No Root DSE returned from OpenLDAP
I'm trying to set up an OpenLDAP server on Ubuntu 9.10, which uses slapd version 2.4.18.
After initializing and populating a new hdb database, everything seems OK, but I cannot get the server to return a root DSE. Running
ldapsearch -x -W -D 'cn=manager,dc=example,dc=org' \
-b '' -s base '(objectclass=*)' +
just returns
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
# search result
search: 2
result: 0 Success
# numResponses: 1
My hdb database ACLs are set up as follows:
olcAccess: to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn.base="cn=manager,dc=example,dc=org" write
by * none
olcAccess: to dn.base=""
by * read
olcAccess: to *
by self write
by dn.base="cn=manager,dc=example,dc=org" write
by * read
From my experience this setup should have returned a valid root DSE, so if anyone could give me a clue as to what is going on...
Isn't the Root DSE supposed to be queried anonymously, before binding as a user? So you shouldn't be using -W or -D at all.
My OpenLDAP server responds to the following:
$ ldapsearch -x -b '' -s base
with
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This is actually filed as bug #427842 against Ubuntu 9.10 (karmic).
To fix this, copy the following to fixRootDSE.ldif:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read
And execute
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f fixRootDSE.ldif
This should give anonymous access to the root DSE.
You can get the namingContexts using ldapsearch with the optional attributes (the + flag).
You need
-s base
-b base
the optional attributes (+ flag)
In total,
$ ldapsearch -x -b '' -s base +
As mentioned in this post https://superuser.com/questions/740877/how-do-i-query-the-available-base-dns-in-an-openldap-server
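The following script is an added example and is not code from any of the answers above. It ties the fix from the second answer (the olcAccess entries on olcDatabase={-1}frontend) to the check from the third (ldapsearch with the + flag): it writes the fix LDIF, and it parses ldapsearch's LDIF output to tell the failure in the question (a successful search with no entry, hence no "# numEntries:" line) apart from a working root DSE, pulling out namingContexts when one is returned. The two sample outputs are constructed, not captured from a real server; the LDAP_LIVE variable, the temp file, and the function names are assumptions, and the live ldapmodify/ldapsearch calls only run when LDAP_LIVE=1, so the script runs offline as is.

```shell
#!/bin/sh
# Added example; not from any of the answers on this page.
# Assumptions (not in the original posts): the fix LDIF is written to a temp
# file, and live ldapmodify/ldapsearch calls run only when LDAP_LIVE=1 is set.

# Writes the frontend ACL fix from the second answer to the file named in $1.
write_fix_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read
EOF
}

# Reads ldapsearch LDIF output on stdin and prints the entry count.
# A search that ends in "result: 0 Success" with no entry (the symptom in the
# question) prints no "# numEntries:" line, so the count comes out as 0.
rootdse_entries() {
    awk '/^# numEntries:/ { n = $3 } END { print n + 0 }'
}

# Reads the same output and prints each namingContexts value on its own line.
naming_contexts() {
    awk '/^namingContexts:/ { sub(/^namingContexts: */, ""); print }'
}

# Prints a verdict for one captured ldapsearch output ($1);
# returns 1 if no root DSE entry came back.
check_rootdse_output() {
    count=$(printf '%s\n' "$1" | rootdse_entries)
    if [ "$count" -ge 1 ]; then
        echo "root DSE returned; namingContexts:"
        printf '%s\n' "$1" | naming_contexts
        return 0
    fi
    echo "no root DSE entry returned: anonymous read on dn.base=\"\" is missing in olcDatabase={-1}frontend"
    return 1
}

# Constructed sample (not captured from a real server) of
#   ldapsearch -x -b '' -s base +
# after the fix: the entry and its operational attributes are present.
SAMPLE_FIXED='dn:
namingContexts: dc=example,dc=org
subschemaSubentry: cn=Subschema
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Constructed sample matching the broken output quoted in the question.
SAMPLE_BROKEN='# search result
search: 2
result: 0 Success

# numResponses: 1'

# Offline demonstration on the constructed samples.
check_rootdse_output "$SAMPLE_FIXED"
check_rootdse_output "$SAMPLE_BROKEN" || :

# Live mode (assumed LDAP_LIVE=1): apply the fix over ldapi:/// with the
# SASL EXTERNAL bind, then query the local server anonymously and check it.
if [ "${LDAP_LIVE:-0}" = 1 ]; then
    fix=$(mktemp)
    write_fix_ldif "$fix"
    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$fix"
    rm -f "$fix"
    check_rootdse_output "$(ldapsearch -x -H ldapi:/// -b '' -s base +)"
fi
```

Run it as is to see both verdicts on the constructed samples; run it with LDAP_LIVE=1 on the server itself to apply the fix and confirm the root DSE is readable without a bind (the live ldapsearch deliberately passes no -D or -W, matching the first answer's point).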