I don't recommend using the official Red Hat packages for running a server (some versions have been known to be problematic). If I recall, Red Hat includes them more for compatibility and dependencies rather than for running as a server.
With that said, try running your slapd with debug to see what the client is trying to do and why the server is rejecting it. It sure sounds like an ACL issue from your explanation.
On May 11, 2008, at 4:52 PM, The Hwyman wrote:
I'm running Red Hat Enterprise 5 (x86_64) and OpenLDAP version 2.3.27 from official rpms. I have installed openldap, openldap-devel, openldap-clients, and openldap-servers.
The following command:
ldapsearch -x -b "dc=example,dc=com" '(uid=jsmith)'
produces the following results:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
If I specify the jsmith user (or any other user) using -D -W, I get the same results. If I specify the rootdn user:
ldapsearch -x -D "cn=manager,dc=example,dc=com" -W -b "dc=example,dc=com" '(uid=jsmith)'
I get the following results:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# jsmith, users, example.com
dn: uid=jsmith,ou=users,dc=example,dc=com
uid: jsmith
cn: jsmith
homeDirectory: /home/jsmith
uidNumber: xxx
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
gidNumber: xxx
gecos: John Smith
sn: Smith
shadowLastChange: xxx
userPassword:: xxx
loginShell: /sbin/nologin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
The problem is that I have not disabled anonymous or user access other than to set ACLs for the userPassword field. The user jsmith can't even do a search on himself.
I've tried slapacl and confirmed that anonymous as well as the jsmith user can read the uid field. I even tried reindexing using slapindex, but that didn't work either.
Here is my slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/qmail.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw xxx

access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

access to attrs=uid
    by * read

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Am I missing something??
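Added example (editor's note, not part of either message above): the ACL section of the posted slapd.conf beside a corrected version. The failure mode it illustrates is that as soon as any access directive is present, slapd terminates the list with an implicit "access to * by * none". The posted rules grant read on the uid attribute but nothing on the "entry" pseudo-attribute, and read access on entry is required before slapd will return an entry in a search result. That is why slapacl reports uid as readable while ldapsearch returns zero entries, and why the rootdn (which bypasses ACLs entirely) sees everything. The DNs are taken from the post; the file path in the usage note below is an assumption based on the paths in the posted config.

```conf
# --- As posted: the only grant that applies to non-rootdn binds is on uid. ---
# slapd evaluates "access to" clauses in order and uses the first clause whose
# target matches the entry/attribute being checked. Once at least one access
# directive exists, an implicit
#     access to * by * none
# closes the list. No clause here grants read on the "entry" pseudo-attribute,
# so no entry can be returned to anonymous or to uid=jsmith, even though a
# slapacl check on the uid attribute alone succeeds.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

access to attrs=uid
    by * read

# --- Corrected: keep the userPassword rule first, then add a catch-all. ---
# Order matters. A clause whose target is "*" placed before the userPassword
# rule would match first and expose the password hashes to every reader.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# Everything else, including the "entry" pseudo-attribute, becomes readable by
# anyone, which is what the poster says they intend (anonymous access not
# disabled). To require an authenticated bind instead, use "by users read";
# "users" matches any authenticated identity, "anonymous" only unauthenticated.
access to *
    by * read
```

To confirm the diagnosis before changing anything, ask slapacl about the entry pseudo-attribute rather than uid, e.g. `slapacl -f /etc/openldap/slapd.conf -v -D "uid=jsmith,ou=users,dc=example,dc=com" -b "uid=jsmith,ou=users,dc=example,dc=com" entry/read uid/search` (slapacl accepts `attr[/access][:value]` arguments and reports each one separately); with the posted config the entry/read check is denied. Running `slapd -d 128` (the ACL debug level) while repeating the ldapsearch shows the same denial in the server log, which is the debug run the reply above suggests.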