I discovered that the reason this search failed is because samba was binding anonymously on the 20538 connection, and my ACLs are set up to deny access for anonymous binds. My conf file is set up to bind with the cn=Manager dn. Why would Samba ever bind to ldap anonymously?
Tony Earnshaw wrote:
Thu, 07.04.2005 at 20.10, Ben Davis wrote:
I tried this and it still did not work. The problem as far as I can tell is that samba is not even attempting to search for the user after it adds it. The very last operations in my slapd.log after the error occurred, were:
This is not so:
conn=20539 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
This is a search, scope sub, for (&(objectClass=posixAccount)(uid=melisa$))
conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH
This is the log entry that says that no object is found. I.e., there is either no combination of objectClass=posixAccount and uid=melisa$, or the LDAP ACL prohibits it being read.
Do a search with 'ldapsearch -x' and the same filter. If it doesn't return anything, the object probably doesn't exist. Don't get led astray by nss, it's not used here.
The samba ldapsam backend and tools (not idealx) are first class and brilliantly written.
--Tonni
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
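The diagnosis Ben reaches at the top of the thread (an anonymous bind on one connection, plus ACLs that hide entries from anonymous binds) is easy to miss in a slapd stats log, because OpenLDAP returns err=0 nentries=0 for an entry the ACL withholds exactly as it does for an entry that does not exist. The following Python is an added example, not code from the thread or from the Samba or OpenLDAP projects: it groups BIND and SRCH/SEARCH RESULT lines by connection id and, for every search that came back empty, reports whether that connection had bound anonymously (logged as BIND dn="" method=128) or with a real DN. The sample log is constructed and modelled on the entries quoted above; the full manager DN cn=Manager,dc=pca-wichita,dc=com and the second sambaDomain search are assumptions. Note also that 'ldapsearch -x' without -D/-W performs an anonymous simple bind, so it shows the anonymous view of the directory; compare it against a run bound as the manager DN before concluding that an object is missing.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the OpenLDAP slapd "stats" log lines seen in the thread.
# An anonymous simple bind is logged as BIND dn="" method=128.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')

# Constructed sample log, modelled on the thread's entries: connection 20538 binds
# anonymously, connection 20539 binds as the manager DN (the full DN and the
# sambaDomain search are assumptions, not taken from the thread).
SAMPLE_LOG = """\
conn=20538 fd=12 ACCEPT from IP=127.0.0.1:40000 (IP=0.0.0.0:389)
conn=20538 op=0 BIND dn="" method=128
conn=20538 op=0 RESULT tag=97 err=0 text=
conn=20538 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=20538 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=0 BIND dn="cn=Manager,dc=pca-wichita,dc=com" method=128
conn=20539 op=0 RESULT tag=97 err=0 text=
conn=20539 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=PCA))"
conn=20539 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


def _new_conn() -> dict:
    # bind_dn stays None until a BIND is seen; a connection that never binds is anonymous too.
    return {"bind_dn": None, "searches": {}}


def parse_slapd_log(text: str) -> Dict[str, dict]:
    """Group BIND and SRCH / SEARCH RESULT lines per connection id."""
    conns: Dict[str, dict] = {}
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conns.setdefault(m.group(1), _new_conn())["bind_dn"] = m.group(3)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn = conns.setdefault(m.group(1), _new_conn())
            conn["searches"][m.group(2)] = {"filter": m.group(3), "err": None, "nentries": None}
            continue
        m = SRCH_RESULT_RE.search(line)
        if m:
            conn = conns.setdefault(m.group(1), _new_conn())
            s = conn["searches"].setdefault(m.group(2), {"filter": None, "err": None, "nentries": None})
            s["err"] = int(m.group(3))
            s["nentries"] = int(m.group(4))
    return conns


def classify_empty_searches(conns: Dict[str, dict]) -> List[Tuple[str, str, str, str, str]]:
    """For each search that returned nentries=0, say whether the connection was anonymous.

    Returns (conn id, op, filter, bind dn, verdict) tuples in connection order.
    """
    findings = []
    for cid in sorted(conns, key=int):
        conn = conns[cid]
        for op, s in conn["searches"].items():
            if s["nentries"] != 0:
                continue
            bind_dn = conn["bind_dn"] or ""  # dn="" and "no BIND at all" both mean anonymous
            if bind_dn == "":
                verdict = "anonymous bind: empty result may be an ACL denial, not a missing object"
            else:
                verdict = "authenticated bind: empty result, object most likely does not exist"
            findings.append((cid, op, s["filter"] or "", bind_dn, verdict))
    return findings


def analyse(text: str = SAMPLE_LOG) -> List[Tuple[str, str, str, str, str]]:
    return classify_empty_searches(parse_slapd_log(text))


if __name__ == "__main__":
    for cid, op, flt, dn, verdict in analyse():
        print(f"conn={cid} op={op} bind_dn={dn!r} filter={flt}\n    -> {verdict}")
```

Run against a real slapd log with loglevel stats (256) enabled, feed the file contents to analyse(): connections flagged "anonymous bind" are the ones to check against the ACL before chasing a missing user, since an empty result from an anonymous connection says nothing about whether the entry exists.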