From what I understood, you are not able to get all entries. Looks like you are hitting the admin limit exceeded error.
If you want to search from a non-cn=Directory Manager user, you need to add some attributes to the user like below.
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1
Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.
olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read
What I did instead was label each line with braces and a number. I also added the ability for a user to change their login shell (because I allow bash, ksh, and zsh; we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.
dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net
Of course, this requires the memberOf overlay.
The memberOf overlay I used is below:
% vi modules.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof
% vi memberof.ldif
dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
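As an added illustration, not code from this thread, here is a small Python linter for the olcAccess directives quoted in the post above, with those three directives embedded as the sample input. It checks that the {n} indices are in sequence, that a rule on userPassword is not shadowed by an earlier "to *" catch-all (slapd applies the first <what> clause that matches), and that "*" or anonymous never get more than auth on password attributes; the access-level ordering and the attribute names are assumptions taken from slapd.access(5) and the post.

```python
import re

# Constructed sample: the three olcAccess directives quoted in the post above.
ACLS_FROM_POST = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none',
    'olcAccess: {1}to dn.base="" by * read',
    'olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read',
]

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SENSITIVE = {"userpassword", "shadowlastchange"}  # must never be readable by * / anonymous
ACL_RE = re.compile(r'^olcAccess:\s*\{(\d+)\}to\s+(.*?)\s+(by\s+.*)$')
BY_RE = re.compile(r'by\s+([^\s"]+(?:"[^"]*")?)\s+(' + "|".join(LEVELS) + r')\b')


def parse_acl(line):
    """Split one olcAccess directive into its index, <what> target and ordered <by> clauses."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an olcAccess directive: {line!r}")
    return {"index": int(m.group(1)), "target": m.group(2), "by": BY_RE.findall(m.group(3))}


def target_attrs(target):
    """Lower-cased attribute set of an 'attrs=...' target, empty for any other target."""
    if target.startswith("attrs="):
        return {a.strip().lower() for a in target[len("attrs="):].split(",")}
    return set()


def lint_acls(lines):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings, catch_all_seen = [], False
    for pos, acl in enumerate(parse_acl(l) for l in lines):
        if acl["index"] != pos:
            findings.append(f"rule {{{acl['index']}}} is out of sequence (position {pos})")
        hot = target_attrs(acl["target"]) & SENSITIVE
        # slapd stops at the first <what> that matches, so a password rule placed after
        # 'to *' is dead code and the catch-all's access applies to the password instead.
        if hot and catch_all_seen:
            findings.append(f"rule {{{acl['index']}}} on {sorted(hot)} is shadowed by an earlier 'to *'")
        for who, level in acl["by"]:
            if hot and who in ("*", "anonymous", "users") and LEVELS.index(level) > LEVELS.index("auth"):
                findings.append(f"rule {{{acl['index']}}} grants {level} on {sorted(hot)} to {who}")
            if who == "*" and LEVELS.index(level) >= LEVELS.index("write"):
                findings.append(f"rule {{{acl['index']}}} grants {level} to everyone")
        if acl["target"] == "*":
            catch_all_seen = True
    return findings
```

Running lint_acls(ACLS_FROM_POST) returns an empty list; swapping the password rule behind the "to *" rule produces a "shadowed" finding.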
Best Answer
Read the documentation on the product. It appears that by default it does require security. That is a difference between 389 and OpenLDAP. If they were supposed to be exactly the same, then no one would have bothered forking 389 off into a different project, right?
Edit -
Despite your protestation below, "Read the documentation" is a great answer, and it's clear that you didn't. The end of this page explicitly tells you that you must use TLS with ldappasswd.