-   Linux - Software (
-   -   padl: Problem migrating users from passwd to ldap (

eantoranz 09-04-2008 11:42 AM

padl: Problem migrating users from passwd to ldap

I want to copy (every once in a while.... like every 5 minutes :-)) the users in passwd to an openLDAP. I will delete the old users and recreate the passwd completely.... so... i'm almost done, but when I run the ldapadd I get this message:


adding new entry "uid=at,ou=People,dc=fake,dc=domain,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

The ou=People is already created, taken from slapcat:

dn: ou=People,dc=fake,dc=domain,dc=com
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
ou: People
entryUUID: 7c56661a-0ee9-102d-90f4-0953d312da1a
creatorsName: dc=root,dc=fake,dc=domain,dc=com
createTimestamp: 20080904162300Z
entryCSN: 20080904162300.318105Z#000000#000#000000
modifiersName: dc=root,dc=fake,dc=domain,dc=com
modifyTimestamp: 20080904162300Z

This is the command that's running when the failure happens:
./ /etc/passwd | ldapadd -h -y /home/ecarmona/ldap/clave.txt -x -D cn=root,dc=fake,dc=domain,dc=com

As you can see, I'm connected as dc=root,dc=fake,dc=domain,dc=com (which is the admin of the ldap and the modifier of the ou=People node) to the ldap service. What am I missing?

eantoranz 09-04-2008 11:51 AM

Got it! The problem was the access in slapd.conf. I added this lines (just for starters... I'll "close it down" later):


# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=root,dc=fake,dc=domain,dc=com" write
        by * read

eantoranz 09-04-2008 12:28 PM

I have already copied the users to the ldap. This is the script I'm using (in case you want to use it):


ldapServer="host servidor"

# Hacemos unas busqueda de los usuarios definidos en el ldap
ldapsearch -h $ldapServer -y $adminPasswdFile -x -D $adminDN -b $userGroupDN -s sub "(!(objectClass=organizationalUnit))" dn | grep "^dn" | sed "s/^dn: //"| while read dn; do
      # hay que borrar ese dn
      ldapdelete -h $ldapServer -y $adminPasswdFile -x -D $adminDN $dn

# Copiamos los usuarios al LDAP
cd $padlPath
./ /etc/passwd | ldapadd -h $ldapServer -y $adminPasswdFile -x -D $adminDN > /dev/null


But the ldap won't allow me to authenticate using them (at least, not mine :-)). Any idea what I have to tweak (I'm willing to bet it's something on slapd's side).


ldapsearch -h -W -x -D uid=ecarmona,ou=People,dc=fake,dc=fomain,dc=com -b ou=People,dc=fake,dc=domain,dc=com -s sub objectClass="*" dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

tintunaungkyaw 06-11-2013 10:48 AM

HI All,

cat /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/
argsfile /var/run/openldap/slapd.args

### Database Config###
database config
rootdn "cn=admin,cn=config"
rootpw config
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

### Enable Monitoring
database monitor

# allow only rootdn to read the monitor
access to *
by dn.exact="cn=admin,cn=config" read
by * none

But, when I try to slapadd

# ldapadd -v -x -D "cn=replicator,ou=admins,dc=example,dc=org" -w Secret123 -f newuser.ldif -h
ldap_initialize( ldap:// )
add uid:
add cn:
add sn:
add objectClass:
add loginShell:
add homeDirectory:
add uidNumber:
add gidNumber:
add userPassword:
add mail:
add gecos:
Student3 User
adding new entry "uid=student3,ou=People,dc=example,dc=org"
ldap_add: Insufficient access (50)
additional info: no write access to parent

It shows "no write access to parent"

In this case, what will be correct ACL.

Tin Tun

All times are GMT -5. The time now is 01:32 AM.