
I have just installed Debian 6 with openldap 2.4. I have a CentOS box too, with openldap 2.3. I made a .ldif file from the CentOS box (working configuration) and successfully added all entries from the ldif to Debian's openldap. After this, I try to use

ldapsearch -xLLL

and get an error

No such object (32)

The command

ldapsearch -xLLL -b dc=pgtk,dc=edu,dc=ru

also doesn't work. I just can't understand what's wrong.

Here is my slapd.conf:

loglevel 0

modulepath /usr/lib/ldap
moduleload back_bdb.la

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema

database bdb
suffix "dc=pgtk,dc=edu,dc=ru"
directory /var/lib/ldap

rootdn "cn=root,dc=pgtk,dc=edu,dc=ru"
rootpw {SSHA}Fq0LHya+lD4356rE5B91snwP5390fDUg

index objectClass                       eq,pres
index ou,cn,sn,mail,givenname           eq,pres,sub,approx
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID                eq
index sambaSID,sambaPrimaryGroupSID     eq
index sambaDomainName                   eq

access to attrs=userPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to attrs=sambaLMPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to attrs=sambaNTPassword
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by self write
    by anonymous auth
access to *
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by * read

and my ldap.conf:

BASE    dc=pgtk,dc=edu,dc=ru
URI     ldap://192.168.0.249

So, where was I wrong? Best regards, and thanks a lot for wasting your time.

P.S.

  1. ldapsearch on Debian with -h and -b parameters can successfully print ldap content from CentOS LDAP server.

  2. LDAP Account manager (LAM) on Debian box shows Debian's LDAP content.

  3. slapcat without any parameters on Debian box prints LDAP content.

gooamoko
  • just making sure, ldap.conf is in /etc/openldap/ldap.conf right? b/c that is what is used for querying. – Nikolas Sakic Apr 24 '13 at 14:10
  • In Debian 6 there is no /etc/openldap directory (like in CentOS). There is only the /etc/ldap directory. In the beginning, slapd.conf was missing, cos openldap 2.4 uses LDIF format for config and the config data is stored in /etc/ldap/slapd.d. But the openldap 2.4 admin guide has a chapter with explanations of converting the old slapd.conf into the new format. – gooamoko Apr 24 '13 at 14:20
  • hmm I haven't done this on a Debian system. However, in RHEL we have 2 ldap.conf files. One in /etc/ and the other in /etc/openldap/. The one in /etc/ is used for the authentication process, if your machine is using ldap for logging in. The one in /etc/openldap/ldap.conf is used for querying, i.e. ldapsearch. The filename is the same, ldap.conf. Maybe you need a ldap.conf in /etc/ldap/. Did you try running ldapsearch in verbose/debug mode and see if there is any output that might give you a clue? – Nikolas Sakic Apr 24 '13 at 16:08
  • I know about the two ldap.conf files in RHEL, cos I am using CentOS. Thanks a lot for the advice. I'll try something tomorrow... I need some sleep. – gooamoko Apr 24 '13 at 16:51

1 Answer


I found the solution! It was the access rights. There should be a global access rule

access to * by * read

before any database and access rights definition. Stupid mistake, but I thought that

access to *
    by dn.base="uid=ldap,ou=Users,dc=pgtk,dc=edu,dc=ru" write
    by * read

was enough for complete read access to all objects for all persons. In openldap 2.3 on the CentOS box it's enough. Seems like openldap 2.4 has a slightly different access rights policy.

Thanks all again for wasting your time!

gooamoko