[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Tony Earnshaw tonye at billy.demon.nl
Tue Mar 1 10:02:42 GMT 2005

Doug Campbell:


> Sorry, I forgot to put some of these answers in last time :(
> slapd appears to be running as user ldap when I run  ps aux
> I enabled it to start automatically on boot up using the chkconfig
> utility in FC3.
> All config files are owned by root and have root as their group with the
> one exception of slapd.conf which has ldap as its group

> The DB files are owned by ldap and the group is ldap.


> I don't have any certificates to deal with as I am not using SSL/TLS.  I
> actually tried to do this as a learning exercise but couldn't get it to
> work based on the documentation I read.

Try http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

> "cn=Manager,dc=swro,dc=local" is the rootdn user in slapd.conf
> I wanted to have a proxy user but again when I tried using the example
> slapd.conf files for ACLs they never worked even though I followed the
> examples as given.

You *have* to get ACLs working. You can't possibly use OpenLDAP (in
production, at least) without some quite complex ACLs.

> If I just type ldapsearch at the console, it will prompt me for a
> password. I don't know what password it is asking for though. I tried all
> that I have used and there is still no luck. The error I get is "user not
> found: no secret in database". If instead I type ldapsearch -x, it displays
> information from my ldap store. If I now switch users to a non-root user
> and execute the same two commands, I also get the same two results.

'man ldapsearch'. ldapsearch without -x assumes that you are asking for
SASL support that you have configured in slapd.conf, and you haven't. The
fact that you get the same results for root or a non-root user doesn't
have anything to do with the Unix user that you are logged in as; slapd
doesn't care about the Unix (posix) user. It only cares about users in DNs
that you feed it.

> Does that give a better idea of what might be wrong in my setup?

Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is
the be-all and end-all. I use it for cross-platform authentication in
production for *everything*. It is the cornerstone of all services that my
users may use. If an application doesn't work with it, then that
application is useless to me. Examples of apps that use a single login and
password at one site I administer (runs 3 servers under RHAS3 using the
same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server
Project, Pykota print quota admin, ssh and a Samba PDC. To be able to
master the LDAP part thoroughly, I chose to use source code and subscribe
to the 4-5 mailing lists dealing with this. Craig does the same.

Get samba working without LDAP first, then make sure you master every
possible aspect of openldap and are completely confident with it. Then you
can adapt what you've done to Samba.



mail: tonye at billy.demon.nl
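As an added illustration, not from this thread or either poster, here is the kind of slapd.conf ACL set the reply insists on: a dedicated bind DN for Samba instead of the rootdn, with password attributes hidden from everyone else. The suffix dc=swro,dc=local comes from the post; the proxy DN cn=samba,dc=swro,dc=local is an assumed name.

```conf
# Added example slapd.conf ACL fragment (assumed proxy DN cn=samba,dc=swro,dc=local).
# Rules are evaluated in order: the first "access to" clause matching the
# entry/attribute wins, so the password rule must precede the catch-all.

# Password attributes: the Samba bind DN may write them (smbldap tools,
# password changes), a user may change their own, anonymous may only bind
# against them, and nobody else can read them.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba,dc=swro,dc=local" write
        by self write
        by anonymous auth
        by * none

# Everything else under the suffix: the Samba bind DN can manage accounts,
# authenticated users can read, anonymous gets nothing.
access to dn.subtree="dc=swro,dc=local"
        by dn.exact="cn=samba,dc=swro,dc=local" write
        by users read
        by * none
```

Check each rule with a simple bind as the proxy user, e.g. `ldapsearch -x -D "cn=samba,dc=swro,dc=local" -W -b dc=swro,dc=local`, never as the rootdn, which bypasses ACLs entirely and so proves nothing about them.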
