Re: Samba auth on replicated LDAP: no admin user
On 07-12-15 at 01:09, Quanah Gibson-Mount wrote:
> --On Sunday, December 06, 2015 10:43 PM +0100 Paul van der Vlis
> <paul@vandervlis.nl> wrote:
>
>> On 06-12-15 at 22:27, Quanah Gibson-Mount wrote:
>>> --On Sunday, December 06, 2015 10:13 PM +0100 Paul van der Vlis
>>> <paul@vandervlis.nl> wrote:
>>>
>>>> ldapsearch -x -b "cn=admin,dc=domain,dc=nl" -H ldapi:///
>>>
>>> The above is an anonymous search. Do your acls actually allow results to
>>> be returned with anonymous searches?
>>
>> Yes. Something like this gives "0 Success" on the replicated server:
>> ldapsearch -x -b "cn=paul,ou=users,dc=domain,dc=nl" -H ldapi:///
>
> Not sure what your point is. Do you mean it actually returns that user
> entry *as well* as returning success?
Correct.
> There are very few instances
> where it will /not/ return success.
On the replica it says: "no such object". And that's the problem I
want to fix.
> Do not confuse a success result
> with meaning that your ACLs are correct.
As far as I know the ACLs are correct. This system has worked for many years
with many Linux clients; now they also want Windows. At the location of the
master, they have already had a few Windows PCs for some years, and the
authentication works fine.
>> And the ldapsearch with cn=admin works fine on the master.
>
> Again, as I noted before, this could be a rootdn that doesn't actually
> exist in the data backed database.
>
> Again, you should slapcat both the master and replica and confirm their
> contents match.
I expect they don't match ;-)
> You may also wish to see if your admin user actually exists in the data
> db on the master, or if it is a rootdn that only exists in the
> configuration.
It will be only in cn=config.
This is the way I create an LDAP admin:
-----
cat <<EOF >slapd-database.ldif
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
-----
See more here: https://wiki.debian.org/nfs4-kerberos-ldap
I am the author of the article.
With regards,
Paul van der Vlis.
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
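Quanah's two suggestions above, to slapcat both servers and compare their contents, and to check whether the admin DN exists as an entry in the data database at all, as an added shell example. This is not code from the thread, from the Debian wiki article, or from OpenLDAP itself: the two LDIF dumps are constructed inline so the script runs offline (only the suffix, ou=users, cn=paul and cn=admin DNs come from the thread; the sambaDomain entry is made up), and the function names are this example's own. In practice the inputs come from `slapcat -n 1` on each server and `slapcat -n 0 | grep -i olcRootDN` for the configured rootdn.

```shell
#!/bin/sh
# Added example, not from the thread: diff the DN sets of a master and a
# replica as dumped by slapcat, and check whether a DN (here the rootdn from
# cn=config) exists as a real entry in the data database.
#
# Real inputs would be:
#   slapcat -n 1 > master.ldif           # on the master
#   slapcat -n 1 > replica.ldif          # on the replica
#   slapcat -n 0 | grep -i olcRootDN     # the configured rootdn
# Both dumps below are constructed so that this runs offline.

export LC_ALL=C            # consistent sort order for comm
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat >"$work/master.ldif" <<'EOF'
dn: dc=domain,dc=nl
objectClass: dcObject
objectClass: organization
dc: domain
o: Domain

dn: ou=users,dc=domain,dc=nl
objectClass: organizationalUnit
ou: users

dn: cn=paul,ou=users,dc=domain,dc=nl
objectClass: inetOrgPerson
cn: paul
sn: van der Vlis

dn: sambaDomainName=DOMAIN,dc=domain,dc=nl
objectClass: sambaDomain
sambaDomainName: DOMAIN
EOF

# Constructed replica dump: identical except that the sambaDomain entry
# never arrived here.
cat >"$work/replica.ldif" <<'EOF'
dn: dc=domain,dc=nl
objectClass: dcObject
objectClass: organization
dc: domain
o: Domain

dn: ou=users,dc=domain,dc=nl
objectClass: organizationalUnit
ou: users

dn: cn=paul,ou=users,dc=domain,dc=nl
objectClass: inetOrgPerson
cn: paul
sn: van der Vlis
EOF

# List every entry DN in an LDIF dump, one per line, sorted and unique.
# slapcat emits "dn: <dn>" (or "dn:: <base64>") as one line per entry; the
# base64 form is kept undecoded, which is enough for set comparison.
ldif_dns() {
    grep -i '^dn:\{1,2\} ' "$1" | sed 's/^[Dd][Nn]:\{1,2\} //' | sort -u
}

# Print the DNs present in the first dump but absent from the second.
dns_missing_from() {
    ldif_dns "$1" >"$work/dns_a"
    ldif_dns "$2" >"$work/dns_b"
    comm -23 "$work/dns_a" "$work/dns_b"
}

# Answer "yes" or "no": does DN $1 exist as a real entry in dump $2?
# A rootdn that is only set via olcRootDN/olcRootPW in cn=config is not an
# entry in the data database, so it answers "no" on every server, and an
# anonymous search with that DN as base gets "no such object".
entry_exists() {
    if ldif_dns "$2" | grep -qix -- "$1"; then echo yes; else echo no; fi
}

printf 'Entries on the master that are missing from the replica:\n'
dns_missing_from "$work/master.ldif" "$work/replica.ldif"
printf 'cn=admin,dc=domain,dc=nl is an entry in the master data db: %s\n' \
    "$(entry_exists 'cn=admin,dc=domain,dc=nl' "$work/master.ldif")"
```

The DN diff only tells you which entries are absent; for entries present on both sides but with different attributes, diff the full dumps (after sorting attributes within each entry, since slapcat order is not guaranteed to be identical across backends).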