ldap_modify: Insufficient access (50) when changing the password

I am trying to change the LDAP admin password on a fresh OpenLDAP install on CentOS 6.7 (similar to RHEL 6.7).

I created a file called change_ldap_password.ldif:

# Hash your password:
# slappasswd -h {SSHA} -s "my_password"
# I also tried {1}hdb instead of {0}config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YP8q2haCD1POSzQC3GAuBdrfaHh+/Y49

When I run the following command as root, I get an access error:

# ldapmodify -x -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif

Enter LDAP Password:

modifying entry "olcDatabase={0}config,cn=config"

ldap_modify: Insufficient access (50)

Here is the output of ldapwhoami:

# ldapwhoami -x -W -D "cn=admin,dc=com"

Enter LDAP Password:

dn:cn=admin,dc=com

Here is the result of grepping for olcRoot in cn=config:

# grep -R olcRoot /etc/openldap/slapd.d/cn=config

/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootDN: cn=admin,dc=com

/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootPW:: ...

Here is the debug output of ldapmodify:

# ldapmodify -x -W -D "cn=admin,dc=com" -f ./change_ldap_password.ldif -d1

ldap_create

Enter LDAP Password:

ldap_sasl_bind

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP localhost:389

ldap_new_socket: 4

ldap_prepare_socket: 4

ldap_connect_to_host: Trying 127.0.0.1:389

ldap_pvt_connect: fd: 4 tm: -1 async: 0

attempting to connect:

connect errno: 111

ldap_close_socket: 4

ldap_int_open_connection

ldap_connect_to_path

ldap_new_socket: 4

ldap_connect_to_path: Trying /var/run/ldapi

ldap_connect_timeout: fd: 4 tm: -1 async: 0

ldap_ndelay_on: 4

ldap_close_socket: 4

ldap_int_open_connection

ldap_connect_to_host: TCP localhost:636

ldap_new_socket: 4

ldap_prepare_socket: 4

ldap_connect_to_host: Trying 127.0.0.1:636

ldap_pvt_connect: fd: 4 tm: -1 async: 0

attempting to connect:

connect success

TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly

TLS: using moznss security dir /etc/openldap/certs prefix .

TLS: certificate [CN=my_server.my_domain.com] is valid

TLS certificate verification: subject: CN=my_server.my_domain.com,issuer: CN=my_server.my_domain.com,cipher: AES-256,security level: high,secret key bits: 256,total key bits: 256,cache hits: 0,cache misses: 0,cache not reusable: 0

ldap_open_defconn: successful

ldap_send_server_request

ber_scanf fmt ({it) ber:

ber_scanf fmt ({i) ber:

ber_flush2: 50 bytes to sd 4

ldap_result ld 0x184a340 msgid 1

wait4msg ld 0x184a340 msgid 1 (infinite timeout)

wait4msg continue ld 0x184a340 msgid 1 all 1

** ld 0x184a340 Connections:

* host: (null) port: 636 (default)

refcnt: 2 status: Connected

last used: Fri Oct 30 14:04:24 2015

** ld 0x184a340 Outstanding Requests:

* msgid 1,origid 1,status InProgress

outstanding referrals 0,parent count 0

ld 0x184a340 request count 1 (abandoned 0)

** ld 0x184a340 Response Queue:

Empty

ld 0x184a340 response count 0

ldap_chkResponseList ld 0x184a340 msgid 1 all 1

ldap_chkResponseList returns ld 0x184a340 NULL

ldap_int_select

read1msg: ld 0x184a340 msgid 1 all 1

ber_get_next

ber_get_next: tag 0x30 len 12 contents:

read1msg: ld 0x184a340 msgid 1 message type bind

ber_scanf fmt ({eAA) ber:

read1msg: ld 0x184a340 0 new referrals

read1msg: mark request completed,ld 0x184a340 msgid 1

request done: ld 0x184a340 msgid 1

res_errno: 0,res_error: <>,res_matched: <>

ldap_free_request (origid 1,msgid 1)

ldap_parse_result

ber_scanf fmt ({iAA) ber:

ber_scanf fmt (}) ber:

ldap_msgfree

modifying entry "olcDatabase={0}config,cn=config"

ldap_modify_ext

ldap_send_initial_request

ldap_send_server_request

ber_scanf fmt ({it) ber:

ber_scanf fmt ({) ber:

ber_flush2: 102 bytes to sd 4

ldap_result ld 0x184a340 msgid 2

wait4msg ld 0x184a340 msgid 2 (timeout 100000 usec)

wait4msg continue ld 0x184a340 msgid 2 all 1

** ld 0x184a340 Connections:

* host: (null) port: 636 (default)

refcnt: 2 status: Connected

last used: Fri Oct 30 14:04:24 2015

** ld 0x184a340 Outstanding Requests:

* msgid 2,origid 2,parent count 0

ld 0x184a340 request count 1 (abandoned 0)

** ld 0x184a340 Response Queue:

Empty

ld 0x184a340 response count 0

ldap_chkResponseList ld 0x184a340 msgid 2 all 1

ldap_chkResponseList returns ld 0x184a340 NULL

ldap_int_select

read1msg: ld 0x184a340 msgid 2 all 1

ber_get_next

ber_get_next: tag 0x30 len 12 contents:

read1msg: ld 0x184a340 msgid 2 message type modify

ber_scanf fmt ({eAA) ber:

read1msg: ld 0x184a340 0 new referrals

read1msg: mark request completed,ld 0x184a340 msgid 2

request done: ld 0x184a340 msgid 2

res_errno: 50,res_matched: <>

ldap_free_request (origid 2,msgid 2)

ldap_parse_result

ber_scanf fmt ({iAA) ber:

ber_scanf fmt (}) ber:

ldap_msgfree

ldap_err2string

ldap_modify: Insufficient access (50)

ldap_free_connection 1 1

ldap_send_unbind

ber_flush2: 7 bytes to sd 4

ldap_free_connection: actually freed

If I enter a wrong password, the error changes from "Insufficient access" to "Invalid credentials":

ldap_bind: Invalid credentials (49)

How do I get past the ldap_modify: Insufficient access (50) error?

Why is root, identified as the LDAP administrator, not authorized to change the password?

I can reinstall slapd if that is the recommended solution. I would like to resolve this error before going any further.

EDIT: Accessing cn=config over ldapi:/// gives the following error:

# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1

ldap_url_parse_ext(ldapi:///)

ldap_create

ldap_url_parse_ext(ldapi:///??base)

ldap_sasl_interactive_bind: user selected: EXTERNAL

ldap_int_sasl_bind: EXTERNAL

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_path

ldap_new_socket: 3

ldap_connect_to_path: Trying /var/run/ldapi

ldap_connect_timeout: fd: 3 tm: -1 async: 0

ldap_ndelay_on: 3

ldap_close_socket: 3

ldap_msgfree

ldap_err2string

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I think I have ldapi:// defined in /etc/openldap/ldap.conf, but I am not sure about ldapi:///

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=my_domain,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap:// ldapi:// ldaps://

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs

EDIT 2: I get the same ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) error after stopping the firewall (service iptables stop), so the firewall is not the problem.
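An added diagnostic, not part of the post above: it parses the per-database slapd.d LDIF fragments (constructed here to mirror the grep output in the post, with the stock CentOS 6 olcAccess line on {0}config as an assumption) and reports whether a bind DN is the rootdn of the database it targets, since an olcRootDN bypasses access control only within its own database and a bind that succeeds can still get result 50 on a modify elsewhere.

```python
import base64
import re

# Constructed sample modelled on the post's grep output; the {0}config
# olcAccess line is the stock CentOS 6 default (assumption, not from the post).
_PW = base64.b64encode(b"{SSHA}YP8q2haCD1POSzQC3GAuBdrfaHh+/Y49").decode()
SLAPD_D = {
    "olcDatabase={0}config.ldif": (
        "dn: olcDatabase={0}config\n"
        'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
        'cn=external,cn=auth" manage by * none\n'
    ),
    "olcDatabase={1}hdb.ldif": (
        "dn: olcDatabase={1}hdb\n"
        "olcRootDN: cn=admin,dc=com\n"
        "olcRootPW:: " + _PW + "\n"
    ),
}

def parse_ldif_record(text):
    """One LDIF record -> {attr: [values]}; joins continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def diagnose(slapd_d, bind_dn, target_db):
    """'rootdn': bind_dn is olcRootDN of target_db (ACLs bypassed there). 'acl': an
    olcAccess clause names it with manage/write. 'denied': neither -> result 50."""
    rec = parse_ldif_record(slapd_d[f"olcDatabase={target_db}.ldif"])
    bind = norm_dn(bind_dn)
    if bind in (norm_dn(d) for d in rec.get("olcrootdn", [])):
        return "rootdn"
    for acl in rec.get("olcaccess", []):
        named = [norm_dn(d) for d in re.findall(r'dn\.base="([^"]+)"', acl)]
        if bind in named and re.search(r"\b(manage|write)\b", acl):
            return "acl"
    return "denied"
```

Running diagnose(SLAPD_D, "cn=admin,dc=com", "{0}config") against the constructed fragments returns "denied", while the same DN is "rootdn" for "{1}hdb".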
