[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd : what is error 32 ?
Hi all,
this is the second answer to my question, thanks folks
i found it now.
Hallvard B Furuseth wrote:
>
> Harry Rüter writes:
> > You see, error no 32, but what does it mean ?
> > Where can i find documentation about the error-constants ?
>
> include/ldap.h says:
> #define LDAP_NO_SUCH_OBJECT 0x20
This would mean, that the replica-server can't find this
entry,
although it's there, as the replica database is an exact
copy
of the master.
Is it an access-problem ?
What makes the difference, as the configuration-files are
almost the same.
Here are the files:
-----------------------slapd.conf----------------------
### Schemadaten einbinden ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/turbo.schema
include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
schemacheck on
loglevel -1
### SSL-Zertifikat laden ###
TLSCertificateFile /etc/openldap/cert/server.pem
TLSCertificateKeyFile /etc/openldap/cert/server.pem
TLSCACertificateFile /etc/openldap/cert/server.pem
### Falls SASL-Authentifizierung benutzt wird: ###
srvtab /etc/krb5.keytab
sasl-host 486dx66.hrnet.de
sasl-realm HRNET.DE
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
### Definition f?r die Datenbank ###
lastmod on
database ldbm
suffix "dc=hrnet,dc=de"
#
# Der privilegierte Account darf in dieser Datenbank
# alles lesen und schreiben. Nicht zu verwechseln mit
# dem Sysuser root, der im Verzeichnis eingetragen
# ist und dem mit ACL seine Rechte zugewiesen werden
#
rootdn "cn=Root,dc=hrnet,dc=de"
#
#
#rootpw {SSHA}LYa78OCW8jPOWEKfy0RR1uizrdEEuVpN
rootpw {KERBEROS}ldapRoot@HRNET.DE
#
# Das Verzeichnis *muss* existieren, bevor slapd
# gestartet wird und sollte nur f?r slapd lesbar sein
directory /var/lib/ldap
#
# Index Definition
#index objectClass eq
index objectClass,rid,uid,uidNumber,gidNumber,memberUid,ou
eq
replica host=486dx66.hrnet.de:3389
tls=yes
bindmethod=sasl
saslmech=GSSAPI
replogfile /var/lib/ldap.replica/replog
### Definition der Access Control List (ACL) ###
#access to *
# by * write
#access to
dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
# by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
# by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
# by dnattr=owner write
# by self write
# by * none
#access to dn="nsliProfileName=(.*),uid=(.*)"
access to dn="nsliProfileName=(.*)"
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by dnattr=owner write
by * none
access to dn=".*,nsliProfileName=(.*)"
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by dn="uid=$1.+\+realm=HRNET.DE" write
by dnattr=owner write
by * none
# User darf eigene Attribute ?ndern,
# alle andere sehen nichts
access to attr=loginShell
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by self write
by * none
#
# User darf eigene Attribute ?ndern,
# authentifizierte User lesen
# alle andere sehen nichts
access to
attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by self write
by users read
by * none
access to attr=dc,o,ou,uid
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by * read
#
# User darf eigene Attribute ?ndern,
# alle andere k?nnen lesen
access to
attr=cn,givenName,sn,gecos,initials,title,photo,mailcn,krbName,krb5PrincipalName
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by self write
by * read
#
# User darf eigene Passw?rter ?ndern.
# anonymous auth macht nur f?r userPasswort Sinn,
# st?rt sonst aber nicht.
# Der Samba Server muss hier schreibrecht haben!
access to attr=userPassword,lmPassword,ntPassword
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by self write
by anonymous auth
by * none
#
# User darf eigene Attribute lesen,
# alle andere sehen nichts
access to attr=accountStatus,mailQuota,registeredAddress
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by self read
by * none
##
# Grundregel, damit annonyme User das Verzeichnis
# durchsuchen k?nnen
access to attr=entry,objectClass
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by * read
#
# Default Policy: wenn keine der oben angelegten
# Regeln zieht, d?rfen authentifizierte User lesen
# und alle anderen sehen nichts.
access to *
by self write
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapadmin.+\+realm=HRNET.DE" write
by * read
-------------------------------------------------------
-----------------------slapd.conf.replica----------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/turbo.schema
include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
schemacheck on
# 16 + 128 + 256 + 2048
#
loglevel -1
### SSL-Zertifikat laden ###
TLSCertificateFile /etc/openldap/cert/server.pem
TLSCertificateKeyFile /etc/openldap/cert/server.pem
TLSCACertificateFile /etc/openldap/cert/server.pem
### Falls SASL-Authentifizierung benutzt wird: ###
srvtab /etc/krb5.keytab.slurpd
sasl-host 486dx66.hrnet.de
sasl-realm HRNET.DE
### Definition f?r die Datenbank ###
lastmod on
database ldbm
suffix "dc=hrnet,dc=de"
pidfile /var/run/slapd.replica.pid
argsfile /var/run/slapd.replica.args
#
# Der privilegierte Account darf in dieser Datenbank
# alles lesen und schreiben. Nicht zu verwechseln mit
# dem Sysuser root, der im Verzeichnis eingetragen
# ist und dem mit ACL seine Rechte zugewiesen werden
#
rootdn "cn=Root,dc=hrnet,dc=de"
#
#
#rootpw {SSHA}LYa78OCW8jPOWEKfy0RR1uizrdEEuVpN
rootpw {KERBEROS}ldapRoot@HRNET.DE
updatedn "uid=ldapreplicator.\+realm=HRNET.DE"
#
# Das Verzeichnis *muss* existieren, bevor slapd
# gestartet wird und sollte nur f?r slapd lesbar sein
directory /var/lib/ldap.replica
#
# Index Definition
#index objectClass eq
index objectClass,rid,uid,uidNumber,gidNumber,memberUid,ou
eq
### Definition der Access Control List (ACL) ###
access to dn="nsliProfileName=(.*)"
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by dnattr=owner write
by * none
access to dn=".*,nsliProfileName=(.*)"
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by dn="uid=$1.+\+realm=HRNET.DE" write
by dnattr=owner write
by * none
# User darf eigene Attribute ?ndern,
# alle andere sehen nichts
access to attr=loginShell
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by self write
by * none
#
# User darf eigene Attribute ?ndern,
# authentifizierte User lesen
# alle andere sehen nichts
access to
attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by self write
by users read
by * none
access to attr=dc,o,ou,uid
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by * read
#
# User darf eigene Attribute ?ndern,
# alle andere k?nnen lesen
access to
attr=cn,givenName,sn,gecos,initials,title,photo,mailcn,krbName,krb5PrincipalName
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by self write
by * read
#
# User darf eigene Passw?rter ?ndern.
# anonymous auth macht nur f?r userPasswort Sinn,
# st?rt sonst aber nicht.
# Der Samba Server muss hier schreibrecht haben!
access to attr=userPassword,lmPassword,ntPassword
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by self write
by anonymous auth
by * none
#
# User darf eigene Attribute lesen,
# alle andere sehen nichts
access to attr=accountStatus,mailQuota,registeredAddress
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
by self read
by * none
##
# Grundregel, damit annonyme User das Verzeichnis
# durchsuchen k?nnen
access to attr=entry,objectClass
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by * read
#
# Default Policy: wenn keine der oben angelegten
# Regeln zieht, d?rfen authentifizierte User lesen
# und alle anderen sehen nichts.
access to *
by self write
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapreplicator.\+realm=HRNET.DE"
by * read
---------------------------------------------------------------
Please help me to find a solution to this annoying problem.
Thanks Harry