Re: Using Replication Slave For Authentication

[Sergiy Stepanenko <ses863@mail.usask.ca>]

I guess your backend is bdb or hdb.
Run

ldapsearch -LL -H <your_ldap_host> -x -D <rootdn> -w <rootpw> -b 
"cn=config" * +

and see what it produces. But before you do that open slapd.conf if you 
use flat file configuration and check what exactly configured for rootdn 
and rootpw because if "backend default search access denied to 
"cn=admin,dc=domain,dc=com" then you have a problem in config.

It is much easier to talk if I know what is configured actually, because 
snippets of log and config file dont tell whole story.

Cheers


> Putting loglevel to -1 (everything) and logging in with ApacheDS as cn=admin,dc=domain,dc=com (which is supposed to supersede any ACL rules and have read/write to everything I believe) I find a whole lot of "access granted" lines and then towards the end":
>
> =>  access_allowed: search access to "cn=config" "entry" requested
> =>  slap_access_allowed: backend default search access denied to "cn=admin,dc=domain,dc=com"
> =>  access_allowed: no more rules
> send_ldap_result: conn=0 op=8 p=3
> send_ldap_result: err=32 matched="" text=""
>
> Error 32 means object doesn't exist (I think).  Which would be true, our LDAP tree has no cn=config.  We get the same error on the primary server, so I suppose it is ApacheDS trying to look for what would be in the Apache LDAP implementation.  But that's the only error I can find, everything else is miles and miles of "search access granted".
>
> I tried to get it to list DN="dc=domain,dc=com" by hand from ApacheDS, and it would not return anything (it says "No base DN returned from server.") although in the logs it shows:
>
> conn=6 op=3 SRCH base="dc=domain,dc=com" scope=0 deref=3 filter="(objectClass=*)"
> conn=6 op=3 SRCH attr=hasSubordinates objectClass
> =>  hdb_search
> bdb_dn2entry("dc=domain,dc=com")
> =>  access_allowed: search access to "dc=domain,dc=com" "entry" requested
> <= root access granted
> access_allowed: search access granted by manage(=mwrscxd)
> base_candidates: base: "dc=domains,dc=com" (0x00000001)
> send_ldap_result: conn=6 op=3 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=4 tag=101 err=0
>
> But when I run the ldapsearch command (as any user) from other computers on the network it returns the DN's information... So I am thoroughly confused...  I am pretty sure it is not logging in as anonymous, but I have no idea why only the ldapsearch command is the only thing that can authenticate and retrieve information.  It is the same version of openldap as the primary server, it has the same exact config, it has all the same schema loaded, it has the exact full ldap tree.  I'm going to explode!@$#@
>
> -a


--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone:    (306) 966-2762
email:sergiy.stepanenko@usask.ca