Ldapadd works, but ldapsearch doesn’t (openldap)

debian-squeezeldapopenldap

I use just installed Debian 6 with openldap 2.4. I have CentOS box too with openldap 2.3.
I make .ldif file from centOS (working configuration) box and successfully add all entries from ldif to Debian's openldap. After this, I try to use

ldapsearch -xLLL

and get an error

No such object (32)

command

ldapsearch -xLLL -b dc=pgtk,dc=edu,dc=ru

also doesn't work. I just can't understand what's wrong?

here is my slapd.conf

loglevel 0

modulepath /usr/lib/ldap
moduleload back_bdb.la

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema

database bdb
suffix "dc=pgtk,dc=edu,dc=ru"
directory /var/lib/ldap

rootdn "cn=root,dc=pgtk,dc=edu,dc=ru"
rootpw {SSHA}Fq0LHya+lD4356rE5B91snwP5390fDUg

index objectClass                       eq,pres
index ou,cn,sn,mail,givenname           eq,pres,sub,approx
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID                eq
index sambaSID,sambaPrimaryGroupSID     eq
index sambaDomainName                   eq

access to attrs=userPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to attrs=sambaLMPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to attrs=sambaNTPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to *
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by * read

and my ldap.conf

BASE    dc=pgtk,dc=edu,dc=ru
URI     ldap://192.168.0.249

So, where I was wrong?
Best regards, thanks a lot for wasting your time.

P.S.

ldapsearch on Debian with -h and -b parameters can successfully print ldap content from CentOS LDAP server.
LDAP Account manager (LAM) on Debian box shows Debian's LDAP content.
slapcat without any parameters on Debian box prints LDAP content.

Best Answer

I found solution! It was the access rights. Shoud be global access rule

access to * by * read

before any database and access rights definition. Stupid mistake, but I thought that

access to *
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by * read

enough for complete read access for all objects to all persons. In openldap 2.3 on CentOS box it's enough. Seems like openldap 2.4 has little different access rights politics.

Thanks all again for wasting your time!

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Since you are having issues with eDirectory, you are quite lucky, since you can use DSTrace with the LDAP option on to see what is going on, from the eDirectory server view.

Once you know what is being asked, and what the server is responding you can effectively troubleshoot the issue.

Basic eDirectory schema is complaint with LDAP and any standard LDAP schema should work for the most part. To get some specific features you might need some additional support, but that does not sound like your issue.

If you have access to the 10.10.1.27 box, try and look at it via http://10.10.1.27:8008 (or possibly port 8010, or 8028 depending if you are running eDirectory on Netware, Windows or a Unix variant respectively). This should redirect you to an https:// connection one port number higher (8009, 8010, or 8030 (ya 2 not 1)). Look for iMonitor or Dstrace, and then clear all the other flags, and enable the LDAP flag. Then the Dstrace Live icon will refresh on each click with the latest transactions.

Now as to your issue of:

there's almost no hierarchy. (I can set a base DN and view a particular object... but if I set the real base DN... I can only see it... and no children.)

I would suspect this issue is more about not doing the right kind of query. Sounds like you are doing Entry not Subtree queries. This will be very obvious in Dstrace, as you will see a query event that looks something like:

10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Search request:
base: "ou=people,o=acme,dc=com"
scope:2 dereference:3 sizelimit:1 timelimit:0 attrsonly:0
filter: "(&(objectClass=inetorgperson)(acme7DigitName=gxc1234))"
no attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Empty attribute list implies all user attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Sending search result entry "cn=gxc1234,ou=UNK,ou=People,o=acme,dc=com" to connection 0xa07e6c0

There the scope: 2 tells you it is an entry search. You want to see it do a subtree (0) level search in order to get what you are looking for.

You can read more about how I used this sort of tooling to debug the nonsense that SAP's GRC web interface does for LDAP data retrieval.

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Best Answer

Related Solutions

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Centos – How to add ACIs to OpenLDAP properly

Related Topic