
Object not found



I have a user name readonly that we use in our applications to get uid's.
This has worked in the past with our old LDAP solution.  We have moved to
2.4.31 on Ubuntu 12.04 with an n-way multi-master setup.

The slapcat for this database looks like this.

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=oreillyauto,dc=com
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}dn.exact="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {2}dn.exact="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: uid=admin,dc=oreillyauto,dc=com
olcRootPW:: c2VjcmV0
olcSyncUseSubentry: FALSE
olcDbCacheSize: 50000
olcDbCheckpoint: 512 30
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 150000
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uid eq
olcDbIndex: oreillyGroup eq
olcDbIndex: locationEntry eq
olcDbIndex: counterNumber eq
olcDbIndex: businessCategory eq
olcDbIndex: locationNumber eq
olcDbIndex: position eq
olcDbIndex: title eq,subany
olcDbIndex: givenName eq,subany
olcDbIndex: functionListing eq
olcDbIndex: manager eq
olcDbIndex: sn eq,subany
olcDbIndex: nickName eq,subany
olcDbIndex: employeeNumber eq
olcDbIndex: ou eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: supervisor eq
olcDbIndex: status eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcHdbConfig
entryUUID: 91ce693e-9e13-1032-84c2-0151b658a842
createTimestamp: 20130820183919Z
creatorsName: cn=config
olcMirrorMode: TRUE
olcSyncrepl: {0}rid=004 provider=ldap://tntest-ldap-3.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
olcSyncrepl: {1}rid=005 provider=ldap://tntest-ldap-1.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
olcSyncrepl: {2}rid=006 provider=ldap://tntest-ldap-2.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
entryCSN: 20130821193620.549061Z#000000#002#000000
modifiersName: uid=admin,dc=oreillyauto,dc=com
modifyTimestamp: 20130821193620Z

And the ldap logs show this:

Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" mech=SIMPLE ssf=0
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 RESULT tag=97 err=0 text=
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SRCH base="uid=espeake,ou=Users,dc=oreillyauto,dc=com" scope=0 deref=3 filter="(objectClass=*)"
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=2 UNBIND
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 fd=40 closed

We had one issue with this server not running a rebuild last night due to a
certificate error of the cacert not being found and we are addressing that
through the following article:

http://www.mikepilat.com/blog/2011/05/adding-a-certificate-authority-to-the-java-runtime/

Searching as the ldapadmin user I find the user.  So I am thinking that I
need to adjust the ACL here but I'm not seeing what is wrong.

Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
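
How slapd would walk the olcAccess rules above for the logged base search, as an added example that is not part of the original post: rules are tried in order, the first matching `<what>` decides unless its `by` clause ends in `break`, and a result of `none` leaves no disclose access, which slapd reports as err=32. Group memberships are not shown in the post, so `MEMBERS` is a constructed assumption (readOnlyUser in none of the groups, ldapAdmin in "LDAP Admin").

```python
S = "dc=oreillyauto,dc=com"
def grp(cn):
    return ("group", f"cn={cn},ou=Groups,{S}")

# Rules transcribed from the post: (index, scope, base, [(who, level, control)]).
# attrs= rules {0},{2}-{4} never match "entry"; {6} (dnattr) is not modelled.
RULES = [
    (1, "subtree", S, [(grp("System Administrators"), "write", "stop"),
                       (grp("LDAP Admin"), "write", "stop"),
                       ("*", "none", "break")]),
    (5, "subtree", f"ou=System,{S}", [(("subtree", f"ou=Users,{S}"), "none", "stop"),
                                      ("users", "read", "stop")]),
    (7, "children", f"ou=Users,{S}", [("self", "read", "stop"),
                                      (grp("Authenticate"), "read", "stop"),
                                      ("*", "none", "stop")]),
    (8, "subtree", "", [("self", "read", "stop"), ("users", "read", "stop")]),
]

# ASSUMPTION: memberships are not shown in the post; this one is constructed.
MEMBERS = {grp("LDAP Admin")[1]: {f"uid=ldapadmin,ou=system,{S}"}}

def in_scope(dn, scope, base):
    dn, base = dn.lower(), base.lower()
    below = base == "" or dn.endswith("," + base)
    return below or (scope == "subtree" and dn == base)

def who_matches(who, binder, target):
    if who == "*":
        return True
    if who in ("users", "self"):      # both require an authenticated bind
        return binder != "" and (who == "users" or binder.lower() == target.lower())
    kind, dn = who
    if kind == "group":
        return binder.lower() in MEMBERS.get(dn, set())
    return in_scope(binder, "subtree", dn)        # ("subtree", dn)

def entry_access(binder, target):
    """Return (level, index of the deciding rule) for the target's entry."""
    for idx, scope, base, whos in RULES:
        if not in_scope(target, scope, base):
            continue
        for who, level, control in whos:
            if who_matches(who, binder, target):
                break
        else:
            return "none", idx      # implicit trailing "by * none"
        if control != "break":
            return level, idx       # "stop" is the default control
    return "none", None
```

On a live server, slapacl(8) evaluates the real ACLs and group data for a given bind DN and entry.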
