8

I'm trying to set up an OpenLDAP server on Ubuntu 9.10, which uses slapd version 2.4.18.

After initializing and populating a new hdb database, everything seems OK, but I cannot get the server to return a root DSE. Running

ldapsearch -x -W -D 'cn=manager,dc=example,dc=org' \
    -b '' -s base '(objectclass=*)' +

just returns

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 0 Success

# numResponses: 1

My hdb database ACLs are set up as follows:

olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.base="cn=manager,dc=example,dc=org" write
  by * none
olcAccess: to dn.base=""
  by * read
olcAccess: to *
  by self write
  by dn.base="cn=manager,dc=example,dc=org" write
  by * read

From my experience this setup should have returned a valid root DSE, so if anyone could give me a clue as to what is going on...

  • On my config ldapsearch fails to retrieve the rootDN but my `LDAP Admin` can retrieve it before I enter any password/credential. – MUY Belgium Aug 29 '19 at 07:57

6 Answers

4

Isn't the Root DSE supposed to be queried anonymously, before binding as a user? So you shouldn't be using -W or -D at all.

My OpenLDAP server responds to the following:

$ ldapsearch -x -b '' -s base

with

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
ptman
  • You're right, if the LDAP server is configured right, you don't need to bind a user. But I get the same result both when I query anonymously and when I bind a user. And I don't get an unauthenticated response. So somehow the server doesn't answer any details about itself. – Nov 05 '09 at 18:33
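To tell the two kinds of output apart mechanically (for instance in a post-deploy check), here is an added Python example; it is not part of ptman's answer and not OpenLDAP code. It parses the LDIF that ldapsearch prints and reports whether a root DSE entry (the entry whose DN is empty) came back. The dumps embedded in it are constructed: abridged copies of the two outputs shown above, plus a hypothetical third dump of what a `+` query returns once the root DSE is readable.

```python
"""Check an ldapsearch LDIF dump for a root DSE entry (added example, not from
the thread or OpenLDAP). Handles ldapsearch comment lines, blank-line-separated
entries, RFC 2849 folded lines and base64 '::' values."""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample 1: abridged copy of the question's output (no entry at all).
BROKEN_DUMP = """\
# extended LDIF
# base <> with scope baseObject
# requesting: +

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

# Constructed sample 2: abridged copy of the output ptman's server gives.
WORKING_DUMP = """\
# extended LDIF
# base <> with scope baseObject
# requesting: ALL

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample 3 (hypothetical): a '+' query on a readable root DSE.
# configContext is base64 ('cn=config') only to exercise the '::' path; the
# folded supportedLDAPVersion line exercises continuation handling.
OPERATIONAL_DUMP = """\
#
dn:
namingContexts: dc=example,dc=org
configContext:: Y249Y29uZmln
supportedLDAPVers
 ion: 3

# search result
search: 2
result: 0 Success
"""


def _unfold(text: str) -> List[str]:
    """Join folded lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry, mapping attribute name to its list of values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        if line.startswith("#"):                    # ldapsearch commentary
            continue
        if not line.strip():                        # blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith(("search:", "result:")):  # response trailer, not entry data
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                   # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def root_dse(entries: List[Entry]) -> Optional[Entry]:
    """The root DSE is the entry with an empty DN; None means the server withheld it."""
    for entry in entries:
        if entry.get("dn") == [""]:
            return entry
    return None


def has_root_dse(dump: str) -> bool:
    return root_dse(parse_ldif(dump)) is not None


def naming_contexts(dump: str) -> List[str]:
    """Suffixes advertised by the root DSE; empty if the root DSE was not returned."""
    dse = root_dse(parse_ldif(dump))
    return dse.get("namingContexts", []) if dse else []


if __name__ == "__main__":
    for label, dump in (("question", BROKEN_DUMP), ("ptman", WORKING_DUMP), ("plus", OPERATIONAL_DUMP)):
        print(label, "root DSE returned:", has_root_dse(dump), naming_contexts(dump))
```

Feeding it the question's output yields no entries at all, which is the symptom: `result: 0 Success` with `numResponses: 1` means the search succeeded but the server chose not to disclose the root DSE, not that the DSE is missing.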
4

This is actually filed as bug #427842 against Ubuntu 9.10 (karmic).

To fix this, copy the following to fixRootDSE.ldif:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read

And execute

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f fixRootDSE.ldif

This should give anonymous access to the root DSE.

1

You can get the namingContexts using ldapsearch using optional attributes (+ flag)

You need

  • -s base
  • -b base
  • optional attributes + flag

In total,

    $ ldapsearch -x -b '' -s base +

As mentioned in this post https://superuser.com/questions/740877/how-do-i-query-the-available-base-dns-in-an-openldap-server

MUY Belgium
0

For anyone else trying to solve this, make sure your slapd.conf contains the ACLs to allow access to the rootDSE, as without any configuration there is also no access:

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

The rootDSE should be accessible without authentication.

DustWolf
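Why the question's own `to dn.base=""` rule does not help: it lives in the hdb database, and the root DSE is not stored in any backend database, so slapd consults only the frontend (global) directives for it, which is exactly what the fixRootDSE.ldif in the earlier answer and the slapd.conf lines above add. The following added Python model (not OpenLDAP code and not from any of the answers) reproduces that selection and slapd's first-match evaluation for the ACL shapes used on this page. It assumes the frontend of the affected install has no directive that matches the root DSE, treats a request that matches no directive as denied (the behaviour the thread observes), and leaves out attrs= selectors, regex selectors and the break/continue controls. The bind DNs and entry DNs are constructed sample values.

```python
"""Simplified model of slapd ACL selection and first-match evaluation (added
example; assumptions: empty frontend on the broken install, no match = none,
no attrs=/regex selectors, no break/continue controls)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class By:
    who: str    # "*", "anonymous", "users", "self" or 'dn.base="<dn>"'
    level: str  # none, auth, compare, search, read, write, ...


@dataclass
class Access:
    what: str   # "*" or 'dn.base="<dn>"'
    by: List[By]


@dataclass
class Server:
    frontend: List[Access]                      # global (olcDatabase={-1}frontend) ACLs
    databases: List[Tuple[str, List[Access]]]   # (suffix, ACLs) for each backend database


def _norm(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison, sufficient for this model."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _dn_arg(selector: str) -> str:
    # 'dn.base="cn=manager,dc=example,dc=org"' -> 'cn=manager,dc=example,dc=org'
    return selector.split("=", 1)[1].strip().strip('"')


def _what_matches(acl: Access, target: str) -> bool:
    if acl.what == "*":
        return True
    if acl.what.startswith("dn.base="):
        return _norm(target) == _norm(_dn_arg(acl.what))
    raise ValueError("selector not modelled: %s" % acl.what)


def _who_matches(by: By, bind_dn: Optional[str], target: str) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn is None
    if by.who == "users":
        return bind_dn is not None
    if by.who == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(target)
    if by.who.startswith("dn.base="):
        return bind_dn is not None and _norm(bind_dn) == _norm(_dn_arg(by.who))
    raise ValueError("who clause not modelled: %s" % by.who)


def _first_match(acls: List[Access], bind_dn: Optional[str], target: str) -> Optional[str]:
    """First 'to' that fits decides; inside it the first 'by' that fits gives the
    level; a matching 'to' with no matching 'by' denies. None: nothing applied."""
    for acl in acls:
        if _what_matches(acl, target):
            for by in acl.by:
                if _who_matches(by, bind_dn, target):
                    return by.level
            return "none"
    return None


def _is_under(dn: str, suffix: str) -> bool:
    dn, suffix = _norm(dn), _norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def access_level(server: Server, bind_dn: Optional[str], target: str) -> str:
    """Level a client bound as bind_dn (None = anonymous) gets on entry target."""
    for suffix, acls in server.databases:
        if _is_under(target, suffix):
            level = _first_match(acls, bind_dn, target)
            if level is not None:
                return level
            break  # database ACLs silent: fall through to the global ones
    # The root DSE ("") and cn=subschema sit outside every database, so only the
    # frontend's directives are ever consulted for them.
    level = _first_match(server.frontend, bind_dn, target)
    return level if level is not None else "none"   # assumption: no match = denied


MANAGER = "cn=manager,dc=example,dc=org"

# The hdb ACLs from the question (the attrs=userPassword rule is omitted because
# attribute selectors are outside this model).
HDB_ACLS = [
    Access('dn.base=""', [By("*", "read")]),
    Access("*", [By("self", "write"), By('dn.base="%s"' % MANAGER, "write"), By("*", "read")]),
]

# Frontend with nothing covering the root DSE (modelled as an empty list).
BROKEN = Server(frontend=[], databases=[("dc=example,dc=org", HDB_ACLS)])

# Frontend after the two directives from fixRootDSE.ldif / slapd.conf above.
FIXED = Server(
    frontend=[Access('dn.base=""', [By("*", "read")]),
              Access('dn.base="cn=subschema"', [By("*", "read")])],
    databases=[("dc=example,dc=org", HDB_ACLS)],
)

if __name__ == "__main__":
    for name, server in (("broken", BROKEN), ("fixed", FIXED)):
        for bind in (None, MANAGER):
            print(name, bind or "anonymous", "root DSE ->", access_level(server, bind, ""))
```

Running it shows the broken server denying both anonymous clients and cn=manager on the root DSE while still granting read under dc=example,dc=org, which matches the question's symptom; with the two frontend rules in place, anonymous clients get read on `""` and on cn=subschema.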
0

For those who will get this error in Apache Directory Studio.

If you can see the root DSE content in other browsers or ldapsearch, try creating a new connection. It helped me. I think it is a bug in Apache DS.

rominf
  • For others passing by, and having the Apache DS or PHPLdapAdmin bug where Root DSE has no children, this is more likely to be a server problem (especially since LDAPAdmin does not encounter it) – mveroone Jun 05 '18 at 05:48
0

For those who get this error in Apache Directory Studio, a restart of the studio also helped.

Vinish George