superhausi
10-25-2005 03:23 AM
ldapsearch with incomplete base returns no results
Hi
I'm trying to get my server using openldap for passwd-replacement. I followed the guide located at www . gentoo . org/doc/en/ldap-howto.xml (sorry, but I have less than 5 posts, so no URL here) and the login just works well using ldap.
I tried installing phpldapadmin for administrating the directory, but ran into a problem when trying to create a new posixAccount using it. The GID and loginShell parameters stay empty. The slapd log says that the search command came with the base "dc=com" (my domain is always substituted with domain.com).
The problem is that the following command returns the expected result:
ldapsearch -WD "uid=root,dc=domain,dc=com" -H "ldaps://auth.domain.com"
But as soon as I specify a base-DN that is not the complete "dc=domain,dc=com", I get the following:
Code:
ldapsearch -WD "uid=root,dc=domain,dc=com" -H "ldaps://auth.domain.com" -b "dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
The second thing is just a small question. Now that ldap auth works for me, I could remove some users/groups from the passwd/shadow/group file. The question is whether that is generally a good or a bad idea and, if so, which users I should leave as they are. I won't delete the root anyway, because I'd like to be able to login without ldap running. Also, removing the ldap user won't make much sense. But all those groups / users that are never used during boot up (games, audio, video, ...) could imo be removed. What do you think? How did you do that?
For the first question:
My /etc/openldap/ldap.conf:
Code:
# Also tried with the base directive...
#BASE dc=domain, dc=com
URI ldaps://auth.domain.com:636/
TLS_REQCERT allow
TLS_CACERT /var/ssl/cacert.org.crt
My /etc/openldap/slapd.conf:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
password-hash {md5}
#TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
#TLSCACertificateFile /var/ssl/cacert.org.crt
#TLSCertificateFile /var/ssl/auth.domain.com.crt
#TLSCertificateKeyFile /var/ssl/auth.domain.com.key
TLSCACertificateFile /var/ssl/auth.domain.com.pem
TLSCertificateFile /var/ssl/auth.domain.com.pem
TLSCertificateKeyFile /var/ssl/auth.domain.com.pem
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
checkpoint 32 30 # <kbyte> <min>
suffix "dc=domain,dc=com"
rootdn "uid=root,dc=domain,dc=com"
rootpw {MD5}*********************
directory /var/lib/openldap-data
index objectClass eq
access to *
        by users read
        by anonymous auth
        by * none
access to attrs=userPassword,gecos,description,loginShell
        by self write
access to attrs="userPassword"
        by dn="uid=root,dc=domain,dc=com" write
        by anonymous auth
        by self write
        by * none
Thanks for all replies in advance.
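Added example, not part of superhausi's post and not OpenLDAP code: a small Python model of the two slapd behaviours the post touches. First, a search base is only valid when it is the database suffix or an entry beneath it, so "dc=com" (which sits above "dc=domain,dc=com") is answered with resultCode 32, noSuchObject, exactly as in the ldapsearch output. Second, slapd evaluates access directives first-match on the "to" clause, so the leading "access to *" in the slapd.conf above is the only directive ever consulted for userPassword; its "by users read" lets any authenticated user read everyone's password hash, and the later userPassword directive is unreachable. The ACL lists below are transcribed from the posted slapd.conf plus a reordered variant; the entries alice and bob are constructed, DN matching is simplified to lowercase string comparison, and rootdn (which bypasses ACLs in slapd) is not modelled.

```python
# Added example (not from the original post): a small model of two slapd
# behaviours that the post touches on.
#  1. A search base that is not at or below the database suffix is answered
#     with resultCode 32 (noSuchObject); "dc=com" is *above* "dc=domain,dc=com".
#  2. "access to <what> by <who> <level>" directives are evaluated first-match
#     on <what>, so an early "access to *" decides for every attribute and the
#     later userPassword directive is never consulted.
# Simplifications: DN matching is plain lowercase string comparison, only the
# "by" forms used in the post are supported, and rootdn (which bypasses ACLs)
# is not modelled.

NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest


def normalize_dn(dn):
    """Split a DN into lowercase RDNs, dropping whitespace around commas."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def search_base_result(base, suffix):
    """resultCode for a search with base `base` against a database serving `suffix`."""
    b, s = normalize_dn(base), normalize_dn(suffix)
    if len(b) >= len(s) and b[len(b) - len(s):] == s:
        return 0  # success: base is the suffix itself or an entry beneath it
    return NO_SUCH_OBJECT


def who_matches(who, target_dn, bind_dn):
    """Does a `by <who>` clause apply to bind_dn acting on target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if who.startswith("dn="):  # exact DN match, slapd's default dn style
        return bind_dn is not None and normalize_dn(who[3:]) == normalize_dn(bind_dn)
    raise ValueError("unsupported who clause: " + who)


def acl_decision(acls, attr, target_dn, bind_dn):
    """Access level bind_dn gets on attribute `attr` of entry target_dn.

    acls is a list of (what, [(who, level), ...]) in slapd.conf order, where
    what is "*" or a set of attribute names.  As in slapd, the first directive
    whose <what> matches is the only one consulted; inside it the first matching
    <who> gives the level, and no match means the implicit "by * none".
    """
    for what, clauses in acls:
        if what != "*" and attr.lower() not in {a.lower() for a in what}:
            continue
        for who, level in clauses:
            if who_matches(who, target_dn, bind_dn):
                return level
        return "none"
    return "none"  # no directive matched (simplified; real slapd defaults differ)


def allows(granted, needed):
    """Higher levels imply lower ones: write covers read, read covers auth, ..."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# The access directives from the slapd.conf in the post, in file order.
POSTED_ACLS = [
    ("*", [("users", "read"), ("anonymous", "auth"), ("*", "none")]),
    ({"userPassword", "gecos", "description", "loginShell"}, [("self", "write")]),
    ({"userPassword"}, [("dn=uid=root,dc=domain,dc=com", "write"),
                        ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
]

# Same intent, most specific directive first, and an explicit "by users read"
# on the self-writable attributes so lookups of other users still work.
HARDENED_ACLS = [
    ({"userPassword"}, [("dn=uid=root,dc=domain,dc=com", "write"),
                        ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"gecos", "description", "loginShell"}, [("self", "write"), ("users", "read")]),
    ("*", [("users", "read"), ("anonymous", "auth")]),
]

ALICE = "uid=alice,dc=domain,dc=com"  # constructed sample entries
BOB = "uid=bob,dc=domain,dc=com"

if __name__ == "__main__":
    print("base dc=com ->", search_base_result("dc=com", "dc=domain,dc=com"))
    print("base dc=domain,dc=com ->", search_base_result("dc=domain,dc=com", "dc=domain,dc=com"))
    for name, acls in (("posted", POSTED_ACLS), ("hardened", HARDENED_ACLS)):
        level = acl_decision(acls, "userPassword", ALICE, BOB)
        print(f"{name}: bob on alice's userPassword -> {level}, "
              f"can read hash: {allows(level, 'read')}")
```

The model only shows why ordering matters; the authoritative check is to run slapacl(8) against the real configuration for a bind DN, a target entry and the attribute/access pair in question, and to confirm that "users" no longer get read on userPassword while anonymous still gets auth (which simple bind needs).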