getent works, ldapsearch doesn't?

dafydd2277 · 03-06-2012, 01:52 PM

Okay, I'm baffled. I'm connecting RHEL 5.[345] to a Red Hat Directory Server.

/etc/ldap.conf:

Code:

uri ldap://host1/ ldap://host2/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

/etc/nsswitch.conf:

Code:

[root@host ~]# grep ldap /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap

getent passwd returns the test users.

However,

Code:

[root@host ~]# ldapsearch -nvx -H ldap://host1:389 -b ou=people,dc=test,dc=com
ldap_initialize( ldap://host1:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

[root@host ~]#  ldapsearch -nvx -H ldap://host1:389 -D uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot -W -b ou=people,dc=test,dc=com
ldap_initialize( ldap://host1:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

And, neither request returns data.

And this is the smaller problem. I have another host with the same /etc/ldap.conf and /etc/nsswitch.conf settings that won't return getent or ldapsearch.

Finally, running the ldapsearch on the ldap host, using "-h localhost" or "-H ldap://localhost" works fine.

I'm reasonably sure I'm forgetting something obvious... :-p

Any ideas?

Thanks!
David

Tinkster · 03-06-2012, 03:59 PM

First step with such problems ...

telnet host1 389
and
telnet host1 636

Cheers,
Tink

dafydd2277 · 03-06-2012, 04:35 PM

Heh. Step 1: "yum install telnet" (These test hosts are supposed to mimic a secure environment... ;-)

Port 389 gets responses. Port 636 refuses connections. Which is consistent with my not bothering to set up ldap+tls.

I'm reasonably sure I'm missing a setting on the clients, somewhere. At least as far as getent is concerned. If I can get getent passwd working on this one host that will allow forward progress. Then, the ldapsearch weirdness becomes a back-burner item.

Thanks!
David

dafydd2277 · 03-06-2012, 04:41 PM

Also, on the RH Directory Server host, I can do ldapsearch with "-h localhost," "-h host1," and "-H ldap://host1.d.n:389" and get identical output for each test.

Tinkster · 03-06-2012, 08:36 PM

Quote:

Originally Posted by dafydd2277

Heh. Step 1: "yum install telnet" (These test hosts are supposed to mimic a secure environment... ;-)

telnet is only a problem if you run a server - the telnet client is one
of a sysadmins most valuable tools for network diagnostics ;}

Quote:

Originally Posted by dafydd2277

Port 389 gets responses. Port 636 refuses connections. Which is consistent with my not bothering to set up ldap+tls.

So we've established that it's not a connectivity issue, or SE LInux.
Good ...

Tinkster · 03-06-2012, 08:41 PM

And a silly question: have you tried running your searches w/o the '-n'?

dafydd2277 · 03-07-2012, 10:13 AM

Quote:

Originally Posted by Tinkster

And a silly question: have you tried running your searches w/o the '-n'?

Okay, I knew I was an idiot. This new workstation is receiving good output for ldapsearch. Now that I've demonstrated that a connection to the ldap servers is functional, I have to figure out why getent won't show me the additional users.

Code:

[root@hmiwks04 ~]# ldapsearch -vx -H ldap://rhdirsrv1:389 -D uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot -W -b ou=people,dc=fed,dc=mtr | grep ^dn:
ldap_initialize( ldap://rhdirsrv1:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
dn: ou=People,dc=fed,dc=mtr
dn: cn=nsPwPolicyContainer,ou=People,dc=fed,dc=mtr
dn: uid=Joe,ou=People,dc=fed,dc=mtr
dn: uid=Karen,ou=People,dc=fed,dc=mtr
dn: uid=Laura,ou=People,dc=fed,dc=mtr
dn: uid=Sam,ou=People,dc=fed,dc=mtr
dn: uid=Tina,ou=People,dc=fed,dc=mtr
dn: uid=FordH,ou=People,dc=fed,dc=mtr
dn: uid=YoungS,ou=People,dc=fed,dc=mtr
dn: uid=HannahD,ou=People,dc=fed,dc=mtr
dn: uid=HauerR,ou=People,dc=fed,dc=mtr

[root@hmiwks04 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

(The first five test users were a tester's idea. The last four are mine. Bonus points for guessing the movie inspiration...)

dafydd2277 · 03-07-2012, 10:20 AM

Quote:

Originally Posted by Tinkster

And a silly question: have you tried running your searches w/o the '-n'?

Yep. Definitely an idiot.

Code:

[root@hmiwks04 ~]# authconfig --enableldap --enableldapauth --update

Problem solved... :-p

I knew I was missing something simple...

Tinkster · 03-07-2012, 02:34 PM

Sweet! Pleased to hear you're away laughing.