On Tue, Feb 15, 2011 at 5:08 PM, Leonardo Carneiro <chesterman86@gmail.com> wrote:
On Tue, Feb 15, 2011 at 4:40 PM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Tue, Feb 15, 2011 at 04:04:57PM -0200, Leonardo Carneiro wrote:

> Hmm, still did not work.
>
> If I do an ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br' and the
> password, the search goes OK. If I do not specify it, it asks me for a SASL/MD5
> authentication and fails, and just asks for a password. If I include a '-x'
> parameter, it also does not work:
>
> chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br"
> '(objectclass=*)' -LLL -x
> ldap_initialize( ldap://192.168.0.2 )
> filter: (objectclass=*)
> requesting: All userApplication attributes
> No such object (32)

You always need the -x flag. (You can only leave it out if
you supply SASL credentials, and that is a complexity we do
not need right now).


Things are just complicated the way they are. If this will bring an extra layer of complexity, I WILL NOT use it right now. :)
 
It seems that anon users still cannot see the suffix entry
at all.

Try adding this line just under your 'lastmod off' line:

access to * by * read

Make sure that you restart the slapd process after doing
this. Then try the search:

ldapsearch -x -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)'

If you still get nothing, set SLAPD_OPTIONS="-d 128" in
/etc/default/slapd and restart the server. It should not go
into the background, and should produce some output on the
screen. DO NOT REBOOT with this setting in place.
Now retry just the search above, and post the debug output
along with the new state of the slapd config file.
Remove the "-d 128" again.


Putting the "-d 128" made the script that starts the server not go into the background, but it did not throw any output, so I called the server "by hand" with the following command:

fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
@(#) $OpenLDAP: slapd 2.4.23 (Nov 22 2010 23:39:34) $
        @biber:/build/buildd-openldap_2.4.23-7-i386-mi96UQ/openldap-2.4.23/debian/build/servers/slapd
=> access_allowed: search access to "cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=module{0},cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={2}nis,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={3}inetorgperson,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={4}samba,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * +0 break

Backend ACL: access to dn.base=""
        by * read

Backend ACL: access to dn.base="cn=subschema"
        by * read

=> access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * +0 break

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to *
        by * none

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)

Are these changes that we are making to slapd.conf really being processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and never the "-f /etc/ldap/slapd.conf".

I uninstalled the recommended upgrade from the first link (the one that said to upgrade from libnss-ldap and libpam-ldap to libnss-ldapd and libpam-ldapd). Now I can do 'su - [login]' and have normal access to files again.
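
Added example, not part of the original message: a small Python parser for the "Backend ACL:" blocks that `slapd -d 128` prints at startup, used to check whether a rule edited into the configuration (here `access to * by * read`) is among the ACLs the server actually loaded. The sample input is an excerpt of the debug output quoted above; the function names are hypothetical.

```python
import re

# Excerpt of the `slapd -d 128` startup output quoted in the message above.
SAMPLE = '''\
Backend ACL: access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * +0 break

Backend ACL: access to dn.base=""
        by * read

=> access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
Backend ACL: access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * +0 break

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to *
        by * none
'''

def parse_backend_acls(text):
    """Return [(what, [by-clause, ...]), ...] in the order slapd printed them."""
    acls = []
    current = None
    for line in text.splitlines():
        head = re.match(r"Backend ACL: access to (.+)$", line)
        if head:
            current = (head.group(1).strip(), [])
            acls.append(current)
        elif current is not None and re.match(r"\s+by\s", line):
            current[1].append(line.strip()[3:].strip())
        else:
            current = None  # blank line, warning or trace line ends the block
    return acls

def rule_loaded(acls, what, by_clause):
    """True if an ACL with this target and this by-clause was loaded."""
    return any(w == what and by_clause in bys for w, bys in acls)

def catch_all_denies(acls):
    """ACLs on '*' whose only clause refuses everyone ('by * none')."""
    return [(w, bys) for w, bys in acls if w == "*" and bys == ["* none"]]

if __name__ == "__main__":
    loaded = parse_backend_acls(SAMPLE)
    for what, bys in loaded:
        print("access to", what, "->", "; ".join(bys))
    print("'access to * by * read' loaded:", rule_loaded(loaded, "*", "* read"))
```

On this excerpt the rule `access to * by * read` is not among the loaded ACLs, while a catch-all `access to * by * none` is. slapd started with only `-F` reads its configuration from that directory, so a rule added to slapd.conf would not be expected in this list.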