Hello,

I have a working OpenLDAP server version 2.3.43. My configuration there works: the correct users have the correct access.

I have set up a new OpenLDAP server with newer version 2.3.43.

I have no working OpenLDAP on version 2.3.43.

I have tried with the new syntax and with the command /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v to use the built-in conversion tool, but I always got: ldap_bind: Invalid credentials (49)

So I forgot this conversion and continued with the "old" slapd.conf file.

But in this configuration (which is just a copy/paste of my OpenLDAP 2.3.43) no user can query the LDAP entries.


So this is the setup:

I have a user: cn=U101001,ou=101001,dc=mydomain
This user is a member of the group: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
These members can read entries in the tree: ou=tbook1,ou=contacten,ou=101001,dc=mydomain

I have in slapd.conf:

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read


This user cn=U101001,ou=101001,dc=mydomain really exists (if you should doubt):

# extended LDIF
#
# LDAPv3
# base <cn=U101001,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# U101001, 101001, mydomain
dn: cn=U101001,ou=101001,dc=mydomain
cn: U101001
sn: U101001
objectClass: inetOrgPerson
objectClass: top
userPassword:: e1NTSEF9OVBTNmltR3ZpUEhzK1JRQVpickNVdVR5cS9Iejg5TzY=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


The group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain also really exists (if you should doubt):

# tbook1, gebruikers, 101001, mydomain
dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
cn: tbook1
member: cn=U101001,ou=101001,dc=mydomain
objectClass: groupOfNames
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


When I query the LDAP tree ou=tbook1,ou=contacten,ou=101001,dc=mydomain with my root account (cn=Manager,dc=mydomain), then I get results:

[root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tbook1, contacten, 101001, mydomain
dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
ou: tbook1
objectClass: organizationalUnit
objectClass: top

...<cut>...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4


But when I query this same LDAP tree with my user cn=U101001,ou=101001,dc=mydomain, I get:

[root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1



I also have phpLDAPadmin installed and there I see that there are definitely entries in the LDAP directory ou=tbook1,ou=contacten,ou=101001,dc=mydomain.

So why does my user cn=U101001,ou=101001,dc=mydomain fail to get results?



Kind regards,

Jonas.
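An added example, not part of the original post and not OpenLDAP's own code: a small Python model of how the dn.<scope> selectors of slapd.access(5) pick entries, applied to the ACL and DNs quoted above. It only models scope matching (no "by" clauses or privilege levels), and the contact DN under the ou is constructed; the point it shows is that dn.one selects the direct children of ou=tbook1,... only, so neither dc=mydomain (the base of the failing ldapsearch) nor the ou=tbook1 entry itself is covered by that clause, and with the implicit "by * none" a search base the binder cannot reach is reported as "No such object" rather than as an access error.

```python
# Added example (not part of the original post): a minimal model of how the
# dn.<scope> selectors of slapd.access(5) match entries, applied to the DNs
# in the message above. Scope matching only; no "by" clauses or privileges.

def split_dn(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace-trimmed).
    Handles backslash-escaped commas; assumes no multi-valued RDNs."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            cur += ch
            esc = True
        elif ch == ",":
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip().lower())
    return rdns

def dn_scope_matches(scope, pattern, target):
    """True if `target` is selected by dn.<scope>="pattern" as defined in
    slapd.access(5): base/exact, one, subtree or children."""
    p, t = split_dn(pattern), split_dn(target)
    if len(t) < len(p) or t[len(t) - len(p):] != p:
        return False            # target is not at or below the pattern
    depth = len(t) - len(p)     # 0 = the pattern entry itself
    if scope in ("base", "exact"):
        return depth == 0
    if scope == "one":
        return depth == 1       # immediate children only, never the base
    if scope == "subtree":
        return True             # the entry and everything below it
    if scope == "children":
        return depth >= 1       # everything below, but not the entry
    raise ValueError("unknown scope: %s" % scope)

ACL_SCOPE, ACL_DN = "one", "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"  # from the post's slapd.conf

def covered_by_acl(entry_dn):
    """Is entry_dn selected by the post's 'access to dn.one=...' clause?"""
    return dn_scope_matches(ACL_SCOPE, ACL_DN, entry_dn)

if __name__ == "__main__":
    for dn in ("dc=mydomain", ACL_DN, "cn=someone," + ACL_DN):  # last DN is constructed
        print("%-60s %s" % (dn, covered_by_acl(dn)))
```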