I don't recommend using the official Red Hat packages for running a
server (some versions have been known to be problematic). If I
recall, Red Hat includes them more for compatibility and dependencies
than for running as a server.
With that said, try running your slapd with debug to see what the
client is trying to do and why the server is rejecting it. It sure sounds
like an ACL issue from your explanation.
Sellers
On May 11, 2008, at 4:52 PM, The Hwyman wrote:
I'm running Red Hat Enterprise 5 (x86_64) and Openldap version 2.3.27
from official rpms. I have installed openldap, openldap-devel,
openldap-clients, and openldap-servers.
The following command:
ldapsearch -x -b "dc=example,dc=com" '(uid=jsmith)'
produces the following results:
--
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
--
If I specify the jsmith user (or any other user) using -D -W, I get the
same results. If I specify the rootdn user:
ldapsearch -x -D "cn=manager,dc=example,dc=com" -W -b
"dc=example,dc=com" '(uid=jsmith)'
I get the following results:
--
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#
# jsmith, users, example.com
dn: uid=jsmith,ou=users,dc=example,dc=com
uid: jsmith
cn: jsmith
homeDirectory: /home/jsmith
uidNumber: xxx
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
gidNumber: xxx
gecos: John Smith
sn: Smith
shadowLastChange: xxx
userPassword:: xxx
loginShell: /sbin/nologin
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
--
The problem is that I have not disabled anonymous or user access other
than to set ACLs for the userPassword field. The user jsmith can't
even do a search on himself.
I've tried slapacl and confirmed that anonymous as well as the jsmith
user can read the uid field. I even tried reindexing using slapindex,
but that didn't work either.
Here is my slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/qmail.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw xxx
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to attrs=uid
        by * read
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Am I missing something??
Thanks!
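The ACL behaviour this thread turns on, shown as an added example that is not part of either message: in OpenLDAP, as soon as any `access` directive appears in slapd.conf, every target that no directive matches falls through to an implicit `access to * by * none`. The posted configuration only grants access to the `userPassword` and `uid` attributes, so the `entry` pseudo-attribute of `uid=jsmith,ou=users,dc=example,dc=com` is readable by nobody except the rootdn (which bypasses ACLs entirely). A search needs read access to `entry` before it can return the entry at all, which is why anonymous and jsmith both get zero entries while `cn=manager` gets one. A catch-all directive placed last fixes this; the DNs and attribute names below are the ones from the posted config.

```conf
# ACL section for slapd.conf (added example, not the poster's file).
# Directives are evaluated in order; the first "access to" whose target
# matches the attribute (or the entry) decides, so specific rules go first.

# Credentials: anonymous may only use the value to bind, the owner may
# change it, nobody else may read it. Same as the posted config.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# Everything else, including the "entry" pseudo-attribute that a search
# must be able to read before it returns an entry. Without this rule the
# implicit "access to * by * none" applies and searches come back empty.
# This also subsumes the separate "access to attrs=uid by * read" rule
# from the posted config, so that rule can be dropped.
access to *
        by * read
```

Before restarting slapd, the failing case can be confirmed against the existing file with slapacl, which the poster ran only against `uid`: `slapacl -f /etc/openldap/slapd.conf -b "uid=jsmith,ou=users,dc=example,dc=com" entry/read` (no `-D` means anonymous; add `-D "uid=jsmith,ou=users,dc=example,dc=com"` for the user's own view) reports whether read on `entry` is allowed or denied, and it should flip from denied to allowed once the catch-all is in place. Running `slapd -d 128` (ACL processing) shows the same decisions per request, which is the debug output the reply above suggests looking at. If anonymous browsing of the whole tree is not actually wanted, the catch-all is the place to tighten it later, for example with `by users read` and `by anonymous auth` instead of `by * read`.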