
Re: ldapsearches from remote host fail



On Mon, 2005-12-12 at 16:40 -0500, Jay Osborne wrote:
> I am stumped.  I have spent three days trying to figure this one out and 
> I am no further than when I started.
> 
> When I do a ldapsearch -x -h "myhost.mydomain.tld" from the host itself, 
> I get a dump of all my ldap data.  When I run the exact same search from 
> a remote host I get err=32 No Such Object.  It doesn't even matter if I 
> authenticate (using -D and -W) with the rootdn and rootpw, the end 
> result is the same.
> 
> I have searched for hidden gotchas in the slapd.conf and conf.d 
> directory.  I have enabled (-1) logging.  I have removed all ACLs, 
> although I tried various incarnations including peer access.   The 
> firewall has port 389 tcp open. This is a Gentoo machine with OpenLDAP 
> compiled as a Portage package.  I have PAM authentication working on the 
> localhost and even have a new test user login working.  I just can't 
> figure out why an exact same search forced to the external ip address 
> works from one machine but not another.  It's a mystery to me.
> 
> my /etc/openldap/ldap.conf
> 
> BASE         dc=mydomain, dc=tld
> URI          ldap://myhost.mydomain.tld
> 
> 
> 
> my /etc/openldap/slapd.conf
> 
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/authldap.schema
> include         /etc/openldap/schema/dyngroup.schema
> include         /etc/openldap/schema/samba.schema
> include         /etc/openldap/schema/java.schema
> password-hash {md5}
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> loglevel 65535
> database        ldbm
> directory       /var/lib/openldap-ldbm
> index           objectClass     eq
> suffix          "dc=mydomain,dc=tdl"
> rootdn          "cn=Manager,dc=mydomain,dc=tld"
> rootpw {MD5}[MYPASSWORD]
> 
> This is the log of a connection:
> Dec 12 15:49:12 www slapd[23298]: daemon: new connection on 11
> Dec 12 15:49:12 www slapd[23298]: conn=99 fd=11 ACCEPT from 
> IP=xxx.xxx.xxx.xxx:33416 (IP=0.0.0.0:389)
> Dec 12 15:49:12 www slapd[23298]: daemon: added 11r
> Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
> Dec 12 15:49:12 www slapd[23298]:  
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
> Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
> Dec 12 15:49:12 www slapd[23298]:  11r
> Dec 12 15:49:12 www slapd[23298]:  
> Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
> Dec 12 15:49:12 www slapd[23298]: connection_get(11)
> Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
> Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for 
> input on id=99
> Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 
> (Resource temporarily unavailable)
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23346]: do_bind
> Dec 12 15:49:12 www slapd[23346]: >>> dnPrettyNormal: <>
> Dec 12 15:49:12 www slapd[23346]: <<< dnPrettyNormal: <>, <>
> Dec 12 15:49:12 www slapd[23346]: do_bind: version=3 dn="" method=128
> Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 BIND dn="" method=128
> Dec 12 15:49:12 www slapd[23346]: send_ldap_result: conn=99 op=0 p=3
> Dec 12 15:49:12 www slapd[23346]: send_ldap_result: err=0 matched="" 
> text=""
> Dec 12 15:49:12 www slapd[23346]: send_ldap_response: msgid=1 tag=97 err=0
> Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 RESULT tag=97 err=0 text=
> Dec 12 15:49:12 www slapd[23346]: do_bind: v3 anonymous bind
> Dec 12 15:49:12 www slapd[23298]: daemon: activity on 1 descriptors
> Dec 12 15:49:12 www slapd[23298]: daemon: activity on:
> Dec 12 15:49:12 www slapd[23298]:  11r
> Dec 12 15:49:12 www slapd[23298]:  
> Dec 12 15:49:12 www slapd[23298]: daemon: read activity on 11
> Dec 12 15:49:12 www slapd[23298]: connection_get(11)
> Dec 12 15:49:12 www slapd[23298]: connection_get(11): got connid=99
> Dec 12 15:49:12 www slapd[23298]: connection_read(11): checking for 
> input on id=99
> Dec 12 15:49:12 www slapd[23298]: ber_get_next on fd 11 failed errno=11 
> (Resource temporarily unavailable)
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=6 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=7 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23298]: daemon: select: listen=8 
> active_threads=0 tvp=NULL
> Dec 12 15:49:12 www slapd[23300]: do_search
> Dec 12 15:49:12 www slapd[23300]: >>> dnPrettyNormal: <>
> Dec 12 15:49:12 www slapd[23300]: <<< dnPrettyNormal: <>, <>
> Dec 12 15:49:12 www slapd[23300]: SRCH "" 2 0

^^^ I bet ldapsearch on the remote host is unable to read the ldap.conf
on the local host, since it's using a different default base.  What if
you use "-b" like the rest of the world does?

> I have searched Google, the mailing lists, Gentoo Forums, read "The ABCs 
> of LDAP" and checked all the man pages.  Does anybody have any clue for 
> what I am doing wrong?

Typically, Google is very good at answering well posed questions.  It
appears you have a little insight into what these tools are doing, and
you're unable to catch the clues logging is trying to give you.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
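
The clue the reply points at is the search base: the `SRCH "" 2 0` line shows the remote ldapsearch searching from base `""`, because it never read the local host's ldap.conf and no `-b` was given, while a search at or below the database suffix succeeds. The following script is an added example, not code from the thread or from the OpenLDAP project. It reads the stats-level `conn=... ACCEPT`, `SRCH base=...` and `SEARCH RESULT` lines that slapd emits (they are included in `-1` / `loglevel 65535` output, alongside the debug lines quoted above), correlates each search op with the client IP from its ACCEPT line, and flags any search whose base is empty or lies outside the suffix you pass in. The sample log is constructed for the example; its IP addresses, op numbers and entry counts are made up, and the suffix is supplied as a parameter rather than parsed from slapd.conf.

```python
import re

# Constructed sample log, modelled on the slapd stats lines quoted in the
# thread.  IP addresses, op numbers and entry counts are made up.
# conn=99 is the failing remote client; conn=100 is a search run on the
# server itself, where ldap.conf supplies BASE "dc=mydomain, dc=tld".
SAMPLE_LOG = """\
Dec 12 15:49:12 www slapd[23298]: conn=99 fd=11 ACCEPT from IP=192.0.2.10:33416 (IP=0.0.0.0:389)
Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 BIND dn="" method=128
Dec 12 15:49:12 www slapd[23346]: conn=99 op=0 RESULT tag=97 err=0 text=
Dec 12 15:49:12 www slapd[23300]: SRCH "" 2 0
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:49:12 www slapd[23300]: conn=99 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Dec 12 15:50:01 www slapd[23298]: conn=100 fd=12 ACCEPT from IP=127.0.0.1:40211 (IP=0.0.0.0:389)
Dec 12 15:50:01 www slapd[23300]: conn=100 op=1 SRCH base="dc=mydomain, dc=tld" scope=2 deref=0 filter="(objectClass=*)"
Dec 12 15:50:01 www slapd[23300]: conn=100 op=1 SEARCH RESULT tag=101 err=0 nentries=12 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+)')


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators, so that
    'dc=mydomain, dc=tld' (as written in ldap.conf) compares equal to
    'dc=mydomain,dc=tld' (as written in slapd.conf)."""
    return ','.join(part.strip() for part in dn.lower().split(','))


def base_within_suffix(base, suffix):
    """True if the search base is the suffix itself or an entry beneath it."""
    b, s = normalize_dn(base), normalize_dn(suffix)
    return b == s or b.endswith(',' + s)


def analyze(log_text, suffix):
    """Return one finding per SRCH op: the client that sent it, the base it
    used, the result code (if logged) and, when the base cannot be served
    by a database with the given suffix, a one-line explanation."""
    client = {}      # conn id -> client IP, from the ACCEPT line
    findings = {}    # (conn, op) -> finding dict
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            client[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope = m.groups()
            if base == '':
                problem = ('empty base: client sent no -b and read no BASE '
                           'from an ldap.conf')
            elif not base_within_suffix(base, suffix):
                problem = 'base %r is outside suffix %r' % (base, suffix)
            else:
                problem = None
            findings[(conn, op)] = {
                'conn': conn, 'client': client.get(conn, '?'),
                'base': base, 'scope': int(scope),
                'problem': problem, 'err': None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if key in findings:
                findings[key]['err'] = int(m.group(3))
    order = sorted(findings, key=lambda k: (int(k[0]), int(k[1])))
    return [findings[k] for k in order]


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG, 'dc=mydomain,dc=tld'):
        print('conn=%s from %s base=%r err=%s -> %s' % (
            f['conn'], f['client'], f['base'], f['err'], f['problem'] or 'ok'))
```

Run against a real log, the first finding is the one the reply is describing: a search from the remote address with an empty base and err=32, while the search from 127.0.0.1 carries the suffix as its base and succeeds. The suffix comparison also catches the other way this mismatch shows up in practice, a base that is spelled differently from the `suffix` directive, since a base that is not at or under the suffix cannot be served by that database either.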