
Re: after restart slapd server I cannot search single record in ldap servers



> Hello,
>
> I set up a slapd with the slapd-meta backend. I have two Active Directory
> servers which don't share any portion of the naming context. I would like
> to get one virtual domain. I configured it and it works fine until I
> restart the slapd server. When I restart the slapd server I am unable to
> search for a single record in my ldap servers.
>
> When I search for one single record (samAccountName=testdom1) I get
> 0 results.
>
> root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D
> 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=testdom1)'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=dom,dc=com> with scope subtree
> # filter: (samAccountName=testdom1)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> root@slapd:~#
>
> In the log (full debug) I have:
>
> Jul 27 16:12:17 dom slapd[12096]: daemon: read active on 9
> Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=7
> active_threads=0 tvp=NULL
> Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=8
> active_threads=0 tvp=NULL
> Jul 27 16:12:17 dom slapd[12096]: connection_get(9)
> Jul 27 16:12:17 dom slapd[12096]: connection_get(9): got connid=1000
> Jul 27 16:12:17 dom slapd[12096]: connection_read(9): checking for
> input on id=1000
> Jul 27 16:12:17 dom slapd[12096]: op tag 0x42, time 1311775937
> Jul 27 16:12:17 dom slapd[12096]: ber_get_next on fd 9 failed errno=0
> (Success)
> Jul 27 16:12:17 dom slapd[12096]: connection_read(9): input error=-2
> id=1000, closing.
> Jul 27 16:12:17 dom slapd[12096]: connection_closing: readying
> conn=1000 sd=9 for close
> Jul 27 16:12:17 dom slapd[12096]: connection_close: deferring conn=1000
> sd=9
> Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=2 do_unbind
> Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=2 UNBIND
> Jul 27 16:12:17 dom slapd[12096]: connection_resched: attempting
> closing conn=1000 sd=9
> Jul 27 16:12:17 dom slapd[12096]: connection_close: deferring conn=1000
> sd=9
> Jul 27 16:12:17 dom slapd[12096]: daemon: activity on 1 descriptor
> Jul 27 16:12:17 dom slapd[12096]: daemon: activity on:
> Jul 27 16:12:17 dom slapd[12096]:
> Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=7
> active_threads=0 tvp=NULL
> Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=8
> active_threads=0 tvp=NULL
> Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=1 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Jul 27 16:12:17 dom slapd[12096]: connection_resched: attempting
> closing conn=1000 sd=9
> Jul 27 16:12:17 dom slapd[12096]: connection_close: conn=1000 sd=9
> Jul 27 16:12:17 dom slapd[12096]: =>meta_back_conn_destroy: fetching
> conn=1000 DN="cn=manager,dc=dom,dc=com"
> Jul 27 16:12:17 dom slapd[12096]: daemon: removing 9
> Jul 27 16:12:17 dom slapd[12096]: conn=1000 fd=9 closed
>
> Then, when I search for the full list of records (samAccountName=*), I get
> the full list of records from the two ldap servers.
>
> root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D
> 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=*)'
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 39
> # numEntries: 38
> root@slapd:~#
>
> And this is the trick. From now on, when I again search for one single
> record I get the correct result - until I restart the slapd server again. I
> don't know what can be wrong. Any ideas?

You need to define samAccountName in the schema of the proxy, with an
appropriate EQUALITY matching rule, otherwise the proxy does not know that
it can be used in an equality filter, and your filter gets screwed.  You
can check this by using "trace" logging on the proxy (slapd -d
stats,trace).

p.

> root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D
> 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=testdom1)'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=dom,dc=com> with scope subtree
> # filter: (samAccountName=testdom1)
> # requesting: ALL
> #
>
> # testdom1, dom.com
> dn: cn=testdom1,dc=dom,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: USER
> cn: testdom1
> givenName: testdom1
> distinguishedName: cn=testdom1,dc=dom,dc=com
> INSTANCETYPE: 4
> WHENCREATED: 20110726100434.0Z
> WHENCHANGED: 20110726160313.0Z
> DISPLAYNAME: testdom1
> USNCREATED: 24630
> USNCHANGED: 24756
> name: testdom1
> OBJECTGUID:: +ERwSjOp5Uex1n86v5CurA==
> USERACCOUNTCONTROL: 66048
> BADPWDCOUNT: 0
> CODEPAGE: 0
> COUNTRYCODE: 0
> BADPASSWORDTIME: 129561692315625000
> LASTLOGOFF: 0
> LASTLOGON: 129561692402968750
> PWDLASTSET: 129561697935781250
> PRIMARYGROUPID: 513
> OBJECTSID:: AQUAAAAAAAUVAAAAMkafw9OC5FYbZ2/5UwQAAA==
> ACCOUNTEXPIRES: 9223372036854775807
> LOGONCOUNT: 0
> SAMACCOUNTNAME: testdom1
> SAMACCOUNTTYPE: 805306368
> USERPRINCIPALNAME: testdom1@dom1.com
> OBJECTCATEGORY: CN=Person,CN=Schema,CN=Configuration,DC=dom1,DC=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> root@slapd:~#
>
> The log:
>
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "BADPWDCOUNT" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (CODEPAGE)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "CODEPAGE" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (COUNTRYCODE)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "COUNTRYCODE" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (BADPASSWORDTIME)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "BADPASSWORDTIME" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (LASTLOGOFF)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "LASTLOGOFF" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (LASTLOGON)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "LASTLOGON" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (PWDLASTSET)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "PWDLASTSET" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (PRIMARYGROUPID)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "PRIMARYGROUPID" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (OBJECTSID)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "OBJECTSID" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (ACCOUNTEXPIRES)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "ACCOUNTEXPIRES" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (LOGONCOUNT)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "LOGONCOUNT" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (SAMACCOUNTNAME)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "SAMACCOUNTNAME" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (SAMACCOUNTTYPE)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "SAMACCOUNTTYPE" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (USERPRINCIPALNAME)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "USERPRINCIPALNAME" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in
> cache (OBJECTCATEGORY)
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to
> "cn=testdom1,dc=dom,dc=com" "OBJECTCATEGORY" requested
> Jul 27 16:19:22 dom slapd[12096]: <= root access granted
> Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access
> granted by manage(=mwrscxd)
> Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=1 ENTRY
> dn="cn=testdom1,dc=dom,dc=com"
> Jul 27 16:19:22 dom slapd[12096]: <= send_search_entry: conn 1003 exit.
> Jul 27 16:19:22 dom slapd[12096]: send_ldap_result: conn=1003 op=1 p=3
> Jul 27 16:19:22 dom slapd[12096]: send_ldap_result: err=0 matched=""
> text=""
> Jul 27 16:19:22 dom slapd[12096]: send_ldap_response: msgid=2 tag=101
> err=0
> Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 27 16:19:22 dom slapd[12096]: daemon: activity on 1 descriptor
> Jul 27 16:19:22 dom slapd[12096]: daemon: activity on:
> Jul 27 16:19:22 dom slapd[12096]:  9r
> Jul 27 16:19:22 dom slapd[12096]:
> Jul 27 16:19:22 dom slapd[12096]: daemon: read active on 9
> Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=7
> active_threads=0 tvp=NULL
> Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=8
> active_threads=0 tvp=NULL
> Jul 27 16:19:22 dom slapd[12096]: connection_get(9)
> Jul 27 16:19:22 dom slapd[12096]: connection_get(9): got connid=1003
> Jul 27 16:19:22 dom slapd[12096]: connection_read(9): checking for
> input on id=1003
> Jul 27 16:19:22 dom slapd[12096]: op tag 0x42, time 1311776362
> Jul 27 16:19:22 dom slapd[12096]: ber_get_next on fd 9 failed errno=0
> (Success)
> Jul 27 16:19:22 dom slapd[12096]: connection_read(9): input error=-2
> id=1003, closing.
> Jul 27 16:19:22 dom slapd[12096]: connection_closing: readying
> conn=1003 sd=9 for close
> Jul 27 16:19:22 dom slapd[12096]: connection_close: deferring conn=1003
> sd=9
> Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=2 do_unbind
> Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=2 UNBIND
> Jul 27 16:19:22 dom slapd[12096]: connection_resched: attempting
> closing conn=1003 sd=9
> Jul 27 16:19:22 dom slapd[12096]: connection_close: deferring conn=1003
> sd=9
> Jul 27 16:19:22 dom slapd[12096]: daemon: activity on 1 descriptor
> Jul 27 16:19:22 dom slapd[12096]: daemon: activity on:
> Jul 27 16:19:22 dom slapd[12096]:
> Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=7
> active_threads=0 tvp=NULL
> Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=8
> active_threads=0 tvp=NULL
> Jul 27 16:19:22 dom slapd[12096]: connection_resched: attempting
> closing conn=1003 sd=9
> Jul 27 16:19:22 dom slapd[12096]: connection_close: conn=1003 sd=9
> Jul 27 16:19:22 dom slapd[12096]: =>meta_back_conn_destroy: fetching
> conn=1003 DN="cn=manager,dc=dom,dc=com"
> Jul 27 16:19:22 dom slapd[12096]: daemon: removing 9
> Jul 27 16:19:22 dom slapd[12096]: conn=1003 fd=9 closed
>
> My OpenLDAP version:
>
> root@slapd:~# slapd -V
> @(#) $OpenLDAP: slapd 2.4.23 (Jul 26 2011 14:53:23) $
>         root@slapd:/root/openldap-2.4.23/servers/slapd
>
> My slapd.conf:
>
> root@slapd:~# cat /usr/local/etc/openldap/slapd.conf
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> pidfile         /usr/local/var/run/slapd.pid
> argsfile        /usr/local/var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath    /usr/local/libexec/openldap
> # moduleload    back_bdb.la
> # moduleload    back_hdb.la
> # moduleload    back_ldap.la
>
> loglevel 0xFFFF
>
> access to * by * read
>
> #######################################################################
> # database definitions
> #######################################################################
>
> database        meta
> suffix          "dc=dom,dc=com"
> rootdn          "cn=Manager,dc=dom,dc=com"
> rootpw          secret
> chase-referrals no
> #nretries       forever
> nretries        3
> # 1 sec timeout for binds
> bind-timeout    1000000
> #norefs         true
> dncache-ttl     DISABLED
> conn-ttl        90
> idle-timeout    1m30s
> onerr           CONTINUE
>
> # ldap1
> uri             "ldap://dc1.dom1.com:389/dc=dom,dc=com";
> suffixmassage   "dc=dom,dc=com" "cn=Users,dc=dom1,dc=com"
> idassert-bind   bindmethod=simple
>                 binddn="cn=LDAPconnector,cn=Users,dc=dom1,dc=com"
>                 credentials="pass"
>                 mode=none
>                 flags=non-prescriptive
>
> # ldap2
> uri             "ldap://dc2.dom2.com:389/dc=dom,dc=com";
> suffixmassage   "dc=dom,dc=com" "cn=Users,dc=dom2,dc=com"
> idassert-bind   bindmethod=simple
>                 binddn="cn=LDAPconnector2,cn=Users,dc=dom2,dc=com"
>                 credentials="pass"
>                 mode=none
>                 flags=non-prescriptive
>
> root@slapd:~#
>
> Kind regards,
> Marcin
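The schema definition the reply asks for, as an added example for slapd.conf (this is not configuration from the original thread). It goes in the global section, after the existing `include` lines and before the `database meta` stanza. The OIDs are the Active Directory attributeIDs for sAMAccountName and userPrincipalName; the name of the DESC text is an assumption. userPrincipalName is included beyond the page's specific case because it appears in the returned entry and is typically filtered on the same way.

```conf
# Added example, not from the original post: proxy-side schema so that
# slapd-meta knows these AD attributes and their matching rules.
# Without an EQUALITY rule slapd treats (sAMAccountName=x) as an
# undefined filter and forwards nothing useful to the AD servers.

# OID 1.2.840.113556.1.4.221 = AD attributeID for sAMAccountName
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'Active Directory logon name (proxy definition, added example)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# OID 1.2.840.113556.1.4.656 = AD attributeID for userPrincipalName
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'Active Directory UPN (proxy definition, added example)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
```

After restarting slapd with these definitions in place, the proxy advertises the attribute in its own subschema, which can be checked without touching the AD servers: `ldapsearch -x -H ldap://172.30.14.190 -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes | grep -i samaccountname` should show the definition with its EQUALITY rule. Running the proxy with `slapd -d stats,trace`, as the reply suggests, then shows the equality filter being passed to the back-end servers instead of being dropped.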