
Re: ldapsearches from remote host fail



On Monday 12 December 2005 23:40, Jay Osborne wrote:
> I am stumped.  I have spent three days trying to figure this one out and
> I am no further than when I started.
>
> When I do a ldapsearch -x -h "myhost.mydomain.tld" from the host itself,
> I get a dump of all my ldap data.  When I run the exact same search from
> a remote host I get err=32 No Such Object.

You mean, when you run ldapsearch with the same parameters (the resulting 
search may be different if the environment it is run in differs, by 
configuration files etc etc). When testing with ldapsearch, it is sometimes 
useful to specify all relevant parameters that could be set in a config 
file ... so maybe try:

$ ldapsearch -x -h myhost.mydomain.tld -b dc=mydomain,dc=tld -s sub

> It doesn't even matter if I 
> authenticate (using -D and -W) with the rootdn and rootpw, the end
> result is the same.
>
> I have searched for hidden gotchas in the slapd.conf and conf.d
> directory.  I have enabled (-1) logging.  I have removed all ACLs,
> although I tried various incarnations including peer access.  The
> firewall has port 389 tcp open. This is a Gentoo machine with Openldap
> compiled as a portage package.  I have PAM authentication working on the
> localhost and even have a new test user login working.  I just can't
> figure out why an exact same search forced to the external ip address
> works from one machine but not another. It's a mystery to me.
>
> my /etc/openldap/ldap.conf
>
> BASE         dc=mydomain, dc=tld
> URI          ldap://myhost.mydomain.tld

Are these identical on both clients (localhost and remote)?

> This is the log of a connection
> Dec 12 15:49:12 www slapd[23300]: do_search
> Dec 12 15:49:12 www slapd[23300]: >>> dnPrettyNormal: <>
> Dec 12 15:49:12 www slapd[23300]: <<< dnPrettyNormal: <>, <>
> Dec 12 15:49:12 www slapd[23300]: SRCH "" 2 0
> Dec 12 15:49:12 www slapd[23300]:     0 0 0
> Dec 12 15:49:12 www slapd[23300]: begin get_filter
> Dec 12 15:49:12 www slapd[23300]: PRESENT
> Dec 12 15:49:12 www slapd[23300]: end get_filter 0
> Dec 12 15:49:12 www slapd[23300]:     filter: (objectClass=*)
> Dec 12 15:49:12 www slapd[23300]:     attrs:
> Dec 12 15:49:12 www slapd[23300]:
> Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2
> deref=0 filter="(objectClass=*)"

The server is getting the empty basedn, not "dc=mydomain, dc=tld", which most 
likely doesn't have any entries below it in your database.

> Dec 12 15:49:12 www slapd[23300]: send_ldap_result: conn=99 op=1 p=3
> Dec 12 15:49:12 www slapd[23300]: send_ldap_result: err=10 matched=""
> text=""
> Dec 12 15:49:12 www slapd[23300]: send_ldap_response: msgid=2 tag=101
> err=32
> Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101
> err=32 nentries=0 text=

> When I try the exact same search from the localhost I get these type of
> log entries:
>
> Dec 12 15:52:52 www slapd[23346]: => access_allowed: read access to
> "uid=newuser,ou=People,dc=mydomain,dc=tld" "entry" requested
> Dec 12 15:52:52 www slapd[23346]: => access_allowed: backend default
> read access granted to "(anonymous)"

Unfortunately, you didn't include the log entry showing the details of this 
search (base, filter).

> I have searched Google, the mailing lists, Gentoo Forums, read "The ABCs
> of LDAP" and checked all the man pages.  Does anybody have any clue for
> what I am doing wrong.

First thing to do is ensure the server is getting the query you think you are 
giving it, which doesn't seem to be the case.

Regards,
Buchan
-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
