ldap_modify: Insufficient access (50)

I am running an OpenLDAP 2.4 server that uses the SSL service for communication. It works for lookups.

I am trying to add mirror mode replication.

So this is the command that I'm executing:

ldapmodify -D "cn=myuser,dc=mydomain,dc=com" -H ldaps://myloadbalancer -W -f /etc/ldap/ldif/server_id.ldif

Where this is my server_id.ldif:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 myserver1
olcServerID: 2 myserver2

and this is my cn=config.ldif in the slapd.d tree of text files:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ff9689de-c61d-1031-880b-c3eb45d66183
creatorsName: cn=config
createTimestamp: 20121118224947Z
olcLogLevel: stats
olcTLSCertificateFile: /etc/ldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/ldap/certs/ldapskey.pem
olcTLSCACertificateFile: /etc/ldap/certs/ldapscert.pem
olcTLSVerifyClient: never
entryCSN: 20121119022009.770692Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121119022009Z

But unfortunately I'm getting this:

Enter LDAP Password: 
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

If I try to specify the config database I get this:

ldapmodify -H 'ldaps://myloadbalancer/cn=config' -D "cn=myuser,cn=config" -W -f ./server_id.ldif
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

Does anyone know how I can add the serverID to the config database so that I can complete the setup of mirror mode?


Solution 1:

It is exactly what it says on the tin. Your DN cn=myuser,dc=mydomain,dc=com does not have enough permissions to modify the cn=config tree. And when you are trying "to specify the config database" you are using an entirely different DN, cn=myuser,cn=config, which apparently either doesn't exist or you are using a wrong password.

To do modifications like these you need to work with an account privileged enough to modify the various databases. The "admin" account, i.e. the one account that always has all privileges, is specified in the attribute olcRootDN and its password is found in olcRootPW. For the cn=config database those attributes are found in olcDatabase={0}config,cn=config and for the "regular" database, usually of type HDB, in olcDatabase={1}hdb,cn=config.

Which tutorial or documentation did you follow? It doesn't seem like you understand completely what you are doing here.

Solution 2:

As I had a quite similar problem, I tried daff's interesting solution but to no avail. Contrary to Lynn Owens, I failed to add a password to the admin in olcDatabase={0}config,cn=config. I finally managed to modify my cn=config using commands like:

ldapmodify -Y EXTERNAL -H ldapi:/// -f somefile.ldif
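The following script is an added example that is not code from the question or from either answer. It ties the two answers together: it uses the ldapi:/// socket with SASL EXTERNAL (the same gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth identity that appears as modifiersName in the question's cn=config.ldif, which the stock Debian/Ubuntu ACL lets manage cn=config) to give olcDatabase={0}config an olcRootDN/olcRootPW, and then loads the olcServerID change through the same socket. It assumes you run it as root on each slapd host, that ldapmodify, ldapsearch and slappasswd are installed, and that cn=admin,cn=config, myserver1 and myserver2 are placeholders you replace with your own values; the olcServerID URLs must match the URLs the respective server listens on (its -h argument), which is why the script passes full ldaps:// URLs rather than bare hostnames.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: run as root on the
# slapd host; ldapi:/// is enabled; ldap-utils and slappasswd are installed;
# cn=admin,cn=config and the myserver1/myserver2 URLs are placeholders.

# LDIF that sets the rootdn/rootpw of the config database itself
# (olcDatabase={0}config). 'replace' both adds the attribute when it is
# missing and overwrites it when it is already there.
build_config_rootpw_ldif() {
  dn="$1"    # e.g. cn=admin,cn=config
  hash="$2"  # output of slappasswd, e.g. {SSHA}...
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $dn
-
replace: olcRootPW
olcRootPW: $hash
EOF
}

# LDIF that sets olcServerID for mirror mode. Listing every id together with
# its URL lets the very same file be loaded on both servers: each slapd picks
# the id whose URL matches one of its own listener URLs.
build_server_id_ldif() {
  url1="$1"  # e.g. ldaps://myserver1
  url2="$2"  # e.g. ldaps://myserver2
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $url1
olcServerID: 2 $url2
EOF
}

# Load an LDIF into the local server's cn=config over the unix socket. This
# bypasses the load balancer, so it is unambiguous which server was modified.
apply_local() {
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Show what olcServerID the local slapd now carries, for verification.
show_server_id() {
  ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcServerID
}

# Only touch the running server when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
  hash=$(slappasswd -h '{SSHA}')   # prompts twice for the new password
  tmp=$(mktemp)
  build_config_rootpw_ldif cn=admin,cn=config "$hash" > "$tmp"
  apply_local "$tmp"
  build_server_id_ldif ldaps://myserver1 ldaps://myserver2 > "$tmp"
  apply_local "$tmp"
  rm -f "$tmp"
  show_server_id
fi
```

Run it with the `apply` argument on each mirror separately, because cn=config is per server and a modify sent through the load balancer lands on whichever backend it happens to pick. Once the rootpw step has been applied, the question's original over-the-network form also works, provided it binds as the config database's rootdn (`-D cn=admin,cn=config`) against a specific server and uses a plain `ldaps://host` URL without a DN suffix.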