-D 'cn=Directory Manager'

It looks like your ldapsearch is using Directory Manager (the 389 equivalent to the root user). However, I do not see where you have specified a bind DN in an ldap.conf file, so possibly PAM is binding anonymously and an ACL is prohibiting the search? If this is a testing system you could specify Directory Manager as your bind DN for PAM just to test this assumption. Of course, for production you'd want some non-DM DN to bind with.

On Sun, Dec 29, 2013 at 02:54:13PM +0000, fosiul alam wrote:
> Hi,
> I need some help urgently.. as I have no idea why it's acting funny.
>
> As far as I believe, I have set up the ldap server properly in a test
> environment, but it's acting weird.. no idea why ...
>
> example
>
> [root@test ~]# id tuser
> id: tuser: No such user
>
>
> The below command shows the correct info:
>
> [root@test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -w 'xxxxx' -b 'dc=fosiul,dc=lan'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=fosiul,dc=lan> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # fosiul.lan
> dn: dc=fosiul,dc=lan
> dc: fosiul
> objectClass: domain
> objectClass: top
>
> # uk, fosiul.lan
> dn: l=uk,dc=fosiul,dc=lan
> l: uk
> objectClass: locality
> objectClass: top
>
> # groups, uk, fosiul.lan
> dn: ou=groups,l=uk,dc=fosiul,dc=lan
> ou: groups
> objectClass: organizationalUnit
> objectClass: top
>
> # users, uk, fosiul.lan
> dn: ou=users,l=uk,dc=fosiul,dc=lan
> ou: users
> objectClass: organizationalUnit
> objectClass: top
>
> # IT, groups, uk, fosiul.lan
> dn: cn=IT,ou=groups,l=uk,dc=fosiul,dc=lan
> gidNumber: 3001
> objectClass: posixGroup
> objectClass: top
> uniqueMember: uid=fosiula,ou=users,l=uk,dc=fosiul,dc=lan
> cn: IT
>
> # tuser, users, uk, fosiul.lan
> dn: uid=tuser,ou=users,l=uk,dc=fosiul,dc=lan
> givenName: Tuser
> sn: User
> uidNumber: 2001
> gidNumber: 3001
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> cn: test User
> homeDirectory: /home/tuser
> userPassword:: e1NTSEF9cGlZclc1NjBaOXdtSGxkdVVKcGJ3TUhHZjN4eG55a2lUQUxhSVE9PQ=
>  =
> uid: tuser
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
>
>
> My /etc/ldap.conf:
>
> ------------------------------------
>
> [root@test ~]# cat /etc/ldap.conf
> # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
> #
>
> # This config is managed by puppet, all changes will be reverted
>
>
> base dc=fosiul,dc=lan
> bind_policy soft
> # Search timelimit
> #timelimit 30
> timelimit 1
>
> # Bind/connect timelimit
> #bind_timelimit 30
> bind_timelimit 1
>
> #idle_timelimit 3600
> idle_timelimit 1
> bind_timeout 1
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
>
> uri ldap://puppet-1.fosiul.lan
>
> ssl start_tls
> tls_cacertfile /etc/openldap/cacerts/CRT.crt
> pam_password md5
> pam_groupdn cn=IT,ou=groups,l=uk,dc=fosiul,dc=lan
> pam_member_attribute uniqueMember
>
> tls_cacertdir /etc/openldap/cacerts
>
>
> My /etc/openldap/ldap.conf:
> ------------------------------------
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://puppet-1.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts
> tls_cacertfile /etc/openldap/cacerts/CRT.crt
>
>
> The log from the ldap server for the below command:
> ---------------------------------------------------------------------
>
> [root@test ~]# id tuser
> id: tuser: No such user
> [root@test ~]#
>
>
> [29/Dec/2013:14:49:14 +0000] conn=111 op=3 UNBIND
> [29/Dec/2013:14:49:14 +0000] conn=111 op=3 fd=76 closed - U1
> [29/Dec/2013:14:49:14 +0000] conn=115 fd=76 slot=76 connection from 192.168.0.40 to 192.168.0.35
> [29/Dec/2013:14:49:14 +0000] conn=115 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [29/Dec/2013:14:49:14 +0000] conn=115 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [29/Dec/2013:14:49:14 +0000] conn=115 SSL 256-bit AES
> [29/Dec/2013:14:49:14 +0000] conn=115 op=1 BIND dn="" method=128 version=3
> [29/Dec/2013:14:49:14 +0000] conn=115 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [29/Dec/2013:14:49:14 +0000] conn=115 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [29/Dec/2013:14:49:14 +0000] conn=115 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
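The diagnosis in the reply (anonymous BIND followed by a SRCH that returns nentries=0 with err=0, i.e. the ACL hid the entry rather than the entry being missing) can be checked mechanically against the 389 access log. This is an added example, not code from the post or from 389 DS: it correlates each connection's BIND dn with the RESULT of its searches; the conn=115 lines are the ones quoted above, while the conn=116 lines with uid=svc-nss are a constructed contrast showing an authenticated bind that does get an entry back.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: conn=115 is the exchange quoted in the post; conn=116
# (uid=svc-nss) is made up here to show a non-anonymous bind that is not flagged.
SAMPLE_LOG = """\
[29/Dec/2013:14:49:14 +0000] conn=115 fd=76 slot=76 connection from 192.168.0.40 to 192.168.0.35
[29/Dec/2013:14:49:14 +0000] conn=115 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[29/Dec/2013:14:49:14 +0000] conn=115 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[29/Dec/2013:14:49:14 +0000] conn=115 SSL 256-bit AES
[29/Dec/2013:14:49:14 +0000] conn=115 op=1 BIND dn="" method=128 version=3
[29/Dec/2013:14:49:14 +0000] conn=115 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[29/Dec/2013:14:49:14 +0000] conn=115 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[29/Dec/2013:14:49:14 +0000] conn=115 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[29/Dec/2013:14:50:02 +0000] conn=116 op=0 BIND dn="uid=svc-nss,ou=users,l=uk,dc=fosiul,dc=lan" method=128 version=3
[29/Dec/2013:14:50:02 +0000] conn=116 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc-nss,ou=users,l=uk,dc=fosiul,dc=lan"
[29/Dec/2013:14:50:02 +0000] conn=116 op=1 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="uid uidNumber"
[29/Dec/2013:14:50:02 +0000] conn=116 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=101 nentries=(?P<n>\d+)')  # tag=101: searchResultDone

def find_anonymous_empty_searches(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (conn, filter, bind_dn) for each search that completed with err=0 and
    nentries=0 on a connection whose most recent BIND was anonymous (dn="").
    A connection that never bound at all is treated as anonymous too."""
    bind_dn: Dict[str, str] = {}              # conn -> DN of the most recent BIND
    pending: Dict[Tuple[str, str], str] = {}  # (conn, op) -> filter of an open SRCH
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if b := BIND_RE.match(rest):
            bind_dn[conn] = b['dn']
        elif s := SRCH_RE.match(rest):
            pending[(conn, op)] = s['filter']          # pair SRCH with its RESULT by (conn, op)
        elif (r := RESULT_RE.match(rest)) and (conn, op) in pending:
            flt = pending.pop((conn, op))
            dn = bind_dn.get(conn, '')
            if r['err'] == '0' and r['n'] == '0' and dn == '':
                hits.append((conn, flt, dn))
    return hits
```

Running it over a day's access log and grouping hits by the filter's uid gives a quick list of lookups that only failed because the client was anonymous.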