Hi all:
I'm running OpenLDAP 2.3.27 from CentOS 5.2 to build from scratch an
LDAP tree based on Phamm sample LDIF files.
I have this database definition in slapd.conf:
database bdb
suffix "dc=redtube,dc=com"
rootdn "cn=manager,dc=redtube,dc=com"
rootpw {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory /var/lib/ldap
mode 660
index objectClass eq
index cn,mail eq,subinitial
index vd,delete eq,pres
index accountActive,forwardActive eq,pres
index smtpAuth eq,pres
index sn,uid,displayName pres,eq,sub
index uidNumber,gidNumber eq
index default sub
I always do the following:
1. # rm /var/lib/ldap/*
(to be sure i'm starting from scratch)
2. # slapadd -b dc=redtube,dc=com redtube.ldif
After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all
the other files have -w----r-T as permissions and are owned by root.root.
Is that correct?
Well, as far as I know they should be owned by ldap user and ldap group
with 0660 permissions assigned (based on "mode" directive in slapd.conf).
So I do the following:
3. # chown ldap.ldap /var/lib/ldap/*
# chmod 660 /var/lib/ldap/*
(/var/lib/ldap directory is 0700 and owned by ldap.ldap already)
4. I check against possible errors and then start OpenLDAP:
# slapd -Tt
# service ldap start
5. OpenLDAP starts correctly, it works perfectly. I can even make
modifications to the LDAP tree adding entries based on attributes like
vd, cn, mail, among others.
I'm aware that there are no uid.bdb created yet in /var/lib/ldap, so I
guess that's ok.
My problem comes when I try to perform some operation that causes
OpenLDAP to create an index file in /var/lib/ldap.
For example, when I try to log in with the rootdn through phpldapadmin I get
something like this in the logs:
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
I don't know why phpldapadmin performs a search based on a filter like
"(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
Then I stop and start OpenLDAP and I start getting this:
# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown
detected; attempting recovery.
bdb_db_open: Warning - No DB_CONFIG file found in directory
/var/lib/ldap: (2)
Expect poor performance for suffix dc=mailtest,dc=com.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if
errors are encountered.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Question is: Why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is it
getting permission denied messages? The whole directory /var/lib/ldap is
owned by ldap user with 660 permissions.
Can anybody help me? Thanks
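The check the poster does by eye after slapadd (who owns each file under /var/lib/ldap and with what mode), as an added example that is not part of the original post and not OpenLDAP's own tooling. Any file created by slapadd, slaptest (slapd -Tt) or slapd itself is owned by whichever user ran that process, so the audit is worth re-running after every tool invocation, not only after slapadd. The function names audit_dbdir and fix_dbdir are my own; the script assumes Linux with GNU stat and takes the uid and gid numerically.

```shell
#!/bin/sh
# Added example (not from the original post): audit, and optionally fix,
# ownership and mode of every file in a BDB database directory.
# Assumes GNU stat (Linux); UID and GID are numeric.

# audit_dbdir DIR UID GID FILE_MODE DIR_MODE
# Prints one line per mismatch; returns 0 if everything matches, 1 otherwise.
audit_dbdir() {
    dir=$1 uid=$2 gid=$3 fmode=$4 dmode=$5
    rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    # The directory itself (the poster keeps it 0700, owned by ldap:ldap).
    actual=$(stat -c '%u %g %a' "$dir")
    if [ "$actual" != "$uid $gid $dmode" ]; then
        echo "$dir: expected uid=$uid gid=$gid mode=$dmode, found $actual"
        rc=1
    fi

    # Every regular file inside: the *.bdb entry/index files, the __db.*
    # environment files, and alock / DB_CONFIG when present.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        actual=$(stat -c '%u %g %a' "$f")
        if [ "$actual" != "$uid $gid $fmode" ]; then
            echo "$f: expected uid=$uid gid=$gid mode=$fmode, found $actual"
            rc=1
        fi
    done
    return $rc
}

# fix_dbdir DIR UID GID FILE_MODE DIR_MODE
# Applies the chown/chmod the poster runs by hand in step 3.
fix_dbdir() {
    dir=$1 uid=$2 gid=$3 fmode=$4 dmode=$5
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    chown "$uid:$gid" "$dir" && chmod "$dmode" "$dir" || return 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        chown "$uid:$gid" "$f" && chmod "$fmode" "$f" || return 1
    done
}

# Typical use on the poster's system, as root, after each slap* tool run:
#   audit_dbdir /var/lib/ldap "$(id -u ldap)" "$(id -g ldap)" 660 700 \
#     || fix_dbdir /var/lib/ldap "$(id -u ldap)" "$(id -g ldap)" 660 700
```

Running audit_dbdir once more after `slapd -Tt` and before `service ldap start` shows whether that step left anything behind that the ldap user cannot open or recreate; the uid and gid are looked up with `id -u ldap` and `id -g ldap` so the check does not depend on name resolution inside the script.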