I'm having a really weird issue where any new user I create in 389 DS is not able to browse the directory.
What I mean is that the user binds without any issue, but when you use any directory browser client the user sees nothing in the tree. Also, I've been collaborating with a few in-house developers who are writing LDAP auth into their applications - and for both (Java and Perl using the LDAP libraries) they get the same behavior - they are able to bind but the directory is empty.
Now if you use any user account that was created before (maybe a week or two ago - I'm not sure) then everything succeeds without any issue.
Also, I have a replication consumer and if I connect to it with the new credential everything works fine as well.
Using Apache Directory Studio (it's mainly what I use for troubleshooting when 389-console breaks) when I try to connect the error I get is:
"Missing schema location in RootDSE, using default schema"
Apparently it is referring to the subschemaSubentry attribute in the RootDSE - I can verify that it is there however and seems to be readable by all including anonymous.
If I use the JNDI provider for apacheDS then I get the same error followed by 4 LDAP error 53s (unwilling to perform).
Any ideas? This is our production LDAP server and I'm getting a bit desperate. I have backups from every week and I'm considering just turning it back until the issue disappears - but it would forever trouble me not to figure out what happened and how to fix it in the future.
Thanks in advance for any input.
Andrei Wasylyk Systems Analyst
389-users@lists.fedoraproject.org