Hello,
I have a working openLDAP server version 2.3.43. My configuration
there works : the correct users have the correct access.
I have set up a new openLDAP-server with newer version 2.3.43.
I have no working openLDAP on version 2.3.43.
I have tried with the new syntax and with the command
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -v to use the build
in converion tool, but I always got : ldap_bind: Invalid
credentials (49)
So I forgot this conversion and continued with the "old"
slapd.conf file.
But in this configuration (which is just a copy/paste of my
openLDAP 2.3.43) no user can query the LDAP entries.
So this is the setup :
I have a user : cn=U101001,ou=101001,dc=mydomain
This user is member of the group :
cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
These members can read entries in the tree :
ou=tbook1,ou=contacten,ou=101001,dc=mydomain
I have in slapd.conf :
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
by group.exact="cn=admins,ou=101001,dc=mydomain" write
by
group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
This user cn=U101001,ou=101001,dc=mydomain really exists (if you
should doubt) :
# extended LDIF
#
# LDAPv3
# base <cn=U101001,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# U101001, 101001, mydomain
dn: cn=U101001,ou=101001,dc=mydomain
cn: U101001
sn: U101001
objectClass: inetOrgPerson
objectClass: top
userPassword::
e1NTSEF9OVBTNmltR3ZpUEhzK1JRQVpickNVdVR5cS9Iejg5TzY=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
also really exists (if you should doubt) :
# tbook1, gebruikers, 101001, mydomain
dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
cn: tbook1
member: cn=U101001,ou=101001,dc=mydomain
objectClass: groupOfNames
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
When I query the LDAP-tree ou=tbook1,ou=contacten,ou=101001,dc=mydomain
with my root-account (cn=Manager,dc=mydomain),
the I get results :
[root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b
"ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# tbook1, contacten, 101001, mydomain
dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
ou: tbook1
objectClass: organizationalUnit
objectClass: top
...<cut>...
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
But when I query this same LDAP-tree with my user cn=U101001,ou=101001,dc=mydomain,
I get :
[root@ldap1 openldap]# ldapsearch -x -D
'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
I also have phpLDAPadmin installed and there I see that there are
definitely enries in the LDAP-directory ou=tbook1,ou=contacten,ou=101001,dc=mydomain.
So why does my user cn=U101001,ou=101001,dc=mydomain
fails to get results ??
Kind regards,
Jonas.