arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP
https://arthurdejong.org/nss-pam-ldapd/
GNU Lesser General Public License v2.1

Support not setting a base in nslcd.conf #50

Closed eest closed 2 years ago

eest commented 2 years ago

Hello,

In the LDAP directory I am using there are accounts (passwd entries) spread over multiple top-level bases in the tree. This makes it tricky to define a base. Currently we are just configuring multiple bases, one for each top-level directory, which of course leads to doing multiple lookups for each thing being looked up which is mostly just adding extra queries for no real gain.

I have not been able to figure out a way to define an "empty" base. Leaving it out is not possible, and setting it to "" or '' does not work either. Is there a way? Should there be a way?

arthurdejong commented 2 years ago

You might get away with searching on cn=com if all your search bases have that as part of their root but I'm not sure if the LDAP protocol supports that. If you find something that works with ldapsearch but doesn't with things you can specify in nslcd.conf, please let me know.

eest commented 2 years ago

Hello,

Limiting to cn=com won't work because we have entries spread over multiple TLDs (dc=se, dc=nu, etc.).

ldapsearch defaults to an empty base:

$ ldapsearch -H ldaps://ldap.example.com uid=username uid
[...]
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=username
# requesting: uid
#
[...]
uid: username

... as opposed to:

$ ldapsearch -H ldaps://ldap.example.com -b 'dc=se' uid=username uid
[...]
# extended LDIF
#
# LDAPv3
# base <dc=se> with scope subtree
# filter: uid=username
# requesting: uid
#
[...]
uid: username

Note how the base changes between <> and <dc=se> above. The first query is able to find users living under both dc=se and dc=nu while the second one of course only finds people under dc=se. I have not figured out how to supply such an empty base to nslcd.conf.

quanah commented 2 years ago

The empty base ("") is a perfectly valid base for LDAP, if nslcd does not support it, then that's a bug in nslcd.

arthurdejong commented 2 years ago

@quanah thanks for the explanation. How is an empty base normally configured in ldap.conf? The manual page suggests to not use double quotes so this seems invalid:

base ""

this also seems weird (no idea if this is valid at all):

base

Is having an empty base a reasonable default value (nslcd now falls back to getting the naming context from the rootDSE)?

arthurdejong commented 2 years ago

Hmm, with ldap_search_ext(ld, "", LDAP_SCOPE_SUBTREE, "(&(objectClass=posixAccount)(uid=arthur))",...) I get "No such object". Using NULL as base instead of "" has the same result. This is with Debian's OpenLDAP client library 2.4.59 and slapd 2.4.47 on the server. Also ldapsearch -H ldaps://server/ uid=arthur uid returned the same.

After adding olcDefaultSearchBase to the olcFrontendConfig object it worked!

quanah commented 2 years ago

It's not necessary to do the above if the server is configured to serve from the empty base (i.e., the database has suffix ""). That's an uncommon configuration. However, the empty base is always present, but provides minimal information, and you have to scope the search appropriately, i.e.:

ldapsearch ... -s base -b ""

when the suffix of the database is something other than "" (like dc=example,dc=com or whatever).
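An added illustration, not code from nslcd or OpenLDAP, of the behaviour discussed in arthurdejong's ldap_search_ext test and in the last comment: a small in-memory model of how a server answers a search on the empty base depending on scope, on whether a database serves suffix "", and on a default search base, plus the rootDSE namingContexts fallback that nslcd uses. The DNs, accounts, `Directory` class and `lookup_uid` helper are constructed assumptions that simplify the real servers' rules.

```python
# Added illustration (not nslcd or OpenLDAP code): an in-memory model of how a server
# answers searches on the empty base "", plus an nslcd-style client fallback to the rootDSE.
NO_SUCH_OBJECT = "noSuchObject"  # LDAP resultCode 32, shown by tools as "No such object"

def norm(dn):  # case-fold a DN and strip spacing around RDN separators for comparison
    return ",".join(p.strip() for p in dn.split(",")).lower() if dn else ""

def in_scope(dn, base, scope):  # does entry dn fall within base under scope base/one/sub?
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base  # parent DN ("" for a top-level entry)
    return dn == base or base == "" or dn.endswith("," + base)

class Directory:  # entries keyed by normalised DN; suffixes are the naming contexts
    def __init__(self, suffixes, entries, default_search_base=None):
        self.suffixes = [norm(s) for s in suffixes]
        self.default_base = norm(default_search_base) if default_search_base else None
        self.entries = {norm(dn): attrs for dn, attrs in entries.items()}
        # The rootDSE sits at the empty DN and advertises the naming contexts.
        self.entries[""] = {"namingContexts": list(self.suffixes)}

    def search(self, base, scope, match):
        """Return [(dn, attrs)] for matching entries, or NO_SUCH_OBJECT."""
        base = norm(base)
        if base == "" and scope != "base":
            if self.default_base is not None:  # olcDefaultSearchBase rewrites it
                base = self.default_base
            elif "" not in self.suffixes:      # no database serves suffix ""
                return NO_SUCH_OBJECT
        elif base != "" and not any(in_scope(base, s, "sub") for s in self.suffixes):
            return NO_SUCH_OBJECT              # base is held by no database
        return [(dn, a) for dn, a in self.entries.items()
                if in_scope(dn, base, scope) and match(a)]

def lookup_uid(directory, uid, configured_base=None):
    """nslcd-style lookup: the configured base, else every rootDSE namingContext."""
    if configured_base is None:
        [(_, root)] = directory.search("", "base", lambda a: True)
        bases = root["namingContexts"]
    else:
        bases = [configured_base]
    # One subtree query per base: the extra round trips described in the issue.
    results = (directory.search(b, "sub", lambda a: a.get("uid") == uid) for b in bases)
    return [dn for res in results if res != NO_SUCH_OBJECT for dn, _ in res]

SAMPLE = Directory(["dc=se", "dc=nu"], {  # constructed sample: accounts under two TLD bases
    "uid=anna,ou=people,dc=se": {"uid": "anna"},
    "uid=bjorn,ou=people,dc=nu": {"uid": "bjorn"}})
```

With SAMPLE, a subtree search on "" returns noSuchObject while a base-scoped search on "" returns the rootDSE; the same directory served from suffix "" or with a default search base answers the subtree search instead.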