OpenLDAP Problems

James Bourne jbourne at hardrock.org
Mon Jan 31 18:45:31 UTC 2005


On Fri, 28 Jan 2005, Nick Bernstein wrote:

> (8)     Slapadd -f /etc/openldap/slapd.conf -x -v -f /tmp/base.ldif

Not sure but likely this was a typo.

...
> (12) Open a java ldap browser (connects, ONLY shows "dc=shuba, dc=com" - no
> children)
> 
> (13) Try to connect using the Manager user, no dice.

Make sure you use the ldap tools; it could be the java ldap browser as well.

> slapadd -f /etc/openldap/slapd.conf -v -l /tmp/user.ldif
> 
> added: "uid=foo,ou=People,dc=shuba,dc=com" (00000050)
> 
>  
> 
> << changes foo->bar, and increase the uid/gid by one, same file >> 
...
> adding new entry "uid=bar,ou=People,dc=shuba,dc=com"
> 
> ldap_add: Operations error

slapadd and ldapmodify are not equal beasts.  You will have to authenticate
to use ldapmodify, I would think (unless you're using kerb and you have a
valid ticket).  Only those allowed to write by your ACLs will be able to
perform this operation.  Also, turn on logging in slapd.conf (loglevel 128
to start should help; that's ACLs) and use debugging in ldapmodify (-d #).

> So that's the first thing. Second, Nothing comes back when I use ldapsearch,
> even when asking for anything: 
> 
>             ldapsearch -x  -b '' -s base '(objectclass=*)'

Because of two things:
1) -b should be your searchbase dc=shuba,dc=com
2) -s (scope) should be sub if you want it to search the entire tree

The results you had returned from that ldap search are actually normal.

> suffix            "dc=shuba,dc=com"

Make sure that the object dc=shuba,dc=com exists in your tree.  That's
very important.  Try authenticating to the tree as well using a simple bind
(-x).  Also, in your slapd.conf I think you'll need to add at least these
access rules, from the default slapd.conf:

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
       # Manager grant must come inside this directive: slapd uses the first
       # "access to" that matches, so a separate one after "access to *" is
       # never reached.  Not needed at all if Manager is the rootdn.
       by dn.exact="uid=Manager,dc=shuba,dc=com" write
       by self write
       by users read
       by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")

Hope that helps
Regards
James

-- 
James Bourne                  | Email:            jbourne at hardrock.org          
UNIX Systems Administration   | WWW:           http://www.hardrock.org
Custom UNIX Programming       | Linux:  The choice of a GNU generation
----------------------------------------------------------------------
 "All you need's an occasional kick in the philosophy." Frank Herbert  
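Since the reply above turns on which "access to" directive slapd actually applies, here is an added illustration of slapd.access(5) evaluation.  It is mine, not something from the thread and not OpenLDAP code: a small Python model of the first-matching-directive / first-matching-by rules, run over two constructed policies.  One appends a Manager grant as a separate directive after "access to *", which slapd never reaches because the first matching directive wins; the other puts the same grant inside that directive.  It also shows why "ldapsearch -x" with no -D (an anonymous bind) gets only "auth" under "by anonymous auth" and therefore sees no entries.  The DNs and the uid=Manager account are borrowed from the thread for illustration; the assumption that Manager is not the rootdn, the treatment of dn= patterns as exact matches, and the limited set of <what>/<who> forms are simplifications of the model.

```python
"""Toy model of how slapd evaluates 'access to' directives (an added example, not
OpenLDAP code).  Per slapd.access(5): directives are tried in file order and the
FIRST whose <what> matches the entry is used; within it the FIRST matching 'by'
clause decides; the rootdn bypasses ACLs; with no ACLs at all everything is 'read'.
Model assumptions: no match anywhere means 'none'; dn=<pattern> is compared as an
exact DN (not a regex); only the <what>/<who> forms used below are understood."""
import re, shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # least to most

def norm_dn(dn):
    """Lower-case and strip whitespace around commas so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives, allowing # comments
    and indented continuation lines, into [(what, [(who, level), ...]), ...]."""
    body = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    rules = []
    for line in re.sub(r"\n[ \t]+", " ", body).splitlines():  # join continuations
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[:2] != ["access", "to"]:
            raise ValueError("bad directive: " + line)
        i = tok.index("by") if "by" in tok else len(tok)
        what, tail = " ".join(tok[2:i]), tok[i:]
        if len(tail) % 3 or tail[::3] != ["by"] * (len(tail) // 3) or not set(tail[2::3]) <= set(LEVELS):
            raise ValueError("malformed by clauses: " + line)
        rules.append((what, list(zip(tail[1::3], tail[2::3]))))
    return rules

def what_matches(what, target_dn):
    if what == "*":
        return True
    style, _, pat = what.partition("=")
    t, p = norm_dn(target_dn), norm_dn(pat)
    if style == "dn.subtree":
        return p == "" or t == p or t.endswith("," + p)
    if style in ("dn", "dn.base", "dn.exact"):
        return t == p
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester_dn is None) == (who == "anonymous")
    # self, dn=<dn>, dn.exact=<dn> and a bare "<dn>" are all compared exactly here
    pat = who.partition("=")[2] if who.startswith(("dn=", "dn.")) else who
    pat = target_dn if who == "self" else pat
    return requester_dn is not None and norm_dn(requester_dn) == norm_dn(pat)

def decide(rules, target_dn, requester_dn, rootdn=None):
    """Access level requester_dn (None = anonymous bind) gets on target_dn."""
    if rootdn and requester_dn and norm_dn(requester_dn) == norm_dn(rootdn):
        return "write"                 # the rootdn is never subject to ACLs
    if not rules:
        return "read"                  # no ACLs at all: 'access to * by * read'
    for what, by in rules:
        if what_matches(what, target_dn):
            for who, level in by:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"              # directive matched but no 'by' clause did
    return "none"                      # ACLs present, none matched

# Constructed policies (assume uid=Manager is NOT the rootdn).  DEAD_MANAGER appends
# the Manager grant after 'access to *', where slapd never reaches it; FIXED moves it inside.
DEAD_MANAGER = """
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
       by self write
       by users read
       by anonymous auth
access to * by "uid=Manager,dc=shuba,dc=com" write
"""
FIXED = """
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by dn.exact="uid=Manager,dc=shuba,dc=com" write
       by self write by users read by anonymous auth
"""
MANAGER = "uid=Manager,dc=shuba,dc=com"
FOO, BAR = "uid=foo,ou=People,dc=shuba,dc=com", "uid=bar,ou=People,dc=shuba,dc=com"

def demo():
    dead, fixed = parse_acl(DEAD_MANAGER), parse_acl(FIXED)
    return {
        "anon_rootdse": decide(dead, "", None),        # read: root DSE open to all
        "anon_entry": decide(dead, FOO, None),         # auth: anonymous sees no entries
        "foo_self": decide(dead, FOO, FOO),            # write
        "foo_other": decide(dead, BAR, FOO),           # read: foo cannot add/modify bar
        "manager_dead": decide(dead, BAR, MANAGER),    # read: trailing grant unreachable
        "manager_fixed": decide(fixed, BAR, MANAGER),  # write
        "manager_rootdn": decide(dead, BAR, MANAGER, rootdn=MANAGER),  # write, ACLs skipped
    }

if __name__ == "__main__":
    print(demo())
```

Running it prints the dictionary from demo(): with the grant appended as its own directive, uid=Manager gets only "read" on uid=bar (the same "by users read" clause any bound user hits), and the anonymous bind gets "auth" on every entry below the root DSE.  The real slapd adds regex and attribute-level matching on top of this, so treat the model as a way to reason about directive order, not as a substitute for "loglevel 128" on the running server.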




More information about the redhat-sysadmin-list mailing list