LinuxQuestions.org
Old 02-07-2014, 06:02 AM   #31
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822


Quote:
I get : 32 No Such Object
It means that your user does not have read rights in the directory, meaning he cannot do searches.
Add:
Code:
access to *
 by users read
to slapd.conf, reload the service and try again.
PS: The above is the same as the rule you had to add earlier in case you're using slapd.d.
 
Old 02-07-2014, 09:02 AM   #32
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
I cannot make everything readable by all users.

This user U101001 is a member of the group tbook1, and in my rules this group can read all objects inside ou=tbook1,ou=contacten,ou=101001,dc=mydomain:
Code:
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
But the objects in ou=tbook1,ou=contacten,ou=101001,dc=mydomain are not shown...

I really don't understand, because the exact same configuration works on another LDAP server, albeit with another LDAP version (no new stupid syntax).

Last edited by jonaskellens; 02-07-2014 at 09:04 AM.
 
Old 02-07-2014, 03:28 PM   #33
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Quote:
I really don't understand, because the exact same configuration works on another LDAP server, albeit with another LDAP version (no new stupid syntax).
I don't think it's a matter of ldap version, or because of the new syntax.
If the exact same configuration works in the old ldap server, then copy over the working slapd.conf and use it with the new server.
 
Old 02-12-2014, 07:59 AM   #34
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
When I start slapd with the slapd.conf file of the "old" OpenLDAP server, I get the following error:
Code:
[root@ldap1 openldap]# /sbin/service slapd start
Checking configuration files for slapd:                    [FAILED]
/etc/openldap/slapd.conf: line 100: unknown directive <defaultaccess> inside backend database definition.
slaptest: bad configuration file!
What I have in my slapd.conf file is the following:
Code:
database        bdb
suffix          "dc=mydomain"
rootdn          "cn=Manager,dc=mydomain"
rootpw         {SSHA}secret

defaultaccess   none

access to attrs=userPassword
        by * auth
...
...
Works fine on OpenLDAP version 2.3.43.

Is there something else I should use on OpenLDAP version 2.4.23?

When I leave this out, I get no results (see post above) when I do a search. No problem with authentication. But problem with "no such object".

The same search gives results on the "old" OpenLDAP server.

Still don't know where the difference is situated.

Last edited by jonaskellens; 02-12-2014 at 08:08 AM.
 
Old 02-12-2014, 10:29 AM   #35
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Quote:
/etc/openldap/slapd.conf: line 100: unknown directive <defaultaccess> inside backend database definition.
<snip>
Works fine on OpenLDAP version 2.3.43.

Is there something else I should use on OpenLDAP version 2.4.23?
Looks like "defaultaccess", which was deprecated in 2.3.x, has been removed in 2.4.x (see here).
You may delete or comment it out and see what you get.
Quote:
When I leave this out, I get no results (see post above) when I do a search. No problem with authentication. But problem with "no such object".
As I've told you, the user does not have read/search rights on the directory.
 
Old 02-13-2014, 06:47 AM   #36
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
OK.

When I have a user "cn=U101001,ou=101001,dc=mydomain"

who is a member of the group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain"

and I have the following rule:
Code:
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
Shouldn't my user "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" be able to get all the entries in "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?
 
Old 02-13-2014, 01:24 PM   #37
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Quote:
Shouldn't my user "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" be able to get all the entries in "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?
It should.
Are you sure there are entries under "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?
 
Old 02-14-2014, 05:27 AM   #38
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Quote:
Originally Posted by bathory View Post
Are you sure there are entries under "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?
I use phpLDAPadmin to check my entries. And yes, there are entries in the tree "ou=tbook1,ou=contacten,ou=101001,dc=mydomain".

I can prove it when I log in as "root":

Code:
[root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tbook1, contacten, 101001, mydomain
dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
ou: tbook1
objectClass: organizationalUnit
objectClass: top

...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
There are 4 results (I deleted them in my output).

So there are results to be shown, but the user "cn=U101001,ou=101001,dc=mydomain" - for some reason - has no rights...
 
Old 02-15-2014, 04:41 PM   #39
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Quote:
There are 4 results (I deleted them in my output).

So there are results to be shown, but the user "cn=U101001,ou=101001,dc=mydomain" - for some reason - has no rights...
I've already told you that somehow the user has no search rights under that DN. Since there are entries under it, double-check the ACLs and also make sure that this user belongs to the group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain".
Other than that I don't know what else you have to check.
 
Old 02-17-2014, 03:13 AM   #40
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Quote:
Originally Posted by bathory View Post
double-check the ACLs and also make sure that this user belongs to the group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain".
When I consult phpLDAPadmin, it says that the user is a member of the group.

Is there some LDAP command to double-check this?
 
Old 02-17-2014, 05:07 AM   #41
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Quote:
Is there some LDAP command to double-check this?
You can read the DN cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain to see who its members are:
Code:
ldapsearch -x -D 'cn=Manager,dc=mydomain' -W -b cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
 
Old 02-19-2014, 07:22 AM   #42
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Quote:
Originally Posted by bathory View Post
Code:
ldapsearch -x -D 'cn=Manager,dc=mydomain' -W -b cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
Output:
Code:
# tbook1, gebruikers, 101001, mydomain
dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
cn: tbook1
member: cn=U101001,ou=101001,dc=mydomain
objectClass: groupOfNames
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Seems correct, no?
 
Old 02-19-2014, 12:03 PM   #43
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,822

Yes, it seems correct.
Sorry but I don't know what else to think.
You could ask your question on the OpenLDAP mailing lists to get a more accurate answer.
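One detail worth checking in the rule quoted in posts #32 and #36: slapd's dn.one style covers only the entries directly under the named ou, not that ou itself, so the member of cn=tbook1 ends up with no access at all on the very entry the ldapsearch uses as its base, and slapd reports a base the requester has no access to as noSuchObject (32), the error from post #31, rather than confirming that it exists. The Python model below is added here and is not code from the thread or from OpenLDAP; it walks the posted rule through those matching semantics for the base entry and for a child, knows only dn-styled targets with '*', 'users' and group.exact clauses, and uses a group-membership table constructed from the post #42 output.

```python
# Toy model of how slapd matches an "access to dn.<style>=..." target (added example, not code
# from the thread or OpenLDAP): only dn-styled targets, '*', 'users' and group.exact are modelled.
import re

RULE_RE = re.compile(r'access to dn(?:\.(\w+))?="([^"]+)"((?:\s+by\s+\S+\s+\w+)+)')
BY_RE = re.compile(r'by\s+(\S+)\s+(\w+)')

def dn_matches(style, pattern, target):
    if style in ("exact", "base"):
        return target == pattern
    if style == "one":        # entries one level below pattern; pattern itself is NOT covered
        return target.partition(",")[2] == pattern   # escaped commas are not handled
    if style == "subtree":    # pattern itself plus everything below it
        return target == pattern or target.endswith("," + pattern)
    raise ValueError("unknown dn style: %s" % style)

def parse_rules(text):  # -> [(style, pattern, [(who, level), ...]), ...] in file order
    return [(m.group(1) or "exact", m.group(2), BY_RE.findall(m.group(3)))
            for m in RULE_RE.finditer(text)]

def access_level(rules, target_dn, user_dn, groups):
    # slapd semantics: only the first "access to" whose target matches is consulted;
    # within it the first matching "by" wins, otherwise the implicit "by * none" applies.
    for style, pattern, by_clauses in rules:
        if not dn_matches(style, pattern, target_dn):
            continue
        for who, level in by_clauses:
            if who == "*" or (who == "users" and user_dn):
                return level
            if who.startswith("group.exact=") and user_dn in groups.get(who.split("=", 1)[1].strip('"'), ()):
                return level
        return "none"
    return "none"

# DNs and rule exactly as posted in the thread; GROUPS is constructed from the post #42 output.
THREAD_RULE = '''
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
'''
USER = "cn=U101001,ou=101001,dc=mydomain"
BASE = "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
GROUPS = {"cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain": {USER}}

def what_user_gets(rule_text, user=USER, base=BASE):
    # Access on the search base itself vs. on a child: 'none' on the base means slapd cannot
    # even disclose it to this user and answers the search with noSuchObject (32).
    rules = parse_rules(rule_text)
    return {"base": access_level(rules, base, user, GROUPS),
            "child": access_level(rules, "cn=x," + base, user, GROUPS)}
```

On the server itself, `slapacl -f /etc/openldap/slapd.conf -D 'cn=U101001,ou=101001,dc=mydomain' -b 'ou=tbook1,ou=contacten,ou=101001,dc=mydomain' entry/search` asks slapd's own ACL engine for the same verdict on the base entry (add `-u` to skip opening the database).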
 