Openldap

OpenLDAP cn=config 數據庫訪問被阻止

  • December 10, 2020

我將 OpenLDAP 2.4.54 與 Alpine 一起使用。這是我的 ldap 配置

$ sudo slapcat -n0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: afb8286a-68e7-426d-8a9f-91f52935c4af
creatorsName: cn=config
createTimestamp: 20200807074746Z
entryCSN: 20200807074746.355242Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200807074746Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 570fed11-408d-42a2-bf96-3e063cc8276e
creatorsName: cn=config
createTimestamp: 20200807074746Z
entryCSN: 20200807074746.355548Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200807074746Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap/openldap-data
olcSuffix: dc=mydomain,dc=tld
olcRootDN: cn=admin,dc=mydomain,dc=tld
olcRootPW:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
olcDbIndex: objectClass eq
structuralObjectClass: olcMdbConfig
entryUUID: 5e4e308d-3243-4dd0-aa45-d289eb5575ab
creatorsName: cn=config
createTimestamp: 20200807074746Z
entryCSN: 20200807074746.355490Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200807074746Z

我無法使用 SASL 身份驗證編輯 cn=config 數據庫:

ldapmodify -Y EXTERNAL -H ldapi:/// -f anything.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

我無法使用根 dncn=config進行身份驗證:

ldapmodify -H ldapi:/// -D cn=config -f anything.ldif
ldap_bind: Server is unwilling to perform (53)
   additional info: unauthenticated bind (DN with no password) disallowed

現在。既然我似乎對此沒有任何權限,我該如何編輯此數據庫中的任何內容?我可以嘗試使用gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authwitholcAccess或添加olcRootPWfor訪問權限,cn=config但我無權執行此操作。

我該如何解決這是一個先有雞還是先有蛋的問題?

我不確定這是否是一個好習慣,但我可以通過手動添加一個來解決這個olcRootPW問題/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif

引用自:https://serverfault.com/questions/1045685