
Re: Samba auth on replicated LDAP: no admin user



On 07-12-15 at 01:09, Quanah Gibson-Mount wrote:
> --On Sunday, December 06, 2015 10:43 PM +0100 Paul van der Vlis
> <paul@vandervlis.nl> wrote:
> 
>> On 06-12-15 at 22:27, Quanah Gibson-Mount wrote:
>>> --On Sunday, December 06, 2015 10:13 PM +0100 Paul van der Vlis
>>> <paul@vandervlis.nl> wrote:
>>>
>>>> ldapsearch -x -b "cn=admin,dc=domain,dc=nl" -H ldapi:///
>>>
>>> The above is an anonymous search. Do your acls actually allow results to
>>> be returned with anonymous searches?
>>
>> Yes. Something like this gives "0 Success" on the replicated server:
>> ldapsearch -x -b "cn=paul,ou=users,dc=domain,dc=nl" -H ldapi:///
> 
> Not sure what your point is.  Do you mean it actually returns that user
> entry *as well* as returning success?  

Correct.

> There are very few instances
> where it will /not/ return success.  

On the replication it says: "no such object". And that's the problem I
want to fix.

> Do not confuse a success result
> with meaning that your ACLs are correct.

As far as I know the ACLs are correct. This system has worked for many
years with many Linux clients; now they also want Windows. At the location
of the master, they have already had a few Windows PCs for some years, and
the authentication works fine.

>> And the ldapsearch with cn=admin works fine on the master.
> 
> Again, as I noted before, this could be a rootdn that doesn't actually
> exist in the data backed database.
> 
> Again, you should slapcat both the master and replica and confirm their
> contents match.

I expect they don't match ;-)

> You may also wish to see if your admin user actually exists in the data
> db on the master, or if it is a rootdn that only exists in the
> configuration.

It will be only in cn=config.

This is the way I create an LDAP admin:
-----
# LDAP_ADMIN_HASH holds the password hash (e.g. slappasswd output);
# the unquoted EOF lets the shell expand it into the LDIF.
cat <<EOF >slapd-database.ldif
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
# Apply as the local root user over the ldapi socket (SASL EXTERNAL).
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
-----

See more here: https://wiki.debian.org/nfs4-kerberos-ldap
I am the author of the article.

With regards,
Paul van der Vlis.


> --Quanah
> 
> 
> -- 
> 
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
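The check Quanah suggests above (slapcat master and replica, then confirm whether the admin DN is a real entry in the data DB or only an olcRootDN in cn=config), written out as an added example that is not code from either poster. The sample dumps are constructed; on real servers the inputs would be the output of `slapcat -n 1` on each host.

```sh
#!/bin/sh
# Added example, not code from the thread. Inputs are LDIF dumps of the
# data DB on master and replica (in practice `slapcat -n 1` on each host).
# An admin DN that exists only as olcRootDN in cn=config never shows up in
# slapcat output and is never replicated: the replica answers "no such object".

# Return 0 if DN $2 exists as an entry in LDIF text $1 (case-insensitive).
ldif_has_dn() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { found = 0; want = tolower(want) }
        /^dn: / { if (tolower(substr($0, 5)) == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print DNs present in dump $1 but absent from dump $2, one per line.
missing_dns() {
    printf '%s\n' "$1" | grep '^dn: ' | while IFS= read -r line; do
        ldif_has_dn "$2" "${line#dn: }" || printf '%s\n' "${line#dn: }"
    done
}

# Classify DN $3: entry-replicated, entry-master-only, or rootdn-only.
admin_status() {
    if ldif_has_dn "$1" "$3"; then
        if ldif_has_dn "$2" "$3"; then echo entry-replicated
        else echo entry-master-only; fi
    else
        echo rootdn-only
    fi
}

# Constructed sample dumps: neither data DB contains a cn=admin entry.
MASTER_DUMP='dn: dc=domain,dc=nl
objectClass: dcObject
objectClass: organization
dc: domain
o: domain

dn: ou=users,dc=domain,dc=nl
objectClass: organizationalUnit
ou: users

dn: cn=paul,ou=users,dc=domain,dc=nl
objectClass: inetOrgPerson
cn: paul
sn: van der Vlis'
REPLICA_DUMP=$MASTER_DUMP

admin_status "$MASTER_DUMP" "$REPLICA_DUMP" "cn=admin,dc=domain,dc=nl"  # rootdn-only
```

Base64-encoded (`dn::`) and folded LDIF lines are not handled here. To see which DN the config-only root account actually has, query cn=config directly: `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN`.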