On 1 May 2020, at 00:56, Mc Laughlin David Bruce (ID BD) <david.mclaughlin(a)id.ethz.ch> wrote:
Hi, Mark.
Your questions and comments have pointed me in the right direction and solved several mysteries about missing db files, etc.
I will remove both root suffixes and their respective databases and then re-create them using dscreate to create the instance and using dsconf (with the "--create-suffix" option) to add the second root suffix.
Yep, that would work. You can also consider just using dsconf to remove any suffixes you have currently and to just re-add them without needing to re-create the instance :)
I will not bother you again before the instance and its suffixes have been rebuilt.
Thanks for your help,
David
___________________________________________________
David McLaughlin
ETH Zürich / Swiss Federal Institute of Technology
Informatikdienste
Basisdienste
Mail, Archive & Directories group
CH-8092 Zürich
Tel.: +41 44 632 3531
e-mail: david.mclaughlin(a)id.ethz.ch
From: Mark Reynolds <mreynolds(a)redhat.com>
Sent: 30 April 2020 4:21 PM
To: Mc Laughlin David Bruce (ID BD); General discussion list for the 389 Directory server project.
Subject: Re: [389-users] anonymous queries on second suffix subtrees
On 4/30/20 9:53 AM, Mc Laughlin David Bruce (ID BD) wrote:
> Hi, Mark.
>
> I did not expect a reply so soon!
>
> When I query as "Directory Manager", I get the expected result.
>
> I used the setup-ds.pl script to create the o=ethz,c=ch root suffix.
You should be using dscreate to create your instance, not setup-ds.pl
> I used "dsconf backend create" to add the second suffix (o=psi,c=ch).
Did you add any entries to o=psi,c=ch ?
>
> The subtrees are not properly connected to their respective root suffixes.
> Could this problem be caused by missing entries in the two "root suffix" databases?
>
> [root@el-dap ~]#
> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'o=psi,c=ch' '(ou=*)'
> No such object (32)
So you did not initialize this suffix. It is empty.
When creating the backend you could have created the top database node entry by adding the "--create-suffix" option:
# dsconf slapd-YOUR_INSTANCE backend create --suffix o=psi,c=ch --create-suffix
Note - dscreate or dsconf do not add any aci's by default. You have to add the aci's after initializing the database with some data.
> [root@el-dap ~]#
>
>
> Anonymous queries on the two subtrees (ou=staff & ou=student) on root suffix (o=ethz,c=ch) return the expected result.
So searches on "ou=staff,o=ethz,c=ch" work? But just searching on "o=ethz,c=ch" does not? I'm getting confused because you keep changing which suffixes work or don't work. First it was subtrees under o=psi,c=ch that didn't return any results, now it's different subtrees under o=ethz,c=ch.
So if you are having issues with anything under "o=ethz,c=ch" then can you please run this search, and also clarify which subtrees work and don't work for anonymous searches under this suffix "o=ethz,c=ch":
# ldapsearch -D "cn=directory manager" -W -b "o=ethz,c=ch" aci=* aci
Thanks,
Mark
>
> However, anonymous queries on the o=ethz,c=ch root suffix also return no records.
>
> with best regards,
> David
>
> e-mail: david.mclaughlin(a)id.ethz.ch
>
>
> From: Mark Reynolds <mreynolds(a)redhat.com>
> Sent: 30 April 2020 3:10 PM
> To: General discussion list for the 389 Directory server project.; Mc Laughlin David Bruce (ID BD)
> Subject: Re: [389-users] anonymous queries on second suffix subtrees
>
>
> On 4/30/20 7:14 AM, Mc Laughlin David Bruce (ID BD) wrote:
>> Hello, 389ers.
>>
>> I am migrating a whitepages server from OpenLDAP to 389-DS.
>>
>> My instance has a root suffix with two subtrees (for staff and students).
>> Anonymous queries of the two root suffix subtrees return the expected results.
>>
>> The instance also has a second suffix of "o=psi,c=ch" with three subtrees:
>> ou=contacts,o=psi,c=ch
>> ou=groups,o=psi,c=ch
>> ou=users,o=psi,c=ch
>>
>> Anonymous queries of the three "o=psi,c=ch" subtrees return NO records.
>>
>> I have added ACIs for the three "o=psi,c=ch" subtrees and restarted the instance, but anonymous queries of any of the three "o=psi,c=ch" subtrees STILL return no records.
>>
>> Does anyone know how to allow anonymous queries?
> First you don't need to restart the server when you add or change ACI's. If you run the search as "cn=directory manager" does it return the results you expect?
> Can you share all the ACI's you added to o=psi,c=ch subtrees? Maybe gather all of them by using this search:
> # ldapsearch -D "cn=directory manager" -W -b "o=psi,c=ch" aci=* aci
> Thanks,
> Mark
>
>>
>> Thanks,
>> David
>>
>> [root@el-dap ~]#
>> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -D "cn=Directory Manager" -W -x -b "ou=users,o=psi,c=ch" -s sub '(aci=*)' aci
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=users,o=psi,c=ch> with scope subtree
>> # filter: (aci=*)
>> # requesting: aci
>> #
>> # users, psi, ch
>> dn: ou=users,o=psi,c=ch
>> aci: (target = "ldap:///ou=users,o=psi,c=ch")(version 3.0; acl "Anonymous read, search for users";allow (read, search) userdn = "ldap:///anyone";)
>> # search result
>> search: 2
>> result: 0 Success
>> # numResponses: 2
>> # numEntries: 1
>> [root@el-dap ~]#
>>
>>
>> [root@el-dap ~]#
>> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'ou=users,o=psi,c=ch' '(cn=*kohler*)'
>> [root@el-dap ~]#
>>
>>
>> [root@el-dap ~]#
>> [root@el-dap ~]# tail /var/log/dirsrv/slapd-el-dap/access
>> [30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
>> [30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
>> [30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
>> [30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
>> [30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
>> [30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
>> [30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
>> [root@el-dap ~]#
>>
>> ___________________________________________________
>> David McLaughlin
>> ETH Zürich / Swiss Federal Institute of Technology
>> Informatikdienste
>> Basisdienste
>> Mail, Archive & Directories group
>> CH-8092 Zürich
>>
>> Tel.: +41 44 632 3531
>> e-mail: david.mclaughlin(a)id.ethz.ch
>>
>>
>> _______________________________________________
>> 389-users mailing list --
>> 389-users(a)lists.fedoraproject.org
>>
>> To unsubscribe send an email to
>> 389-users-leave(a)lists.fedoraproject.org
>>
>> Fedora Code of Conduct:
>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>
>> List Guidelines:
>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>
>> List Archives:
>>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> --
>
> 389 Directory Server Development Team
>
--
389 Directory Server Development Team
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
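An added example, not code from this thread or from the 389-DS project: the access-log lines David pasted (BIND dn="" for the anonymous bind, then SRCH and RESULT with nentries=0 on the same conn/op) carry enough to tell apart the cases Mark's questions probe, and the script below does that triage offline. It correlates each SRCH with the BIND that preceded it on the same connection and with its own RESULT, then reports, for every anonymous search that returned nothing, whether the base entry itself was missing (err=32, the uninitialized suffix), whether an authenticated search with the same base and filter did find entries (an ACI problem), or whether nothing matched. The sample log is constructed to mirror the page's format and is not the real server's log; the Directory Manager search with three hits and the second anonymous connection are assumed.

```python
"""Triage for 389-DS access-log lines like the ones pasted in the thread.
Added example, not 389-DS code: correlate each SRCH with the BIND before it on
the same connection and with its RESULT, then sort every empty anonymous search
into: base entry missing (err=32), hidden by ACI (an authenticated search with the
same base and filter found entries), or filter matched nothing."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the access-log format shown in the thread (not the
# original server's log): conn=5 and conn=6 are anonymous, conn=7 is bound.
SAMPLE_LOG = """\
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
[30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
[30/Apr/2020:10:25:10.100000000 +0200] conn=6 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:25:10.100100000 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn=""
[30/Apr/2020:10:25:10.100200000 +0200] conn=6 op=1 SRCH base="o=psi,c=ch" scope=2 filter="(ou=*)" attrs=ALL
[30/Apr/2020:10:25:10.100300000 +0200] conn=6 op=1 RESULT err=32 tag=101 nentries=0 etime=0.0000200000
[30/Apr/2020:10:26:00.000000000 +0200] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[30/Apr/2020:10:26:00.000100000 +0200] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="cn=directory manager"
[30/Apr/2020:10:26:00.000200000 +0200] conn=7 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:26:00.000300000 +0200] conn=7 op=1 RESULT err=0 tag=101 nentries=3 etime=0.0003000000
[30/Apr/2020:10:26:00.000400000 +0200] conn=7 op=2 UNBIND
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"


def parse_kv(rest: str) -> Dict[str, str]:
    """Key/value pairs after the op keyword; quoted values may be empty (dn="")."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}


@dataclass
class Search:
    conn: str
    bind_dn: str                    # "" = anonymous (BIND dn="" or no BIND seen)
    base: str
    filter: str
    err: Optional[int] = None       # filled in from the matching RESULT line
    nentries: Optional[int] = None


def parse_access_log(text: str) -> List[Search]:
    bound: Dict[str, str] = {}                    # conn -> DN of the last successful BIND
    pending: Dict[Tuple[str, str], tuple] = {}    # (conn, op) -> operation awaiting RESULT
    searches: List[Search] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group('conn'), m.group('op'), m.group('rest')
        kv = parse_kv(rest)
        if rest.startswith('BIND '):
            pending[(conn, op)] = ('bind', kv.get('dn', ''))
        elif rest.startswith('SRCH '):
            # No BIND seen on this conn (e.g. log tailed mid-session) is treated as anonymous.
            s = Search(conn, bound.get(conn, ''), kv.get('base', ''), kv.get('filter', ''))
            pending[(conn, op)] = ('srch', s)
            searches.append(s)
        elif rest.startswith('RESULT '):
            kind, obj = pending.pop((conn, op), (None, None))
            err = int(kv.get('err', '0'))
            if kind == 'bind':
                bound[conn] = obj if err == 0 else ''   # RFC 4511: a failed bind leaves the conn anonymous
            elif kind == 'srch':
                obj.err, obj.nentries = err, int(kv.get('nentries', '0'))
        elif rest.startswith('UNBIND') or ' closed ' in rest:
            bound.pop(conn, None)
    return searches


def classify(searches: List[Search]) -> Dict[Tuple[str, str], str]:
    """Verdict per (base, filter) for each anonymous search that returned nothing."""
    found_bound: Dict[Tuple[str, str], Tuple[str, int]] = {}
    for s in searches:
        if s.bind_dn and s.nentries:
            found_bound[(s.base.lower(), s.filter)] = (s.bind_dn, s.nentries)
    verdicts: Dict[Tuple[str, str], str] = {}
    for s in searches:
        if s.bind_dn or s.nentries != 0:
            continue
        key = (s.base.lower(), s.filter)
        if s.err == 32:
            verdict = 'base entry missing (err=32): initialize the suffix first'
        elif key in found_bound:
            verdict = 'hidden by ACI: bound as %s the same search returned %d entries' % found_bound[key]
        else:
            verdict = 'nothing matched (err=%d); compare with an authenticated search' % s.err
        verdicts[(s.base, s.filter)] = verdict
    return verdicts


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (base, flt), verdict in classify(parse_access_log(text)).items():
        print('%-28s %-18s %s' % (base, flt, verdict))
```

Run it against the real file (hypothetical script name) with `python3 triage.py /var/log/dirsrv/slapd-el-dap/access` after issuing the anonymous search and the same search bound as cn=Directory Manager back to back, so both appear in the window the script reads. When the ACIs are added back, give each `allow (read, search) userdn = "ldap:///anyone"` rule an explicit `targetattr` list naming only the attributes the whitepages service is meant to publish, rather than relying on the default, since anonymous read on a suffix is world-readable by definition.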