       # hay que borrar ese dn
       ldapdelete -h $ldapServer -y $adminPasswdFile -x -D $adminDN $dn
done

# Copiamos los usuarios al LDAP
cd $padlPath
./migrate_passwd.pl /etc/passwd | ldapadd -h $ldapServer -y $adminPasswdFile -x -D $adminDN > /dev/null

#Listo!

But the ldap won't allow me to authenticate using them (at least, not mine :-)). Any idea what I have to tweak (I'm willing to bet it's something on slapd's side).

Code:

ldapsearch -h 10.0.1.251 -W -x -D uid=ecarmona,ou=People,dc=fake,dc=fomain,dc=com -b ou=People,dc=fake,dc=domain,dc=com -s sub objectClass="*" dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)