Closed (eest closed this issue 2 years ago)
You might get away with searching on `cn=com` if all your search bases have that as part of their root, but I'm not sure if the LDAP protocol supports that. If you find something that works with `ldapsearch` but doesn't with things you can specify in `nslcd.conf`, please let me know.
Hello,

Limiting to `cn=com` won't work because we have entries spread over multiple TLDs (`dc=se`, `dc=nu`, etc).

`ldapsearch` defaults to an empty base:

```
$ ldapsearch -H ldaps://ldap.example.com uid=username uid
[...]
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=username
# requesting: uid
#
[...]
uid: username
```

... as opposed to:

```
$ ldapsearch -H ldaps://ldap.example.com -b 'dc=se' uid=username uid
[...]
# extended LDIF
#
# LDAPv3
# base <dc=se> with scope subtree
# filter: uid=username
# requesting: uid
#
[...]
uid: username
```

Note how the base changes between `<>` and `<dc=se>` above. The first query is able to find users living under both `dc=se` and `dc=nu`, while the second one of course only finds people under `dc=se`. I have not figured out how to supply such an empty base to `nslcd.conf`.
The empty base (`""`) is a perfectly valid base for LDAP; if nslcd does not support it, then that's a bug in nslcd.
@quanah thanks for the explanation. How is an empty base normally configured in `ldap.conf`? The manual page suggests not using double quotes, so this seems invalid:

```
base ""
```

This also seems weird (no idea if this is valid at all):

```
base
```

Is having an empty base a reasonable default value (nslcd now falls back to getting the naming context from the rootDSE)?
Hmm, with `ldap_search_ext(ld, "", LDAP_SCOPE_SUBTREE, "(&(objectClass=posixAccount)(uid=arthur))", ...)` I get "No such object". Using `NULL` as base instead of `""` has the same result. This is with Debian's OpenLDAP client library 2.4.59 and slapd 2.4.47 on the server. Also `ldapsearch -H ldaps://server/ uid=arthur uid` returned the same.

After adding `olcDefaultSearchBase` to the `olcFrontendConfig` object it worked!
It's not necessary to do the above if the server is configured to serve from the empty base (i.e., the database has suffix `""`). That's an uncommon configuration. However, the empty base is always present, but provides minimal information, and you have to scope the search appropriately, i.e.:

```
ldapsearch ... -s base -b ""
```

when the suffix of the database is something other than `""` (like `dc=example,dc=com` or whatever).
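The two points made above (nslcd falling back to the naming contexts advertised by the rootDSE, and the rootDSE only being readable with scope `base` and an empty base when no database has suffix `""`) can be put together in a small client-side helper. The following is an added example and not code from nss-pam-ldapd or OpenLDAP: it parses a rootDSE LDIF reply for `namingContexts`, escapes the looked-up uid so untrusted input cannot alter the filter, and builds one subtree `ldapsearch` per context. The LDIF, host name and uid are constructed sample values.

```python
"""Fan an account lookup out over every naming context advertised by the rootDSE.

Added example, not part of nss-pam-ldapd. Models what a client must do when
the server does not serve a database with suffix "": read the rootDSE with
scope base and an empty base, collect namingContexts, search each one.
"""
from __future__ import annotations

import base64
import shlex

# Constructed sample rootDSE reply (not captured from a real server). The
# third value is base64-encoded ("::") to exercise that LDIF form.
ROOTDSE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=se
namingContexts: dc=nu
namingContexts:: ZGM9ZXhhbXBsZSxkYz1jb20=

# search result
search: 2
result: 0 Success
"""


def parse_ldif_attr(ldif: str, attr: str) -> list[str]:
    """Return every value of `attr` in a single-entry LDIF.

    Handles RFC 2849 continuation lines (leading space) and base64 values
    ("attr:: ..."); comment lines and blank lines are skipped.
    """
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous logical line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):  # base64-encoded value
            values.append(base64.b64decode(rest[1:].strip()).decode())
        else:
            values.append(rest.strip())
    return values


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a uid taken from a caller cannot close or extend the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def rootdse_command(host: str) -> list[str]:
    """argv that reads the rootDSE: empty base *and* scope base, as required when
    no database is configured with suffix ""."""
    return ["ldapsearch", "-H", host, "-s", "base", "-b", "",
            "(objectClass=*)", "namingContexts"]


def lookup_plan(host: str, rootdse_ldif: str, uid: str) -> list[list[str]]:
    """One subtree search per naming context for the posixAccount named `uid`."""
    flt = f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"
    contexts = parse_ldif_attr(rootdse_ldif, "namingContexts")
    return [["ldapsearch", "-H", host, "-s", "sub", "-b", ctx, flt, "uid"]
            for ctx in contexts]


if __name__ == "__main__":
    host = "ldaps://ldap.example.com"  # assumed host name
    print(shlex.join(rootdse_command(host)))
    for argv in lookup_plan(host, ROOTDSE_LDIF, "arthur"):
        print(shlex.join(argv))
```

Run stand-alone, it prints the rootDSE read followed by one `ldapsearch` per discovered context; in a real client the LDIF fed to `lookup_plan` would be the output of the first command. Doing the fan-out from the advertised naming contexts rather than from a hand-maintained list of bases is the same idea as the nslcd fallback mentioned above, and escaping the uid matters because the filter is assembled from a value that usually originates from an untrusted caller.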
Hello,

In the LDAP directory I am using there are accounts (passwd entries) spread over multiple top-level bases in the tree. This makes it tricky to define a base. Currently we are just configuring multiple bases, one for each top-level directory, which of course leads to doing multiple lookups for each thing being looked up, which is mostly just adding extra queries for no real gain.

I have not been able to figure out a way to define an "empty" base. Leaving it out is not possible, and setting it to `""` or `''` does not work either. Is there a way? Should there be a way?