Upgrade to 2.3.40 -> failed index
by Paul B. Henson
I've been running OpenLDAP 2.3.35 for almost a year with no problems
(Gentoo Linux, w/DB 4.5). I upgraded to 2.3.40 last week, and had a
meltdown this morning during an account purge.
There had been some updates to the directory after upgrading, but no
deletes. During my delete run, there were some index errors:
-----
[successful deletes]
Feb 3 03:50:36 derp idmgmt[3722]: error deleting user cjlindsay: DN index delete failed (LDAP)
[successful deletes]
Feb 3 03:56:55 derp idmgmt[3722]: error deleting user ddshah: DN index delete failed (LDAP)
[successful deletes]
Feb 3 04:00:10 derp idmgmt[3722]: error binding to directory: internal error (LDAP)
-----
After the index errors, LDAP stopped working. The logs on the master
showed:
-----
Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): file dn2id.bdb has LSN 8388745/33900185, past end of log at 137/33937441
Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): Commonly caused by moving a database from one transactional database
Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): environment to another without clearing the database LSNs, or removing
Feb 3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): all of the log files from a database environment
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388745/33900185 past current end-of-log of 137/37666668
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): dn2id.bdb: unable to flush page: 3118
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): txn_checkpoint: failed to flush the buffer cache: DB_RUNRECOVERY: Fatal error, run database recovery
Feb 3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery
-----
I restarted slapd, resulting in:
-----
Feb 3 06:55:53 fosse slapd[5129]: bdb_db_close: txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975)
Feb 3 06:55:53 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery
Feb 3 06:55:53 fosse slapd[5129]: bdb_db_close: close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975)
Feb 3 06:55:53 fosse slapd[5129]: slapd stopped.
Feb 3 06:56:02 fosse slapd[11055]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 31 2008 21:55:32) $ portage@fosse:/var/tmp/portage/net-nds/openldap-2.3.40-r1/work/openldap-2.3.40/servers/slapd
- Server is unavailable
Feb 3 06:56:18 fosse slapd[11056]: hdb_db_open: unclean shutdown detected; attempting recovery.
Feb 3 06:56:20 fosse slapd[11056]: slapd starting
-----
I have two syncrepl slaves, both had failed at the exact same time with the
exact same logs:
-----
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388762/37013381 past current end-of-log of 154/40862130
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): dn2id.bdb: unable to flush page: 3118
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): txn_checkpoint: failed to flush the buffer cache: DB_RUNRECOVERY: Fatal error, run database recovery
Feb 3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery
Feb 3 04:00:11 filmore slapd[5127]: null_callback: error code 0x50
Feb 3 06:57:41 filmore slapd[5127]: bdb_db_close: txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975)
Feb 3 06:57:41 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: fatal region error detected; run recovery
Feb 3 06:57:41 filmore slapd[5127]: bdb_db_close: close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30975)
Feb 3 06:57:41 filmore slapd[5127]: slapd stopped.
Feb 3 06:57:49 filmore slapd[20722]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 28 2008 18:22:34) $ portage@filmore:/var/tmp/portage/net-nds/openldap-2.3.40-r1/work/openldap-2.3.40/servers/slapd
Feb 3 06:57:49 filmore slapd[20723]: hdb_db_open: unclean shutdown detected; attempting recovery.
Feb 3 06:57:51 filmore slapd[20723]: slapd starting
-----
After a restart, things seemed to be working ok. I deleted one object by
hand with no problem. But then on deleting the second, I received the same
index failure.
Finally, I shut everything down, did a slapcat to ldif, deleted the entire
DB, and then a slapadd to regenerate from scratch.
So far, so good after that. I restarted my batch delete, it's been running
for 20 minutes with no errors (fingers crossed).
What happened? It can't be local corruption, all three servers failed
exactly the same way. I didn't upgrade bdb, it's the exact same version
that's been running. I didn't think I needed to rebuild the db on an
upgrade from 2.3.35 to 2.3.40, was I mistaken? Should I have done a
dump/reload? Was this failure possibly a bug in 2.3.40? A bug in 2.3.35
exposed by the upgrade?
Any thoughts much appreciated...
Thanks much...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson(a)csupomona.edu
California State Polytechnic University | Pomona CA 91768
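The BDB messages quoted above carry two LSNs each: the one stamped on the database page and the point where the environment's transaction log actually ends. The following is an added example, not code from this thread or from OpenLDAP: it parses such slapd syslog lines, confirms the stored LSN really is beyond the end of log, and correlates the LSN error with the DB_RUNRECOVERY panic per host and across hosts, which is the check behind the "all three servers failed at the exact same time" observation. It also reports the difference between the stored and the current log file number; in the quoted lines it is 8388608 (2^23) on both the master and the replica. The sample lines are constructed from the messages in the post with their wrapping removed, and the year 2008 is assumed when parsing syslog timestamps.

```python
"""Detect Berkeley DB 'LSN past end of log' errors in slapd syslog output and
correlate them with the PANIC that follows, per host and across hosts.
Added example, not code from the thread or from OpenLDAP."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the messages quoted in the post (wrapped
# lines re-joined). A real run would read the syslog file instead.
SAMPLE_LOG = """\
Feb  3 03:50:36 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): file dn2id.bdb has LSN 8388745/33900185, past end of log at 137/33937441
Feb  3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388745/33900185 past current end-of-log of 137/37666668
Feb  3 04:00:10 fosse slapd[5129]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Feb  3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): DB_ENV->log_flush: LSN of 8388762/37013381 past current end-of-log of 154/40862130
Feb  3 04:00:11 filmore slapd[5127]: bdb(dc=csupomona,dc=edu): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Feb  3 06:56:20 fosse slapd[11056]: slapd starting
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+slapd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
# Both BDB messages carry a stored LSN and the environment's end-of-log LSN:
#   "file X has LSN a/b, past end of log at c/d"
#   "DB_ENV->log_flush: LSN of a/b past current end-of-log of c/d"
LSN_RE = re.compile(
    r"LSN (?:of )?(?P<f>\d+)/(?P<o>\d+),? past (?:current )?end[- ]of[- ]log "
    r"(?:at|of) (?P<ef>\d+)/(?P<eo>\d+)")
FILE_RE = re.compile(r"file (?P<file>\S+) has LSN")
PANIC_RE = re.compile(r"PANIC: DB_RUNRECOVERY")

LSN = Tuple[int, int]  # (log file number, byte offset within that file)

@dataclass
class LsnEvent:
    when: datetime
    host: str
    pid: int
    db_file: Optional[str]   # named only in the "file X has LSN" form
    page_lsn: LSN            # LSN recorded on the database page
    end_of_log: LSN          # where this environment's log actually ends

def parse_ts(mon: str, day: str, time: str, year: int = 2008) -> datetime:
    # syslog lines carry no year; 2008 is assumed from the post's date.
    return datetime.strptime(f"{year} {mon} {int(day):02d} {time}", "%Y %b %d %H:%M:%S")

def parse_log(text: str) -> Tuple[List[LsnEvent], List[Tuple[datetime, str]]]:
    """Return the LSN events and a (time, host) list of DB_RUNRECOVERY panics."""
    events: List[LsnEvent] = []
    panics: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when, msg = parse_ts(m["mon"], m["day"], m["time"]), m["msg"]
        if PANIC_RE.search(msg):
            panics.append((when, m["host"]))
        lm = LSN_RE.search(msg)
        if lm:
            fm = FILE_RE.search(msg)
            events.append(LsnEvent(
                when, m["host"], int(m["pid"]), fm["file"] if fm else None,
                (int(lm["f"]), int(lm["o"])), (int(lm["ef"]), int(lm["eo"]))))
    return events, panics

def lsn_is_past_end(ev: LsnEvent) -> bool:
    # LSNs order by file number first, then offset. A page stamped with an LSN
    # beyond the current end of log belongs to a log history this environment
    # never wrote, and BDB refuses to run on it.
    return ev.page_lsn > ev.end_of_log

def file_number_delta(ev: LsnEvent) -> int:
    """Stored log file number minus the current one."""
    return ev.page_lsn[0] - ev.end_of_log[0]

def is_single_bit(n: int) -> bool:
    """True when n is a power of two, i.e. the two file numbers differ in one bit."""
    return n > 0 and n & (n - 1) == 0

def first_panic_per_host(panics) -> Dict[str, datetime]:
    first: Dict[str, datetime] = {}
    for when, host in panics:
        first.setdefault(host, when)
    return first

def hosts_failing_together(events, panics, window_seconds: int = 5) -> Dict[str, datetime]:
    """Hosts where a past-end-of-log LSN error was followed by a PANIC within the window."""
    first = first_panic_per_host(panics)
    out: Dict[str, datetime] = {}
    for ev in events:
        p = first.get(ev.host)
        if p is None or not lsn_is_past_end(ev):
            continue
        if 0 <= (p - ev.when).total_seconds() <= window_seconds:
            out[ev.host] = p
    return out

def panic_spread_seconds(panics) -> Optional[float]:
    """Seconds between the earliest and latest host's first PANIC (None if fewer than 2 hosts)."""
    first = first_panic_per_host(panics)
    if len(first) < 2:
        return None
    return (max(first.values()) - min(first.values())).total_seconds()
```

Run against the real syslog of every replica, a spread of a second or two between hosts plus identical file-number deltas says the bad LSN arrived with the replicated data rather than from one machine's disk; the script does not say why the page carried that LSN, only that it did.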
Multiple passwords
by Adrian Overbury
Hi,
I'm trying to make a system account in LDAP that has multiple
passwords, one of which is time-limited. Basically, it's your run-of-the-mill
posix/shadowAccount object, with your common-or-garden
userPassword attribute. Everything works so far. But now I want to
add a couple of new attributes, tempPassword and
tempPasswordTimestamp. tempPassword will contain a long random string
of characters hashed somehow (crypt, sha, md5, I don't care) generated
by the service-management software my company develops.
tempPasswordTimestamp is what one of its underlying systems will use
to determine all tempPasswords that have expired.
Now, I created the attribute tempPassword, and made it SUP
userPassword, but it doesn't seem to have inherited any of
userPassword's functionality, like the ability to hash the entered
string with a given scheme (like if I entered {SSHA}password I'd end
up with a SHA-1 hashed password) and automatic encoding to base64.
I know (or, at least, I *think*) that userPassword is a multi-valued
attribute, so I could just enter another userPassword and let it auth
off that, but that defeats the purpose, which is to create a secure
password that operators in our service-management software can use to
log in to this user's account at the push of a button, without having
to actually *know* the user's password. The password itself will be
at least 20 characters long, consisting of uppercase, lowercase,
numbers and special characters, so it'll be as secure as we can make
it. All of it relies on me being able to create a new password
attribute and auth off it, though, so, anyone able to help?
Regards,
Adrian
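slapd applies its password-hash setting when a password is set through the Password Modify extended operation (RFC 3062); a value written with an ordinary add or modify is stored exactly as sent, and the same holds for any custom attribute. So an application that wants a hashed tempPassword has to produce the RFC 2307 form itself. The following is an added example, not OpenLDAP code and not from the thread: it generates a 20-character temporary password from a CSPRNG, hashes it as {SSHA} in the same layout slapd stores in userPassword (base64 of SHA-1(password || salt) followed by the salt), verifies candidates in constant time, and ties the check to an LDAP GeneralizedTime issue timestamp so expired values are refused. The attribute names and the time-to-live are assumptions for illustration.

```python
"""Client-side generation and verification of {SSHA}/{SHA} password values in
the RFC 2307 form slapd stores in userPassword, plus an expiry check against a
GeneralizedTime issue stamp. Added example, not OpenLDAP code."""
import base64
import binascii
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timezone

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
SHA1_LEN = 20  # everything after the digest in a decoded {SSHA} value is salt

def generate_temp_password(length: int = 20) -> str:
    """Random password containing upper, lower, digit and symbol characters."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def ssha_hash(password: str, salt: bytes = None) -> str:
    """'{SSHA}' + base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # any salt length works: the verifier reads it back from the value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def sha_hash(password: str) -> str:
    """Unsalted {SHA}; kept to verify legacy values, not to create new ones."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext candidate against a {SSHA} or {SHA} value. Anything
    else, including a literal '{SSHA}password' typed in by hand, fails closed."""
    if stored.startswith("{SSHA}"):
        scheme, body = "SSHA", stored[len("{SSHA}"):]
    elif stored.startswith("{SHA}"):
        scheme, body = "SHA", stored[len("{SHA}"):]
    else:
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    if scheme == "SHA":
        if len(raw) != SHA1_LEN:
            return False
        return hmac.compare_digest(raw, hashlib.sha1(password.encode("utf-8")).digest())
    if len(raw) <= SHA1_LEN:
        return False  # no salt bytes present: not a well-formed {SSHA} value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())

def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime in its usual 'YYYYMMDDHHMMSSZ' (UTC) form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def temp_password_accepted(candidate: str, stored_hash: str, issued: str,
                           now: datetime, ttl_seconds: int) -> bool:
    """Accept only an unexpired temporary password whose hash matches.
    'issued' is the assumed tempPasswordTimestamp value, 'stored_hash' the
    assumed tempPassword value."""
    if (now - parse_generalized_time(issued)).total_seconds() > ttl_seconds:
        return False
    return verify_password(candidate, stored_hash)
```

The application keeps the cleartext only long enough to hand it to the operator; what lands in the directory is the {SSHA} string, and the application, not slapd, is the party that verifies it, since a simple bind only ever consults userPassword.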
large ldap server recommendation
by ram
Hi,
I am using LDAP for authentication and address book for a large
mailserver setup with around 300k users (this will grow to 500k).
The LDAP server is an 8GB RAM box with RHEL-5 and
openldap-servers-2.3.27-5.
I am confused about what database type to use, ldbm or bdb. Currently I have
the users on bdb with a lot of problems. The LDAP server dies all of a
sudden and I have to recover the data to get it started.
my DB_CONFIG file is
------
# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.
set_cachesize 0 524288000 0
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 20485760
set_tmp_dir /tmp
# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
set_flags DB_LOG_AUTOREMOVE
set_flags DB_LOG_INMEMORY
set_flags DB_TXN_NOSYNC
-------------
Can someone help me?
Thanks
Ram
ACL or a default deny policy
by Olivier Nicole
Hi,
I am implementing a directory with OpenLDAP and I would like
anonymous users to be able to read only certain attributes, while all other
attributes are accessible to authenticated users only.
# ACL 1: Data that the user can change and that the world can see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=sn,givenName
        by group="cn=groupadmin..." write
        by self write
        by * read
# ACL 2: Personal data, that the user can change and the world can not see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=gecos,description
        by group="cn=groupadmin..." write
        by self write
        by * none
# ACL 3: any attribute that is not explicitly allowed above is denied
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin..." write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * none
But this is not working. If I do like this, anonymous search will see
nothing from the user.
I found out somewhere that the attribute objectClass should always be exposed, so I tried to add it in ACL 1, but that is not working either. I must have a last ACL of the form
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin..." write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * read
and I don't see where my reasoning is getting wrong.
Thanks in advance,
Olivier
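slapd evaluates access directives first-match: for each (entry, attribute) pair the first "access to" clause whose target matches is the only one consulted, the first matching "by" inside it sets the level, and anything unmatched is "none" (every clause ends with an implicit "by * none" and the list with an implicit "access to * by * none"). Returning an entry in a search result needs read access to the "entry" pseudo-attribute, which only a clause without an attrs= list covers. In the rules above, an anonymous requester's access to "entry" therefore falls through to ACL 3, where "by * none" withholds the whole entry; adding objectClass to ACL 1 does not change that. The following is an added example, not OpenLDAP code, that models this evaluation for exactly the <what>/<who> forms used in the post and runs the posted rule set beside one where "entry" (and objectClass, so filters on it also pass) are added to the world-readable set. The group DN is kept as the truncated "cn=groupadmin..." string from the post and treated as an opaque label; the requester and entry DNs are constructed.

```python
"""Small model of slapd's first-match ACL evaluation. Added example, not
OpenLDAP code: only the <what>/<who> forms used in the post are modelled."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def level_at_least(granted_level: str, needed: str) -> bool:
    return LEVELS.index(granted_level) >= LEVELS.index(needed)

def parent_dn(dn: str) -> str:
    # naive split on the first comma; enough for the unescaped DNs in the post
    return dn.split(",", 1)[1] if "," in dn else ""

def in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)

@dataclass
class By:
    who: str    # '*', 'anonymous', 'users', 'self', 'dn.subtree=<base>', 'group=<label>'
    level: str

@dataclass
class Clause:
    dn_one: str                      # dn.one="<base>": entries directly below base
    attrs: Optional[Sequence[str]]   # None: every attribute, incl. the entry/children pseudo-attributes
    by: List[By]

    def targets(self, entry_dn: str, attr: str) -> bool:
        if parent_dn(entry_dn) != self.dn_one:
            return False
        return self.attrs is None or attr.lower() in {a.lower() for a in self.attrs}

@dataclass
class Requester:
    dn: str = ""                 # empty DN = anonymous
    groups: Sequence[str] = ()   # group labels the requester is a member of

def who_matches(who: str, req: Requester, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn == ""
    if who == "users":
        return req.dn != ""
    if who == "self":
        return req.dn != "" and req.dn == entry_dn
    if who.startswith("dn.subtree="):
        return req.dn != "" and in_subtree(req.dn, who[len("dn.subtree="):])
    if who.startswith("group="):
        return who[len("group="):] in req.groups
    raise ValueError(f"unsupported <who>: {who}")

def granted(acls: List[Clause], req: Requester, entry_dn: str, attr: str) -> str:
    for clause in acls:
        if clause.targets(entry_dn, attr):
            for b in clause.by:
                if who_matches(b.who, req, entry_dn):
                    return b.level
            return "none"   # implicit 'by * none' closing every clause
    return "none"           # implicit 'access to * by * none' closing the list

def visible_attrs(acls, req, entry_dn, attrs, filter_attrs: Sequence[str] = ()) -> Optional[List[str]]:
    """What a search would return for one entry: None when the entry is withheld
    (needs 'search' on each attribute used in the filter and 'read' on the
    'entry' pseudo-attribute), otherwise the attributes readable by req."""
    for fa in filter_attrs:
        if not level_at_least(granted(acls, req, entry_dn, fa), "search"):
            return None
    if not level_at_least(granted(acls, req, entry_dn, "entry"), "read"):
        return None
    return [a for a in attrs if level_at_least(granted(acls, req, entry_dn, a), "read")]

# The post's rules. The group DN stays the truncated "cn=groupadmin..." label.
BASE = "ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
ADMINS = By("group=cn=groupadmin...", "write")
STAFF_READ = By("dn.subtree=ou=csim,dc=cs,dc=ait,dc=ac,dc=th", "read")
POSTED = [
    Clause(BASE, ["sn", "givenName"], [ADMINS, By("self", "write"), By("*", "read")]),
    Clause(BASE, ["gecos", "description"], [ADMINS, By("self", "write"), By("*", "none")]),
    Clause(BASE, None, [ADMINS, STAFF_READ, By("*", "none")]),
]
# Same rules with 'entry' and 'objectClass' added to the world-readable set.
FIXED = [
    Clause(BASE, ["entry", "objectClass", "sn", "givenName"], POSTED[0].by),
    POSTED[1],
    POSTED[2],
]
ENTRY = "uid=bob," + BASE                       # constructed target entry
ATTRS = ["sn", "givenName", "gecos", "description"]
ANON = Requester()
COLLEAGUE = Requester(dn="uid=alice," + BASE)  # constructed authenticated user
```

With POSTED, visible_attrs(POSTED, ANON, ENTRY, ATTRS) is None because "entry" reaches ACL 3; with FIXED the anonymous requester gets sn and givenName while gecos and description still resolve to "none" through ACL 2, so the "by * read" catch-all the post mentions is not needed to make anonymous reads work.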
Fw: err code definitions
by Vinh.CTR.Hoang@faa.gov
Nevermind, I found it somewhere else,
Thanks,
Vinh
----- Forwarded by Vinh CTR Hoang/ACT/CNTR/FAA on 02/04/2008 04:50 PM
-----
Vinh CTR Hoang/ACT/CNTR/FAA
AJW-177, Comm Infrastructure Eng Team
02/04/2008 04:48 PM
To
Pierangelo Masarati <ando(a)sys-net.it>
cc
openldap-software(a)openldap.org
Subject
Re: err code definitions
I could not find any thing said what each tag code means in RFC 4511. Is
there any other document?
Thanks,
Vinh
Pierangelo Masarati <ando(a)sys-net.it>
02/04/2008 02:53 PM
To
Vinh CTR Hoang/ACT/CNTR/FAA@FAA
cc
openldap-software(a)openldap.org
Subject
Re: err code definitions
Vinh.CTR.Hoang(a)faa.gov wrote:
> Hi all, I was wondering if there were any documentation on the tag and error
> code definitions that show up in slapd log files.
> When I try to log in as a user, ldap seems to reject me and puts in the log
> "RESULT tag=97 err=0 text= ". I know the password is
> the correct one since I can issue the login command in a shell and try to
> log in; it doesn't tell me that my login is incorrect.
> However it will not let me log in through telnet or the regular login
> prompt.
>
> I'm on Solaris 9 btw.
RFC 4511
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
err code definitions
by Vinh.CTR.Hoang@faa.gov
Hi all, I was wondering if there were any documentation on the tag and error
code definitions that show up in slapd log files.
When I try to log in as a user, ldap seems to reject me and puts in the log
"RESULT tag=97 err=0 text= ". I know the password is the correct one since I
can issue the login command in a shell and try to log in; it doesn't tell me
that my login is incorrect. However it will not let me log in through telnet
or the regular login prompt.
I'm on Solaris 9 btw.
Thanks,
Vinh
cn=config and cn=monitor questions
by Ron Aitchison
I'm using 2.4.7 on Freebsd (5.4 and 6.2) and have a couple of questions:
I had a couple of nasty signal 11 crashes trying to start cn=monitor
using cn=config (OK - a tad ambitious) which obviously lost all my
configuration changes:
Question 1:
Is there any way I can force or control an update to the cn=config LDIF
files in slapd.d?
To get cn=monitor running I finally dropped back into slapd.conf and
reconverted to slapd.d now I have three more questions about cn=monitor:
Question 2:
The log section in the 2.4 manual (18.4.5) has a slightly bizarre
explanation suggesting that the log values are controlled via the
description attribute. Whereas the description attribute under
cn=log,cn=monitor suggests that they are controlled via managedInfo
attributes which seems more sensible. Perhaps someone could confirm.
Question 3:
I have a olcLogLevel attribute of any (-1) visible through cn=config but
was surprised this was not used to initialize the log settings of
cn=log,cn=monitor.
I added a managedInfo attribute under cn=log,cn=monitor (for ACL) which
did precisely zilch (it did not add a logging object which I would have
expected). Further after a stop/start the managedInfo attribute had
disappeared from cn=log,cn=monitor.
Question 4:
Where is/are the schema/objectclasses for cn=monitor stored? I tried to
get them using cn=subschema,cn=monitor - nada.
Thanks in advance for any help
--
Ron Aitchison www.zytrax.com
ZYTRAX ron(a)zytrax.com
tel: 514-315-4296
Suite 22
6201 Chemin Cote St. Luc
Hampstead QC H3X 2H2 Canada
Author: Pro DNS and BIND (Apress) ISBN 1-59059-494-0
Multimaster Replication
by Stephan Jennewein
Hi,
I tried to set up multimaster replication. The replication works quite nicely, but
since I activated it I can't edit my LDAP directory. Whenever I try to, I
get "server is unwilling to perform". It seems as if I'm not authenticated, but
I am. I use openldap 2.4.7 on Debian testing.
Here is the logfile:
daemon: read active on 17
connection_get(17)
connection_get(17): got connid=3
connection_read(17): checking for input on id=3
conn=3 op=0 do_bind
>>> dnPrettyNormal: <cn=admin,dc=bar,dc=de>
<<< dnPrettyNormal: <cn=admin,dc=bar,dc=de>, <cn=admin,dc=bar,dc=de>
conn=3 op=0 BIND dn="cn=admin,dc=bar,dc=de" method=128
do_bind: version=3 dn="cn=admin,dc=bar,dc=de" method=128
==> bdb_bind: dn: cn=admin,dc=bar,dc=de
conn=3 op=0 BIND dn="cn=admin,dc=bar,dc=de" mech=SIMPLE ssf=0
do_bind: v3 bind: "cn=admin,dc=bar,dc=de" to "cn=admin,dc=bar,dc=de"
send_ldap_result: conn=3 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
conn=3 op=0 RESULT tag=97 err=0 text=
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on:
17r
daemon: read active on 17
connection_get(17)
connection_get(17): got connid=3
connection_read(17): checking for input on id=3
conn=3 op=1 do_add
conn=3 op=1 do_add: dn (ou=foo,dc=bar,dc=de)
>>> dnPrettyNormal: <ou=foo,dc=bar,dc=de>
<<< dnPrettyNormal: <ou=foo,dc=bar,dc=de>, <ou=foo,dc=bar,dc=de>
conn=3 op=1 ADD dn="ou=foo,dc=bar,dc=de"
bdb_dn2entry("ou=foo,dc=bar,dc=de")
=> bdb_dn2id("ou=foo,dc=bar,dc=de")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
(-30990)
bdb_referrals: tag=106 target="ou=foo,dc=bar,dc=de" matched="dc=bar,dc=de"
send_ldap_result: conn=3 op=1 p=3
send_ldap_result: err=53 matched="" text="shadow context; no update referral"
send_ldap_response: msgid=2 tag=105 err=53
conn=3 op=1 RESULT tag=105 err=53 text=shadow context; no update referral
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
Config for Host 1 and 2 is the same:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/sudo.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel any
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov.la
moduleload accesslog.la
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=bar,dc=de"
rootdn "cn=admin,dc=bar,dc=de"
rootpw "f00b4r"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectclass,entryCSN,entryUUID eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=bar,dc=de" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=bar,dc=de" write
        by * read
syncrepl rid=000
        provider=ldap://legs.bar.de
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc= bar,dc=de"
        attrs=*
        schemachecking=on
        bindmethod=simple
        binddn="cn=admin,dc=bar,dc=de"
        credentials="f00b4r"
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
How to fetch ca server certificate from LDAP server using library call
by Digambar Sawant
Hi,
Is there any way to fetch the CA certificate from LDAP server using OpenLDAP
C SDK?
I am using openldap-2.0.3 libraries.
Consider that the AAA server is running securely with the following files:
1. server certificate
2. CA certificate
3. server key
On the client side, how do I get the CA certificate? I don't want to copy it
manually by doing scp/http.
Is there any library call available to accomplish this?
Please help.
Thanks,
Digambar