On Tue, Feb 15, 2011 at 5:08 PM, Leonardo Carneiro <[email protected]> wrote:

> On Tue, Feb 15, 2011 at 4:40 PM, Andrew Findlay <[email protected]> wrote:
>
>> On Tue, Feb 15, 2011 at 04:04:57PM -0200, Leonardo Carneiro wrote:
>>
>> > Hmm, still did not work.
>> >
>> > If I do a ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br" and the
>> > password, the search goes ok. If I do not specify, it asks me for a sasl/md5
>> > authentication and fails, and just asks for a password. If I include a '-x'
>> > parameter, it also does not work:
>> >
>> > chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' -LLL -x
>> > ldap_initialize( ldap://192.168.0.2 )
>> > filter: (objectclass=*)
>> > requesting: All userApplication attributes
>> > No such object (32)
>>
>> You always need the -x flag. (You can only leave it out if
>> you supply SASL credentials, and that is a complexity we do
>> not need right now).
>>
>
> Things are just complicated the way they are. If this will bring an extra
> layer of complexity I WILL NOT use it right now. :)
>
>> It seems that anon users still cannot see the suffix entry
>> at all.
>>
>> Try adding this line just under your 'lastmod off' line:
>>
>> access to * by * read
>>
>> Make sure that you restart the slapd process after doing
>> this. Then try the search:
>>
>> ldapsearch -x -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)'
>>
>> If you still get nothing, set SLAPD_OPTIONS="-d 128" in
>> /etc/default/slapd and restart the server. It should not go
>> into the background, and should produce some output on the
>> screen. DO NOT REBOOT with this setting in place.
>> Now retry just the search above, and post the debug output
>> along with the new state of the slapd config file.
>> Remove the "-d 128" again.
>>
>
> Putting the "-d 128" made the script that starts the server not go into
> the background, but it did not throw any output, so I called the server "by
> hand" with the following command:
>
> fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
> @(#) $OpenLDAP: slapd 2.4.23 (Nov 22 2010 23:39:34) $
>
> @biber:/build/buildd-openldap_2.4.23-7-i386-mi96UQ/openldap-2.4.23/debian/build/servers/slapd
> => access_allowed: search access to "cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn=module{0},cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn={2}nis,cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn={3}inetorgperson,cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "cn={4}samba,cn=schema,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to *
>     by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
>     by * +0 break
>
> Backend ACL: access to dn.base=""
>     by * read
>
> Backend ACL: access to dn.base="cn=subschema"
>     by * read
>
> => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to *
>     by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
>     by * +0 break
>
> /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
> Backend ACL: access to *
>     by * none
>
> /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
> => access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
>
> Are these changes that we are making to slapd.conf really being
> processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and never
> the "-f /etc/ldap/slapd.conf".
>

I uninstalled the recommended upgrade from the first link (the one that told to upgrade from libnss-ldap and libpam-ldap to libnss-ldapd and libpam-ldapd). Now I can do 'su - [login]' and have normal access to files again.
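
One way to check from `-d 128` output whether the suggested `access to * by * read` rule is among the ACLs the running slapd loaded, as an added example that is not part of the original thread. The function names are hypothetical, and the sample is the "Backend ACL" portion of the dump quoted above, re-wrapped one clause per line.

```python
# Constructed sample: the "Backend ACL" blocks from the slapd -d 128 output
# quoted in the message, re-wrapped so each "by" clause sits on its own line.
SAMPLE = '''\
Backend ACL: access to *
    by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * +0 break

Backend ACL: access to dn.base=""
    by * read

Backend ACL: access to dn.base="cn=subschema"
    by * read

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to *
    by * none
'''

PREFIX = "Backend ACL: access to "


def parse_acls(debug_text):
    """Return [(what, [(who, access), ...]), ...] in the order slapd printed them."""
    acls = []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith(PREFIX):
            acls.append((line[len(PREFIX):], []))
        elif line.startswith("by ") and acls:
            parts = line.split()          # by <who> <access> [<control>]
            if len(parts) >= 3:
                acls[-1][1].append((parts[1], parts[2]))
    return acls


def access_for(acls, what, who):
    """Access levels that every loaded 'access to <what>' rule gives to <who>."""
    return [acc for w, clauses in acls if w == what
            for wh, acc in clauses if wh == who]


def rule_loaded(acls, what, who, access):
    """True if some loaded rule 'access to <what>' contains 'by <who> <access>'."""
    return access in access_for(acls, what, who)


if __name__ == "__main__":
    acls = parse_acls(SAMPLE)
    print("access to * for everyone:", access_for(acls, "*", "*"))
    print("'access to * by * read' loaded:", rule_loaded(acls, "*", "*", "read"))
```

On this dump the `access to *` rules give everyone only `+0` and `none`, and no `by * read` clause on `*` appears, so the ACL set slapd printed does not contain the suggested line.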
