Re: ldapsearch and 389ds

Mark Reynolds <mareynol@xxxxxxxxxx> · Fri, 3 Jun 2016 17:06:11 -0400

    On 06/03/2016 03:18 PM, Job Cacka
      wrote:

      As I was investigating this, I realized I missed a bunch of log entries. My script 'createusr test06032016d' runs three commands, and at least one of them looks like it 'spawns?' another process in the 389ds server.  I think it is the first 'conn=66087' entries that really matter.

here is the more complete set of logs:

[03/Jun/2016:12:02:39 -0700] conn=66087 fd=85 slot=85 connection from 192.168.x.y to 192.168.x.z
[03/Jun/2016:12:02:39 -0700] conn=66087 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[03/Jun/2016:12:02:39 -0700] conn=66087 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jun/2016:12:02:39 -0700] conn=66087 SSL 256-bit AES
[03/Jun/2016:12:02:39 -0700] conn=66087 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jun/2016:12:02:39 -0700] conn=66087 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jun/2016:12:02:39 -0700] conn=66087 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=test06032016d))" attrs=ALL
[03/Jun/2016:12:02:39 -0700] conn=66087 op=2 RESULT err=0 tag=101 nentries=0 etime=0

    Here there are NO entries that match this filter in
    "dc=domain,dc=com": 
    (&(objectClass=posixAccount)(uid=test06032016d))

      [03/Jun/2016:12:02:39 -0700] conn=66087 op=3 SRCH base="sambaDomainName=MYWORKGROUP,dc=domain,dc=com" scope=0 filter="(objectClass=sambaUnixIdPool)" attrs="uidNumber"
[03/Jun/2016:12:02:39 -0700] conn=66087 op=3 RESULT err=0 tag=101 nentries=1 etime=0

    We found this entry (nentries=1)

      [03/Jun/2016:12:02:39 -0700] conn=66087 op=4 MOD dn="sambaDomainName=MYWORKGROUP,dc=domain,dc=com"
[03/Jun/2016:12:02:39 -0700] conn=66087 op=4 RESULT err=0 tag=103 nentries=0 etime=0

    We modify it

      [03/Jun/2016:12:02:39 -0700] conn=66087 op=5 SRCH base="dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1761))" attrs=ALL
[03/Jun/2016:12:02:39 -0700] conn=66087 op=5 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

    We do NOT find any entry matching (nentries=0): 
    "(&(objectClass=posixAccount)(uidNumber=1761))"

      [03/Jun/2016:12:02:39 -0700] conn=66087 op=6 SRCH base="ou=GROUPS,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=513))" attrs=ALL
[03/Jun/2016:12:02:39 -0700] conn=66087 op=6 RESULT err=0 tag=101 nentries=0 etime=0

    Again no entry

      [03/Jun/2016:12:02:39 -0700] conn=66087 op=-1 fd=85 closed - B1

[03/Jun/2016:12:02:39 -0700] conn=66088 fd=85 slot=85 connection from 192.168.x.y to 192.168.x.z
[03/Jun/2016:12:02:40 -0700] conn=66088 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[03/Jun/2016:12:02:40 -0700] conn=66088 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jun/2016:12:02:40 -0700] conn=66088 SSL 256-bit AES
[03/Jun/2016:12:02:40 -0700] conn=66088 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jun/2016:12:02:40 -0700] conn=66088 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jun/2016:12:02:40 -0700] conn=66088 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=test06032016d))" attrs=ALL
[03/Jun/2016:12:02:40 -0700] conn=66088 op=2 RESULT err=0 tag=101 nentries=0 etime=0

    No matching entry again

      [03/Jun/2016:12:02:40 -0700] conn=66088 op=-1 fd=85 closed - B1

[03/Jun/2016:12:02:40 -0700] conn=66089 fd=85 slot=85 connection from 192.168.x.y to 192.168.x.z
[03/Jun/2016:12:02:40 -0700] conn=66089 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[03/Jun/2016:12:02:40 -0700] conn=66089 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[03/Jun/2016:12:02:40 -0700] conn=66089 SSL 256-bit AES
[03/Jun/2016:12:02:40 -0700] conn=66089 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jun/2016:12:02:40 -0700] conn=66089 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jun/2016:12:02:40 -0700] conn=66089 op=2 SRCH base="ou=GROUPS,dc=domain,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=Domain Users))" attrs=ALL
[03/Jun/2016:12:02:40 -0700] conn=66089 op=2 RESULT err=0 tag=101 nentries=1 etime=0

    We do find this group (nentries=1)

      [03/Jun/2016:12:02:40 -0700] conn=66089 op=3 SRCH base="dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=test06032016d))" attrs=ALL
[03/Jun/2016:12:02:40 -0700] conn=66089 op=3 RESULT err=0 tag=101 nentries=0 etime=0

    No matching entries

      [03/Jun/2016:12:02:40 -0700] conn=66089 op=4 UNBIND
[03/Jun/2016:12:02:40 -0700] conn=66089 op=4 fd=85 closed - U1

[03/Jun/2016:12:02:40 -0700] conn=24 op=5428 SRCH base="dc=domain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=test06032016d))" attrs="userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory"
[03/Jun/2016:12:02:40 -0700] conn=24 op=5428 RESULT err=0 tag=101 nentries=0 etime=0

    No matching entries.

    So, either there are simply no entries in your database, or they are
    missing the objectclass "posixAccount/posixGroup"

    Try these ldapsearches:

    ldapsearch -H ldaps://ds1.domain.com -D "cn=directory manager" -w "pass" -xLLL -b "dc=domain,dc=com" uid=test06032016d    

ldapsearch -H ldaps://ds1.domain.com -D "cn=directory manager" -w "pass" -xLLL -b "dc=domain,dc=com" uidNumber=1761

ldapsearch -H ldaps://ds1.domain.com -D "cn=directory manager" -w "pass" -xLLL -b "dc=domain,dc=com" gidNumber=513

If these searches do not return any results then there are no entries.  If they are returned check for the objectclasses posixAccount and posixGroup (for the gidNumber search)

    Mark

      --
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx