[ldap] "no such object" 问题 [复制链接]

论坛徽章:: 1

2楼 [报告]

发表于 2006-07-03 23:04 |只看该作者

是不是ACL设置的问题？不用匿名search呢？

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

论坛徽章:: 0

3楼 [报告]

发表于 2006-07-04 10:44 |只看该作者

不是很了解LDAP,但应该没配ACL

[root@mail openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include       /etc/openldap/schema/core.schema
include       /etc/openldap/schema/cosine.schema
include       /etc/openldap/schema/inetorgperson.schema
#include             /etc/openldap/schema/misc.schema
include       /etc/openldap/schema/nis.schema
include       /etc/openldap/schema/authldap.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile       /var/run/slapd.pid
argsfile       /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#             Allow self write access
#             Allow authenticated users read access
#             Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read"

#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database       ldbm
suffix       "dc=example,dc=com"
rootdn       "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(

and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw             secret
#rootpw       {crypt}ijFYNcSNctBYg
rootpw       {SSHA}nA/PaFL506QXlm1W4sTJfbPF+YC/noAv

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/lib/ldap

# Indices to maintain for this database
index objectClass                      eq
index cn                               eq
index mail,maildrop                   pres
index mailbox,quota,uidNumber,gidNumber eq

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#    bindmethod=sasl saslmech=GSSAPI
#    authcId=host/ldap-master.example.com@EXAMPLE.COM
loglevel                               4
[root@mail openldap]#

[root@mail openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF       never
HOST 127.0.0.1
URI ldap://127.0.0.1
BASE dc=example,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts

如果我不用匿名查询,
[root@mail openldap]# ldapsearch -LLL -b "uid=bammbamm,ou=it,ou=people,dc=example,dc=com"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
      additional info: SASL(-13): user not found: no secret in database

sasl配置
[root@mail openldap]# cat /usr/lib/sasl2/slapd.conf
mech_list: DIGEST-MD5
我试着把rootpw改成plaintext或者是MD5, 不匿名查询出现一样的错误.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

py

论坛徽章:: 1

4楼 [报告]

发表于 2006-07-04 22:59 |只看该作者

MD5是slapd.conf文件中rootpw的秘文，-x是使用simple search，和是否匿名search都没关系。
你现在一直在用anonymous bind，用rootdn试试。
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "dc=example,dc=com" '(objectclass=*)'

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

论坛徽章:: 0

5楼 [报告]

发表于 2006-07-05 22:35 |只看该作者

谢谢, 结果如下.

[root@mail ~]# ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "dc=example,dc=com" "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[root@mail ~]# ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "uid=bammbamm,ou=it,ou=people,dc=example,dc=com" "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=bammbamm,ou=it,ou=people,dc=example,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# bammbamm, it, people, example.com
dn: uid=bammbamm,ou=it,ou=people,dc=example,dc=com
uid: bammbamm
givenName: Bamm
sn: Bamm
cn: Bamm Bamm
userPassword:: YmFtbV9zZWNyZXQ=
homeDirectory: /var/spool/mail/bammbamm
mail: bamm@example.com
maildrop: postmaster@example.com
maildrop: bamm.bamm@example.com
maildrop: abuse@example.com
objectClass: CourierMailAlias
objectClass: CourierMailAccount
objectClass: inetOrgPerson
uidNumber: 1003
gidNumber: 1003
mailbox: /var/spool/mail/bammbamm/Maildir
quota: 5120000S

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

py

论坛徽章:: 1

6楼 [报告]

发表于 2006-07-06 15:02 |只看该作者

这是一个很有营养的错误，希望这样的错误更多一些

首先我看到你用的是ldbm，比较担心，我猜测你的数据是从ldif文件直接导入的。而且可能是用了slapadd做的导入？当然这就是一个猜想。
正常情况下执行上面的两个命令是可以查询到结果的，不会出现32 No such object（我已经测试过），楼主这样试试：
1。用#注销掉ldap.conf文件中的所有行
2。贴出你导入的ldif文件中“DN: dc=example,dc=com”的部分
3。重新启动slapd进程，指定日志level。slapd -d 256
4。进行如下查询：
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "dc=example,dc=com" -s base "(objectclass=*)"
如果失败，把日志中显示出来的相关错误发出来

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

论坛徽章:: 0

7楼 [报告]

发表于 2006-07-06 17:00 |只看该作者

谢谢版主

如版主所说, 我的数据是从ldif文件直接导入的。而且是用了slapadd做的导入.我选用ldbm 是因为AS4自带的openldap 支持bdm好象有点问题.

[root@mail ~]# more ldap.example.com.ldif
#    Diese Datei wurde erstellt am 2004-06-29 um 23:51:06
#    von Softerra LDAP Administrator v3 [ http://www.ldapadministrator.com ]
version: 1
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: The Example Corporation
creatorsName: cn=manager,dc=example,dc=com
modifiersName: cn=manager,dc=example,dc=com
createTimestamp: 20040530141258Z
modifyTimestamp: 20040530141258Z
subschemaSubentry: cn=Subschema

[root@mail openldap]# ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "dc=example,dc=com" -s base "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope base
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[root@mail ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.2.13 (Apr 20 2005 18:32:13) $
      root@decompose.build.redhat.com:/usr/src/build/557148-i386/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
slapd starting
conn=0 fd=8 ACCEPT from IP=127.0.0.1:32887 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=0 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=0 op=2 UNBIND
conn=0 fd=8 closed
conn=1 fd=8 ACCEPT from IP=127.0.0.1:32888 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1 op=2 UNBIND
conn=1 fd=8 closed
conn=2 fd=8 ACCEPT from IP=127.0.0.1:32889 (IP=0.0.0.0:389)
conn=2 op=0 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(maildrop=yahoo.com)"
conn=2 op=0 SRCH attr=mail
conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=2 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(maildrop=yahoo.com)"
conn=2 op=1 SRCH attr=mail
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=2 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(maildrop=example.com)"
conn=2 op=2 SRCH attr=mail
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

[root@mail openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF       never
#HOST 127.0.0.1
#URI ldap://127.0.0.1
#BASE dc=example,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

py

论坛徽章:: 1

8楼 [报告]

发表于 2006-07-06 20:04 |只看该作者

slapadd...看来和我想的一样
32 No such object意思很单纯，而且成因也一样单纯。就是找不到你指定的那个object，这个object的确存在于你的这个“树”上。但你指定的这个结点出现了问题，所以LDAP会认为你指定的这个结点不存在。从你的ldif文件中能看到，至少缺少了entryUUID，之后找不到结点就很正常了。
在不确定ldif文件的来源是否正确的时候要用ldapadd导入，ldapadd在导入的时候会判断没一个结点的没一个属性是否合法，但slapadd是server端的工具，不会对你的ldif文件做任何检测。
解决现在你的问题办法很多，但，最简单的办法就是重新导入。但你的跟结点有问题，那就先用ldapadd工具导入根结点ldif文件这样写：
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: The Example Corporation
然后再用slapadd导入其余的结点，最后再执行上面的ldapsearch看看查询结果。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

论坛徽章:: 0

9楼 [报告]

发表于 2006-07-06 20:58 |只看该作者

分析得对

版主分析的对. 我发现如果base指向ou=people,dc=example,dc=com, 就可以. 不知道entry UUID为什么不对,不应该有createowner ... 等属性吗?
另外, 我暂时还不知道如何删掉现有的entry. 有结果再汇报.

[root@mail openldap]# ldapadd -x -v -f /root/maildrop.pdif
ldap_initialize( <DEFAULT> )
add objectClass:
      dcObject
      organization
add dc:
      example
add o:
      The Example Corporation
adding new entry "dc=example,dc=com"
modify complete
ldap_add: Strong(er) authentication required (

additional info: modifications require authentication

[root@mail openldap]# ldapsearch -x -LLL -b "dc=example,dc=com"
No such object (32)

[root@mail openldap]# ldapsearch -x -LLL -b "ou=people,dc=example,dc=com"
dn: ou=people,dc=example,dc=com
ou: people
description: All employees
objectClass: CourierMailAlias
objectClass: organizationalUnit
maildrop: all@example.com
mail: bamm@example.com
mail: pebble@example.com
mail: mcbricker@example.com
mail: flintstone@example.com
mail: rubble@example.com

dn: ou=it,ou=people,dc=example,dc=com
ou: it
objectClass: CourierMailAlias
objectClass: organizationalUnit
maildrop: it@example.com
mail: bamm@example.com

[root@mail openldap]# ldapsearch -x -LLL -b "uid=bammbamm,ou=it,ou=people,dc=example,dc=com"
dn: uid=bammbamm,ou=it,ou=people,dc=example,dc=com
uid: bammbamm
givenName: Bamm
sn: Bamm
cn: Bamm Bamm
userPassword:: YmFtbV9zZWNyZXQ=
homeDirectory: /var/spool/mail/bammbamm
mail: bamm@example.com
maildrop: postmaster@example.com
maildrop: bamm.bamm@example.com
maildrop: abuse@example.com
objectClass: CourierMailAlias
objectClass: CourierMailAccount
objectClass: inetOrgPerson
uidNumber: 1003
gidNumber: 1003
mailbox: /var/spool/mail/bammbamm/Maildir
quota: 5120000S

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？