Hi All,
I encountered one issue when configuring the LDAP client. My question is how to configure the LDAP client to make it get the users and groups information from two sub domains. The base domain of the LDAP server is "dc=main,dc=com", and under the base domain, there are more than one sub domains. Such as, sub domain 1 ("dc=sub1,dc=main,dc=com"), sub domain 2 ("dc=sub2,dc=main,dc=com"), sub domain 3 ("dc=sub3,dc=main,dc=com"), ....
Now I just wanna list the users and groups information from sub domain sub1 and sub domain sub2 (by command "getent passwd"). The information from sub domain sub3 must be excluded.
My test env is : Rehl6.2_x86_64, openldap-2.4.23
I have tried the following way: Step1, configure the LDAP server. I used the access control item "olcAccess" in file /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif olcAccess: to dn.subtree="dc=sub1,dc=main,dc=com" by dn="uid=user1,dc=sub1,dc=main,dc=com" read olcAccess: to dn.subtree="dc=sub2,dc=main,dc=com" by dn="uid=user1,dc=sub1,dc=main,dc=com" read
See above, I added the access controls, they mean that only the user "uid=user1,dc=sub1,dc=main,dc=com" can access the information of the two sub domains (sub1 and sub2). After added the configurations, I restarted slapd service in server side.
Step2, configure the LDAP client, in /etc/nslcd and /etc/pam_ldap.conf, I modified the items blow:
base dc=main,dc=com binddn uid=user1,dc=sub1,dc=main,dc=com bindpw ***
Then restart the service nslcd, but I can't get any users information by command "getent passwd" in LDAP client side. ( I confirmed my others configuration are correct, if I change the base to "base dc=sub1,dc=main,dc=com", I can get all the information from sub1). I think the problem is from LDAP server side, the user "uid=user1,dc=sub1,dc=main,dc=com" in sub domain "sub1" is only allowed to access the sub doamins (sub1 and sub2) by access control. But I can't change the "base" from "dc=main,dc=com" to "dc=sub1,dc=main,dc=com" or "dc=sub2,dc=main,dc=com". That's because only one sub domain can be the "base", so I only can get the information from one of the sub domains, but this is not my purpose. Then I try to set the search scope to "scope sub", but still can't work.
Any comments? I will be really appreciated for your feedback.
openldap-technical@openldap.org