Re: anonymous queries on second suffix subtrees


 




> On 1 May 2020, at 00:56, Mc Laughlin David Bruce (ID BD) <david.mclaughlin@xxxxxxxxxx> wrote:
> 
> Hi, Mark.
> 
> Your questions and comments have pointed me in the right direction and solved several
> mysteries about missing db files, etc.
> 
> I will remove both root suffixes and their respective databases and then re-create them using
> dscreate to create the instance and using dsconf (with the "--create-suffix" option) to add the
> second root suffix.

Yep, that would work. You can also consider just using dsconf to remove any suffixes you have currently and to just re-add them without needing to re-create the instance :) 

> 
> Even with the https://directory.fedoraproject.org/docs/389ds/documentation.html site and the
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/  documentation,
> the product is so big that it is difficult to get an overview.

Yep, but that documentation is very helpful too :) 

> 
> I will not bother you again before the instance and its suffixes have been rebuilt.

Feel free to bother us anytime, we are here to help!

> 
> Thanks for your help,
> David
> 
> ___________________________________________________
> David McLaughlin
> ETH Zürich / Swiss Federal Institute of Technology
> Informatikdienste
> Basisdienste
> Mail, Archive & Directories group
> CH-8092 Zürich
>  
> Tel.: +41 44 632 3531
> e-mail: david.mclaughlin@xxxxxxxxxx
> 
> 
> From: Mark Reynolds <mreynolds@xxxxxxxxxx>
> Sent: 30 April 2020 4:21 PM
> To: Mc Laughlin David Bruce (ID BD); General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] anonymous queries on second suffix subtrees
>  
> 
> On 4/30/20 9:53 AM, Mc Laughlin David Bruce (ID BD) wrote:
>> Hi, Mark.
>> 
>> I did not expect a reply so soon!
>> 
>> When I query as "Directory Manager", I get the expected result.
>> 
>> I used the setup-ds.pl script to create the o=ethz,c=ch root suffix.
> You should be using dscreate to create your instance, not setup-ds.pl
>> I used "dsconf backend create" to add the second suffix (o=psi,c=ch).
> Did you add any entries to o=psi,c=ch ?
>> 
>> The subtrees are not properly connected to their respective root suffixes.
>> Could this problem be caused by missing entries in the two "root suffix" databases?
>> 
>> [root@el-dap ~]#
>> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'o=psi,c=ch' '(ou=*)'
>> No such object (32)
> So you did not initialize this suffix.  It is empty.  
> When creating the backend you could have created the top database node entry by adding the "--create-suffix" option:
> # dsconf slapd-YOUR_INSTANCE backend create --suffix o=psi,c=ch --create-suffix
> Note - dscreate or dsconf do not add any aci's by default.  You have to add the aci's after initializing the database with some data.
>> [root@el-dap ~]#
>> 
>> 
>> Anonymous queries  on the two subtrees (ou=staff & ou=student) on root suffix (o=ethz,c=ch) 
>> return the expected result.
> So searches on "ou=staff,o=ethz,c=ch" work?  But just searching on "o=ethz,c=ch" does not?  I'm getting confused because you keep changing which suffixes work or don't work.  First it was subtrees under o=psi,c=ch that didn't return any results, now it's different subtrees under o=ethz,c=ch
> So if you are having issues with anything under "o=ethz,c=ch" then can you please run this search, and also clarify which subtrees work and don't work for anonymous searches under this suffix "o=ethz,c=ch":
> 
> # ldapsearch -D "cn=directory manager" -W -b "o=ethz,c=ch" aci=* aci
> Thanks,
> Mark
> 
>> 
>> However, anonymous queries on the o=ethz,c=ch root suffix  also return no records.
>> 
>> with best regards,
>> David
>> 
>> e-mail: david.mclaughlin@xxxxxxxxxx
>> 
>> 
>> From: Mark Reynolds <mreynolds@xxxxxxxxxx>
>> Sent: 30 April 2020 3:10 PM
>> To: General discussion list for the 389 Directory server project.; Mc Laughlin David Bruce (ID BD)
>> Subject: Re: [389-users] anonymous queries on second suffix subtrees
>>  
>> 
>> On 4/30/20 7:14 AM, Mc Laughlin David Bruce (ID BD) wrote:
>>> Hello, 389ers.
>>> 
>>> I am migrating a whitepages server from OpenLDAP to 389-DS.
>>> 
>>> My instance has a root suffix with two subtrees (for staff and students).
>>> Anonymous queries of the two root suffix subtrees return the expected results.
>>> 
>>> The instance also has a second suffix of "o=psi,c=ch" with three subtrees:
>>>   ou=contacts,o=psi,c=ch
>>>   ou=groups,o=psi,c=ch
>>>   ou=users,o=psi,c=ch
>>> 
>>> Anonymous queries of the three "o=psi,c=ch" subtrees return NO records.
>>> 
>>> I have added ACIs for the three "o=psi,c=ch" subtrees and restarted the instance, but
>>> anonymous queries of any of the three "o=psi,c=ch" subtrees STILL return no records.
>>> 
>>> Does anyone know how to allow anonymous queries?
>> First you don't need to restart the server when you add or change ACI's.  If you run the search as "cn=directory manager" does it return the results you expect?
>> Can you share all the ACI's you added to o=psi,c=ch subtrees?  Maybe gather all of them by using this search:
>>     # ldapsearch -D "cn=directory manager" -W -b "o=psi,c=ch" aci=* aci
>> Thanks,
>> Mark
>> 
>>> 
>>> Thanks,
>>>  David
>>> 
>>> [root@el-dap ~]#
>>> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -D "cn=Directory Manager" -W -x -b "ou=users,o=psi,c=ch" -s sub '(aci=*)' aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=users,o=psi,c=ch> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>> # users, psi, ch
>>> dn: ou=users,o=psi,c=ch
>>> aci: (target = "ldap:///ou=users,o=psi,c=ch";)(version 3.0; acl "Anonymous read
>>>  , search for users";allow (read, search) userdn = "ldap:///anyone";;)
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> # numResponses: 2
>>> # numEntries: 1
>>> [root@el-dap ~]#
>>> 
>>> 
>>> [root@el-dap ~]#
>>> [root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'ou=users,o=psi,c=ch' '(cn=*kohler*)'
>>> [root@el-dap ~]#
>>> 
>>> 
>>> [root@el-dap ~]#
>>> [root@el-dap ~]# tail /var/log/dirsrv/slapd-el-dap/access
>>> [30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
>>> [30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
>>> [30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
>>> [30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
>>> [30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
>>> [30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
>>> [30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
>>> [root@el-dap ~]#
>>> 
>>> ___________________________________________________
>>> David McLaughlin
>>> ETH Zürich / Swiss Federal Institute of Technology
>>> Informatikdienste
>>> Basisdienste
>>> Mail, Archive & Directories group
>>> CH-8092 Zürich
>>>  
>>> Tel.: +41 44 632 3531
>>> e-mail: david.mclaughlin@xxxxxxxxxx
>>> 
>>> 
>>> _______________________________________________
>>> 389-users mailing list -- 
>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> 
>>> To unsubscribe send an email to 
>>> 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> 
>>> Fedora Code of Conduct: 
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> 
>>> List Guidelines: 
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> 
>>> List Archives: 
>>> https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> -- 
>> 
>> 389 Directory Server Development Team
>> 
> -- 
> 
> 389 Directory Server Development Team
> 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
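
An added example, not part of the original messages or of the 389 Directory Server project: a small parser for the access-log layout quoted in the thread that lists every search made on an anonymous connection together with its result code and entry count. It separates the two outcomes seen above, a search that succeeds but returns nothing (err=0, nentries=0) and one against a base entry that does not exist (err=32). The conn=5 lines are copied from the thread; the conn=6 and conn=7 lines and the function name are constructed for illustration.

```python
import re

# Patterns follow the access-log layout quoted in the thread.
LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d filter="(?P<filter>.*)" attrs=')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) .*?nentries=(?P<n>\d+)')

def anonymous_searches(lines):
    """Return one record per search issued while the connection was anonymous."""
    bound = {}    # conn -> bind DN in effect; missing or "" means anonymous
    pending = {}  # (conn, op) -> ("BIND", dn) or ("SRCH", record) awaiting RESULT
    found = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["op"] is None:
            continue  # connection-open lines carry no op= field
        conn, key, rest = m["conn"], (m["conn"], m["op"]), m["rest"]
        if b := BIND.match(rest):
            pending[key] = ("BIND", b["dn"])
        elif s := SRCH.match(rest):
            if not bound.get(conn):
                pending[key] = ("SRCH", {"conn": int(conn), "base": s["base"], "filter": s["filter"]})
        elif (r := RESULT.match(rest)) and key in pending:
            kind, val = pending.pop(key)
            if kind == "BIND":
                bound[conn] = val if r["err"] == "0" else ""  # failed bind stays anonymous
            else:
                val.update(err=int(r["err"]), nentries=int(r["n"]))
                found.append(val)
    return found

# conn=5 lines are from the thread; conn=6 and conn=7 are constructed for this example.
SAMPLE = """\
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:24:10.000000001 +0200] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[30/Apr/2020:10:24:10.000000002 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="cn=directory manager"
[30/Apr/2020:10:24:10.000000003 +0200] conn=6 op=1 SRCH base="o=psi,c=ch" scope=2 filter="(aci=*)" attrs="aci"
[30/Apr/2020:10:24:10.000000004 +0200] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000200000
[30/Apr/2020:10:25:30.000000001 +0200] conn=7 op=0 SRCH base="o=psi,c=ch" scope=2 filter="(ou=*)" attrs=ALL
[30/Apr/2020:10:25:30.000000002 +0200] conn=7 op=0 RESULT err=32 tag=101 nentries=0 etime=0.0000150000
""".splitlines()

if __name__ == "__main__":
    print(*anonymous_searches(SAMPLE), sep="\n")
```

The same report, run over a production access log, also shows which bases anonymous clients can read entries from (nentries greater than zero), which is worth reviewing after adding an "ldap:///anyone" ACI.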