Hello,
I have a working openLDAP server version 2.3.43. My configuration there works: the correct users have the correct access.
I have set up a new openLDAP server with newer version 2.3.43.
I have no working openLDAP on version 2.3.43.
I have tried with the new syntax and with the command /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v to use the built-in conversion tool, but I always get: ldap_bind: Invalid credentials (49)
So I dropped this conversion and continued with the "old" slapd.conf file.
But in this configuration (which is just a copy/paste of my openLDAP 2.3.43) no user can query the LDAP entries.
So this is the setup:
I have a user: cn=U101001,ou=101001,dc=mydomain
This user is a member of the group: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
These members can read entries in the tree: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
I have in slapd.conf :
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
This user cn=U101001,ou=101001,dc=mydomain really exists (in case you doubt it):
# extended LDIF
#
# LDAPv3
# base <cn=U101001,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# U101001, 101001, mydomain
dn: cn=U101001,ou=101001,dc=mydomain
cn: U101001
sn: U101001
objectClass: inetOrgPerson
objectClass: top
userPassword:: e1NTSEF9OVBTNmltR3ZpUEhzK1JRQVpickNVdVR5cS9Iejg5TzY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
The group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain also really exists (in case you doubt it):
# tbook1, gebruikers, 101001, mydomain
dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
cn: tbook1
member: cn=U101001,ou=101001,dc=mydomain
objectClass: groupOfNames
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
When I query the LDAP tree ou=tbook1,ou=contacten,ou=101001,dc=mydomain with my root account (cn=Manager,dc=mydomain), then I get results:
[root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tbook1, contacten, 101001, mydomain
dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
ou: tbook1
objectClass: organizationalUnit
objectClass: top

...<cut>...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
But when I query this same LDAP tree with my user cn=U101001,ou=101001,dc=mydomain, I get:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
I also have phpLDAPadmin installed, and there I see that there are definitely entries in the LDAP directory ou=tbook1,ou=contacten,ou=101001,dc=mydomain.
So why does my user cn=U101001,ou=101001,dc=mydomain fail to get results?
Kind regards,
Jonas.
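Added example (not part of the original post, and not OpenLDAP's own code): a small Python model of how slapd evaluates the posted "access to" directive. It implements two rules from slapd.access(5) that decide the outcome shown above: dn.one="X" matches only the immediate children of X, never X itself, and a search whose base entry the bound DN is not allowed to "search" fails with result 32 (noSuchObject) rather than returning an empty result, which is what the U101001 search against dc=mydomain returned. The directory content is constructed from the DNs in the post; the contact entries cn=Alice and cn=Bob under ou=tbook1, the admin member cn=Admin1, and the dn.subtree variant of the directive are assumptions made for the demonstration, not facts about the poster's server (which may carry other ACLs that are not quoted).

```python
"""Model of slapd.conf 'access to' evaluation for the ACL quoted in the post.

Added example, not OpenLDAP code. Simplifications: rootdn bypasses ACLs;
no attribute-level rules, no 'by ... stop/break' controls, and the
disclose/auth/compare levels are ranked but not otherwise distinguished.
"""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    """Case-fold a DN and drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent(dn: str) -> str:
    return norm(dn).partition(",")[2]


# Constructed directory content: the DNs come from the post; Admin1, Alice and
# Bob are invented for the demonstration.
DIRECTORY = {norm(dn): attrs for dn, attrs in {
    "dc=mydomain": {"objectClass": ["dcObject", "organization"]},
    "ou=101001,dc=mydomain": {"objectClass": ["organizationalUnit"]},
    "cn=U101001,ou=101001,dc=mydomain": {"objectClass": ["inetOrgPerson"]},
    "cn=Admin1,ou=101001,dc=mydomain": {"objectClass": ["inetOrgPerson"]},
    "cn=admins,ou=101001,dc=mydomain": {
        "objectClass": ["groupOfNames"], "member": ["cn=Admin1,ou=101001,dc=mydomain"]},
    "ou=gebruikers,ou=101001,dc=mydomain": {"objectClass": ["organizationalUnit"]},
    "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain": {
        "objectClass": ["groupOfNames"], "member": ["cn=U101001,ou=101001,dc=mydomain"]},
    "ou=contacten,ou=101001,dc=mydomain": {"objectClass": ["organizationalUnit"]},
    "ou=tbook1,ou=contacten,ou=101001,dc=mydomain": {"objectClass": ["organizationalUnit"]},
    "cn=Alice,ou=tbook1,ou=contacten,ou=101001,dc=mydomain": {"objectClass": ["inetOrgPerson"]},
    "cn=Bob,ou=tbook1,ou=contacten,ou=101001,dc=mydomain": {"objectClass": ["inetOrgPerson"]},
}.items()}

ROOTDN = "cn=Manager,dc=mydomain"
USER = "cn=U101001,ou=101001,dc=mydomain"
TBOOK = "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"

# The directive exactly as it appears in the post.
POSTED_ACL = ('access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" '
              'by group.exact="cn=admins,ou=101001,dc=mydomain" write '
              'by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read')
# Assumed alternative: dn.subtree also covers the ou entry itself, so it can be a search base.
SUBTREE_ACL = POSTED_ACL.replace("dn.one=", "dn.subtree=")


def parse_acl(line: str):
    """'access to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    tok = shlex.split(line)  # shlex strips the quotes around the DN patterns
    if tok[:2] != ["access", "to"]:
        raise ValueError("not an access directive")
    what, clauses, i = tok[2], [], 3
    while i < len(tok):
        if tok[i] != "by":
            raise ValueError("expected 'by'")
        clauses.append((tok[i + 1], tok[i + 2]))
        i += 3
    return what, clauses


def what_matches(what: str, target: str) -> bool:
    if what == "*":
        return True
    style, _, pattern = what.partition("=")
    target, pattern = norm(target), norm(pattern)
    if style in ("dn", "dn.exact", "dn.base"):
        return target == pattern
    if style == "dn.one":           # immediate children only, not the entry itself
        return parent(target) == pattern
    if style == "dn.children":      # all subordinates, not the entry itself
        return target.endswith("," + pattern)
    if style == "dn.subtree":       # the entry and all subordinates
        return target == pattern or target.endswith("," + pattern)
    raise ValueError("unsupported <what> style: " + style)


def who_matches(who: str, bind_dn: str, target: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return norm(bind_dn) == norm(target)
    style, _, pattern = who.partition("=")
    if style == "group.exact":      # default group class/attr: groupOfNames/member
        members = DIRECTORY.get(norm(pattern), {}).get("member", [])
        return norm(bind_dn) in {norm(m) for m in members}
    if style in ("dn", "dn.exact"):
        return norm(bind_dn) == norm(pattern)
    raise ValueError("unsupported <who> style: " + style)


def access_for(acls, bind_dn: str, target: str) -> str:
    """Access level of bind_dn on target: first matching 'to', then first matching 'by'."""
    if norm(bind_dn) == norm(ROOTDN):
        return "manage"             # rootdn is never subject to ACLs
    for what, clauses in acls:
        if what_matches(what, target):
            for who, level in clauses:
                if who_matches(who, bind_dn, target):
                    return level
            return "none"           # a 'to' clause matched but no 'by' did: deny
    return "none"                   # implicit trailing 'access to * by * none'


def search(acls, bind_dn: str, base: str, scope: str):
    """Return (resultCode, [dn, ...]); 0 = success, 32 = noSuchObject."""
    base, rank = norm(base), LEVELS.index
    # slapd needs 'search' on the base entry before it will even confirm it exists.
    if base not in DIRECTORY or rank(access_for(acls, bind_dn, base)) < rank("search"):
        return 32, []
    in_scope = {"base": lambda dn: dn == base,
                "one": lambda dn: parent(dn) == base,
                "sub": lambda dn: dn == base or dn.endswith("," + base)}[scope]
    return 0, sorted(dn for dn in DIRECTORY
                     if in_scope(dn) and rank(access_for(acls, bind_dn, dn)) >= rank("read"))


if __name__ == "__main__":
    posted, fixed = [parse_acl(POSTED_ACL)], [parse_acl(SUBTREE_ACL)]
    for label, acls in (("posted dn.one ", posted), ("dn.subtree    ", fixed)):
        for base in ("dc=mydomain", TBOOK):
            print(label, "bind=U101001 base=" + base, search(acls, USER, base, "sub"))
    print("rootdn", search(posted, ROOTDN, TBOOK, "sub"))
```

Under the posted directive the model gives result 32 for U101001 not only with base dc=mydomain (no ACL grants anything on the suffix entry) but also with base ou=tbook1,ou=contacten,ou=101001,dc=mydomain, because dn.one covers the contacts under that ou and not the ou entry itself; only a scope-base search on one contact succeeds. With dn.subtree the ou becomes a usable search base for the group, while dc=mydomain still yields 32. The same check can be run against a live server with slapacl (for example slapacl -f /etc/openldap/slapd.conf -D "cn=U101001,ou=101001,dc=mydomain" -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" entry/search), which reports the access slapd would compute without needing a bind.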