Reputation: 1580
I had LDAP authentication working with Apache, but I keep getting 401s, and I'm not sure what I changed in the interim. I even had authentication for specific URLs based on group membership. I tried to simplify as much as I could but am still getting 401s.
Apache Configuration:
Order deny,allow
AuthName "Authentication Required"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://localhost:389/ou=people,dc=mysite,dc=com?uid
Require valid-user
Satisfy all
Apache Log:
[Sun Jun 17 23:47:51.454443 2018] [auth_basic:error] [pid 10801] [client 98.113.59.60:52870] AH01618: user myusername not found: /
OpenLDAP log:
[17-06-2018 23:47:51] slapd debug conn=1150 fd=24 ACCEPT from IP=127.0.0.1:38178 (IP=0.0.0.0:389)
[17-06-2018 23:47:51] slapd debug conn=1150 op=0 BIND dn="" method=128
[17-06-2018 23:47:51] slapd debug conn=1150 op=0 RESULT tag=97 err=0 text=
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SRCH base="ou=people,dc=mysite,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myusername))"
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SRCH attr=uid
[17-06-2018 23:47:51] slapd debug conn=1150 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
I figured I'd try to replicate the filter in the OpenLDAP log. First, a little sanity check, checking that people actually exists:
$ ldapsearch -x -b "dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# ... stuff
# people, mysite.com
dn: ou=people,dc=mysite,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
# ... stuff
Now checking that the user actually exists:
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" -s one
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#
# ... stuff
# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
givenName: My
gidNumber: 500
homeDirectory: /home/users/myusername
sn: User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: myusername
cn: My User
loginShell: /bin/bash
uidNumber: 2000
Neat! The person exists. Now when I copy the filter from the OpenLDAP logs to the command line, I get no entries:
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=myusername))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=myusername))
# requesting: uid
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Now, if I insert at least one asterisk into the uid portion of the filter, it returns the requested entry. I can put the asterisk at the end or at the beginning or in the middle. I can put as many or as few as I want. It doesn't matter.
$ ldapsearch -x -b "ou=people,dc=mysite,dc=com" "(&(objectClass=*)(uid=my*user*name))" uid
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mysite,dc=com> with scope subtree
# filter: (&(objectClass=*)(uid=my*user*name))
# requesting: uid
#
# My User, people, mysite.com
dn: cn=My User,ou=people,dc=mysite,dc=com
uid: myusername
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm running Ubuntu 16.04. How can I resolve this so I can authenticate into Apache using UID?
edit:
I also found I could no longer SSH using LDAP uids.
Upvotes: 0
Views: 1480
Reputation: 1318
Since the filter (&(objectClass=*)(uid=my*user*name)), which hits the substring matching rule, does work (with (objectClass=*) always evaluating to true), I suspect that you've added an eq-index to your slapd configuration after adding the user entry without re-indexing your database.
See also: OpenLDAP FAQ: How do I add an index after populating the database?
Upvotes: 1
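To make the mechanism in the answer concrete, here is an added toy model (constructed for this page; not OpenLDAP code and not from either post) of a database that gets an equality index after an entry was written: the equality filter Apache sends consults the incomplete index and finds nothing, while the substring filter, which has no sub index to consult, scans every entry; rebuilding the index restores the equality match.

```python
from fnmatch import fnmatchcase


class Backend:
    # Minimal stand-in for an OpenLDAP database with optional eq indexes.
    def __init__(self):
        self.entries = {}        # dn -> {attribute: value}
        self.indexed = set()     # attributes with an "index <attr> eq" directive
        self.eq_index = {}       # attr -> {value: set(dn)}

    def _index_entry(self, dn, attrs):
        for attr in self.indexed:
            if attr in attrs:
                self.eq_index.setdefault(attr, {}).setdefault(attrs[attr], set()).add(dn)

    def add(self, dn, attrs):
        """Write an entry; only attributes indexed at this moment get index keys."""
        self.entries[dn] = attrs
        self._index_entry(dn, attrs)

    def add_index(self, attr):
        """Like adding 'index uid eq' to slapd: existing entries stay unindexed."""
        self.indexed.add(attr)
        self.eq_index.setdefault(attr, {})

    def slapindex(self):
        """Rebuild every index from the stored entries (the documented fix)."""
        self.eq_index = {}
        for dn, attrs in self.entries.items():
            self._index_entry(dn, attrs)

    def search(self, attr, pattern):
        """Candidate selection via the index (if usable), then filter evaluation."""
        if "*" in pattern or attr not in self.indexed:
            candidates = set(self.entries)                       # no usable index: scan all
        else:
            candidates = self.eq_index[attr].get(pattern, set())  # trust the eq index
        return sorted(dn for dn in candidates
                      if fnmatchcase(self.entries[dn].get(attr, ""), pattern))


def reproduce():
    """Returns (eq hits before reindex, substring hits before, eq hits after)."""
    db = Backend()
    db.add("cn=My User,ou=people,dc=mysite,dc=com", {"uid": "myusername"})
    db.add_index("uid")                                   # index added after the entry
    before_eq = len(db.search("uid", "myusername"))       # what Apache's filter does
    before_sub = len(db.search("uid", "my*user*name"))    # the asterisk workaround
    db.slapindex()
    after_eq = len(db.search("uid", "myusername"))
    return before_eq, before_sub, after_eq
```

On a real server the rebuild step is the slapindex tool, run while slapd is stopped, as the FAQ linked in the answer describes.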