On Thu, Feb 17, 2011 at 7:50 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 16 February 2011 20:37:45 Leonardo Carneiro wrote:
On Wed, Feb 16, 2011 at 8:43 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Tue, Feb 15, 2011 at 05:08:43PM -0200, Leonardo Carneiro wrote:
In the original question:
Hello everyone,
I upgraded my debian machine from lenny to squeeze (the new stable) that comes with samba 3.5.6 and openldap 2.4.23. This machine works primarily as a PDC.
I have 3 services authenticating on ldap: samba, apache and redmine. samba is acting very weird, but it's kinda working, but redmine and apache aren't working at all.
So, I take it Apache was upgraded as well? From what version? To what version?
fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
Aha! Your server is using LDAP-based config so it is ignoring the config file entirely.
Are these changes that we are making to slapd.conf really being processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and never the "-f /etc/ldap/slapd.conf".
I suspect the config file was converted to a config dir during the Debian upgrade process, so the file is now being ignored.
I also suspect that there may not be a valid password set on the cn=config suffix, so you will not be able to manage the server through LDAP either.
One solution is to change the startup process to use the config file (-f option) rather than the config dir (-F option). Once you have a file that does what you want you have the option of converting it to a directory:
Move aside the existing config directory /etc/ldap/slapd.d and make a new one with the same ownership and permissions.
Start slapd with both the -f and the -F options.
If you are going to do this, I suggest adding a rootpw for the config database first. Append this to your slapd.conf file:
########################################################################
database config
rootdn "cn=config"
rootpw example
########################################################################
You will then be able to do normal LDAP operations on the config:
ldapsearch -x -D cn=config -w example -b cn=config '(objectclass=*)'
I think we're really near to success here =D.
The new slapd.d was created successfully and now I can do searches anonymously. Searches like:
ldapsearch -x -h server -D cn=config -w [passwd] -b cn=config
ldapsearch -x -h server -b "dc=dominio,dc=com,dc=br"
are working ok now. Unfortunately, services are not able to do the search yet. At least with the configuration that was working before the upgrade.
I notice some of my services do bind as cn=root,dc=dominio,dc=com,dc=br. Here is an example, from the apache config:
AuthBasicProvider ldap
AuthName "who are you?"
AuthzLDAPAuthoritative OFF
AuthLDAPURL "ldap://192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN OFF
AuthLDAPBindDN "cn=root,dc=dominio,dc=com,dc=br"
AuthLDAPBindPassword "[password]"
Require ldap-group cn=devteam,ou=groups,dc=dominio,dc=com,dc=br
If you now have Apache 2.2.x, either you have included only some of the relevant statements, or you are missing a "Satisfy" statement, e.g. "Satisfy All".
In the apache log, it just seems that apache did bind to ldap, but the search results were null. It should work ok now, since I can even bind anonymously, right?
Show the log of the LDAP search by apache, so we can be sure.
But, when upgrading from Apache 2.0 to Apache 2.2, one thing that messed me around for a few hours was the 'Satisfy' statement. Without it, the behaviour didn't make sense ...
Regards, Buchan
I don't have that "Satisfy" statement. The upgrade was from 2.2.9 to 2.2.16. I'll check the logs to see what filter apache was trying to do. In fact, I'm very much a noob with the syntax of the filters in ldapsearch, but everything I tried didn't work out. I'll grab the logs and post back here.
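As an added illustration of the diagnosis in this thread (this is not code from the thread or from OpenLDAP): a small Python check that reads a running slapd's command line to tell whether -f (slapd.conf) or -F (slapd.d) is in effect, and inspects the config database entry from slapd.d for an olcRootPW so you know whether cn=config can be administered over LDAP. The /proc scan is an assumption for Linux hosts; the sample command line and LDIF are constructed.

```python
"""Which config a running slapd actually reads, and whether cn=config has a rootpw."""
import os, re, shlex

# Constructed sample: the command line quoted in the thread, minus the shell prompt.
SAMPLE_CMDLINE = "/usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128"
# Constructed sample: a freshly converted config database entry, with no olcRootPW.
SAMPLE_CONFIG_LDIF = "dn: olcDatabase={0}config\nolcDatabase: {0}config\nolcRootDN: cn=config\n"

def parse_slapd_args(cmdline):
    """Return (config_file, config_dir) from the -f and -F options of an slapd command line."""
    args = shlex.split(cmdline)
    conf = conf_dir = None
    for i, a in enumerate(args[:-1]):
        if a == "-f":
            conf = args[i + 1]
        elif a == "-F":
            conf_dir = args[i + 1]
    return conf, conf_dir

def config_source(cmdline):
    """Say which configuration slapd honours: -F alone means slapd.conf is never read."""
    conf, conf_dir = parse_slapd_args(cmdline)
    if conf_dir and not conf:
        return "slapd.d only (%s); edits to slapd.conf are ignored" % conf_dir
    if conf and conf_dir:
        return "converting %s into %s at startup" % (conf, conf_dir)
    return "slapd.conf only (%s)" % conf if conf else "compiled-in defaults"

def config_db_has_rootpw(ldif_text):
    """True if the cn=config entry (olcDatabase={0}config.ldif in slapd.d) carries olcRootPW."""
    return re.search(r"^olcRootPW:", ldif_text, re.M) is not None

def running_slapd_cmdlines():
    """Command lines of slapd processes found through /proc (Linux only; assumption)."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc") if os.path.isdir("/proc") else []):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                argv = [a.decode() for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        if argv and argv[0].endswith("slapd"):
            found.append(" ".join(shlex.quote(a) for a in argv))
    return found

if __name__ == "__main__":
    for cmd in running_slapd_cmdlines() or [SAMPLE_CMDLINE]:
        print(cmd, "->", config_source(cmd))
    print("sample cn=config has rootpw:", config_db_has_rootpw(SAMPLE_CONFIG_LDIF))
```

Run it on the server as a user that can read /proc; with no slapd running it falls back to the constructed sample, which reports that only slapd.d is read.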