为什么slapd请求后端加载不同于要求的dn？

Question

当我实际要求dn = "cn=kerberoskdc,cn=config,dc=example,dc=com"

时，有人可以解释为什么slapd请求其后端加载与专有名称'cn=user,dc=example,dc=com', 'user'相对应的数据

代码：

require 'net/ldap'
con = Net::LDAP.new
con.host = 'localhost'
con.port = 389
con.auth 'cn=user,dc=example,dc=com', 'user'

if con.bind
  puts con.get_operation_result
else
  puts con.get_operation_result
end

的slapd.conf：

include         /private/etc/openldap/schema/core.schema
include         /private/etc/openldap/schema/cosine.schema
include         /private/etc/openldap/schema/nis.schema
include         /private/etc/openldap/schema/inetorgperson.schema

pidfile         /private/var/db/openldap/run/slapd.pid
argsfile        /private/var/db/openldap/run/slapd.args

 modulepath     /usr/libexec/openldap
 moduleload     back_bdb.la

access to *
        by self write
        by * read
        by anonymous auth

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

rootpw          {SSHA}VPu01KnHRk2FZtTi52W6LNFqr4nJazyK

directory       /private/var/db/openldap/openldap-data

index   objectClass     eq

详细信息服务器消息：

 ... 
    5a41d4ae <<< dnPrettyNormal: <cn=user,dc=example,dc=com>, <cn=user,dc=example,dc=com>
    5a41d4ae conn=1000 op=0 BIND dn="cn=user,dc=example,dc=com" method=128
    5a41d4ae do_bind: version=3 dn="cn=user,dc=example,dc=com" method=128
    5a41d4ae ==> bdb_bind: dn: cn=user,dc=example,dc=com
    5a41d4ae bdb_dn2entry("cn=user,dc=example,dc=com")
    5a41d4ae => bdb_dn2id("dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: got id=0x5
    5a41d4ae => bdb_dn2id("cn=user,dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: got id=0x17
    5a41d4ae entry_decode: "cn=user,dc=example,dc=com"
    5a41d4ae <= entry_decode(cn=user,dc=example,dc=com)
    5a41d4ae => bdb_search
    5a41d4ae bdb_dn2entry("cn=kerberoskdc,cn=config,dc=example,dc=com")
    5a41d4ae => bdb_dn2id("cn=config,dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
    5a41d4ae entry_decode: "dc=example,dc=com"
    5a41d4ae <= entry_decode(dc=example,dc=com)
    5a41d4ae => access_allowed: disclose access to "dc=example,dc=com" "entry" requested
    5a41d4ae => acl_get: [1] attr entry
    5a41d4ae => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
    5a41d4ae => acl_mask: to all values by "cn=kerberoskdc,cn=config,dc=example,dc=com", (=0) 
    5a41d4ae <= check a_dn_pat: self
    5a41d4ae <= check a_dn_pat: *
    5a41d4ae <= acl_mask: [2] applying read(=rscxd) (stop)
    5a41d4ae <= acl_mask: [2] mask: read(=rscxd)
    5a41d4ae => slap_access_allowed: disclose access granted by read(=rscxd)
    5a41d4ae => access_allowed: disclose access granted by read(=rscxd)
    5a41d4ae send_ldap_result: conn=-1 op=0 p=0
    5a41d4ae send_ldap_result: err=10 matched="dc=example,dc=com" text=""
    5a41d4ae Entry *odusers_copy_entry(Operation *): Unable to locate cn=kerberoskdc,cn=config,dc=example,dc=com (32)
    5a41d4ae odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=example,dc=com
    5a41d4ae odusers_krb_auth: could not retrieve krb realm while authing user
    5a41d4ae send_ldap_result: conn=1000 op=0 p=3
    5a41d4ae send_ldap_result: err=50 matched="" text=""
    5a41d4ae send_ldap_response: msgid=1 tag=97 err=50
    ....

终端输出：

fail
#<OpenStruct extended_response=nil, code=50, error_message="", matched_dn="", message="Insufficient Access Rights">

Answer 1

这是一个适用于我的OpenLDAP服务器的解决方法，我在OS X El Capitan中的Ruby on Rails开发环境中使用。我找到了答案here。它更像是一种解决方法，而不是解决方案。

1. 将'database hdb'替换为slapd.conf中的'database ldif'。
2. 删除'module load back_hdb.la'
3. slapd将在您删除任何其他特定于数据库的配置（例如索引）之后才会运行。

这是我的slapd.conf：

include   /usr/local/etc/openldap/schema/core.schema
include   /usr/local/etc/openldap/schema/cosine.schema
include   /usr/local/etc/openldap/schema/inetorgperson.schema


# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel  -1 

# MODULELOAD definitions
# not required (comment out) before version 2.3
#moduleload back_hdb.la

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# bdb database definitions
# 
# replace example and com below with a suitable domain
# 
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database ldif
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=matt, dc=example, dc=com"
rootpw {SSHA}d+/KMakRv0dLLXp4Qu0ezvfcdpHQA4pU
# The database directory MUST exist prior to running slapd AND 
# change path as necessary
directory /var/db/openldap/openldap-data

# Indices to maintain for this directory
# unique id so equality match only
#index  uid eq
# allows general searching on commonname, givenname and email
#index  cn,gn,mail eq,sub
# allows multiple variants on surname searching
#index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
#index default eq,sub
# indices missing - uses default eq,sub
#index telephonenumber

## other database parameters
## read more in slapd.conf reference section
#cachesize 10000
#checkpoint 128 15