On Wed, Feb 16, 2011 at 8:43 AM, Andrew Findlay <[email protected]> wrote:
> On Tue, Feb 15, 2011 at 05:08:43PM -0200, Leonardo Carneiro wrote:
>
> > fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
>
> Aha! Your server is using LDAP-based config so it is ignoring the config
> file entirely.
>
> > Are these changes that we are making to slapd.conf really being
> > processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and never
> > the "-f /etc/ldap/slapd.conf".
>
> I suspect the config file was converted to a config dir during the
> Debian upgrade process, so the file is now being ignored.
>
> I also suspect that there may not be a valid password set on the
> cn=config suffix, so you will not be able to manage the server through
> LDAP either.
>
> One solution is to change the startup process to use the config file (-f
> option) rather than the config dir (-F option). Once you have a file
> that does what you want you have the option of converting it to a
> directory:
>
> Move aside the existing config directory /etc/ldap/slapd.d
> and make a new one with the same ownership and permissions.
>
> Start slapd with both the -f and the -F options.
>
> If you are going to do this, I suggest adding a rootpw for the config
> database first. Append this to your slapd.conf file:
>
> ########################################################################
> database config
>
> rootdn "cn=config"
> rootpw example
> ########################################################################
>
> You will then be able to do normal LDAP operations on the config:
>
> ldapsearch -x -D cn=config -w example -b cn=config '(objectclass=*)'
>
> I think we're really near to success here =D.
The new slapd.d was created successfully and now I can do searches
anonymously. Searches like:
ldapsearch -x -h server -D cn=config -w [passwd] -b cn=config
ldapsearch -x -h server -b "dc=dominio,dc=com,dc=br"
are working OK now. Unfortunately, services are not able to do the search
yet, at least with the configuration that was working before the upgrade.
I notice some of my services do bind as cn=root,dc=dominio,dc=com,dc=br.
Here is an example from the Apache config:
AuthBasicProvider ldap
AuthName "who are you?"
AuthzLDAPAuthoritative OFF
AuthLDAPURL "ldap://192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN OFF
AuthLDAPBindDN "cn=root,dc=dominio,dc=com,dc=br"
AuthLDAPBindPassword "[password]"
Require ldap-group cn=devteam,ou=groups,dc=dominio,dc=com,dc=br
In the Apache log, it just seems that Apache did bind to LDAP, but
the search results were null. It should work OK now, since I can even bind
anonymously, right?
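Andrew's suggestion above appends a cleartext `rootpw` for the config database to slapd.conf and then converts the file into slapd.d. The following is an added example, not code from this thread or from OpenLDAP: it parses that `database config` stanza and emits the equivalent LDIF modify against `olcDatabase={0}config,cn=config`, hashing the cleartext password as `{SSHA}` before it is stored. The sample stanza and the `ssha_*` helpers are constructed for the example; the `olcRootDN`/`olcRootPW` attribute names are the ones slapd's cn=config backend uses.

```python
import base64
import hashlib
import os

# Constructed sample: the stanza suggested for the end of slapd.conf.
SAMPLE_SLAPD_CONF = """\
database config
rootdn "cn=config"
rootpw example
"""

def parse_databases(conf_text):
    """Split slapd.conf into database stanzas (dicts keyed by directive)."""
    stanzas, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip comments and blank lines
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":             # a new stanza starts here
            current = {"database": value}
            stanzas.append(current)
        elif current is not None:
            current[key] = value
    return stanzas

def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode() + salt).digest() == digest

def config_db_to_ldif(conf_text):
    """Build an LDIF modify setting rootdn/rootpw on olcDatabase={0}config."""
    dbs = [d for d in parse_databases(conf_text) if d["database"] == "config"]
    if not dbs:
        raise ValueError("no 'database config' stanza found")
    db = dbs[0]
    pw = db["rootpw"]
    if not pw.startswith("{"):            # hash a cleartext rootpw first
        pw = ssha_hash(pw)
    return "\n".join([
        "dn: olcDatabase={0}config,cn=config", "changetype: modify",
        "replace: olcRootDN", "olcRootDN: " + db.get("rootdn", "cn=config"),
        "-", "replace: olcRootPW", "olcRootPW: " + pw, ""])
```

The resulting LDIF can be applied over `ldapi:///` with `ldapmodify -Y EXTERNAL` once the server is running from the config directory.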