Modifying cn=config in OpenLDAP without rootDN password
Using a configured “admin” user and the corresponding password, I successfully created a bind user uid=bind_user,ou=users,dc=work,dc=com on an OpenLDAP server. The bind user needed escalated privileges, but as the cn=admin,dc=work,dc=com user didn’t have write access to the cn=config database, all my efforts running commands such as ldapmodify on the bind user resulted in this error message:
ldap_modify: Insufficient access (50)
I didn’t have access to the rootDN password, so I was kind of stuck for a while.
Then I was advised to try ldapvi, which writes directly to the database. It turned out to work perfectly, so I thought I’d advise others to try the same approach.
To start, I simply issued a command such as this on the Linux command line:
EDITOR=vim ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
Once in, I needed to locate the database which held my LDAP user objects. In my particular case, it was easy, as I simply located the database which held the access rights for the cn=admin,dc=work,dc=com user:
olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write by * read
To provide my bind user write access to the objects in the above-mentioned database, I simply updated the line to look like this:
olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write by dn="uid=bind_user,ou=users,dc=work,dc=com" write by * read
After exiting ldapvi and confirming that the changes should be written to the LDAP server, I had successfully managed to give escalated privileges to an LDAP user, without having access to the rootDN password.
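A change like the one above lives only in an olcAccess string inside cn=config, so it is easy to miss unless someone diffs the ACLs. As an added example, not code from the original post, the Python script below parses olcAccess values in the textual form slapd.access(5) uses, as they appear in a dump of the config database (for instance from `slapcat -n 0` or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess`), and reports which identities gained write or manage access compared with a baseline dump. The BEFORE and AFTER lines are the post's own rule; the `{0}` rule is the one Debian's slapd package ships for cn=config, which grants `manage` to the local root user's SASL EXTERNAL bind over ldapi:/// and is what makes the ldapvi approach work without the rootDN password. The function names and the parsing approach are my own.

```python
"""Audit OpenLDAP olcAccess rules for write/manage grants.

Added example, not code from the original post. It parses olcAccess values
in the slapd.access(5) textual form and reports who can write, so an ACL
edit such as the one in the post shows up when the current cn=config dump
is compared against a known-good baseline.
"""
import re
import shlex
from dataclasses import dataclass, field

# Access levels from slapd.access(5), ordered from weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "continue", "break"}
# Either a named level or an explicit privilege set such as =rscx, +w or -w.
LEVEL_RE = re.compile(r"^(?:" + "|".join(LEVELS) + r"|[=+-][0xdrscwm]+)$")
# Optional "olcAccess:" attribute name and optional {n} ordering prefix.
PREFIX_RE = re.compile(r"^\s*(?:olcAccess:\s*)?(?:\{(\d+)\})?\s*(.*)$")


@dataclass
class Rule:
    index: int                                   # {n} prefix, -1 when absent
    what: str                                    # the <what> clause after "to"
    grants: list = field(default_factory=list)   # (who, level, control) triples


def parse_olc_access(value: str) -> Rule:
    """Parse one olcAccess value, with or without the attribute name."""
    m = PREFIX_RE.match(value)
    index = int(m.group(1)) if m.group(1) else -1
    tokens = shlex.split(m.group(2))  # shlex strips the quotes around DNs
    if not tokens or tokens[0] != "to":
        raise ValueError(f"olcAccess value must start with 'to': {value!r}")
    tokens = tokens[1:]
    what_parts = []
    while tokens and tokens[0] != "by":
        what_parts.append(tokens.pop(0))
    rule = Rule(index, " ".join(what_parts))
    while tokens:
        if tokens.pop(0) != "by":
            raise ValueError(f"expected 'by' clause in {value!r}")
        who_parts, level, control = [], "none", None
        # <who> may span several tokens (e.g. a DN followed by ssf=128);
        # it ends at the access level, a control keyword or the next "by".
        while (tokens and tokens[0] != "by" and not LEVEL_RE.match(tokens[0])
               and tokens[0] not in CONTROLS):
            who_parts.append(tokens.pop(0))
        if tokens and LEVEL_RE.match(tokens[0]):
            level = tokens.pop(0)     # no explicit level is treated as none
        if tokens and tokens[0] in CONTROLS:
            control = tokens.pop(0)
        rule.grants.append((" ".join(who_parts), level, control))
    return rule


def can_write(level: str) -> bool:
    """True if the level confers write or manage privileges."""
    if level.startswith("-"):
        return False                  # a subtraction never grants anything
    if level[0] in "=+":
        return "w" in level or "m" in level
    return LEVELS.index(level) >= LEVELS.index("write")


def writers(rules):
    """Return {what: [who, ...]} for every grant at write level or above."""
    out = {}
    for rule in rules:
        out.setdefault(rule.what, [])
        out[rule.what].extend(who for who, level, _ in rule.grants if can_write(level))
    return out


def new_writers(baseline, current):
    """(what, who) pairs that can write now but could not in the baseline."""
    before = {(w, who) for w, whos in writers(baseline).items() for who in whos}
    after = {(w, who) for w, whos in writers(current).items() for who in whos}
    return sorted(after - before)


# Sample input. The {2} rule is the one from the post, before and after the
# edit; the {0} rule is the cn=config rule shipped by Debian's slapd package,
# which is what gives the local root user (SASL EXTERNAL over ldapi:///)
# manage rights on cn=config without the rootDN password.
CONFIG_ROOT_RULE = ("olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,"
                    "cn=peercred,cn=external,cn=auth manage by * break")
BEFORE = ['olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write by * read']
AFTER = ['olcAccess: {2}to * by self write by dn="cn=admin,dc=work,dc=com" write '
         'by dn="uid=bind_user,ou=users,dc=work,dc=com" write by * read']

if __name__ == "__main__":
    baseline = [parse_olc_access(v) for v in BEFORE]
    current = [parse_olc_access(v) for v in AFTER]
    for what, who in new_writers(baseline, current):
        print(f"new write access on '{what}': {who}")
    root = parse_olc_access(CONFIG_ROOT_RULE)
    print(f"cn=config managed by: {root.grants[0][0]}")
```

Run it against two `slapcat -n 0` dumps (baseline and current) by feeding every olcAccess value from each into `parse_olc_access` and passing the lists to `new_writers`; an empty result means nobody gained write access. Note that the root-mapping rule is the real control point here: anyone who can run commands as root on the directory host can edit any ACL this way, so that access deserves the same scrutiny as the rootDN password.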