[Fedora-directory-users] defaultsearchbase and empty base dn subtree searches

Rich Megginson rmeggins at redhat.com
Mon Apr 14 15:26:02 UTC 2008


Aleksander Adamowski wrote:
> Hi!
>
> I'm migrating from OpenLDAP to Fedora Directory.
>
> In the OpenLDAP infrastructure, I had used proxy LDAP servers (the 
> slapd-ldap backend) to direct requests to slapd-bdb backend OpenLDAP 
> instances with failover in case of failure.
> In addition to that, using the rwm overlay, the slapd-ldap instance 
> did request rewriting of queries that specify empty base dn.
>
> The configuration for slapd-ldap instance was:
>
> database        ldap
> suffix          ""
> uri           "ldap://localhost:392/,ldaps://otherserver:636/"
> timeout 24
> idle-timeout 16
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteContext searchBase
> rwm-rewriteRule   "$" "o=MyDefaultBase" ":"
>
> I've read a thread from 2006-02 on this list 
> (https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00108.html) 
> that it's possible to get a similar behaviour on FDS by modifying 
> dse.ldif.
>
> I've stopped the FDS instance, modified 
> /etc/dirsrv/slapd-instancename/dse.ldif and started FDS again:
>
> dn:
> objectClass: top
> objectClass: extensibleObject
> defaultsearchbase: o=MyDefaultBase
> aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read 
> access"; allow(
> read,search,compare) userdn="ldap:///anyone";)
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20080411165538Z
> modifyTimestamp: 20080411165538Z
>
> However, it still doesn't return anything when clients search with 
> empty base:
>
> # /usr/lib64/mozldap/ldapsearch -b 'o=MyDefaultBase' -s sub uid=olo uid
> version: 1
> dn: uid=olo,ou=People,o=MyDefaultBase
> uid: olo
>
> # /usr/lib64/mozldap/ldapsearch -b '' -s sub uid=olo uid
> ldap_search: No such object
>
> Maybe it's relevant that the host in question takes part in 
> multi-master replication setup of 3 FDS servers.
>
defaultSearchBase is not a server side thing.  It only works if clients 
understand how to use it.  There is no way to make Fedora DS do a 
subtree search from base "" unless you write a C code plugin.
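Added example (not part of the original messages, and not Fedora DS or OpenLDAP code): a sketch of the client-side handling the reply refers to, where the client reads defaultsearchbase from the root DSE and substitutes it for an empty base DN before searching. The function names, the sample root DSE, and the fallback to a single namingContexts value are assumptions of this example.

```python
import base64

# Constructed root DSE, as `ldapsearch -b '' -s base 'objectclass=*'` might print it.
SAMPLE_ROOT_DSE = """\
version: 1
dn:
objectClass: top
namingContexts: o=MyDefaultBase
namingContexts: o=OtherSuffix
defaultsearchbase: o=MyDef
 aultBase
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, rest = line.partition(":")
        if not sep or attr.lower() == "version":
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def effective_base(requested_base, root_dse):
    """Return the base DN a client should actually send to the server."""
    if requested_base:
        return requested_base
    defaults = root_dse.get("defaultsearchbase", [])
    if defaults:
        return defaults[0]
    contexts = root_dse.get("namingcontexts", [])
    if len(contexts) == 1:                # fallback chosen by this example
        return contexts[0]
    raise LookupError("empty base DN and no usable default in the root DSE")


if __name__ == "__main__":
    print(effective_base("", parse_ldif_entry(SAMPLE_ROOT_DSE)))
```

The server still answers a subtree search on "" with "No such object"; the substitution happens entirely in the client before the search request is sent.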