
Re: ldapsearches from remote host fail



Note that the search base differs between the two searches.

Kurt

At 10:40 PM 12/12/2005, Jay Osborne wrote:
>I am stumped.  I have spent three days trying to figure this one out and I am no further than when I started.
>
>When I do an ldapsearch -x -h "myhost.mydomain.tld" from the host itself, I get a dump of all my ldap data.  When I run the exact same search from a remote host I get err=32 No Such Object.  It doesn't even matter if I authenticate (using -D and -W) with the rootdn and rootpw, the end result is the same.
>
>I have searched for hidden gotchas in the slapd.conf and conf.d directory.  I have enabled (-1) logging.  I have removed all ACLs, although I tried various incarnations including peer access.  The firewall has port 389 tcp open.  This is a Gentoo machine with OpenLDAP compiled as a portage package.  I have PAM authentication working on the localhost and even have a new test user login working.  I just can't figure out why the exact same search, forced to the external IP address, works from one machine but not another.  It's a mystery to me.
>
>my /etc/openldap/ldap.conf
>
>BASE         dc=mydomain, dc=tld
>URI          ldap://myhost.mydomain.tld
>
>
>
>my /etc/openldap/slapd.conf
>
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/authldap.schema
>include         /etc/openldap/schema/dyngroup.schema
>include         /etc/openldap/schema/samba.schema
>include         /etc/openldap/schema/java.schema
>password-hash {md5}
>pidfile         /var/run/openldap/slapd.pid
>argsfile        /var/run/openldap/slapd.args
>loglevel 65535
>database        ldbm
>directory       /var/lib/openldap-ldbm
>index           objectClass     eq
>suffix          "dc=mydomain,dc=tdl"
>rootdn          "cn=Manager,dc=mydomain,dc=tld"
>rootpw {MD5}[MYPASSWORD]
>
>This is the log of a connection:
>Dec 12 15:49:12 www slapd[23298]: daemon: new connection on 11
>Dec 12 15:49:12 www slapd[23298]: conn=99 fd=11 ACCEPT from IP=xxx.xxx.xxx.xxx:33416 (IP=0.0.0.0:389)
>Dec 12 15:49:12 www slapd[23298]: daemon: added 11r
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
>Dec 12 15:49:12 www slapd[23298]:  
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
>Dec 12 15:49:12 www slapd[23298]:  11r
>Dec 12 15:49:12 www slapd[23298]:  
>Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
>Dec 12 15:49:12 www slapd[23298]: connection_get(11)
>Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
>Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
>Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23346]: do_bind
>Dec 12 15:49:12 www slapd[23346]: >>> dnPrettyNormal: <>
>Dec 12 15:49:12 www slapd[23346]: <<< dnPrettyNormal: <>, <>
>Dec 12 15:49:12 www slapd[23346]: do_bind: version=3 dn="" method=128
>Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 BIND dn="" method=128
>Dec 12 15:49:12 www slapd[23346]: send_ldap_result: conn=99 op=0 p=3
>Dec 12 15:49:12 www slapd[23346]: send_ldap_result: err=0 matched="" text=""
>Dec 12 15:49:12 www slapd[23346]: send_ldap_response: msgid=1 tag=97 err=0
>Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 RESULT tag=97 err=0 text=
>Dec 12 15:49:12 www slapd[23346]: do_bind: v3 anonymous bind
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
>Dec 12 15:49:12 www slapd[23298]:  11r
>Dec 12 15:49:12 www slapd[23298]:  
>Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
>Dec 12 15:49:12 www slapd[23298]: connection_get(11)
>Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
>Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
>Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23300]: do_search
>Dec 12 15:49:12 www slapd[23300]: >>> dnPrettyNormal: <>
>Dec 12 15:49:12 www slapd[23300]: <<< dnPrettyNormal: <>, <>
>Dec 12 15:49:12 www slapd[23300]: SRCH "" 2 0
>Dec 12 15:49:12 www slapd[23300]:     0 0 0
>Dec 12 15:49:12 www slapd[23300]: begin get_filter
>Dec 12 15:49:12 www slapd[23300]: PRESENT
>Dec 12 15:49:12 www slapd[23300]: end get_filter 0
>Dec 12 15:49:12 www slapd[23300]:     filter: (objectClass=*)
>Dec 12 15:49:12 www slapd[23300]:     attrs:
>Dec 12 15:49:12 www slapd[23300]:  
>Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
>Dec 12 15:49:12 www slapd[23300]: send_ldap_result: conn=99 op=1 p=3
>Dec 12 15:49:12 www slapd[23300]: send_ldap_result: err=10 matched="" text=""
>Dec 12 15:49:12 www slapd[23300]: send_ldap_response: msgid=2 tag=101 err=32
>Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
>Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
>Dec 12 15:49:12 www slapd[23298]:  11r
>Dec 12 15:49:12 www slapd[23298]:  
>Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
>Dec 12 15:49:12 www slapd[23298]: connection_get(11)
>Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
>Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for input on id=99
>Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=0 (Success)
>Dec 12 15:49:12 www slapd[23298]: connection_read(11): input error=-2 id=99, closing.
>Dec 12 15:49:12 www slapd[23298]: connection_closing: readying conn=99 sd=11 for close
>Dec 12 15:49:12 www slapd[23298]: connection_close: deferring conn=99 sd=11
>Dec 12 15:49:12 www slapd[23346]: do_unbind
>Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 active_threads=0 tvp=NULL
>Dec 12 15:49:12 www slapd[23346]: conn=99 op=2 UNBIND
>
>
>When I try the exact same search from the localhost I get these types of log entries:
>
>Dec 12 15:52:52 www slapd[23346]: => access_allowed: read access to "uid=newuser,ou=People,dc=mydomain,dc=tld" "entry" requested
>Dec 12 15:52:52 www slapd[23346]: => access_allowed: backend default read access granted to "(anonymous)"
>
>I have searched Google, the mailing lists, Gentoo Forums, read "The ABCs of LDAP" and checked all the man pages.  Does anybody have any clue what I am doing wrong?
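A diagnostic for the mismatch Kurt points at, as an added example that is not part of the original thread: it pairs each SRCH line in a slapd debug log with its SEARCH RESULT by conn/op and flags searches whose base is not under the configured suffix, which is exactly what the remote search above shows (base="", the base ldapsearch sends when neither -b nor a BASE line in the client's ldap.conf supplies one). The sample log lines are constructed from the thread's log and the suffix string is assumed.

```python
import re

# Constructed sample lines modelled on the thread's log: the remote search with
# an empty base, plus a local search with a proper base for contrast.
SAMPLE_LOG = """\
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Dec 12 15:52:52 www slapd[23346]: conn=100 op=1 SRCH base="dc=mydomain, dc=tld" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:52:52 www slapd[23346]: conn=100 op=1 SEARCH RESULT tag=101 err=0 nentries=7 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

def normalize_dn(dn):
    """Rough DN normalisation for comparison: lowercase, no blanks around commas."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def base_in_suffix(base, suffix):
    """True when the search base is the suffix itself or an entry beneath it."""
    b, s = normalize_dn(base), normalize_dn(suffix)
    return b == s or b.endswith("," + s)

def audit_searches(log_text, suffix):
    """Pair each SRCH with its SEARCH RESULT (by conn/op) and flag bases that
    lie outside the database suffix; returns one dict per search."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope = m.groups()
            searches[(conn, op)] = {
                "conn": int(conn), "op": int(op), "base": base, "scope": int(scope),
                "err": None, "nentries": None,
                "outside_suffix": not base_in_suffix(base, suffix),
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            rec = searches.get((conn, op))
            if rec is not None:  # result for a search we saw; otherwise ignore
                rec["err"], rec["nentries"] = int(err), int(nentries)
    return list(searches.values())

if __name__ == "__main__":
    for r in audit_searches(SAMPLE_LOG, "dc=mydomain,dc=tld"):  # assumed suffix
        flag = "OUTSIDE SUFFIX" if r["outside_suffix"] else "ok"
        print(f'conn={r["conn"]} op={r["op"]} base="{r["base"]}" err={r["err"]} {flag}')
```

Run it against a real slapd log captured at the loglevel shown in the thread; any search flagged OUTSIDE SUFFIX with err=32 is a client-side base problem, not an ACL or firewall one.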