Re: Newbie with a base suffix searching problem
Greg Retkowski wrote:
> On Tue, 29 Dec 1998, Kurt D. Zeilenga wrote:
> > At 02:01 AM 12/29/98 -0500, Rahul Dave wrote:
> > >Hi,
> > >I've been trying to set up OpenLDAP with ldap_nss on
> > >my cluster. I use the migration (from NIS) scripts to populate
> > >the database, and, issuing
> > >ldapsearch -h sentinel -v -b "dc=eniac2000" 'objectclass=*'
> > >
> > >will list all the entries
> > >
> > >However,
> > >ldapsearch -h sentinel -v 'objectclass=*'
> > >
> > >won't. What gives? I specified the base in defaultbase.ldap and in
> > >ldap.conf. This is on a Redhat 5.0 machine, updated with all RedHat Patches.
> > >(Intel).
>
> I believe up until recently openldap didn't use the 'base' directive in
> ldap.conf.
OpenLDAP ldap.conf(5) is completely new to 1.1. Before that we used
hardcoded defaults (ldapconfig.h).
> If you're using rpm's (found at rage.net) then you'll see that
> problem. Unfortunately I've been slacking over the holidays and haven't
> gotten to building the new RPM's. I'll get em out by the end of the year.
>
> >
> > You may not have placed the ldap.conf in the right directory, generally:
> > /usr/local/etc/openldap/ldap.conf ($sysconfdir/$subdir/ldap.conf)
>
> On the linux RPM's, this is in /etc/ldap, to conform to Linux's
> filesystem standard.
I would recommend installing OpenLDAP configuration files into etc
by just changing the sysconfdir and NOT the subdir. Install OpenLDAP in
/etc/openldap, not /etc/ldap. This keeps OpenLDAP files separate and
distinct from other system files (or even other LDAP implementations).
> > OpenLDAP ldap.conf won't understand 'ldap_version'
> ...
> > OpenLDAP won't understand a binddn.
> ...
> > OpenLDAP won't understand a bindpw. Note: the OpenLDAP ldap.conf
> > is for user defaulting. It should be WORLD readable and hence not
> > contain any authorization/authentication information.
>
> These settings are for the nss_ldap (and pam_ldap) libraries.
These applications should have (and actually do) separate and distinct
configuration files from OpenLDAP. IFF they are placed in OpenLDAP's
$sysconf/openldap (regardless of what that might be set to on a
particular platform), they should be named 'application.conf'. i.e.:
nss_ldap.conf
pam_ldap.conf
(this is the current naming scheme for compatible applications as
demonstrated by slapd.conf, ud.conf, etc.). However, if they are
kept in their own directory, I could care less what they are named.
> I believe
> the ldap tools from openldap will ignore any strange settings in there
> used for other programs.
Currently, yes, but I won't rely on that behavior long term.
> I guess this presents another problem, specifically in packaging.
> The ldap.conf file is used by a variety of things for configuration
> information. Thus ldap.conf (and ldap.conf.5) conflicts between packages.
OpenLDAP ldap.conf was designed to be specific to OpenLDAP and be
application neutral. I'd rather not see it bloated with settings for
specific applications. Configuration files for nss_ldap/pam_ldap should
remain separate!
> I think we may need to do some synchronization between projects to
> standardize ldap.conf, each project has the option to ignore configuration
> parameters that don't apply. I've already got an ldap.conf.5 manpage for
> nss_ldap and pam_ldap typed up, I could send it your way if it'll help.
I believe these configurations should be separate and distinct...
Kurt
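
The point made in this message (a world-readable ldap.conf must not carry bind credentials, and nss_ldap/pam_ldap settings belong in their own files) can be checked mechanically. The following is an added example, not code from the thread or from OpenLDAP; the keyword list comes from the directives named above, and the sample file contents and function names are constructed for illustration.

```python
import os
import stat
import tempfile

# Directives the thread says OpenLDAP's ldap.conf will not understand.
APP_KEYS = {"ldap_version", "binddn", "bindpw"}
SECRET_KEYS = {"bindpw"}  # authentication material

def parse_conf(text):
    """Yield (lineno, keyword) per directive; skips blanks and '#' comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line.split(None, 1)[0].lower()

def audit(path):
    """Return (world_readable, findings) for one ldap.conf-style file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH)
    findings = []
    with open(path) as fh:
        for n, key in parse_conf(fh.read()):
            if key in SECRET_KEYS and world_readable:
                findings.append((n, key, "credential in world-readable file"))
            elif key in APP_KEYS:
                findings.append((n, key, "application setting, keep in its own file"))
    return world_readable, findings

def demo():
    # Constructed sample: user defaults mixed with nss_ldap-style bind settings.
    sample = ("# constructed sample\n"
              "BASE dc=eniac2000\n"
              "HOST sentinel\n"
              "binddn cn=proxy,dc=eniac2000\n"
              "bindpw example-secret\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldap.conf")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # world readable, as ldap.conf should be
        shared = audit(path)
        os.chmod(path, 0o600)   # owner only, as a credential file should be
        private = audit(path)
    return shared, private

if __name__ == "__main__":
    for result in demo():
        print(result)
```
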