
Re: slapd : what is error 32 ?



Hi all,

This is the second answer to my question, thanks folks.
I found it now.

Hallvard B Furuseth wrote:
> 
> Harry Rüter writes:
> > You see, error no 32, but what does it mean ?
> > Where can i find documentation about the error-constants ?
> 
> include/ldap.h says:
> #define LDAP_NO_SUCH_OBJECT             0x20

This would mean that the replica server can't find this entry,
although it is there, since the replica database is an exact copy
of the master.
Is it an access problem?
What makes the difference, given that the configuration files are
almost the same?

Here are the files:

-----------------------slapd.conf----------------------
### Include schema data ###
#
# slapd.conf of the master (the server that runs slurpd against the
# replica below).
# NOTE(review): this copy looks re-wrapped by the mail client: a word
# standing alone at column 0 (`write`, `eq`, a bare `dn=...` or
# `attr=...`) is the tail of the directive on the line above it. slapd
# only treats lines that begin with whitespace as continuations, so in
# the real file these must be on one line or indented.

include	/etc/openldap/schema/core.schema
include	/etc/openldap/schema/cosine.schema
include	/etc/openldap/schema/inetorgperson.schema
include	/etc/openldap/schema/nis.schema
include	/etc/openldap/schema/qmail.schema
include	/etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/turbo.schema
include /etc/openldap/schema/mull.schema


#include /etc/openldap/schema/netscape-profile.schema

schemacheck on

# -1 enables every debug category. This is extremely verbose (it logs
# operations and their arguments); narrow it to the categories needed
# once the replication problem is found.
loglevel -1

### Load the SSL certificate ###

# One file serves as certificate, private key and CA certificate, so
# server.pem contains the private key and must be readable by the slapd
# user only.
TLSCertificateFile      /etc/openldap/cert/server.pem
TLSCertificateKeyFile   /etc/openldap/cert/server.pem
TLSCACertificateFile    /etc/openldap/cert/server.pem

### If SASL authentication is used: ###

# Kerberos key table and the host/realm slapd identifies itself with.
# The replica below uses a different keytab (/etc/krb5.keytab.slurpd).
srvtab     /etc/krb5.keytab
sasl-host  486dx66.hrnet.de
sasl-realm HRNET.DE


pidfile    /var/run/slapd.pid
argsfile   /var/run/slapd.args

### Database definition ###

lastmod         on
database	ldbm
suffix		"dc=hrnet,dc=de"

#
# The privileged account may read and write everything in this
# database. Not to be confused with the system user root, who is an
# entry in the directory and gets his rights assigned through the ACLs.
#
rootdn		"cn=Root,dc=hrnet,dc=de"
#
# NOTE(review): the disabled line below still carries a password hash,
# and this file has been posted to a public mailing list. Treat that
# password as disclosed and change it; do not simply re-enable the line.
#rootpw {SSHA}LYa78OCW8jPOWEKfy0RR1uizrdEEuVpN
rootpw {KERBEROS}ldapRoot@HRNET.DE

#
# The directory *must* exist before slapd is started and should be
# readable only by slapd
directory	/var/lib/ldap

#
# Index Definition
#index	objectClass	eq

# Equality index on the listed attributes; the `eq` on the following
# line is the wrapped tail of this directive.
index objectClass,rid,uid,uidNumber,gidNumber,memberUid,ou
eq

# Push changes to the replica on port 3389 over TLS, binding with
# GSSAPI. The Kerberos identity slurpd binds with has to be the one the
# replica's `updatedn` names, otherwise the replica does not treat the
# writes as replication.
replica         host=486dx66.hrnet.de:3389
                tls=yes
                bindmethod=sasl
                saslmech=GSSAPI
replogfile      /var/lib/ldap.replica/replog


### Access control list (ACL) definition ###
#
# slapd applies the first `access to` clause whose target matches the
# entry/attribute, and within it the first `by` clause that matches the
# requester; the order of the rules below is therefore significant.
# NOTE(review): the identity patterns are not uniform — `ldapAdmin` in
# the disabled rule vs `ldapadmin` everywhere else, and `.+\+realm=` here
# vs `.\+realm=` in the replica's ACLs. Use one spelling and one pattern
# per identity so a rule cannot silently never match.

#access to *
#   by * write



# The whole Roaming rule is disabled. The bare `dn=...` and `write`
# lines below appear to be wrap artifacts of the `#` lines above them;
# in the real file they would be unknown directives, so confirm they are
# not really there.
#access to
dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
#  by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
#  by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
#  by dnattr=owner write
#  by self write
#  by * none

#access to dn="nsliProfileName=(.*),uid=(.*)"

# nsliProfileName entries: admin and ldapadmin may write, the DN listed
# in the entry's `owner` attribute may write, everyone else sees nothing.
access to dn="nsliProfileName=(.*)"
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
   by dnattr=owner write
   by * none

# Entries below a profile entry: as above, plus the Kerberos identity
# whose uid equals the captured profile name ($1) may write.
access to dn=".*,nsliProfileName=(.*)"
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
   by dn="uid=$1.+\+realm=HRNET.DE" write
   by dnattr=owner write
   by * none



# Users may change their own attributes,
# everyone else sees nothing
access  to attr=loginShell
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by self write
	by * none
#
# Users may change their own attributes,
# authenticated users may read,
# everyone else sees nothing
access to
attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by self write
	by users read
	by * none

# Naming attributes are world-readable.
access to attr=dc,o,ou,uid
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by * read

#
# Users may change their own attributes,
# everyone else may read
# NOTE(review): `photo` is also listed in the rule above, which matches
# first, so the `by * read` here never applies to it.

access to
attr=cn,givenName,sn,gecos,initials,title,photo,mailcn,krbName,krb5PrincipalName
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by self write
	by * read
#
# Users may change their own passwords.
# anonymous auth only makes sense for userPassword, but does no harm
# for the others.
# The Samba server must have write access here!
# NOTE(review): no Samba identity is listed in this rule — presumably
# Samba binds as admin or ldapadmin; confirm.
access to attr=userPassword,lmPassword,ntPassword
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by self write
	by anonymous auth
	by * none
#
# Users may read their own attributes,
# everyone else sees nothing
access to attr=accountStatus,mailQuota,registeredAddress
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
	by self read
	by * none
##
# Base rule so that anonymous users can search the directory


access to attr=entry,objectClass
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
   by * read
#
# Default policy: if none of the rules above matches, authenticated
# users may read and everyone else sees nothing.
# NOTE(review): the rule does not do what this comment says — `by * read`
# grants read to anonymous clients as well. The stated intent would be
# `by users read` followed by `by * none`.

access to *
   by self write 
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
   by * read
   

-------------------------------------------------------

-----------------------slapd.conf.replica----------------------
# slapd.conf of the replica (the server slurpd pushes changes to).
# Error 32 is LDAP_NO_SUCH_OBJECT (0x20 in the quoted ldap.h): this
# server did not find the target entry in its database. The visible
# differences from the master's configuration are the `updatedn` value
# and the ldapreplicator ACL clauses, both noted below.
# NOTE(review): like the master file, this copy looks re-wrapped by the
# mail client — a lone `write` or `eq` at column 0 belongs to the
# directive on the line above it.
include	/etc/openldap/schema/core.schema
include	/etc/openldap/schema/cosine.schema
include	/etc/openldap/schema/inetorgperson.schema
include	/etc/openldap/schema/nis.schema
include	/etc/openldap/schema/qmail.schema
include	/etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/turbo.schema
include /etc/openldap/schema/mull.schema


#include /etc/openldap/schema/netscape-profile.schema

schemacheck on

# 16 + 128 + 256 + 2048
# (= 2448, the intended selection; what is actually set is -1, i.e.
# every debug category — very verbose, narrow it once diagnosed)
loglevel -1

### Load the SSL certificate ###

# One file serves as certificate, private key and CA certificate, so
# server.pem contains the private key and must be readable by the slapd
# user only.
TLSCertificateFile      /etc/openldap/cert/server.pem
TLSCertificateKeyFile   /etc/openldap/cert/server.pem
TLSCACertificateFile    /etc/openldap/cert/server.pem

### If SASL authentication is used: ###

# Separate keytab for this instance (the master uses /etc/krb5.keytab).
srvtab     /etc/krb5.keytab.slurpd
sasl-host  486dx66.hrnet.de
sasl-realm HRNET.DE

### Database definition ###

lastmod         on
database	ldbm
suffix		"dc=hrnet,dc=de"


pidfile                 /var/run/slapd.replica.pid
argsfile                /var/run/slapd.replica.args

#
# The privileged account may read and write everything in this
# database. Not to be confused with the system user root, who is an
# entry in the directory and gets his rights assigned through the ACLs.
#
rootdn		"cn=Root,dc=hrnet,dc=de"
#
# NOTE(review): the disabled line below still carries a password hash,
# and this file has been posted to a public mailing list. Treat that
# password as disclosed and change it; do not simply re-enable the line.
#rootpw {SSHA}LYa78OCW8jPOWEKfy0RR1uizrdEEuVpN
rootpw {KERBEROS}ldapRoot@HRNET.DE

# The DN whose writes this replica accepts as replication updates.
# NOTE(review): `updatedn` takes a DN, not a regular expression; the `.`
# and `\+` look copied from the ACL patterns. If the value is compared
# literally it will not equal the identity slurpd's GSSAPI bind maps to.
# Take the exact authorization DN from the bind log (loglevel -1 shows
# it) and put that here.
# NOTE(review): no `updateref` to the master is set, so ordinary clients
# that write to this replica are not redirected — add one if that is
# wanted.
updatedn   "uid=ldapreplicator.\+realm=HRNET.DE"

#
# The directory *must* exist before slapd is started and should be
# readable only by slapd
directory	/var/lib/ldap.replica

#
# Index Definition
#index	objectClass	eq

# Equality index on the listed attributes; the `eq` on the following
# line is the wrapped tail of this directive.
index objectClass,rid,uid,uidNumber,gidNumber,memberUid,ou
eq

### Access control list (ACL) definition ###
#
# slapd applies the first `access to` clause whose target matches and,
# within it, the first `by` clause that matches the requester; order is
# significant.
# NOTE(review): every `by dn="uid=ldapreplicator..."` clause in this
# file has NO access level after it, whereas the master's corresponding
# clauses end in `write`. This is the main difference between the two
# ACL sets. Check what level slapd applies when it is omitted in this
# version and state it explicitly (`write`) if the replicator is meant
# to apply updates; otherwise replayed changes are refused here. The
# pattern also differs from the master's (`.\+realm=` vs `.+\+realm=`).

access to dn="nsliProfileName=(.*)"
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapreplicator.\+realm=HRNET.DE"   
   by dnattr=owner write
   by * none

# Entries below a profile entry: the Kerberos identity whose uid equals
# the captured profile name ($1) may also write.
access to dn=".*,nsliProfileName=(.*)"
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapreplicator.\+realm=HRNET.DE"
   by dn="uid=$1.+\+realm=HRNET.DE" write
   by dnattr=owner write
   by * none



# Users may change their own attributes,
# everyone else sees nothing
access  to attr=loginShell
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"
	by self write
	by * none
#
# Users may change their own attributes,
# authenticated users may read,
# everyone else sees nothing
access to
attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"
	by self write
	by users read
	by * none

# Naming attributes are world-readable.
access to attr=dc,o,ou,uid
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"
	by * read

#
# Users may change their own attributes,
# everyone else may read
# NOTE(review): `photo` is also listed in the rule above, which matches
# first, so the `by * read` here never applies to it.


access to
attr=cn,givenName,sn,gecos,initials,title,photo,mailcn,krbName,krb5PrincipalName
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"
	by self write
	by * read
#
# Users may change their own passwords.
# anonymous auth only makes sense for userPassword, but does no harm
# for the others.
# The Samba server must have write access here!
# NOTE(review): no Samba identity is listed in this rule — presumably
# Samba binds as admin; confirm.
access to attr=userPassword,lmPassword,ntPassword
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"
	by self write
	by anonymous auth
	by * none
#
# Users may read their own attributes,
# everyone else sees nothing
# NOTE(review): the `ldapAdmin` clause below is the only ldapadmin rule
# kept in this file and it is spelled differently from the master's
# `ldapadmin`; either drop it or align it with the master.
access to attr=accountStatus,mailQuota,registeredAddress
	by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
        by dn="uid=ldapreplicator.\+realm=HRNET.DE"        
	by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
	by self read
	by * none
##
# Base rule so that anonymous users can search the directory


access to attr=entry,objectClass
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapreplicator.\+realm=HRNET.DE"   
   by * read
#
# Default policy: if none of the rules above matches, authenticated
# users may read and everyone else sees nothing.
# NOTE(review): the rule does not do what this comment says — `by * read`
# grants read to anonymous clients as well. The stated intent would be
# `by users read` followed by `by * none`.

access to *
   by self write 
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
   by dn="uid=ldapreplicator.\+realm=HRNET.DE"
   by * read
   

---------------------------------------------------------------


Please help me to find a solution to this annoying problem.

Thanks Harry