soup4you2
June 17th, 2003, 12:01
ok i'll run you through a brief setup of something and hopefully somebody can point out my error because this is just pissing me off...

ok i have on my test/playbox a directory.ldif that says:


dn: ou=addressbook, dc=bsdhound, dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: organizationalUnit
dc: bsdhound
o: BSDHound Web Services
ou: addressbook


i run

ldapadd -D 'dc=bsdhound,dc=com' -x -W -f directory.ldif

and it says that it inserted no problem....

then to test it i run

ldapsearch -b 'ou=addressbook, dc=bsdhound,dc=com' '(objectclass=*)'

and get the output

version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# addressbook, bsdhound, com
dn: ou=addressbook, dc=bsdhound, dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: organizationalUnit
dc: bsdhound
o: BSDHound Web Services
ou: addressbook

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ok good or at least i think it is...

so now to add in a contact or 2...

i made a file contact.ldif that states:

dn: cn=Firstname1 Lastname1 ou=addressbook, dc=bsdhound, dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Firstname1 Lastname1
gn: Firstname1
sn: Lastname1
mail: user1@bsdhound.com

dn: cn=Firstname2 Lastname2 ou=addressbook, dc=bsdhound, dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Firstname2 Lastname2
gn: Firstname2
sn: Lastname2
mail: user2@bsdhound.com

then i add them in the same manner as above and it says it inserted both no problems....

now if i execute a search

ldapsearch -b 'ou=addressbook, dc=bsdhound,dc=com' '(objectclass=*)'

i don't see them...... i also tried replacing the objectclass=* with cn=*

but nothing... any ideas?

tarballed
June 17th, 2003, 14:34
Just a couple of quick things here.

Have you set up any ACL's on the LDAP tree? If so, try disabling them and then re-running your search.

Also, try just running a quick search like so:

ldapsearch -x

to see what happens.

Let me know. I will continue to look at this.

Tarballed

soup4you2
June 17th, 2003, 15:55
yep they show up...

and if i perform a search

ldapsearch -b 'dc=bsdhound,dc=com' '(objectclass=*)'

minus the addressbook they show up...

i just deleted the databases hoping if i redo it i might fix it...lol funny how that works...

but i would like to see where my error lies.. this is my first experience w/ ldap so i'm pretty clueless but very interested.. and anxiously awaiting my new book...
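Why the contacts turned up under dc=bsdhound,dc=com but not under ou=addressbook: in contact.ldif there is no comma between the cn value and ou=addressbook, so the server takes the whole of "Firstname1 Lastname1 ou=addressbook" as the cn and places the entry directly under dc=bsdhound,dc=com. The following is an added example (not code from the thread) that parses those DNs the way a directory server does; the parser is a simplified RFC 4514 subset written for illustration.

```python
# Added example (not from the thread): a small RFC 4514-style DN parser that
# shows what ldapadd made of the contact.ldif entries. Without a comma after
# the cn value, 'ou=addressbook' becomes part of the cn and the entry lands
# directly under dc=bsdhound,dc=com, outside the ou=addressbook subtree.
from typing import List, Tuple

def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """[(type, value), ...] from the leaf RDN to the root; attribute types are
    case-insensitive and whitespace around each RDN is insignificant."""
    out = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.strip().split("=", 1)
        out.append((attr.strip().lower(), value.strip()))
    return out

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn or below it, i.e. what 'ldapsearch -b base' returns."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    typo = "cn=Firstname1 Lastname1 ou=addressbook, dc=bsdhound, dc=com"   # as in contact.ldif
    fixed = "cn=Firstname1 Lastname1, ou=addressbook, dc=bsdhound, dc=com"  # comma added
    print("leaf RDN of the typo DN:", parse_dn(typo)[0])
    for dn in (typo, fixed):
        print(in_subtree(dn, "ou=addressbook, dc=bsdhound,dc=com"),
              in_subtree(dn, "dc=bsdhound,dc=com"), dn)
```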

tarballed
June 17th, 2003, 17:37
So was it the ACL's causing the problems?

Let me know if you have any more questions. I have been working with LDAP a lot lately, so hopefully I can help you in areas that I struggled in, which will save you a lot of time.

Tarballed

soup4you2
June 17th, 2003, 17:52
no haven't made it as far as learning ACL's for it yet....

i'm able to see the names in search now.. i redid everything...

next question though...

every field needs an objectClass

such as
objectClass: inetOrgPerson contains various fields like
sn gn cn labeledURI

is there a list someplace where i can see all these options i can give... that also states what objectClass i need to define?

like whats the one for a homepage url or something... how would i figure this out?

tarballed
June 17th, 2003, 18:04
I have the perfect page for you. This page flat out rocks:

http://ldap.akbkhome.com/?click=1048919987?click=1049133255?click=1055884043

It has an explanation for everything as well. Very valuable.

Tarballed

soup4you2
June 17th, 2003, 18:46
nice thanks for the info.... website downloaded and saved for future reference

soup4you2
June 17th, 2003, 20:17
found this website also.... really slick site

http://www.cio.ufl.edu/projects/directory/ldap-schema/

soup4you2
June 19th, 2003, 22:07
been reading through my book and Wow...

it did mention a REALLY nice GUI frontend for ldap
the one i've been using is GQ over at http://biot.com/gq/

Really sweet.... my life suddenly became a lot easier...

tarballed
June 19th, 2003, 23:11
Oh, my bad soup4you2. I should have mentioned that tool.

It is a great little tool. Really makes things easier. I tried a few tools and biot was by far the best one that I found.

I tried directory administrator, but I did not like it either. biot is much better.

Sorry bout that...

T.

soup4you2
June 20th, 2003, 09:44
i do have a question on the ACL's though...

what would it take to make it so it allows actual user accounts READ access but not allow anonymous

i figured out

access to *
by anonymous none

but i can't seem to figure out how to make my user account get access...


perhaps you could give me a little example or walkthrough...

thanks in advance

tarballed
June 20th, 2003, 14:22
Well, if you just want to make sure only user accounts can have access and not anonymous, try this:

access to *
by * auth

Basically, if someone tries to browse the LDAP tree, the user will need to authenticate against LDAP by 'auth'. If the account does not exist in LDAP, they will not be able to gain any type of access at all.

ACL's are very powerful and flexible. They take a bit to learn, but once you have the hang of it, it becomes quite easy.

Also, don't forget that ACL's work on a "first match wins" basis. Meaning, if you put the following in your ACL list:

access to *
by * read

access to *
by * auth

This won't work. Basically, the first ACL will allow everyone, anonymous too, read access to your tree even though the second ACL is applied.

Tarballed
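An added example (not code from the thread) that runs the four ACL configurations discussed above through a toy first-match evaluator modelled on slapd's access levels (none < auth < compare < search < read < write, each level implying the ones below it). It assumes only the `*` target and the `*`, `anonymous` and `users` selectors, and treats a simple bind as an anonymous request for `auth` access, which is how slapd evaluates a bind before the connection is authenticated.

```python
# Added example (not from the thread): toy first-match evaluator for slapd.conf
# "access to <what> by <who> <level>" directives. Assumption: only the '*' target
# and the selectors '*', 'anonymous', 'users' are modelled; slapd has many more.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # low to high

def parse_acl(text):
    """Group each 'by' clause under the preceding 'access to' line."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["access", "to"] and len(tok) == 3:
            rules.append((tok[2], []))
        elif tok[0] == "by" and len(tok) == 3 and rules:
            rules[-1][1].append((tok[1], tok[2]))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return rules

def who_matches(who, bind_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    raise ValueError(f"unsupported <who>: {who}")

def granted(rules, bind_dn, wanted):
    """First matching 'access to' decides; inside it the first matching 'by'
    clause wins; no matching 'by' means 'none'. A level implies all lower ones."""
    for what, clauses in rules:
        if what != "*":
            raise ValueError("only 'access to *' is modelled")
        for who, level in clauses:
            if who_matches(who, bind_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False

if __name__ == "__main__":  # the configurations discussed in the thread
    for cfg in ("access to *\n by anonymous none", "access to *\n by * auth",
                "access to *\n by * read\naccess to *\n by * auth",
                "access to *\n by anonymous auth\n by users read"):
        r = parse_acl(cfg)   # a simple bind is an anonymous request for 'auth'
        print(cfg.replace("\n", " "), "=> bind:", granted(r, None, "auth"),
              "anon read:", granted(r, None, "read"), "user read:", granted(r, "cn=x", "read"))
```

The last configuration is the one that gives bound user accounts read access while keeping anonymous clients out: `by anonymous auth` lets the bind itself succeed, and `by users read` applies once the connection is authenticated.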