
Re: Newbie with a base suffix searching problem



On Tue, 29 Dec 1998, Kurt D. Zeilenga wrote:
> At 02:01 AM 12/29/98 -0500, Rahul Dave wrote:
> >Hi,
> >I've been trying to set up OpenLDAP with ldap_nss on
> >my cluster. I use the migration(from NIS) scripts to populate
> >the database, and, issuing
> >ldapsearch -h sentinel -v -b "dc=eniac2000" 'objectclass=*'
> >
> >will list all the entries
> >
> >However, 
> >ldapsearch -h sentinel -v 'objectclass=*'
> >
> >won't. What gives? I specified the base in defaultbase.ldap and in
> >ldap.conf. This is on a Redhat 5.0 machine, updated with all RedHat Patches.
> >(Intel).

I believe up until recently OpenLDAP didn't use the 'base' directive in
ldap.conf. If you're using RPMs (found at rage.net) then you'll see that
problem. Unfortunately I've been slacking over the holidays and haven't
gotten to building the new RPMs. I'll get 'em out by the end of the year.

> 
> You may not have placed the ldap.conf in the right directory, generally: 
> /usr/local/etc/openldap/ldap.conf ($sysconfdir/$subdir/ldap.conf) 

On the Linux RPMs, this is in /etc/ldap, to conform to Linux's
filesystem standard.

> OpenLDAP ldap.conf won't understand 'ldap_version'
...
> OpenLDAP won't understand a binddn.
...
> OpenLDAP won't understand a bindpw.  Note: the OpenLDAP ldap.conf
> is for user defaulting.  It should WORLD readable and hence not
> contain any authorization/authentication information.

These settings are for the nss_ldap (and pam_ldap) libraries. I believe
the ldap tools from openldap will ignore any strange settings in there
used for other programs.

I've made changes to nss_ldap so that you can put auth information in
ldap.sec (and make it 0700), therefore root-owned processes authenticate,
everybody else binds anonymously. You can then hide things like your
'userpassword' attribute with ACLs while the machine can still 'see' this
data to allow login. If you want to hide data such as usernames, I'd
recommend regulating this data to anonymous binds using IP/domain based
ACLs.

I guess this presents another problem, specifically in packaging.
The ldap.conf file is used by a variety of things for configuration
information. Thus ldap.conf (and ldap.conf.5) conflicts between packages.
I think we may need to do some synchronization between projects to
standardize ldap.conf; each project has the option to ignore configuration
parameters that don't apply. I've already got an ldap.conf.5 manpage for
nss_ldap and pam_ldap typed up, I could send it your way if it'll help.

-- Greg

|\/\/|   Greg Retkowski   |\/\/|  greg@rage.net
|/\/\|"Save the Factories"|/\/\|  http://www.rage.net/
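The split Greg describes above (a root-only bind that can read userPassword, anonymous binds that cannot, and usernames visible only to anonymous clients on the cluster's own network) looks like this as a slapd.conf access-control fragment. This is an added example, not configuration from the thread or from the rage.net RPMs; it uses OpenLDAP 2.x ACL syntax rather than the 1.x syntax current in 1998, and the bind DN cn=nss,dc=eniac2000 and the 10.0.0.0/24 cluster subnet are assumed placeholders.

```conf
# slapd.conf excerpt (OpenLDAP 2.x "access to" syntax; assumed, not from the thread).
# cn=nss,dc=eniac2000 is a hypothetical service identity whose credentials live in
# a root-only (mode 0600/0700) file on each client, as Greg's ldap.sec does.
# Rules are evaluated in order and the first matching "by" clause wins.

# Password hashes: readable by the host's service DN so local login can verify
# them, usable for simple bind by anonymous clients ("auth" does not disclose
# the value), changeable by the entry's owner, invisible to everyone else.
access to attrs=userPassword
        by dn.exact="cn=nss,dc=eniac2000" read
        by anonymous auth
        by self write
        by * none

# Account data that nss_ldap needs to resolve users: the service DN and any
# authenticated user may read it; anonymous clients may read it only when they
# connect from the cluster subnet (IP-based restriction); nobody else sees it.
access to attrs=uid,uidNumber,gidNumber,cn,homeDirectory,loginShell
        by dn.exact="cn=nss,dc=eniac2000" read
        by users read
        by peername.ip=10.0.0.0%255.255.255.0 read
        by * none

# Everything else (including the entries themselves) is readable only by the
# service DN and by authenticated users; anonymous gets nothing.
access to *
        by dn.exact="cn=nss,dc=eniac2000" read
        by users read
        by * none
```

The "by anonymous auth" clause on userPassword is what lets pam_ldap simple binds still succeed once anonymous read is removed; drop it and logins fail even though searches look fine.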