On Fri, Jun 20, 2025 at 10:59:45AM +0000, Windl, Ulrich wrote:
Hi!
I thought I had exported a subtree of our OpenLDAP 2.4 server, when I realized that the result is incomplete. So I started investigating (still OpenLDAP 2.4):
# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" -s one -o ldif-wrap=no '(objectClass=ipService)'
### produces a lot of entries but at least one specific entry is missing!
When trying to add the entry I get "Already exists (68)" from ldapadd for cn=zip@6/ddp, "$BASE".
# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" -s one -o ldif-wrap=no '(cn=zip@6/ddp)'
Finds the entry
# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" -s one -o ldif-wrap=no ' (&(objectClass=ipService)(cn=zip@6/ddp))'
Also finds the entry
# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" -s one -o ldif-wrap=no '(&(objectClass=ipService))' | grep cn=zip
Results in no match
I don't have a sizelimit set when searching.
Adding options like "-z 99999 -l 30" had no effect.
Any ideas?
Hi Ulrich, what is the identity you're running the search as? How does it interact with ACLs? My best guess is that you don't have at least search access to objectClass=ipService or the (unchecked?) limit is hit. Check the logs as well.
And when "exporting" a DB, you should probably use slapcat.
Regards,
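
The following is an added example, not part of the original thread: one way to see exactly which entries a search identity cannot retrieve is to compare the DNs in a slapcat export with the DNs returned by ldapsearch. It assumes both LDIF outputs cover the same subtree and filter; the function names, the `dc=example,dc=com` base and all sample entries are constructed for illustration.

```python
import base64

def ldif_dns(text):
    """Return the set of normalized entry DNs in an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line[:4].lower() == "dn::":      # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line[:3].lower() == "dn:":
            dn = line[3:].strip()
        else:
            continue                        # attributes, comments, blank lines
        # Comparison key only (simplified): lowercase, no spaces around commas.
        dns.add(",".join(p.strip().lower() for p in dn.split(",")))
    return dns

def missing_from_search(slapcat_ldif, search_ldif):
    """DNs present in the database export but absent from the search result."""
    return sorted(ldif_dns(slapcat_ldif) - ldif_dns(search_ldif))

# Constructed sample data: slapcat folds long lines and may base64-encode DNs.
_B64 = base64.b64encode(b"cn=echo@7/tcp,ou=services,dc=example,dc=com").decode()
SLAPCAT_SAMPLE = (
    "dn: cn=zip@6/ddp,ou=services,dc=example,dc=com\n"
    "objectClass: ipService\n\n"
    "dn: cn=ssh@22/tcp,ou=services,\n"
    " dc=example,dc=com\n"
    "objectClass: ipService\n\n"
    "dn:: " + _B64 + "\n"
    "objectClass: ipService\n"
)
# Constructed ldapsearch output (ldif-wrap=no) in which one entry is not returned.
SEARCH_SAMPLE = (
    "# extended LDIF\n"
    "dn: CN=ssh@22/tcp, ou=services,dc=example,dc=com\n"
    "objectClass: ipService\n\n"
    "dn: cn=echo@7/tcp,ou=services,dc=example,dc=com\n"
    "objectClass: ipService\n"
)

if __name__ == "__main__":
    for dn in missing_from_search(SLAPCAT_SAMPLE, SEARCH_SAMPLE):
        print("not returned by search:", dn)
```

Any DN it reports exists in the database but was not visible to the search, which points at ACLs or limits for that identity rather than at missing data.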