Question about attributes shown in ldapsearch



Hi

I'm seeking some guidance in tracking down a problem that I believe is
happening in my OpenLDAP installation. I'll start with the basic
question and work up to the detail. When I issue:

ldapsearch -x "objectclass=*"

I get a list of attributes that does not seem to be complete. In
particular the sn attribute is missing, as well as a lot of others that
show up in slapcat. I believe this has happened after a power failure
resulted in a corrupted database. I tried "slapd_db_recover -ev" and
also "slapindex -v", which recovered the database apparently without
reporting any problems.

Does anyone have any experience of this, or can give me some start in
tracking down the problem?

Prior to this event the setup was working fine. I have checked schema
files, config files and various ownership/modes on all ldap files and
they seem OK (at least to my limited knowledge). Nothing is showing up
in the LDAP or system logs.

Now for the background. I have set up a samba/LDAP unified authentication
system (test only at this stage) following the Idealx smbldap howto and
using their tools. This uses TLS security and authenticates samba and
Linux. Everything worked flawlessly and I left it alone for a while
until I found after the power-out event that I couldn't authenticate into
Linux. Restoration of the database gives me Linux access but not samba
access.

Check of the samba log files showed that attempts to authenticate via
samba were resulting in a failure to access one of the LDAP attributes
necessary for that authentication. That's when I discovered that
ldapsearch couldn't access them either. TLS seems OK because a -ZZ
switch on ldapsearch works identically with no problems.

The setup is Fedora Core 2, openldap 2.1.29, samba 3.0.10 (these were
the latest available updates for FC2).

Here is the output from "ldapsearch -x 'cn=ksarkies'":
------------------------------------------------------------------------
# ksarkies, Users, trinity.asn.au
dn: uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: ksarkies
uid: ksarkies
uidNumber: 1044
gidNumber: 513
homeDirectory: /home/ksarkies
loginShell: /bin/bash
gecos: System User
description: System User

# search result
search: 3
result: 0 Success
--------------------------------------------------------------------------

and the corresponding slapcat section:
--------------------------------------------------------------------------
dn: uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: ksarkies
sn: ksarkies
uid: ksarkies
uidNumber: 1044
gidNumber: 513
homeDirectory: /home/ksarkies
loginShell: /bin/bash
gecos: System User
description: System User
structuralObjectClass: inetOrgPerson
entryUUID: 1f078310-28b8-1029-9e18-a0ab643bde17
creatorsName: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
createTimestamp: 20050314093517Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-3175078009-3471862928-2418466962-3088
sambaPrimaryGroupSID: S-1-5-21-3175078009-3471862928-2418466962-513
sambaHomeDrive: H:
sambaLMPassword: FDAA9CC986D8531CF9393D97E7A1873C
sambaAcctFlags: [U]
sambaNTPassword: 046A591315771599567334815D69EADF
sambaPwdLastSet: 1110792959
sambaPwdMustChange: 1114680959
userPassword:: e1NTSEF9SVQ1RHY3aXVNcjJNa29RcFpxSzQwQ0duVzMrUHUxbVU=
entryCSN: 2005031409:35:59Z#0x0002#0#0000
modifiersName: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
modifyTimestamp: 20050314093559Z
----------------------------------------------------------------------------

For completeness a log of an "ldapsearch -x 'sn=ksarkies'" in the syslog
level 1 is shown below but doesn't really seem to say much to me anyway.
Also puzzling is why samba and smbldap-tools are mentioned (these are
administrative accounts for access to LDAP by samba and smbldap-tools
respectively, which should not be invoked by this command). Sorry - I'm
floundering a bit here.

-------------------------------------------------------------------------
Mar 25 17:30:12 hta41 slapd[21014]: => key_read
Mar 25 17:30:12 hta41 slapd[21014]: <= bdb_index_read 1 candidates
Mar 25 17:30:12 hta41 slapd[21014]: <= bdb_equality_candidates: id=1, first=53, last=53
Mar 25 17:30:12 hta41 slapd[21014]: bdb_search_candidates: id=1 first=53 last=53
Mar 25 17:30:12 hta41 slapd[21014]: ====> bdb_cache_return_entry_r( 1 ): created (0)
Mar 25 17:30:12 hta41 slapd[21014]: entry_decode: "uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au"
Mar 25 17:30:12 hta41 slapd[21014]: <= entry_decode(uid=ksarkies,ou=Users,dc=trinity,dc=asn,dc=au)
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: pattern: cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: expanded: cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: string:^I
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: rc: 1 no matches
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: pattern: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => string_expand: expanded: cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: string:^I
Mar 25 17:30:12 hta41 slapd[21014]: => regex_matches: rc: 1 no matches
Mar 25 17:30:12 hta41 slapd[21014]: bdb_search: 53 does not match filter
Mar 25 17:30:12 hta41 slapd[21014]: ====> bdb_cache_return_entry_r( 53 ): created (0)
Mar 25 17:30:12 hta41 slapd[21014]: send_search_result: err=0 matched="" text=""
Mar 25 17:30:12 hta41 slapd[21014]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 17:30:12 hta41 slapd[21014]: connection_get(10): got connid=0
Mar 25 17:30:12 hta41 slapd[21014]: connection_read(10): checking for input on id=0
Mar 25 17:30:12 hta41 slapd[21014]: do_unbind
Mar 25 17:30:12 hta41 slapd[21014]: ber_get_next on fd 10 failed errno=0 (Success)
Mar 25 17:30:12 hta41 slapd[21014]: connection_read(10): input error=-2 id=0, closing.
Mar 25 17:30:12 hta41 slapd[21014]: connection_closing: readying conn=0 sd=10 for close
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: deferring conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_resched: attempting closing conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: deferring conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_resched: attempting closing conn=0 sd=10
Mar 25 17:30:12 hta41 slapd[21014]: connection_close: conn=0 sd=10
-----------------------------------------------------------------------

SLAPD.CONF:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

schemacheck on
lastmod  on

TLSCertificateFile /etc/openldap/tls/servercert.pem
TLSCertificateKeyFile /etc/openldap/tls/serverkey.pem
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
TLSCipherSuite :SSLv3
TLSVerifyClient never

database        bdb
suffix          "dc=trinity,dc=asn,dc=au"
rootdn          "cn=manager,dc=trinity,dc=asn,dc=au"
rootpw          {SSHA}2mS+wPO1yQrGgj2D5qK0oj4lLNYCaSeB

directory	/var/lib/ldap

index objectClass             eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index sambaSID                eq
index sambaPrimaryGroupSID    eq
index sambaDomainName         eq
index default                 sub

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=nssldap,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by self write
      by anonymous auth
      by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginShell
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * read
access to attrs=description,telephoneNumber
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by self write
      by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by self read
      by * none
access to dn.base="dc=trinity,dc=asn,dc=au"
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * none
access to dn="ou=Users,dc=trinity,dc=asn,dc=au"
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * none
access to dn="ou=Groups,dc=trinity,dc=asn,dc=au"
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * none
access to dn="ou=Computers,dc=trinity,dc=asn,dc=au"
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by dn="cn=smbldap-tools,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
      by self read
      by * none

-------------------------------------------------------------------------
LDAP.CONF:

HOST hta41
BASE dc=trinity,dc=asn,dc=au

tls_cacert /etc/ssl/demoCA/cacert.pem
-------------------------------------------------------------------------

If you got this far, thanks for your patience

Ken Sarkies
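As an added illustration, not part of Ken's post, here is a small Python model of the slapd ACL rule (the first "access to" clause that covers an attribute wins, and inside it the first "by" clause that matches the requester wins) run over a trimmed copy of the ACLs above. An anonymous "ldapsearch -x" only receives attributes the ACLs grant read to "*" or "anonymous", whereas slapcat reads the database files directly and is not subject to ACLs; the trimmed ACL text and the attribute list are constructed for this example.

```python
# Added example (not from the original post): a minimal model of slapd ACL
# evaluation, run over a trimmed copy of the ACLs posted above.
ACL_TEXT = """
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginShell
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by * read
access to attrs=description,telephoneNumber
      by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,displayName,sambaSID
      by dn="cn=samba,ou=DSA,dc=trinity,dc=asn,dc=au" write
      by self read
      by * none
access to *
      by self read
      by * none
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ENTRY_DN = "uid=ksarkies,ou=users,dc=trinity,dc=asn,dc=au"   # the entry from the slapcat dump
ATTRS = ["objectClass", "cn", "sn", "uid", "uidNumber", "gidNumber", "homeDirectory",
         "loginShell", "gecos", "description", "displayName", "sambaSID", "sambaNTPassword"]

def parse_acls(text):
    """Return [(kind, target, [(who, level), ...])] in file order (order matters)."""
    acls = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("access to "):
            kind, _, val = line[10:].replace('"', "").partition("=")
            acls.append((kind, set(val.lower().split(",")) if kind == "attrs" else val.lower(), []))
        elif line.startswith("by "):
            who, level = line[3:].replace('"', "").rsplit(None, 1)
            acls[-1][2].append((who.lower(), level))
    return acls

def access_for(acls, attr, bind_dn=None, entry_dn=ENTRY_DN):
    """Access level a bind (None = anonymous) gets on attr of entry_dn: first
    covering "access to" clause wins, then its first matching "by" clause."""
    attr, bind_dn = attr.lower(), bind_dn and bind_dn.lower()
    for kind, target, subjects in acls:
        if kind == "attrs" and attr not in target:
            continue
        for who, level in subjects:
            if (who == "*" or (who == "anonymous" and bind_dn is None)
                    or (who == "self" and bind_dn == entry_dn) or who == "dn=" + str(bind_dn)):
                return level
        return "none"   # clause matched the attribute but no "by" applies: denied
    return "none"       # no clause at all: denied

def readable(acls, bind_dn=None):
    """Attributes of the user entry that a search by this bind returns."""
    return [a for a in ATTRS if LEVELS.index(access_for(acls, a, bind_dn)) >= LEVELS.index("read")]
```

readable(parse_acls(ACL_TEXT)) returns exactly the nine attributes shown in the ldapsearch output above and leaves out sn, which no attrs= clause lists and which the final "access to *" clause grants only to self; binding as the entry itself or as cn=samba changes the result.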