On Tue, Feb 15, 2011 at 2:30 PM, Andrew Findlay <[email protected]> wrote:

> On Tue, Feb 15, 2011 at 02:13:40PM -0200, Leonardo Carneiro wrote:
> > > To: Andrew Findlay <[email protected]>
>
> Please keep replies on the list so that other people can
> benefit from the discussion in future.

Sure. It was a distraction of mine. Gmail doesn't recognize lists quite well.

> > > Aha! How many entries did that search return? Was it about the same
> > > number that you would expect given your users and groups?
> >
> > Yep, they are all there.
> >
> > > Did you previously have the LDAP server set up to refuse data to
> > > anonymous users?
> >
> > No, it could bind as anonymous and read any data.
>
> In that case leave the database alone: the problem is in the
> configuration. Please post the slapd config. We need to see
> all of it except for any passwords.

Here it is:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
allow bind_v2 bind_anon_cred

###### I remember very well that this first line didn't have the 'bind_anon_cred' statement before the upgrade, but removing it didn't change anything, so I kept it.

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

#schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 8 256 16384

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
# backend <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix dc=dominio,dc=com,dc=br

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn cn=root,dc=dominio,dc=com,dc=br
rootpw [suppressed]

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,displayName pres,sub,eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
index uid pres,sub,eq
index uniqueMember eq,pres

# Save the time that the entry gets modified, for database #1
lastmod off

# Where to store the replica logs for database #1
#replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to *
#        by anonymous read
#        by dn="cn=root,dc=dominio,dc=com,dc=br" write
#        by anonymous auth
#        by self write
#        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

######### This last entry was commented out. I uncommented it to check if it would change anything, but it hasn't.

# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=nodomain" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=nodomain" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
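Andrew asks for the config because what an anonymous search may see is decided by the access directives. As an added illustration that is not code from this thread, the Python model below follows the evaluation order documented in slapd.access(5) (the first `access to` directive whose target matches the entry, then the first `by` clause that matches the requester, with an implicit deny when nothing matches) and compares the posted config's single active ACL with its commented-out `access to *` block; the DNs are constructed from the posted suffix, and targets or subjects other than `*`, `dn.base`, `anonymous`, `self` and `dn=` (as well as rootdn's unconditional access and global-versus-database ACL precedence) are not modelled.

```python
"""Simplified model of slapd.conf ACL evaluation (added example, not code from the list):
first matching `access to <what>` directive, then first matching `by <who>` clause,
with an implicit deny whenever nothing matches. requester_dn=None is an anonymous bind."""
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def parse_acls(conf):
    """[(what, [(who, level), ...])] per uncommented directive; `by` lines are joined."""
    directives = []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("access to "):
            directives.append(line)
        elif line.startswith("by ") and directives:
            directives[-1] += " " + line
    acls = []
    for body in (d[len("access to "):] for d in directives):
        what = re.split(r"\s+by\s+", body, maxsplit=1)[0].strip()
        acls.append((what, re.findall(r'by\s+(\*|anonymous|self|dn="[^"]*")\s+(\w+)', body)))
    return acls

def _what_matches(what, target_dn):  # only `*` and dn.base="..." targets are modelled
    m = re.fullmatch(r'dn\.base="([^"]*)"', what)
    return what == "*" or (bool(m) and m.group(1).lower() == target_dn.lower())

def _who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    return bool(m) and requester_dn is not None and m.group(1).lower() == requester_dn.lower()

def allowed(conf, requester_dn, target_dn, wanted):
    """True if the first directive matching target_dn grants at least `wanted`."""
    for what, clauses in parse_acls(conf):
        if not _what_matches(what, target_dn):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return LEVELS[level] >= LEVELS[wanted]
        return False  # directive matched but no by-clause did: implicit `by * none`
    return False  # no directive matched: implicit `access to * by * none`

# Constructed inputs: the posted config's only active ACL, then the same with its commented-out block re-enabled.
POSTED = 'access to dn.base="" by * read\n'
FIXED = POSTED + ('access to *\n  by anonymous read\n  by dn="cn=root,dc=dominio,dc=com,dc=br" write\n'
                  '  by anonymous auth\n  by self write\n  by * none\n')
```

With only the `dn.base=""` directive active, an anonymous read of the root DSE is granted but a read of anything under the suffix falls off the end of the list and is denied; re-enabling the `access to *` block restores anonymous read while keeping writes to root and self.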
