ldapsearches from remote host fail
I am stumped. I have spent three days trying to figure this one out and
I am no further than when I started.
When I do an ldapsearch -x -h "myhost.mydomain.tld" from the host itself,
I get a dump of all my LDAP data. When I run the exact same search from
a remote host I get err=32 No Such Object. It doesn't even matter if I
authenticate (using -D and -W) with the rootdn and rootpw; the end
result is the same.
I have searched for hidden gotchas in slapd.conf and the conf.d
directory. I have enabled (-1) logging. I have removed all ACLs,
although I tried various incarnations, including peer access. The
firewall has port 389/tcp open. This is a Gentoo machine with OpenLDAP
compiled as a portage package. I have PAM authentication working on the
localhost and even have a new test user login working. I just can't
figure out why the exact same search, forced to the external IP address,
works from one machine but not another. It's a mystery to me.
My /etc/openldap/ldap.conf:
BASE dc=mydomain, dc=tld
URI ldap://myhost.mydomain.tld
My /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/java.schema
password-hash {md5}
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 65535
database ldbm
directory /var/lib/openldap-ldbm
index objectClass eq
suffix "dc=mydomain,dc=tld"
rootdn "cn=Manager,dc=mydomain,dc=tld"
rootpw {MD5}[MYPASSWORD]
This is the log of a connection from the remote host:
Dec 12 15:49:12 www slapd[23298]: daemon: new connection on 11
Dec 12 15:49:12 www slapd[23298]: conn=99 fd=11 ACCEPT from IP=xxx.xxx.xxx.xxx:33416 (IP=0.0.0.0:389)
Dec 12 15:49:12 www slapd[23298]: daemon: added 11r
Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
Dec 12 15:49:12 www slapd[23298]:
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
Dec 12 15:49:12 www slapd[23298]: 11r
Dec 12 15:49:12 www slapd[23298]:
Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
Dec 12 15:49:12 www slapd[23298]: connection_get(11)
Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23346]: do_bind
Dec 12 15:49:12 www slapd[23346]: >>> dnPrettyNormal: <>
Dec 12 15:49:12 www slapd[23346]: <<< dnPrettyNormal: <>, <>
Dec 12 15:49:12 www slapd[23346]: do_bind: version=3 dn="" method=128
Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 BIND dn="" method=128
Dec 12 15:49:12 www slapd[23346]: send_ldap_result: conn=99 op=0 p=3
Dec 12 15:49:12 www slapd[23346]: send_ldap_result: err=0 matched="" text=""
Dec 12 15:49:12 www slapd[23346]: send_ldap_response: msgid=1 tag=97 err=0
Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 RESULT tag=97 err=0 text=
Dec 12 15:49:12 www slapd[23346]: do_bind: v3 anonymous bind
Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
Dec 12 15:49:12 www slapd[23298]: 11r
Dec 12 15:49:12 www slapd[23298]:
Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
Dec 12 15:49:12 www slapd[23298]: connection_get(11)
Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23300]: do_search
Dec 12 15:49:12 www slapd[23300]: >>> dnPrettyNormal: <>
Dec 12 15:49:12 www slapd[23300]: <<< dnPrettyNormal: <>, <>
Dec 12 15:49:12 www slapd[23300]: SRCH "" 2 0
Dec 12 15:49:12 www slapd[23300]: 0 0 0
Dec 12 15:49:12 www slapd[23300]: begin get_filter
Dec 12 15:49:12 www slapd[23300]: PRESENT
Dec 12 15:49:12 www slapd[23300]: end get_filter 0
Dec 12 15:49:12 www slapd[23300]: filter: (objectClass=*)
Dec 12 15:49:12 www slapd[23300]: attrs:
Dec 12 15:49:12 www slapd[23300]:
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:49:12 www slapd[23300]: send_ldap_result: conn=99 op=1 p=3
Dec 12 15:49:12 www slapd[23300]: send_ldap_result: err=10 matched="" text=""
Dec 12 15:49:12 www slapd[23300]: send_ldap_response: msgid=2 tag=101 err=32
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
Dec 12 15:49:12 www slapd[23298]: 11r
Dec 12 15:49:12 www slapd[23298]:
Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
Dec 12 15:49:12 www slapd[23298]: connection_get(11)
Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=0 (Success)
Dec 12 15:49:12 www slapd[23298]: connection_read(11): input error=-2 id=99, closing.
Dec 12 15:49:12 www slapd[23298]: connection_closing: readying conn=99 sd=11 for close
Dec 12 15:49:12 www slapd[23298]: connection_close: deferring conn=99 sd=11
Dec 12 15:49:12 www slapd[23346]: do_unbind
Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
Dec 12 15:49:12 www slapd[23346]: conn=99 op=2 UNBIND
When I try the exact same search from the localhost I get this type of
log entry:
Dec 12 15:52:52 www slapd[23346]: => access_allowed: read access to "uid=newuser,ou=People,dc=mydomain,dc=tld" "entry" requested
Dec 12 15:52:52 www slapd[23346]: => access_allowed: backend default read access granted to "(anonymous)"
I have searched Google, the mailing lists, the Gentoo Forums, read "The ABCs
of LDAP" and checked all the man pages. Does anybody have any clue
what I am doing wrong?
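As an added example (my code, not the poster's and not part of OpenLDAP): the quoted log shows the remote client's search arriving as `SRCH base="" scope=2` and slapd answering `err=32`, which is the pattern this script looks for when it pairs each SRCH line with its SEARCH RESULT line by conn/op. It also normalises the client's BASE and the server's suffix directives and checks that the one sits under the other, so a spelling slip between the two files is caught before anyone reads debug logs. The log lines, config fragments, hostnames, suffixes and the dc=tdl typo in the sample slapd.conf are all constructed for this example.

```python
"""Diagnose OpenLDAP err=32 (noSuchObject) searches from slapd stats logs
and from a client ldap.conf / server slapd.conf pair.

Added example, not from the original post.  All sample input is constructed.
"""
import re
from collections import OrderedDict

# slapd "stats" log lines for a search request and its result
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

# Constructed sample.  conn=99 mirrors the remote connection in the post
# (empty base, err=32); conn=100 is a working search with an explicit base;
# conn=101 sends a base DN that exists under no suffix.
SAMPLE_LOG = """\
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Dec 12 15:52:52 www slapd[23346]: conn=100 op=1 SRCH base="dc=example,dc=tld" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:52:52 www slapd[23346]: conn=100 op=1 SEARCH RESULT tag=101 err=0 nentries=7 text=
Dec 12 15:55:01 www slapd[23346]: conn=101 op=1 SRCH base="dc=example,dc=tdl" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:55:01 www slapd[23346]: conn=101 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# Constructed config fragments (hypothetical domain).
CLIENT_CONF = "BASE dc=example, dc=tld\nURI ldap://ldap.example.tld\n"
CLIENT_CONF_NO_BASE = "URI ldap://ldap.example.tld\n"
SLAPD_CONF_OK = 'database ldbm\nsuffix "dc=example,dc=tld"\n'
SLAPD_CONF_TYPO = 'database ldbm\nsuffix "dc=example,dc=tdl"\n'  # deliberate typo


def pair_searches(log_text):
    """Return {(conn, op): {base, scope, err, nentries}} in log order."""
    ops = OrderedDict()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            ops[key] = {"base": m.group(3), "scope": int(m.group(4)),
                        "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            rec = ops.setdefault(key, {"base": None, "scope": None,
                                       "err": None, "nentries": None})
            rec["err"] = int(m.group(3))
            rec["nentries"] = int(m.group(4))
    return ops


def diagnose(ops):
    """One (conn, op, kind) per err=32 search: the client sent no base DN
    at all ("empty-base") or a DN that no database serves ("unknown-base")."""
    findings = []
    for (conn, op), rec in ops.items():
        if rec["err"] != 32:
            continue
        kind = "empty-base" if rec["base"] == "" else "unknown-base"
        findings.append((conn, op, kind))
    return findings


def directive_values(conf_text, name):
    """Values of a keyword in ldap.conf / slapd.conf syntax: keyword is
    case-insensitive, '#' lines are comments, surrounding quotes dropped."""
    vals = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            vals.append(parts[1].strip().strip('"'))
    return vals


def normalize_dn(dn):
    """Canonical form for comparison: attribute types are case-insensitive
    and RFC 4514 permits optional whitespace after the comma."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def base_matches_suffix(client_conf, slapd_conf):
    """(ok, reason): does every client BASE sit at or under a server suffix?"""
    bases = [normalize_dn(b) for b in directive_values(client_conf, "BASE")]
    suffixes = [normalize_dn(s) for s in directive_values(slapd_conf, "suffix")]
    if not bases:
        return (False, 'client has no BASE; ldapsearch without -b sends base ""')
    for b in bases:
        if not any(b == s or b.endswith("," + s) for s in suffixes):
            return (False, f"client BASE {b!r} is under none of {suffixes}")
    return (True, "ok")


if __name__ == "__main__":
    for conn, op, kind in diagnose(pair_searches(SAMPLE_LOG)):
        print(f"conn={conn} op={op}: {kind}")
    print(base_matches_suffix(CLIENT_CONF, SLAPD_CONF_TYPO))
    print(base_matches_suffix(CLIENT_CONF_NO_BASE, SLAPD_CONF_OK))
```

Feed it the real `stats`-level log and the two real config files. An `empty-base` finding for a remote connection means that client sent no base DN, which is what happens when ldapsearch is run without `-b` on a host whose own ldap.conf has no BASE line; passing `-b "dc=mydomain,dc=tld"` (or adding BASE to that host's ldap.conf) makes the remote request identical to the local one. An `unknown-base` finding points at a DN that no `suffix` serves, which is what a dc=tdl/dc=tld slip looks like on the wire.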