Tom's picture
Tom - Wed, 2014/03/19 - 21:23

I am trying to add a new schema to the OpenLDAP turnkey box.

I logged into phpldapadmin and clicked import and pasted my ldif into the box.

dn: cn=openssh,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' STRUCTURAL MUST ( sshPublicKey $ uid )
 )

Clicking next gave me an error : 

  Could not add the object to the LDAP server.
LDAP said: Insufficient access
Error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
Description: You do not have sufficient permissions to perform that operation.
  LDIF text import
Could not add object cn=openssh,cn=schema,cn=config
LDAP said: Insufficient access
Error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
Description: You do not have sufficient permissions to perform that operation.
Forum: 
Support
Tags: 
openldap
Jeremy Davis's picture

Jeremy Davis - Thu, 2014/03/20 - 04:45

Unfortunately I am not really up with LDAP (let-alone the TKL OpenLDAP appliance) so I can't provide much specific help - beyond my ninja Googlefu skills! :)

Following a quick google I have come to the conclusion that it is being caused by a lack of user permissions (surprise, surprise...!)

So I dug a little deeper to see why that might be... (Thinking that perhaps the TKL OpenLDAP appliance was misconfigured). And whilst TBH I didn't understand half of what I read it seems to me that the default Debian install of OpenLDAP (as used by the TKL OpenLDAP appliance) is REALLY locked down...! (This is what gave me the hint). A little more digging and I found this which may be enough to get you over the line (although it applies to Debian Squeeze (basis of TKL v12.x appliances, TKL v13.x is based on Debian Wheezy). I didn't test it though, so no guarantees.

If that helps then awesome; otherwise I suggest that you try the OpenLDAP 'Technical' mailing list and hopefully they may be able to give some assistance, or at least point you in the right direction...

if/when you find a resolution it'd be great if you could post back as it will no doubt save others some headache... Thanks.

Eric's picture

Eric - Tue, 2014/05/06 - 22:49

A simple approach to add a LDAP schema in ldif format: make a file with the schema (e.g. sudo.ldif) and add it under the root account with:

ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif

To check if the schema is added use:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

Note: a "schema" file must be converted to ldif before you can add it.

Add new comment