
objectClass=posixAccount search anomaly.



Dear OpenLDAP Tech list:

I can't tell if the problem below is with OpenLDAP, or nss_ldap. Since I
can reproduce the problem with the ldapsearch command, I'm inclined to
think it's with OpenLDAP. Any assistance will be greatly appreciated.

At the academic institution where I work, there are several different
departments that maintain their own LDAP directory:

dc=sns,dc=example,dc=edu
dc=math,dc=example,dc=edu
dc=itg,dc=example,dc=edu
dc=net,dc=example,dc=edu

and a top-level LDAP server that just contains referrals to the
individual dept servers:

dc=example,dc=edu

We are now looking to share access to systems without duplicating
account information in all the LDAP servers. So if someone from math
would like to log into an SNS system, they can authenticate against
their credentials in the math LDAP directory, and get their account
information from there, too.

We are using an RHEL 5.4-based Linux distro.

To facilitate this, I added this to my /etc/openldap/slapd.conf:

database        ldap
suffix          "dc=example,dc=edu"
uri             ldaps://ldap.example.edu/

And in /etc/ldap.conf, I changed the base to dc=example,dc=edu. The
clients are still searching my local OpenLDAP server first.

After making these changes, 'getent passwd' no longer works correctly,
and these ldapsearches no longer return results:

ldapsearch -x objectClass=posixAccount
ldapsearch -x -b dc=example,dc=edu objectClass=posixAccount
ldapsearch -x -b dc=sns,dc=example,dc=edu objectClass=posixAccount
ldapsearch -x -b dc=math,dc=example,dc=edu objectClass=posixAccount

However, these ldapsearches work as expected:

ldapsearch -x objectClass=account
ldapsearch -x
ldapsearch -x objectClass=inetorgperson
ldapsearch -x objectClass=inetlocalmailrecipient
ldapsearch -x objectClass=top
ldapsearch -x -b dc=math,dc=example,dc=edu

Any ideas why the behavior is different for the posixAccount object
class vs. the other object classes? Are there any other configurations
for OpenLDAP that would achieve the same goal?

-- 
Prentice
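An added diagnostic script, written here as an example and not part of the post above or of the OpenLDAP project: it runs the poster's base/filter matrix through ldapsearch and prints, per query, how many entries came back, how many continuation references (referrals the client has not chased), and the result line. That distinction matters when a back-ldap proxy and a referral-only parent are involved, because "no output" can mean an empty result, a result consisting only of references, or a connection or bind error. It assumes the OpenLDAP client tools are on PATH; the search bases are the ones from the message, and any hostname is a placeholder.

```shell
# Added example (not from the original post): summarize ldapsearch output and
# run the poster's matrix of bases and filters. Assumes ldapsearch is on PATH.

# Summarize one ldapsearch run read from stdin. Without -LLL, ldapsearch
# prints a comment trailer ("# numEntries:", "# numReferences:", each only
# when non-zero); fall back to counting "dn:" and "ref:" lines otherwise.
# A client-side error such as "ldap_sasl_bind(SIMPLE): Can't contact LDAP
# server (-1)" is reported in place of the missing result line.
summarize() {
    awk '
        /^dn:/              { dn++ }
        /^ref:/             { ref++ }
        /^result:/          { res = $0; sub(/^result: */, "", res) }
        /^# numEntries:/    { ne = $3 }
        /^# numReferences:/ { nr = $3 }
        /^ldap_/            { err = $0 }
        END {
            if (ne == "") ne = dn + 0
            if (nr == "") nr = ref + 0
            if (res == "") res = (err != "") ? err : "no result line"
            printf "entries=%d references=%d result=%s\n", ne, nr, res
        }'
}

# Run one query. Extra arguments after the filter are passed to ldapsearch,
# e.g. -C to chase referrals or -H ldaps://host/ to query a server directly.
probe() {
    base=$1
    filter=$2
    shift 2
    printf '%-28s %-26s ' "$base" "$filter"
    ldapsearch -x -b "$base" "$@" "$filter" 2>&1 | summarize
}

# The poster's matrix: the failing filter (posixAccount) next to two that
# work, against the glue suffix and two of the departmental suffixes.
run_matrix() {
    for base in "dc=example,dc=edu" "dc=sns,dc=example,dc=edu" "dc=math,dc=example,dc=edu"; do
        for filter in "objectClass=posixAccount" "objectClass=account" "objectClass=top"; do
            probe "$base" "$filter" "$@"
        done
    done
}

# Usage: sh ldap-matrix.sh --run            (as the clients see it)
#        sh ldap-matrix.sh --run -C         (same, but chasing referrals)
case "${1:-}" in
    --run) shift; run_matrix "$@" ;;
esac
```

Run it once plainly and once with -C: if the posixAccount rows show references but no entries without -C and entries with -C, the local server is handing out referrals for that filter rather than answering through the back-ldap proxy; if the rows show a non-zero result code instead, the proxy or bind is failing.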