I have now changed the global access control in slapd.conf to read:
##### Global access control
access to filter=(objectClass=OpenLDAProotDSE)
by * read
access to attrs=userPassword
by self write
by * auth
This now allows:
# ldapsearch -x -h localhost -s base -b "" +
to provide the return that was formerly only available from
# ldapsearch -x -h localhost -s base -b "" -D "XXX" -w "YYY" +
but phpldapadmin still makes the same complaint. When I look at the
traffic with tethereal I see that an anonymous bind is being made
successfully by phpldapadmin, but it appears that it might not be
calling for the base scope; it's difficult to tell from the dumps.
Howard Lowndes wrote:
> O Plameras wrote:
>> Howard Lowndes wrote:
>>> I am trying to get the rootDSE to work in openldap but phpldapadmin
>>> is coming back with:
>>>
>>> "Could not determine the root of your LDAP tree.
>>> It appears that the LDAP server has been configured to not reveal
>>> its root. Please specify it in config.php"
>>
>> There are a number of checks to ascertain this. These checks can't be
>> done completely because there is additional info required but you
>> have not supplied it.
>>
>> 1. Show us the output of
>>    # cat /etc/openldap/ldap.conf
>>    on the server where the ldap service is running and also where
>>    phpldapadmin is running.
>
> This is a null file.
>
>> 2. #slapcat is used to check a complete 'ldif' only on localhost. As a
>>    matter of fact, there is no need to start 'slapd' to run 'slapcat',
>>    and it is not affected by the 'access list' in your 'slapd.conf'.
>
> That's what I thought. I think slapcat is just an extension of the db
> tools.
>
>> 3. #ldapsearch is used to check directory address info on any server,
>>    depending on 'ldap.conf' and on the format of the 'ldapsearch'
>>    command. A 'slapd' server is required to be running on the server
>>    being interrogated. Ldapsearch is affected by the 'access list' in
>>    your 'slapd.conf'.
>>
>> 4. Also, show us the output of
>>    # ldapsearch -x -h localhost -s base -b "" +
>
> # ldapsearch -x -h localhost -s base -b "" +
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope base
> # filter: (objectclass=*)
> # requesting: +
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> but
>
> # ldapsearch -x -h localhost -s base -b "" -D "XXX" -w "YYY" +
>
> provides:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope base
> # filter: (objectclass=*)
> # requesting: +
> #
>
> #
> dn:
> structuralObjectClass: OpenLDAProotDSE
> namingContexts: dc=lannet,dc=com,dc=au
> namingContexts: dc=buller,dc=com,dc=au
> namingContexts: dc=lannet,dc=com,dc=au
> namingContexts: dc=buller,dc=com,dc=au
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.826.0.1.334810.2.3
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.12
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedFeatures: 1.3.6.1.1.14
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> subschemaSubentry: cn=Subschema
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> so has my global access control got something to do with it:
>
>>> Here is my slapd.conf:
>>>
>>> ##### Schema
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/cosine.schema
>>> include /etc/openldap/schema/inetorgperson.schema
>>> include /etc/openldap/schema/nis.schema
>>> include /etc/openldap/schema/openldap.schema
>>> include /etc/openldap/schema/redhat/autofs.schema
>>>
>>> ##### Allow LDAP v2
>>> allow bind_v2
>>>
>>> ##### Some files
>>> pidfile /var/run/slapd.pid
>>> argsfile /var/run/slapd.args
>>> rootDSE /var/lib/ldap/rootdse.ldif
>>>
>>> ##### Global access control
>>> access to attrs=userPassword
>>> by self write
>>> by * auth
>>>
>>> ##### Databases
>>>
>>> ##### LANNet
>>> database bdb
>>> suffix "dc=lannet,dc=com,dc=au"
>>> directory /var/lib/ldap
>>> mode 0600
>>> rootdn XXX
>>> rootpw YYY
>>> index objectClass eq,pres
>>> index ou,cn,mail,surname,givenname eq,pres,sub
>>> index uidNumber,gidNumber,loginShell eq,pres
>>> index uid,memberUid eq,pres,sub
>>> index nisMapName,nisMapEntry eq,pres,sub
>>> access to attrs=telephoneNumber, facsimileTelephoneNumber, mobile, street, l, st, postOfficeBox, postalCode, o
>>> by self write
>>> by * read
>>>
>>> ##### Buller
>>> database bdb
>>> suffix "dc=buller,dc=com,dc=au"
>>> directory /var/lib/ldap
>>> mode 0600
>>> rootdn XXX
>>> rootpw YYY
>>> index objectClass eq,pres
>>> index ou,cn,mail,surname,givenname eq,pres,sub
>>> index uidNumber,gidNumber,loginShell eq,pres
>>> index uid,memberUid eq,pres,sub
>>> index nisMapName,nisMapEntry eq,pres,sub
>>> access to attrs=telephoneNumber, facsimileTelephoneNumber, mobile, street, l, st, postOfficeBox, postalCode, o
>>> by self write
>>> by * read
>>>
>>> and here is my rootdse.ldif:
>>>
>>> dn:
>>> namingContexts: dc=lannet,dc=com,dc=au
>>> namingContexts: dc=buller,dc=com,dc=au
>>>
>>> What I am trying to achieve is to get multiple suffix dn into the
>>> directory structure. I can populate the database with slapadd, but
>>> when I run slapcat with the -b "<suffix>" option I see all of the
>>> entries, not just the one for the suffix, but when I run ldapsearch
>>> I don't get much even though slapcat produces output:
>>>
>>> # ldapsearch -x -b "dc=lannet,dc=com,dc=au"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=lannet,dc=com,dc=au> with scope sub
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> Should the rootDSE file have more entries - if so, what?
>>
>> Try this command,
>>
>> # ldapsearch -x -h <ldap-server> -s base -b "" +
>>
>> O Plameras

-- 
Howard.
LANNet Computing Associates - Your Linux people <http://lannetlinux.com>
--
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
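The thread above turns on how slapd walks its `access to ... by ...` directives: the first directive whose `<what>` selects the entry/attribute is used, within it the first matching `<who>` clause decides, and anything not explicitly granted is denied (the OpenLDAP Admin Guide describes this as an implicit `by * none` on every directive and an implicit `access to * by * none` at the end of the list). The following Python is an added example, not code from the thread or from OpenLDAP: a deliberately simplified model of that evaluation, used to compare the original global ACL (only `attrs=userPassword`) with the amended one that adds the `filter=(objectClass=OpenLDAProotDSE) by * read` rule. It ignores database-level ACLs, `dn`/regex/set selectors and `break`/`continue` control, and the user entry and `rootdn` value are constructed placeholders (the thread masks the real rootdn as XXX).

```python
"""Simplified model of slapd access-directive evaluation (added example,
not OpenLDAP's code).  Covers only the selectors used in the quoted
slapd.conf: attrs=, filter=(objectClass=...), and the who values
'*', 'self', 'anonymous', 'users'."""

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def grants(granted, required):
    """A granted level satisfies a request if it is at least the required level."""
    return LEVELS.index(granted) >= LEVELS.index(required)


def what_matches(directive, entry, attr):
    """Does the directive's <what> clause select this entry/attribute?"""
    oc = directive.get("filter_objectclass")
    if oc and oc.lower() not in (c.lower() for c in entry["objectClass"]):
        return False
    attrs = directive.get("attrs")
    # An attrs= directive only applies when one of the listed attributes is accessed.
    if attrs and (attr is None or attr.lower() not in (a.lower() for a in attrs)):
        return False
    return True


def who_matches(who, entry, requester):
    """Does the <who> selector match the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry["dn"].lower()
    raise ValueError(f"unsupported <who> selector: {who}")


def allowed(acls, entry, attr, requester, required, rootdn=None):
    """First matching directive wins; first matching by-clause decides;
    implicit deny everywhere else.  The rootdn bypasses ACLs entirely."""
    if rootdn is not None and requester is not None and requester.lower() == rootdn.lower():
        return True
    for directive in acls:
        if not what_matches(directive, entry, attr):
            continue
        for who, level in directive["by"]:
            if who_matches(who, entry, requester):
                return grants(level, required)
        return False  # implicit "by * none" on this directive
    return False  # implicit "access to * by * none" at the end of the list


# The global ACL as originally quoted in the thread.
OLD_GLOBAL_ACL = [
    {"attrs": ["userPassword"], "by": [("self", "write"), ("*", "auth")]},
]
# The amended global ACL from the top of the message.
NEW_GLOBAL_ACL = [
    {"filter_objectclass": "OpenLDAProotDSE", "by": [("*", "read")]},
] + OLD_GLOBAL_ACL

ROOT_DSE = {"dn": "", "objectClass": ["OpenLDAProotDSE"]}
# Constructed sample user entry; not from the thread.
USER = {"dn": "uid=jdoe,ou=People,dc=lannet,dc=com,dc=au",
        "objectClass": ["inetOrgPerson", "posixAccount"]}
# Placeholder standing in for the masked rootdn "XXX" in the thread.
ROOTDN = "cn=Manager,dc=lannet,dc=com,dc=au"


def report():
    """Evaluate the cases discussed in the thread; returns {description: allowed}."""
    return {
        "anon reads rootDSE namingContexts (old ACL)":
            allowed(OLD_GLOBAL_ACL, ROOT_DSE, "namingContexts", None, "read"),
        "rootdn reads rootDSE namingContexts (old ACL)":
            allowed(OLD_GLOBAL_ACL, ROOT_DSE, "namingContexts", ROOTDN, "read", rootdn=ROOTDN),
        "anon reads rootDSE namingContexts (new ACL)":
            allowed(NEW_GLOBAL_ACL, ROOT_DSE, "namingContexts", None, "read"),
        "anon reads userPassword (new ACL)":
            allowed(NEW_GLOBAL_ACL, USER, "userPassword", None, "read"),
        "anon may bind against userPassword (new ACL)":
            allowed(NEW_GLOBAL_ACL, USER, "userPassword", None, "auth"),
        "user writes own userPassword (new ACL)":
            allowed(NEW_GLOBAL_ACL, USER, "userPassword", USER["dn"], "write"),
        "anon reads mail under the suffix (new ACL)":
            allowed(NEW_GLOBAL_ACL, USER, "mail", None, "read"),
    }


if __name__ == "__main__":
    for case, ok in report().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {case}")
```

The model reproduces both observations in the thread: with the old ACL an anonymous base search of "" falls through to the implicit deny (only the rootdn bind sees namingContexts), while the added rootDSE rule grants anonymous read without loosening userPassword, which stays at `auth` for everyone but the entry owner. The last case is the same implicit deny applied to ordinary attributes, which is why an unauthenticated `ldapsearch -x -b "dc=lannet,dc=com,dc=au"` returns no entries unless a directive such as `access to * by * read` (or a narrower one) is added at the right place.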
