Modifying cn=config in OpenLDAP without rootDN password

Using a configured “admin” user and its password, I successfully created a bind user uid=bind_user,ou=users,dc=work,dc=com on an OpenLDAP server. The bind user needed escalated privileges, but since the cn=admin,dc=work,dc=com user didn’t have write access to the cn=config database, all my attempts to run commands such as ldapmodify on the bind user resulted in this error message:

ldap_modify: Insufficient access (50)

I didn’t have access to the rootDN password, so I was kind of stuck for a while.

Then I was advised to try ldapvi, which writes directly to the database. It turned out to work perfectly, so I thought I’d advise others to try the same approach.

To start, I simply issued a command such as this on the Linux command line:

EDITOR=vim ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config

Once in, I needed to locate the database that held my LDAP user objects. In my case this was easy: I simply looked for the database entry holding the access rights for the cn=admin,dc=work,dc=com user:

olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write by * read

To give my bind user write access to the objects in that database, I simply updated the line to look like this:

olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write by dn="uid=bind_user,ou=users,dc=work,dc=com" write by * read

After exiting ldapvi and confirming that the changes should be written to LDAP, I had successfully given escalated privileges to an LDAP user without having access to the rootDN password.
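The same change can be made non-interactively and verifiably with the standard ldap-utils tools, which is what I would script for a repeatable deployment. The script below is an added example and is not code from the post; it assumes what the ldapvi command above also relies on: it runs as root on the slapd host, the ldapi:/// socket is enabled, and cn=config carries the default ACL that maps the local root user (SASL EXTERNAL via peer credentials) to manage rights. That mapping is the reason ldapvi succeeded without the rootDN password; it is not a bypass, and any unprivileged account bound over the network would get the same Insufficient access (50) error. The suffix, admin DN, bind DN and the {2} rule index are taken from the post; the database is looked up by olcSuffix instead of being eyeballed in the editor, and the new by-clause is inserted before the catch-all by * read, since OpenLDAP evaluates by-clauses in order and the first match wins.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes root on the slapd host,
# ldap-utils installed, ldapi:/// enabled, and the default cn=config ACL
# granting the local root identity (SASL EXTERNAL / peercred) manage access.
# Values below are hypothetical and mirror the post.
SUFFIX="dc=work,dc=com"
ADMIN_DN="cn=admin,dc=work,dc=com"
BIND_DN="uid=bind_user,ou=users,dc=work,dc=com"

# Return the config DN (olcDatabase={N}mdb,cn=config) of the database serving $1.
find_db_dn() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        "(olcSuffix=$1)" dn | sed -n 's/^dn: //p'
}

# Build the LDIF that replaces ACL rule {2} on database $1 with the edited
# rule from the post: admin DN $2 and bind DN $3 both get write, placed before
# the catch-all "by * read" so they are matched first. Deleting and adding
# by "{2}" keeps the rule at the same position in the X-ORDERED list.
build_acl_ldif() {
    db_dn=$1; admin=$2; bind=$3
    printf 'dn: %s\nchangetype: modify\ndelete: olcAccess\nolcAccess: {2}\n-\nadd: olcAccess\nolcAccess: {2}to * by self write by dn="%s" write by dn="%s" write by * read\n-\n' \
        "$db_dn" "$admin" "$bind"
}

# Apply the LDIF over the local socket with the root identity.
apply_acl_change() {
    build_acl_ldif "$@" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read back the full rule set of database $1 so the new rule and its
# position relative to "by * read" can be checked after the change.
show_acls() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "$1" -s base olcAccess
}

main() {
    db_dn=$(find_db_dn "$SUFFIX")
    if [ -z "$db_dn" ]; then
        echo "no database with suffix $SUFFIX found in cn=config" >&2
        exit 1
    fi
    apply_acl_change "$db_dn" "$ADMIN_DN" "$BIND_DN"
    show_acls "$db_dn"
}

# Only touch the directory when explicitly asked, so the file can be
# sourced to reuse the functions without side effects.
if [ "${RUN_LDAP_CHANGE:-0}" = 1 ]; then
    main
fi
```

Run it as root with RUN_LDAP_CHANGE=1 sh grant_bind_acl.sh (hypothetical file name); the final ldapsearch output should show the {2} rule with the bind user's by-clause ahead of by * read. Because the change goes through slapd rather than an editor session, it can be reviewed in version control and applied identically on a replica.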
