Useless ldapwhoami behavior?
- To: openldap-technical@openldap.org
- Subject: Useless ldapwhoami behavior?
- From: Jaap Winius <jwinius@umrk.nl>
- Date: Mon, 14 Dec 2009 02:04:23 +0100
- Content-disposition: inline
- User-agent: Internet Messaging Program (IMP) H3 (4.1.5)
Hi all,
The utility of the "ldapwhoami" tool is a mystery to me. As opposed to
the usual Unix "whoami" command, which prints the effective userid,
"ldapwhoami" doesn't seem to print the matching LDAP DN... at least
not for me.
My test setup includes an OpenLDAP server and a separate client. The
server's slapd.conf includes these ACLs:
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=umrk,dc=nl" write
        by * read
My LDAP DIT includes an account for a normal user with a password.
Without any problem I can use this to login to the client host, but
when I want to test, or verify, the account's LDAP DN, all I get is
this:
~$ ldapwhoami -x
anonymous
~$ _
Even stranger, if I supply the account's DN and password (although
this would seem a useless thing to do, since it's the very same info
I'm asking for), I get this error:
~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass
ldap_bind: Invalid credentials (49)
~$ _
On the other hand, this does work if I supply the admin DN and password:
~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass
dn:cn=admin,dc=umrk,dc=nl
~$ _
The "ldapsearch" command is the same: I can get a response when
binding anonymously ("-x"), as well as when binding as the admin user,
but not when I use a normal user account, which results in the same
error 49 as above.
This behavior seems rather useless to me. Surely I've made a mistake
somewhere. Can anyone say what it might be?
Thanks,
Jaap
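The following is an added example, not part of the original post and not OpenLDAP's own code: a small Python model of how slapd evaluates the ACL block quoted above (first matching "access to" target wins, then the first matching "by" clause within it, with an implicit "by * none" at the end). It parses a constructed copy of the post's ACLs and reports what each requester may do; the DNs `cn=testuser,dc=umrk,dc=nl` and `cn=admin,dc=umrk,dc=nl` are the ones from the post. Only the subset of target and `<who>` syntax that the post uses is implemented, and the model knows nothing about whether a DN exists or a password is correct.

```python
import shlex

# Constructed copy of the ACL block quoted in the post (same directives, indented).
SLAPD_ACLS = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=umrk,dc=nl" write
        by * read
"""

# slapd access levels, weakest to strongest; a higher level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into rules, in file order."""
    rules = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the dn="..." quoting
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            rules.append({"what": tokens[2], "by": []})
        elif tokens[0] == "by" and rules:
            rules[-1]["by"].append((tokens[1], tokens[2]))
        else:
            raise ValueError("unrecognised ACL line: " + raw)
    return rules


def target_matches(what, entry_dn, attr):
    """Does an 'access to' target cover this entry/attribute? (subset of slapd syntax)"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in names
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError("unsupported target: " + what)


def who_matches(who, requester_dn, entry_dn):
    """Does a 'by <who>' clause match the requester? requester_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and requester_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who>: " + who)


def access_level(rules, requester_dn, entry_dn, attr=None):
    """First matching target wins; within it the first matching 'by' wins; otherwise none."""
    for rule in rules:
        if target_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"                  # implicit trailing 'by * none'
    return "none"


def allowed(rules, requester_dn, entry_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(rules, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)


def demo():
    rules = parse_acls(SLAPD_ACLS)
    user = "cn=testuser,dc=umrk,dc=nl"     # DN used in the post
    admin = "cn=admin,dc=umrk,dc=nl"
    return {
        # a simple bind needs 'auth' on the target's userPassword, requested anonymously
        "anon_can_bind_as_user": allowed(rules, None, user, "userPassword", "auth"),
        "anon_can_read_user_password": allowed(rules, None, user, "userPassword", "read"),
        "user_can_change_own_password": allowed(rules, user, user, "userPassword", "write"),
        "user_can_write_admin_password": allowed(rules, user, admin, "userPassword", "write"),
        "anon_can_read_rootdse": allowed(rules, None, "", "namingContexts", "read"),
        "anon_can_read_user_cn": allowed(rules, None, user, "cn", "read"),
        "admin_can_write_user_cn": allowed(rules, admin, user, "cn", "write"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In this model the `by anonymous auth` clause grants exactly the level a simple bind needs on `userPassword`, and nothing more (an anonymous read of the password attribute is refused). So as far as these ACLs go, a bind as `cn=testuser,dc=umrk,dc=nl` is permitted; the model has no opinion on whether that DN exists in the DIT or whether the supplied password matches, which is what error 49 is about and what the model cannot reproduce.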