On Wednesday, 16 February 2011 20:37:45 Leonardo Carneiro wrote:
> On Wed, Feb 16, 2011 at 8:43 AM, Andrew Findlay <[email protected]> wrote:
> > On Tue, Feb 15, 2011 at 05:08:43PM -0200, Leonardo Carneiro wrote:

In the original question:

> Hello everyone,
>
> I upgraded my debian machine from lenny to squeeze (the new stable)
> that comes with samba 3.5.6 and openldap 2.4.23. This machine works
> primarily as a PDC.
>
> I have 3 services authenticating on ldap: samba, apache and redmine.
> samba is acting very weird, but it's kinda working, but redmine and
> apache aren't working at all.

So, I take it Apache was upgraded as well? From what version? To what version?

> > > fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
> >
> > Aha! Your server is using LDAP-based config so it is ignoring the config
> > file entirely.
> >
> > > Are these changes that we are making to slapd.conf really being
> > > processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and
> > > never the "-f /etc/ldap/slapd.conf".
> >
> > I suspect the config file was converted to a config dir during the
> > Debian upgrade process, so the file is now being ignored.
> >
> > I also suspect that there may not be a valid password set on the
> > cn=config suffix, so you will not be able to manage the server through
> > LDAP either.
> >
> > One solution is to change the startup process to use the config file (-f
> > option) rather than the config dir (-F option). Once you have a file
> > that does what you want you have the option of converting it to a
> > directory:
> >
> >     Move aside the existing config directory /etc/ldap/slapd.d
> >     and make a new one with the same ownership and permissions.
> >
> >     Start slapd with both the -f and the -F options.
> >
> > If you are going to do this, I suggest adding a rootpw for the config
> > database first. Append this to your slapd.conf file:
> >
> > ########################################################################
> > database config
> >
> > rootdn "cn=config"
> > rootpw example
> > ########################################################################
> >
> > You will then be able to do normal LDAP operations on the config:
> >
> > ldapsearch -x -D cn=config -w example -b cn=config '(objectclass=*)'
>
> I think we're really near to success here =D.
>
> The new slapd.d was created successfully and now I can do searches
> anonymously. Searches like:
>
> ldapsearch -x -h server -D cn=config -w [passwd] -b cn=config
> ldapsearch -x -h server -b "dc=dominio,dc=com,dc=br"
>
> are working ok now. Unfortunately, services are not able to do the search
> yet. At least with the configuration that was working before the upgrade.
>
> I notice some of my services do bind as cn=root,dc=dominio,dc=com,dc=br.
> Here is an example from apache:
>
> AuthBasicProvider ldap
> AuthName "who are you?"
> AuthzLDAPAuthoritative OFF
> AuthLDAPURL "ldap://192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN OFF
> AuthLDAPBindDN "cn=root,dc=dominio,dc=com,dc=br"
> AuthLDAPBindPassword "[password]"
> Require ldap-group cn=devteam,ou=groups,dc=dominio,dc=com,dc=br

If you now have Apache 2.2.x, either you have included only some of the
relevant statements, or you are missing a "Satisfy" statement, e.g.
"Satisfy All".

> In the apache log, it just seems that apache did bind to ldap, but
> the search results were null. It should work ok now, since I can even bind
> anonymously, right?

Show the log of the LDAP search by apache, so we can be sure.

But, when upgrading from Apache 2.0 to Apache 2.2, one thing that messed me
around for a few hours was the 'Satisfy' statement. Without it, the behaviour
didn't make sense ...

Regards,
Buchan
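
Added example (not from the thread or from the OpenLDAP project): two shell checks for the situation discussed above. The first reports which configuration source a slapd command line selects, following the -f/-F rules in slapd(8); the second lists rootpw lines in a slapd.conf that hold a cleartext value rather than a {SCHEME} hash such as slappasswd produces. The function names and output labels are assumptions.

```shell
#!/bin/sh
# Added example; function names and output labels are hypothetical.

# Report which configuration source a slapd command line selects.
# Per slapd(8): -F = config directory (cn=config), -f = slapd.conf file,
# both = the file is read and converted into the directory,
# neither = default directory is tried before the default file.
slapd_config_source() {
    conf_file=""; conf_dir=""; want=""
    set -f                      # no globbing while splitting the command line
    for word in $1; do          # $1: whole command line, e.g. copied from ps
        case "$want" in
            f) conf_file=$word; want=""; continue ;;
            F) conf_dir=$word;  want=""; continue ;;
        esac
        case "$word" in
            -f)   want=f ;;
            -F)   want=F ;;
            -f?*) conf_file=${word#-f} ;;   # attached form: -f/path
            -F?*) conf_dir=${word#-F} ;;
        esac
    done
    set +f
    if [ -n "$conf_file" ] && [ -n "$conf_dir" ]; then
        echo "convert:$conf_file->$conf_dir"
    elif [ -n "$conf_dir" ]; then
        echo "dir:$conf_dir"
    elif [ -n "$conf_file" ]; then
        echo "file:$conf_file"
    else
        echo "default"
    fi
}

# List rootpw lines in a slapd.conf whose value is cleartext, i.e. does not
# start with a {SCHEME} prefix such as the {SSHA} hashes slappasswd prints.
cleartext_rootpw_lines() {
    awk '$1 == "rootpw" && $2 !~ /^[{][A-Za-z0-9-]+[}]/ { print NR ": " $0 }' "$1"
}

# Command line quoted in the thread: prints dir:/etc/ldap/slapd.d
slapd_config_source "/usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128"
```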
