I have an LDAP server on which I can search for users successfully:
ldapsearch -h localhost -p 389 -b "dc=pieye,dc=org" "cn=Markus Proeller" -D "cn=admin,dc=pieye,dc=org" -W
Enter LDAP Password:
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But if I try the same search bound as my own user, I get the following output:
ldapsearch -h localhost -p 389 -b "dc=pieye,dc=org" "cn=Markus Proeller" -D "cn=Markus Proeller,ou=people,dc=pieye,dc=org" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=pieye,dc=org> with scope subtree
# filter: cn=Markus Proeller
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
I would expect both bind DNs to get the same result. The background to my question is phabricator, where LDAP authentication fails because it apparently also expects the second command to produce valid output.
The problem is related to LDAP user permissions (see e.g. How to add rights to an user with olcAccess, in an OpenLDAP 2.4). My problem was solved with the following ldap.ldif file:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=pieye,dc=org" write by anonymous auth by * none
olcAccess: to * by self write by dn="cn=admin,dc=pieye,dc=org" write by users read by * none
The file is applied with:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ldap.ldif
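As an added illustration (not code from the question or the answer above), the following toy evaluator models how slapd applies the two olcAccess clauses in the answer's ldap.ldif: the first "to" clause whose target matches is the only one consulted, within it the first matching "by" clause decides, and no match means no access. Because slapd answers a search whose base the requester may not read with result 32 "No such object" rather than disclosing that the entry exists, an ACL problem looks exactly like a missing entry, which is the symptom in the question. Only cn=admin and cn=Markus Proeller come from the page; the other DNs and the directory contents are constructed for the demonstration.

```python
# Added example, not part of the original answer: a toy evaluator of the
# olcAccess rules from the answer's ldap.ldif so you can check what each bind
# DN may do before pushing the LDIF with ldapmodify.

ADMIN_DN = "cn=admin,dc=pieye,dc=org"
USER_DN = "cn=Markus Proeller,ou=people,dc=pieye,dc=org"
OTHER_DN = "cn=Other User,ou=people,dc=pieye,dc=org"   # constructed DN
BASE_DN = "dc=pieye,dc=org"

# slapd access levels in increasing order (each implies the ones before it).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The answer's two olcAccess clauses, in order.  A "to" target of None means
# "to *"; a set means "to attrs=...".  Each "by" clause is (who, level).
ACCESS_RULES = [
    ({"userpassword", "shadowlastchange"},
     [("self", "write"), (("dn", ADMIN_DN), "write"), ("anonymous", "auth"), ("*", "none")]),
    (None,
     [("self", "write"), (("dn", ADMIN_DN), "write"), ("users", "read"), ("*", "none")]),
]


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to this requester and target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if isinstance(who, tuple) and who[0] == "dn":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(who[1])
    raise ValueError("unsupported by-clause: %r" % (who,))


def access_level(bind_dn, target_dn, attr=None):
    """Level granted to bind_dn on target_dn (attr=None means the entry itself).

    slapd semantics: the first 'to' clause whose target matches is the only one
    consulted; within it the first matching 'by' clause wins; no match means none.
    """
    for target_attrs, by_clauses in ACCESS_RULES:
        if target_attrs is not None and (attr is None or attr.lower() not in target_attrs):
            continue   # an attrs= clause matches neither entry-level access nor other attrs
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def has_access(bind_dn, target_dn, needed, attr=None):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(access_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def visible_entries(bind_dn, entry_dns):
    """DNs a subtree search would return: the requester needs read on each entry."""
    return [dn for dn in entry_dns if has_access(bind_dn, dn, "read")]


# Constructed directory contents for the demonstration.
ENTRIES = [BASE_DN, "ou=people,dc=pieye,dc=org", USER_DN, OTHER_DN]

if __name__ == "__main__":
    for label, who in [("anonymous", None), ("Markus", USER_DN), ("admin", ADMIN_DN)]:
        print(label, "sees", visible_entries(who, ENTRIES))
        print(label, "on Markus's userPassword:", access_level(who, USER_DN, "userPassword"))
```

With these rules an authenticated user reads every entry (so the second ldapsearch in the question returns the entry), anonymous binds see nothing, and userPassword is only writable by the owner and cn=admin and only usable for authentication by anyone else; if you need other users to read each other's shadowLastChange or further attributes, that first clause has to be adjusted, since it shadows the "to *" clause for those attributes.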