LinuxQuestions.org
Old 10-25-2005, 03:23 AM   #1
superhausi
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Rep: Reputation: 0
ldapsearch with incomplete base returns no results


Hi

I'm trying to get my server to use openldap as a passwd replacement. I followed the guide located at www . gentoo . org/doc/en/ldap-howto.xml (sorry, but I have less than 5 posts, so no URL here) and logging in using ldap works well.
I tried installing phpldapadmin for administrating the directory, but ran into a problem when trying to create a new posixAccount with it. The GID and loginShell parameters stay empty. The slapd log says that the search command came with the base "dc=com" (my domain is always substituted with domain.com).

The problem is that the following command returns the expected result:
ldapsearch -WD "uid=root,dc=domain,dc=com" -H "ldaps://auth.domain.com"
But as soon as I specify a base-DN that is not the complete "dc=domain,dc=com", I get the following:
Code:
ldapsearch -WD "uid=root,dc=domain,dc=com" -H "ldaps://auth.domain.com" -b "dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
The second thing is just a small question. Now that ldap auth works for me, I could remove some users/groups from the passwd/shadow/group files. The question is whether that is generally a good or a bad idea and, if so, which users I should leave as they are. I won't delete root anyway, because I'd like to be able to log in without ldap running. Also, removing the ldap user won't make much sense. But all those groups / users that are never used during boot up (games, audio, video, ...) could imo be removed. What do you think? How did you do that?

For the first question:
My /etc/openldap/ldap.conf:
Code:
# Also tried with the base directive...
#BASE		dc=domain, dc=com
URI		ldaps://auth.domain.com:636/
TLS_REQCERT	allow
TLS_CACERT	/var/ssl/cacert.org.crt
My /etc/openldap/slapd.conf:
Code:
include		/etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

password-hash	{md5}

#TLSCipherSuite        HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
#TLSCACertificateFile  /var/ssl/cacert.org.crt
#TLSCertificateFile    /var/ssl/auth.domain.com.crt
#TLSCertificateKeyFile /var/ssl/auth.domain.com.key
TLSCACertificateFile  /var/ssl/auth.domain.com.pem
TLSCertificateFile    /var/ssl/auth.domain.com.pem
TLSCertificateKeyFile /var/ssl/auth.domain.com.pem

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

database	bdb
checkpoint	32	30 # <kbyte> <min>

suffix		"dc=domain,dc=com"
rootdn		"uid=root,dc=domain,dc=com"
rootpw		{MD5}*********************

directory	/var/lib/openldap-data
index	objectClass	eq

access to *
  by users read
  by anonymous auth
  by * none

access to attrs=userPassword,gecos,description,loginShell
  by self write

access to attrs="userPassword"
  by dn="uid=root,dc=domain,dc=com" write
  by anonymous auth
  by self write
  by * none
Thanks for all replies in advance.
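As an added illustration (not part of the original post), the following Python check shows why a base of "dc=com" gets result 32 against a suffix of "dc=domain,dc=com": slapd only answers searches whose base is its configured suffix or an entry below it, and a base above the naming context is simply not held by the server. The DN parser is a deliberate simplification (it assumes no escaped commas and no multi-valued RDNs).

```python
"""Check whether an LDAP search base lies inside a slapd naming context.

slapd serves only bases at or below its ``suffix``. A base such as "dc=com"
that sits above "dc=domain,dc=com" is not an entry the server holds, so the
search returns result 32 (noSuchObject) even though the bind succeeded.
Constructed example; not code from the original post.
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, left to right, normalised to
    lower case with surrounding whitespace stripped, so that
    "dc=domain, dc=com" (as written in ldap.conf) equals "dc=domain,dc=com".
    Simplification: escaped commas ("\\,") and multi-valued RDNs ("+") are
    not handled."""
    rdns = []
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def base_in_context(base: str, suffix: str) -> bool:
    """True if ``base`` equals ``suffix`` or is subordinate to it."""
    b, s = parse_dn(base), parse_dn(suffix)
    if len(b) < len(s):
        return False  # base has fewer RDNs than the suffix: it lies above it
    # A subordinate DN must end with the suffix's RDN sequence.
    return b[len(b) - len(s):] == s


def expected_result(base: str, suffix: str) -> int:
    """LDAP result code slapd would give a search on ``base``:
    0 (success) when the base is inside the naming context,
    32 (noSuchObject) when it is not."""
    return 0 if base_in_context(base, suffix) else 32


if __name__ == "__main__":
    suffix = "dc=domain,dc=com"
    for base in ("dc=com", "dc=domain,dc=com", "uid=root,dc=domain,dc=com"):
        print(f"base <{base}>: result {expected_result(base, suffix)}")
```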