Fix insufficient access (50) error – Openldap

Are you trying to update Openldap global or config database configuration? Getting insufficient access error (50)?

So, What is the BIND dn (i.e username) you are using? The error simply says that BIND dn authentication successful but it does not have write access to database you are trying to modify.

# ldapmodify –axw ppsswwdd -D "cn=manager,dc=sunt,dc=com" -f db.ldif
modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Insufficient access (50)

You can fix this issue by providing “ROOTDN” of database as BIND dn.

Default  assumption

First database would be “config” also represented as “Zero” (0).

-It holds the global and other database configuration information. Stored under /etc/openldap/slapd.d

Second database would be “monitor” (1)

-Used for slapd status monitoring.

Third will be the back end DB “bdb” (2).

-It holds all other stuff such organization, user, host, password etc. Located by default in /var/lib/ldap. But it can be changed.

If you want to modify any of above database configuration user should have write access to config database.

Stop & Note

ROOTDN of config database – Needed to add/modify database or any configuration on the fly (online)

ROOTDN of bdb database – Needed to add/modify entry in bdb database such add user, host etc.

Set config database ROOTDN

Two possible solutions given here. Go with the one which you feel easy. Generate the encrypted password and keep handy.

#slappasswd

Solution 1

Edit the database configuration and append ROOTDN values.

#vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif

Under the attribute “olcReadOnly” append ROOTDN as below.

olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=sunt,dc=com
olcRootPW: {SSHA}ajC0JcQzEyVrAepHlLe0ACfQ5N/dTY/a

restart slapd service

#service slapd restart

Solution 2

Append ROOTDN and ROOTPW in “/etc/openldap/slapd.conf” under the config database section.

After modification file should looks like below.

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
rootdn   cn=manager,dc=sunt,dc=com
rootpw   secret
rootpw   {SSHA}yt8guqPX6CrjkyraXlW1X4fG8KOTLo2y

Stop the slapd service.

#service slapd stop

Backup the current config files.

#mv /etc/openldap/slapd.d /etc/openldap/slapd.d_bkp1
#mkdir /etc/openldap/slapd.d
#chmod 700 /etc/openldap/slapd.d
#chown ldap:ldap /etc/openldap/slapd.d

Generate the dynamic configuration files using slaptest and start service.

#slaptest –f /etc/openldap/slapd.conf –F /etc/openldap/slapd.d
#service slapd start

Validate

# ldapmodify –axw ppsswwdd -D "cn=manager,dc=sunt,dc=com" -f db.ldif
modifying entry "olcDatabase={2}bdb,cn=config"

Now I am able to update the “config” database using “ROOTDN” as BIND dn. The beauty is, it does not need to bring down services.

This is my ldif file data. I am trying to update ACL rules for “bdb” database to enable user self-password reset. Finally I did it.

#cat db.ldif
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcaccess
olcaccess: {0}to attrs=userpassword,shadowlastchange,shadowWarning by self write by anonymous auth by * read
olcaccess: {1}to dn.base="" by * read
olcaccess: {2}to * by self write by * read

I am waiting for your feedback. Post here if any.

5 thoughts on “Fix insufficient access (50) error – Openldap

  1. I found your post just when I was ready to throw my laptop out of the window.
    Thank you for saving my laptop. Very kind of you to share this and I cannot understand why is’nt it the sane default.
    Best wishes!

Comments are closed.