
RE: LDAP_ROOT_DSE with OpenLdap 2.2 - This "result.c" patch IS NOT REALLY needed if you use "ldapclient manual" command



Christian,

This "old" result.c patch only works for the old OpenLDAP 2.1.X. It is
used with the "ldapclient init" command, which is used to initialise the
Solaris9/8 Native LDAP Client against an OpenLDAP Server but fails with
an error message something like "Can't find ROOT_DSE".

For the new OpenLDAP 2.2.X, this patch IS NOT REALLY needed if you use
the "ldapclient manual" command to initialise the Solaris9/8 Native LDAP
Client against an OpenLDAP 2.2.X Server. Below are two examples, one for
Solaris9, the other for Solaris8 (you need LDAPv2 patch 108893 for
Solaris8).

Solaris9:

/usr/sbin/ldapclient -v manual -a profileName=default \
    -a domainName=example.com \
    -a defaultSearchBase=dc=example,dc=com \
    -a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
    -a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start

Solaris8:

/usr/sbin/ldapclient -v \
   -P default \
   -d example.com \
   -D "cn=proxyagent,ou=profile,dc=example,dc=com" \
   -w "password" \
   192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start

Of course, prior to running the above script(s), you should have already
created the "default" profile in the OpenLDAP Server using
DUAConfigProfile.schema and "ldapadd ... -f default.ldif", where
default.ldif looks something like:

dn: cn=default,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: default
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=Netgroup,dc=example,dc=com?one

Rgds
Gary
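As an added example (not part of Gary's message or of any Solaris or OpenLDAP tool), a small lint for a DUAConfigProfile entry like the default.ldif above: it parses the LDIF, splits each serviceSearchDescriptor into service, base and scope, and flags a profile that binds with credentialLevel proxy over a plain "simple" method, since the proxyPassword then crosses the network unencrypted unless a "tls:" method is used. The SAMPLE_LDIF is a constructed subset of the profile shown above; parse_ldif_entry, parse_ssd and check_profile are names chosen here.

```python
import re
# Constructed sample: a subset of the "default" profile shown in the message above.
SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
cn: default
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]} (unfolds continuation lines)."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def parse_ssd(value):
    """Split 'service: base?scope' into (service, base, scope); scope defaults to 'one'."""
    service, _, rest = value.partition(":")
    base, _, scope = rest.strip().partition("?")
    return service.strip(), base.strip(), scope.strip() or "one"

def check_profile(entry):
    """Return a list of findings; an empty list means the profile passed every check."""
    findings = []
    for required in ("cn", "defaultserverlist", "defaultsearchbase"):
        if required not in entry:
            findings.append(f"missing {required}")
    base = entry.get("defaultsearchbase", [""])[0].lower()
    for ssd in entry.get("servicesearchdescriptor", []):
        service, ssd_base, scope = parse_ssd(ssd)
        if scope not in ("base", "one", "sub"):
            findings.append(f"{service}: unknown scope {scope!r}")
        if not ssd_base.lower().endswith(base):
            findings.append(f"{service}: base {ssd_base} lies outside {base}")
    # A proxy credential level binds with proxyDn/proxyPassword; without a tls: method that bind is unencrypted.
    method = entry.get("authenticationmethod", ["none"])[0].lower()
    if entry.get("credentiallevel", ["anonymous"])[0].lower() == "proxy" and not method.startswith("tls:"):
        findings.append(f"proxy bind uses {method!r} without tls: proxyPassword is sent in cleartext")
    return findings
```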

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Christian
Leber
Sent: Friday, March 04, 2005 8:20 AM
To: openldap-software@OpenLDAP.org
Subject: LDAP_ROOT_DSE with OpenLdap 2.2


Hello,

I'm using openldap for authentication, until now in version 2.1.30; to
get this working I had to apply this patch:

*** servers/slapd/result.c.orig	Mon Dec 11 16:56:48 2000
--- servers/slapd/result.c	Mon Dec 11 16:58:24 2000
***************
*** 628,634 ****
  			/* all addrs request, skip operational
attributes */
  			if( is_at_operational( desc->ad_type ) )
  			{
! 				continue;
  			}
  
  		} else {
--- 628,636 ----
  			/* all addrs request, skip operational
attributes */
  			if( is_at_operational( desc->ad_type ) )
  			{
! 				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE
)) {
! 					continue;
! 				}
  			}
  
  		} else {
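Review bot: the sense of the strcasecmp() test is easy to misread and this hunk carries no comment explaining it: strcasecmp() returns non-zero when the DNs differ, so `continue` still skips operational attributes for every ordinary entry, and only the root DSE (e_dn equal to LDAP_ROOT_DSE, the empty DN) falls through and has them sent although the client asked only for all user attributes. Add a one-line comment saying so, and note that the change affects every client of this server, not only the Solaris ldapclient it is meant for.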
***************
*** 700,706 ****
  		if ( attrs == NULL ) {
  			/* all addrs request, skip operational
attributes */
  			if( is_at_operational( desc->ad_type ) ) {
! 				continue;
  			}
  
  		} else {
--- 702,711 ----
  		if ( attrs == NULL ) {
  			/* all addrs request, skip operational
attributes */
  			if( is_at_operational( desc->ad_type ) ) {
! 				/* Hack for solaris */
! 				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE
)) {
! 					continue;
! 				}
  			}
  
  		} else {
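Review bot: this is the same three-line test as the hunk at 628, duplicated; factor it into one helper or macro so the two send paths cannot drift apart. The `/* Hack for solaris */` comment says what it is but not why; spell out the failure it works around (the "Can't find ROOT_DSE" error from ldapclient init mentioned in the reply above) so a future maintainer can tell when it can be dropped.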


with this I was able to use the openldap server for the user
authentication on solaris9 boxes, but with openldap 2.2 it doesn't
work anymore. I changed the patch so that I thought it should work:

--- orig/openldap-2.2.23/servers/slapd/result.c 2005-01-20
18:01:09.000000000 +0100
+++ openldap-2.2.23/servers/slapd/result.c      2005-03-04
01:14:30.000000000 +0100
@@ -909,7 +909,9 @@
                if ( rs->sr_attrs == NULL ) {
                        /* all attrs request, skip operational
attributes */
                        if( is_at_operational( desc->ad_type ) ) {
+                               if (strcasecmp( rs->sr_entry->e_dn, 
+ LDAP_ROOT_DSE )) {
                                continue;
+                               }
                        }

                } else {
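Review bot: the added condition is split across two `+` lines (`+                               if (strcasecmp( rs->sr_entry->e_dn, ` followed by `+ LDAP_ROOT_DSE )) {`), with a trailing space after the comma, which looks like mail-client wrapping; anyone applying this patch gets either a hunk that no longer matches its context or a stray `LDAP_ROOT_DSE )) {` line at column one. Resend the patch as an attachment or keep the condition on one line, and re-indent the `continue;` that is now enclosed in the new block.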
@@ -1109,7 +1111,9 @@
                if ( rs->sr_attrs == NULL ) {
                        /* all attrs request, skip operational
attributes */
                        if( is_at_operational( desc->ad_type ) ) {
+                               if (strcasecmp( rs->sr_entry->e_dn, 
+ LDAP_ROOT_DSE )) {
                                continue;
+                               }
                        }

                } else {
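Review bot: same duplicated block as at 909, and this time without the `/* Hack for solaris */` comment the 2.1 version carried; keep a single helper and the explanatory comment. Since the question is why this no longer works on 2.2, the report would be easier to review if it stated which attributes the client requests from the root DSE and which the server returns under each version (an ldapsearch with -b "" -s base against both), rather than only that authentication fails.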


What's my error or is there another possibility to get it working like
2.1 with the patch from above? (the configuration and the database
stayed of course the same with my 2.2 experiments)


Regards
Christian Leber

-- 
http://www.nosoftwarepatents.com