Hi!


I guess it depends on your objectClass:

For a posixAccount you might have a DN like uid=testuser,… If your users are named cn=testuser instead the search criteria may be different.

Also you don’t mean uidNumber, right?


As Quanah suggested, provide one sample record at least.

Another reason for failure could be a lack of permissions to search for the attribute.


Regards,

Ulrich
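To make the two points above concrete (the filter attribute has to exist on the entry and be named the way you think, and it has to be searchable by the bound identity), here is an added offline example that is not part of this thread or of OpenLDAP: a small LDIF reader plus an equality-filter matcher that mimics caseIgnoreMatch. The LDIF records, the attribute names and the "readable" set that stands in for the remote server's ACL are all constructed for the example.

```python
"""Evaluate simple LDAP equality filters against LDIF records offline.

Added example, not code from the mailing-list thread or from OpenLDAP.
It shows why (uid=...) can return nothing while (cn=...) matches: the
entry may be named by cn and carry no uid attribute at all, or the
bound identity may lack search access to uid on the remote server.
"""
import re

# Constructed sample LDIF: one posixAccount named by uid, and one
# inetOrgPerson named by cn that has no uid attribute.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: testuser
cn: Test User
uidNumber: 10001

dn: cn=legacyuser,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: legacyuser
sn: User
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]}), ...] for each record in LDIF text.

    Minimal reader: one 'attr: value' per line, no base64 ('::') values,
    no line continuations; enough for inspecting a sample record.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def rdn_attribute(dn):
    """Naming attribute of the first RDN, e.g. 'uid' or 'cn'."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def entries_without(entries, attr):
    """DNs of entries that carry no value for the attribute at all."""
    return [dn for dn, attrs in entries if attr.lower() not in attrs]


def matches_equality(entry, attr, assertion, readable=None):
    """caseIgnoreMatch-style equality.

    'readable' (hypothetical) stands in for the remote ACL: if given and the
    attribute is not in it, the filter cannot match, just as slapd treats an
    attribute you may not search as absent.
    """
    _, attrs = entry
    attr = attr.lower()
    if readable is not None and attr not in {a.lower() for a in readable}:
        return False
    wanted = assertion.strip().lower()
    return any(v.strip().lower() == wanted for v in attrs.get(attr, []))


def search(entries, filter_str, readable=None):
    """Apply one equality filter, '(uid=testuser)' or 'uid=testuser',
    and return the DNs of the matching entries."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w;-]*)\s*=\s*([^()]*?)\s*\)?", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    attr, value = m.group(1), m.group(2)
    return [dn for dn, attrs in entries
            if matches_equality((dn, attrs), attr, value, readable)]


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for f in ("(uid=testuser)", "(uid=legacyuser)", "(cn=legacyuser)"):
        print(f, "->", search(ents, f))
    print("entries with no uid attribute:", entries_without(ents, "uid"))
    print("naming attribute of each DN:", [rdn_attribute(dn) for dn, _ in ents])
    # Same filter, but with uid not searchable by the bound identity:
    print("(uid=testuser) with uid hidden by ACL ->",
          search(ents, "(uid=testuser)", readable={"cn", "objectClass"}))
```

Run it against a real record by pasting the output of an unfiltered ldapsearch into SAMPLE_LDIF: if `entries_without(ents, "uid")` lists the user, the schema is not the problem, the entry simply has no uid value; if the entry does have one and the filter still fails on the server, check the access the idassert identity has to search uid.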


From: tmp 2810 <t2810mp@gmail.com>
Sent: Wednesday, November 6, 2024 2:24 PM
To: openldap-technical@openldap.org
Subject: [EXT] Trouble with UID Filter in OpenLDAP (slapd meta): Missing Schema or Configuration Issue?


Hi! I think I'm finally able to configure slapd with a meta backend, but I'm experiencing a strange issue when I perform a search with ldapsearch and try to filter by uid. If I use "uid=user" it doesn't work, but if I use "cn=user" it does work, and I need the searches to be by uid.

I understand this could be related to the schemas I’m loading, but I thought uid was a standard attribute already loaded in core.schema.

Just in case, I'm using Debian 12, and these are the schemas available:

collective.schema
corba.schema
core.schema
cosine.schema
dsee.schema
duaconf.schema
dyngroup.schema
inetorgperson.schema
java.schema
misc.schema
msuser.schema
namedobject.schema
nis.schema
openldap.schema
pmi.schema

These are the schemas I’m using to test:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema

And as a detail, I find that this part referring to uid (I might be mistaken) is commented out:

attributetype ( 0.9.2342.19200300.100.1.1
    NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

but when I try to uncomment it, I get the error:

672b6c65.324d8768 0x7febb561d200 /etc/ldap/schema/core.schema: line 564 attributetype: Duplicate attributeType: "0.9.2342.19200300.100.1.1"


Just in case, here’s my configuration. Could it be that something is missing so that a user can log in against this slapd?

Since my applications search by uid (some are very legacy and I can't modify them), I'm unable to verify if everything is correctly set up to make a connection. The only indication that it’s working is that I can retrieve all users with ldapsearch and their attributes, but I can't filter by uid.


##########################################

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema



modulepath /usr/lib/ldap
moduleload back_meta.la
moduleload back_ldap.la


database meta

suffix "dc=proxy"
rootdn "cn=admin,dc=proxy"
rootpw 1234


## example.com
uri             "ldaps://ldap.google.com/dc=proxy"
suffixmassage   "dc=proxy" "dc=example,dc=com"
lastmod  off
readonly on
rebind-as-user yes
chase-referrals yes
idassert-bind   bindmethod=simple
                        binddn="uid=ldap,ou=Users,dc=example,dc=com"
                        credentials="secret-password"
                        tls_reqcert=demand
                        tls_reqsan=demand
                        tls_cert=/root/ldapcerts/ldap.crt
                        tls_key=/root/ldapcerts/ldap.key
                        tls_cacert=/root/ldapcerts/ca/gtsr1.pem
idassert-authzFrom "*"


###############################


Thanks for all the help!