Question about attributes shown in ldapsearch
Hi
I'm seeking some guidance in tracking down a problem that I believe is
happening in my OpenLDAP installation. I'll start with the basic
question and work up to the detail. When I issue:
ldapsearch -x "objectclass=*"
I get a list of attributes that does not seem to be complete. In
particular the sn attribute is missing, as well as a lot of others that
show up in slapcat. I believe this has happened after a power failure
resulted in a corrupted database. I tried "slapd_db_recover -ev" and
also "slapindex -v", which recovered the database apparently without
reporting any problems.
Does anyone have any experience of this, or can give me some start in
tracking down the problem?
Prior to this event the setup was working fine. I have checked schema
files, config files and various ownership/modes on all ldap files and
they seem OK (at least to my limited knowledge). Nothing is showing up
in the LDAP or system logs.
Now for the background. I have set up a samba/LDAP unified authentication
system (test only at this stage) following the Idealx smbldap howto and
using their tools. This uses TLS security and authenticates samba and
Linux. Everything worked flawlessly and I left it alone for a while
until I found after the power-out event that I couldn't authenticate into
Linux. Restoration of the database gives me Linux access but not samba
access.
Check of the samba log files showed that attempts to authenticate via
samba were resulting in a failure to access one of the LDAP attributes
necessary for that authentication. That's when I discovered that
ldapsearch couldn't access them either. TLS seems OK because a -ZZ
switch on ldapsearch works identically with no problems.
The setup is Fedora core 2, openldap 2.1.29, samba 3.0.10 (these were
the latest available updates for FC2).
Here is the output from "ldapsearch -x 'cn=ksarkies'":
------------------------------------------------------------------------
# ksarkies, Users, trinity.asn.au
dn: uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: ksarkies
uid: ksarkies
uidNumber: 1044
gidNumber: 513
homeDirectory: /home/ksarkies
loginShell: /bin/bash
gecos: System User
description: System User
# search result
search: 3
result: 0 Success
--------------------------------------------------------------------------
and the corresponding slapcat section:
--------------------------------------------------------------------------
dn: uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: ksarkies
sn: ksarkies
uid: ksarkies
uidNumber: 1044
gidNumber: 513
homeDirectory: /home/ksarkies
loginShell: /bin/bash
gecos: System User
description: System User
structuralObjectClass: inetOrgPerson
entryUUID: 1f078310-28b8-1029-9e18-a0ab643bde17
creatorsName: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
createTimestamp: 20050314093517Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-3175078009-3471862928-2418466962-3088
sambaPrimaryGroupSID: S-1-5-21-3175078009-3471862928-2418466962-513
sambaHomeDrive: H:
sambaLMPassword: FDAA9CC986D8531CF9393D97E7A1873C
sambaAcctFlags: [U]
sambaNTPassword: 046A591315771599567334815D69EADF
sambaPwdLastSet: 1110792959
sambaPwdMustChange: 1114680959
userPassword:: e1NTSEF9SVQ1RHY3aXVNcjJNa29RcFpxSzQwQ0duVzMrUHUxbVU=
entryCSN: 2005031409:35:59Z#0x0002#0#0000
modifiersName: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
modifyTimestamp: 20050314093559Z
----------------------------------------------------------------------------
For completeness a log of an "ldapsearch -x 'sn=ksarkies'" at syslog
level 1 is shown below but doesn't really seem to say much to me anyway.
Also puzzling is why samba and smbldap-tools are mentioned (these are
administrative accounts for access to LDAP by samba and smbldap-tools
respectively, which should not be invoked by this command). Sorry - I'm
floundering a bit here.
-------------------------------------------------------------------------
Mar 25 17:30:12 hta41 slapd[21014]: => key_read
Mar 25 17:30:12 hta41 slapd[21014]: <= bdb_index_read 1 candidates
Mar 25 17:30:12 hta41 slapd[21014]: <= bdb_equality_candidates: id=1, first=53, last=53
Mar 25 17:30:12 hta41 slapd[21014]: bdb_search_candidates: id=1 first=53 last=53
Mar 25 17:30:12 hta41 slapd[21014]: ====> bdb_cache_return_entry_r( 1 ): created (0)
Mar 25 17:30:12 hta41 slapd[21014]: entry_decode: "uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au"
Mar 25 17:30:12 hta41 slapd[21014]: <= entry_decode(uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au)
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: pattern: cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: expanded: cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: string:^I
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: rc: 1 no matches
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: pattern: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: expanded: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: string:^I
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: rc: 1 no matches
Mar 25 17:30:12 hta41 slapd[21014]: bdb_search: 53 does not match filter
Mar 25 17:30:12 hta41 slapd[21014]: ====> bdb_cache_return_entry_r( 53 ): created (0)
Mar 25 17:30:12 hta41 slapd[21014]: send_search_result: err=0 matched="" text=""
Mar 25 17:30:12 hta41 slapd[21014]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 17:30:12 hta41 slapd[21014]: connection_get(10): got connid=0
Mar 25 17:30:12 hta41 slapd[21014]: connection_read(10): checking for input on id=0
Mar 25 17:30:12 hta41 slapd[21014]: do_unbind
Mar 25 17:30:12 hta41 slapd[21014]: ber_get_next on fd 10 failed errno=0 (Success)
Mar 25 17:30:12 hta41 slapd[21014]: connection_read(10): input error=-2 id=0, closing.
Mar 25 17:30:12 hta41 slapd[21014]: connection_closing: readying conn=0 sd=10 for close
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: deferring conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_resched: attempting closing conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: deferring conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_resched: attempting closing conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: conn=0 sd=10
-----------------------------------------------------------------------
SLAPD.CONF:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
schemacheck on
lastmod on
TLSCertificateFile /etc/openldap/tls/servercert.pem
TLSCertificateKeyFile /etc/openldap/tls/serverkey.pem
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
TLSCipherSuite :SSLv3
TLSVerifyClient never
database bdb
suffix "dc=trinity,dc=asn,dc=au"
rootdn "cn=manager,dc=trinity,dc=asn,dc=au"
rootpw {SSHA}2mS+wPO1yQrGgj2D5qK0oj4lLNYCaSeB
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=nssldap,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by self write
        by anonymous auth
        by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginShell
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by * read
access to attrs=description,telephoneNumber
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by self write
        by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by self read
        by * none
access to dn.base="dc=trinity,dc=asn,dc=au"
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by * none
access to dn="ou=Users,dc=trinity,dc=asn,dc=au"
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by * none
access to dn="ou=Groups,dc=trinity,dc=asn,dc=au"
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by * none
access to dn="ou=Computers,dc=trinity,dc=asn,dc=au"
        by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
        by * none
access to *
        by self read
        # this can be omitted but we leave it: there could be other branches
        # in the directory
        by * none
-------------------------------------------------------------------------
LDAP.CONF:
HOST hta41
BASE dc=trinity,dc=asn,dc=au
tls_cacert /etc/ssl/demoCA/cacert.pem
-------------------------------------------------------------------------
If you got this far, thanks for your patience
Ken Sarkies
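As an added example that is not part of the original post, the following models the ACL evaluation slapd performs on the access directives quoted above: the first `access to` clause covering an attribute is selected, the first matching `by` clause inside it decides the level, and slapcat bypasses ACLs because it reads the database directly (the `string_expand`/`regex_matches` log lines are those `by dn=` patterns being tested against the bound DN). It assumes `ldapsearch -x` without `-D` binds anonymously and that `self` matches only when the bound DN equals the entry DN; the dn-scoped clauses are left out and the attribute lists are trimmed to those used below.

```python
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SAMBA = "cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au"
TOOLS = "cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au"
NSS = "cn=nssldap,ou=DSA,dc=trinity,dc=asn,dc=au"
ENTRY_DN = "uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au"

# (attrs, [(who, level), ...]) in slapd.conf order; attribute lists trimmed to
# the ones used below; {"*"} stands for the final "access to *" clause.
ACLS = [
    ({"userPassword", "sambaNTPassword", "sambaLMPassword"},
     [(SAMBA, "write"), (TOOLS, "write"), (NSS, "write"), ("self", "write"),
      ("anonymous", "auth"), ("*", "none")]),
    ({"objectClass", "entry", "gecos", "homeDirectory", "uid", "uidNumber",
      "gidNumber", "cn", "loginShell"},
     [(SAMBA, "write"), (TOOLS, "write"), ("*", "read")]),
    ({"description", "telephoneNumber"},
     [(SAMBA, "write"), (TOOLS, "write"), ("self", "write"), ("*", "read")]),
    ({"cn", "sambaNTPassword", "displayName", "sambaSID"},
     [(SAMBA, "write"), (TOOLS, "write"), ("self", "read"), ("*", "none")]),
    ({"*"}, [("self", "read"), ("*", "none")]),
]
# User attributes of the entry in slapcat order (operational ones omitted).
ENTRY_ATTRS = ["objectClass", "cn", "sn", "uid", "uidNumber", "gidNumber",
               "homeDirectory", "loginShell", "gecos", "description",
               "displayName", "sambaSID", "sambaNTPassword", "userPassword"]

def access_level(attr, bound_dn, entry_dn=ENTRY_DN):
    """Level granted to bound_dn ("" = anonymous) on attr of entry_dn."""
    for attrs, by_clauses in ACLS:
        if attr not in attrs and "*" not in attrs:
            continue                      # this clause does not cover attr
        for who, level in by_clauses:     # first matching "by" decides
            if (who == "*" or who == bound_dn
                    or (who == "self" and bound_dn == entry_dn)
                    or (who == "anonymous" and bound_dn == "")):
                return level
        return "none"                     # no "by" matched: no fallthrough
    return "none"

def allows(attr, bound_dn, needed):
    """True if the granted level reaches `needed` (a filter needs "search")."""
    return LEVELS.index(access_level(attr, bound_dn)) >= LEVELS.index(needed)

def visible_attrs(bound_dn):
    """What a search bound as bound_dn gets back; slapcat skips all of this."""
    if not allows("entry", bound_dn, "read"):
        return []                         # the entry itself is not readable
    return [a for a in ENTRY_ATTRS if allows(a, bound_dn, "read")]
```

`visible_attrs("")` yields exactly the attribute set in the anonymous ldapsearch output above, and `allows("sn", "", "search")` is False, which is what "53 does not match filter" means for an anonymous (sn=ksarkies) search.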