Hi to all,
I just started to use my own .ldaprc file in $HOME:
-------------
URI ldaps://provider01.example.net ldaps://provider02.example.net
BASE dc=example,dc=net
BINDDN uid=repl-user,ou=users,dc=example,dc=net
TLS_REQCERT demand
TLS_CACERT /opt/symas/etc/openldap/cacert.pem
-------------
All options are working except "BINDDN". If I use the same user with "-D" it works, so the user is present. I expected that ldapsearch would ask for a password when using "BINDDN", but ldapsearch is executing as anonymous.
Did I miss something? If "yes" then what?
Stefan
On 05.12.23 at 13:41, Stefan Kania wrote:
Hi to all,
I just started to use my own .ldaprc file in $HOME:
URI ldaps://provider01.example.net ldaps://provider02.example.net
BASE dc=example,dc=net
BINDDN uid=repl-user,ou=users,dc=example,dc=net
TLS_REQCERT demand
TLS_CACERT /opt/symas/etc/openldap/cacert.pem
All options are working except "BINDDN". If I use the same user with "-D" it works, so the user is present. I expected that ldapsearch would ask for a password when using "BINDDN", but ldapsearch is executing as anonymous.
Just a hunch: Are you actually running ldapsearch as a user (read: not root)?
The man page for ldap.conf states: " BINDDN <dn>: Specifies the default bind DN to use when performing ldap operations. The bind DN must be specified as a Distinguished Name in LDAP format. This is a user-only option."
Did I miss something? If "yes" then what?
Stefan
On 05.12.2023 at 13:42, Stefan Kania stefan@kania-online.de wrote:
Hi to all,
I just started to use my own .ldaprc file in $HOME:
URI ldaps://provider01.example.net ldaps://provider02.example.net
BASE dc=example,dc=net
BINDDN uid=repl-user,ou=users,dc=example,dc=net
TLS_REQCERT demand
TLS_CACERT /opt/symas/etc/openldap/cacert.pem
All options are working except "BINDDN". If I use the same user with "-D" it works, so the user is present. I expected that ldapsearch would ask for a password when using "BINDDN", but ldapsearch is executing as anonymous.
What options are you using with your ldapsearch command?
Best regards,
Michael
Did I miss something? If "yes" then what?
Stefan
On 05.12.23 at 14:24, Stefan Kania wrote:
On 05.12.23 at 13:50, Michael Wandel wrote:
What options are you using with your ldapsearch command?
Just a "ldapsearch -x", so everything else should be read from .ldaprc.
You need to at least also use "-W", or else it will fall back to anonymous:
$ cat .ldaprc
BASE dc=example,dc=de
URI ldaps://ldap.example.de
TLS_CACERT /home/myuser/ca.crt
BINDDN uid=<myuser>,ou=users,dc=example,dc=de
TLS_REQCERT allow

$ ldapwhoami -xW
Enter LDAP Password:
dn:uid=<myuser>,ou=Users,dc=example,dc=de

$ ldapwhoami -x
anonymous
On 05.12.23 at 14:32, Uwe Sauter wrote:
On 05.12.23 at 14:24, Stefan Kania wrote:
On 05.12.23 at 13:50, Michael Wandel wrote:
What options are you using with your ldapsearch command?
Just a "ldapsearch -x", so everything else should be read from .ldaprc.
You need to at least also use "-W", or else it will fall back to anonymous:
$ cat .ldaprc
BASE dc=example,dc=de
URI ldaps://ldap.example.de
TLS_CACERT /home/myuser/ca.crt
BINDDN uid=<myuser>,ou=users,dc=example,dc=de
TLS_REQCERT allow

$ ldapwhoami -xW
Enter LDAP Password:
dn:uid=<myuser>,ou=Users,dc=example,dc=de

$ ldapwhoami -x
anonymous
It also makes sense that you need to specify "-W", "-w passwd", or "-y passwdfile", because there is no option to tell the ldap* tools to use an anonymous bind (in the rare case where you might then need it). So every time you want to make a "named" bind, you will need to communicate that to the tools by specifying one of the above options.
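Two small helpers for a ~/.ldaprc like the ones quoted in this thread, added here as an example; this is editor's code, not code from the thread or from OpenLDAP. ldaprc_check lints the TLS settings (it would flag the TLS_REQCERT allow in the second .ldaprc above, since only demand/hard reject a server certificate that does not verify), and simple_bind_identity models the rule Uwe describes, namely that with -x the BINDDN from the rc file or -D is only used when a password source (-W, -w, -y) is present and the bind is otherwise anonymous, while without -x the tools use SASL. It is a model of that behaviour and never invokes the real tools. The two rc files it writes to a temporary directory are constructed for the demo; the DNs and CA paths are made up and only reuse the example.net / example.de names from the thread.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or OpenLDAP).
#   ldaprc_check          lints the TLS settings in an ldaprc/ldap.conf file
#   simple_bind_identity  predicts which identity a simple bind will use
# The rc files written below are constructed for this demo.

ldaprc_check() {
    # $1: path to an ldaprc/ldap.conf file. Prints one finding per line and
    # returns 0 when nothing was flagged, 1 otherwise. Keywords are
    # case-insensitive and '#' lines are comments, as in ldap.conf(5).
    rc=0; reqcert=""; cacert=""
    while read -r key val; do
        case "$key" in ""|"#"*) continue ;; esac
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            uri)
                for u in $val; do
                    case "$u" in
                        ldaps://*|ldapi://*) ;;
                        ldap://*)
                            echo "WARN: $u is plaintext ldap://; the bind password is sent in the clear unless STARTTLS (-ZZ) is forced"
                            rc=1 ;;
                        *) echo "WARN: unrecognised URI $u"; rc=1 ;;
                    esac
                done ;;
            tls_reqcert) reqcert=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            tls_cacert)  cacert=$val ;;
        esac
    done < "$1"
    case "$reqcert" in
        ""|demand|hard) ;;   # demand is the documented default; hard is its alias
        *) echo "FAIL: TLS_REQCERT $reqcert does not require a valid server certificate"; rc=1 ;;
    esac
    [ -n "$cacert" ] || { echo "WARN: no TLS_CACERT; check that TLS_CACERTDIR or the default trust store holds the server CA"; rc=1; }
    return "$rc"
}

simple_bind_identity() {
    # $1: ldaprc file; remaining args: an ldapsearch/ldapwhoami command line.
    # Model of the rule from the thread (not a call to the real tools):
    # with -x, BINDDN (rc file or -D) is used only when -W, -w or -y supplies
    # a password, otherwise the bind is anonymous; without -x SASL is used.
    rcfile=$1; shift
    dn=$(awk 'tolower($1)=="binddn" { $1=""; sub(/^[ \t]+/, ""); print; exit }' "$rcfile")
    simple=0; havepw=0
    while [ $# -gt 0 ]; do
        a=$1
        case "$a" in
            -x) simple=1 ;;
            -D) dn=$2; shift ;;
            -D?*) dn=${a#-D} ;;
            -w|-y) havepw=1; shift ;;
            -w?*|-y?*) havepw=1 ;;
            -W) havepw=1 ;;
            -[!-]*)   # combined single-letter flags such as -xW or "-xw <pw>"
                case "$a" in *x*) simple=1 ;; esac
                case "$a" in *W*) havepw=1 ;; esac
                case "$a" in *w|*y) havepw=1; shift ;; esac
                ;;
        esac
        shift
    done
    if [ "$simple" -ne 1 ]; then echo "sasl (BINDDN not used)"; return 0; fi
    # No DN with a password would be an unauthenticated bind, reported here as anonymous.
    if [ "$havepw" -eq 1 ] && [ -n "$dn" ]; then echo "$dn"; else echo "anonymous"; fi
}

RCDIR=$(mktemp -d)
GOOD_RC=$RCDIR/ldaprc.demand   # the configuration from the opening post
WEAK_RC=$RCDIR/ldaprc.allow    # constructed: plaintext fallback URI, TLS_REQCERT allow, no CA
cat > "$GOOD_RC" <<'EOF'
URI ldaps://provider01.example.net ldaps://provider02.example.net
BASE dc=example,dc=net
BINDDN uid=repl-user,ou=users,dc=example,dc=net
TLS_REQCERT demand
TLS_CACERT /opt/symas/etc/openldap/cacert.pem
EOF
cat > "$WEAK_RC" <<'EOF'
# constructed for the demo
URI ldaps://ldap.example.de ldap://ldap.example.de
BASE dc=example,dc=de
BINDDN uid=myuser,ou=users,dc=example,dc=de
TLS_REQCERT allow
EOF

for f in "$GOOD_RC" "$WEAK_RC"; do
    echo "== $f"
    ldaprc_check "$f" && echo "ok"
done
# The question from the thread: why does "ldapsearch -x" bind anonymously?
echo "ldapsearch -x    -> $(simple_bind_identity "$GOOD_RC" -x)"
echo "ldapsearch -x -W -> $(simple_bind_identity "$GOOD_RC" -x -W)"
echo "ldapwhoami -xW   -> $(simple_bind_identity "$GOOD_RC" -xW)"
```

Run it as a plain sh script; the first rc file comes back clean, the second gets three findings, and the three modelled command lines print anonymous, the BINDDN, and the BINDDN respectively.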
On 05.12.23 at 14:32, Uwe Sauter wrote:
You need to at least also use "-W", or else it will fall back to anonymous:
That was something I did not test, because it's mentioned in the manpage. With -W it's working :-) Sometimes life is so easy :-)
Now I'm going to fiddle around a little bit to get the ldap* tools working with SRV records instead of a fixed list of ldap servers.
On 05.12.2023 at 14:56, Stefan Kania stefan@kania-online.de wrote:
On 05.12.23 at 14:32, Uwe Sauter wrote:
You need to at least also use "-W", or else it will fall back to anonymous:
That was something I did not test, because it's mentioned in the manpage. With -W it's working :-) Sometimes life is so easy :-)
Now I'm going to fiddle around a little bit to get the ldap* tools working with SRV records instead of a fixed list of ldap servers.
Just look at ITS#9080.
Best regards,
Michael
openldap-technical@openldap.org