August 2013 - openldap-technical

OpenLDAP 2.4.36 slapd stop with assertion fail message

by "POISSON Frédéric"

Hello, I'm testing the latest release of OpenLDAP 2.4.36 and my slapd stop while i'm doing a change on cn=config. My tests are with my own compilation of OpenLDAP on a RHEL6 server but i see the same problem with "LTB project RPMs" http://ltb-project.org/wiki/download#openldap with RHEL6 package. My aim is to modify cn=config like this in order to implement TLS, here is my ldif : dn: cn=config changetype: modify add: olcTLSRandFile olcTLSRandFile: /dev/random The server shutdown when i add this entry and with slapd option "-d 255" i have : slapd: result.c:813: slap_send_ldap_result: Assertion `!((rs->sr_err)<0)' failed. /etc/init.d/slapd: line 285: 5461 Aborted $SLAPD_BIN -h "$SLAPD_SERVICES" $SLAPD_PARAMS Notice that i test this ldif modification on release 2.4.35 without problem. Is there any changes inside cn=config behavior with release 2.4.36 that i don't see ? Thanks in advance, Regards, PS: In attachment my cn=config with slapcat, and the lines when starting slapd with debug -d 255. -- Frederic Poisson

7 years, 7 months

2
1
0 / 0

Re: Antw: Re: Object not found

by espeake＠oreillyauto.com

Eric Speake Web Systems Administrator O'Reilly Auto Parts From: "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> To: <espeake(a)oreillyauto.com> Date: 08/29/2013 01:46 AM Subject: Antw: Re: Object not found Eric, following you progress on LDAP, why don't you use a working simple starting configuration and then try simple steps towards getting where you want to be at the end? Only proceed if the current configuration works as intended; if not either undo or fix it. Something like: olcAccess: {0}to * by dn.base="uid=syncrepl,ou=system,dc=whatever" read by group/organizationalRole/roleOccupant.exact="cn=LDAP-Manager,dc=whatever" write by * break olcAccess: {1}to attrs=userPassword by self write by * auth olcAccess: {2}to attrs=shadowLastChange by self write by * read olcAccess: {3}to attrs=userPKCS12 by self read by * none olcAccess: {4}to * by * read You can leave out rule {0}, because that's some local extension used here (use a group for Managers). Also I can recommend turning on auth logging for your tests. In LDIF-format: dn: cn=config changetype: modify add: olcLogLevel olcLogLevel: ACL - I also recommend doing frequent database dumps per slapcat, so you can revert to a working configuration once you messed up things. However when using replication, be aware that restoring one node to an older configuration, the older node may be overwritten if the other nodes still have a newer configuration. To all: Is there an option to slapadd to make any entries actually added being "new" (i.e. ignoring CSNs and modification timestamps in the LDIF)? Regards, Ulrich >>> <espeake(a)oreillyauto.com> schrieb am 29.08.2013 um 05:25 in Nachricht <OF5EFEDB5F.26657526-ON86257BD6.001209FD-86257BD6.0012CADD@LocalDomain>: > Okay so I have the access list figured out and everything looks good except > now the credentials for my user aren't working. I get an error 49 (invalid > credentials) I have reentered the password for the user. There is one > other user that will not autenticate. Both of thes users are in the ou > System. The base admin account can login and get the informatio. Here is > the new access list. > > olcAccess: {0}to * by > dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by > dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by > dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by > dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by > dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * > break > olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by > group/groupOfUniqueNames/uniqueMember="cn=System > Administrators,ou=Groups,dc=oreillyauto,dc=com" write > by group/groupOfUniqueNames/uniqueMember="cn=LDAP > Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break > olcAccess: {2}to attrs=userPassword by > group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillya > uto,dc=com" > write by anonymous auth by self write > olcAccess: {3}to attrs=uid by anonymous read by users read > olcAccess: {4}to attrs=ou,employeeNumber by users read > olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by > dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read > olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by > dnattr=owner write by dnattr=uniqueMember read by * none > olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com by self read > by > group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillya > uto,dc=com" > read by * none > olcAccess: {8}to * by self read by users read > > The two users that I need to work are: > readOnlyUser > dn="uid=readOnlyUser,ou=System,dc=oreilly,dc=com > and > ldapadmin dn="uid=ldapadmin, ou=System,dc=oreulllyauto,dc=com > > Here is the search and result: > > root@tntest-ldap-3:/var/lib/ldap# ldapsearch -Wx -D > "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b > "dc=oreillyauto,dc=com" -H ldap://<ldap-server>.oreillyauto.com uid=espeake > uid dsplayName employeeNumber > Enter LDAP Password: > ldap_bind: Invalid credentials (49) > > any and all ideas are welcomed. > Eric Speake > Web Systems Administrator > O'Reilly Auto Parts > > > > From: Quanah Gibson-Mount <quanah(a)zimbra.com> > To: espeake(a)oreillyauto.com, openldap-technical(a)openldap.org > Date: 08/28/2013 11:35 AM > Subject: Re: Object not found > Sent by: openldap-technical-bounces(a)OpenLDAP.org > > > > --On Wednesday, August 28, 2013 8:12 AM -0500 espeake(a)oreillyauto.com > wrote: > >> >> I have a user name readonly that we use in our applications to get uid's. >> THis has worked in the past with our old LDAP solution. We have moved to >> 2.4.31 on Ubuntu 12.04 with a n-way Multi master setup. >> >> The slap cat for this database looks like this. >> >> dn: olcDatabase={1}hdb,cn=config >> objectClass: olcDatabaseConfig >> objectClass: olcHdbConfig >> olcDatabase: {1}hdb >> olcDbDirectory: /var/lib/ldap >> olcSuffix: dc=oreillyauto,dc=com >> olcAccess: {0}to attrs=userPassword by anonymous auth by * none >> olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by >> group/groupOfUniqueName >> s/uniqueMember="cn=System > Administrators,ou=Groups,dc=oreillyauto,dc=com" >> wri >> te by group/groupOfUniqueNames/uniqueMember="cn=LDAP >> Admin,ou=Groups,dc=oreil >> lyauto,dc=com" write by * none break >> olcAccess: {2}to attrs=userPassword by >> group/groupOfUniqueNames/uniqueMember=" >> cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth >> by s >> elf write > > Hi, > > You need to spend some time reading the manual pages and admin guide on > access rules for slapd. > > It is immediately obvious that rule {2) will never evaluate because of rule > > {0}. Those shouldn't even be separate rule lines, they should be a single > rule. I haven't looked further because that was so blatant, I'm guessing > you have any number of other issues in your access lines. > > --Quanah > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > > -- > This message has been scanned for viruses and dangerous content, > and is believed to be clean. > Message id: 898DB600A44.A073B > > > > > This communication and any attachments are confidential, protected by > Communications Privacy Act 18 USCS § 2510, solely for the use of the intended > recipient, and may contain legally privileged material. If you are not the > intended recipient, please return or destroy it immediately. Thank you. Here what shows up in the log. I am high lighting what I thought would have been the issue but it appears to be a double-negative so it is not where it is getting denied. Just must be missing it because it looks like it really working. Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: conn=1027 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128 Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_get: [1] attr userPassword Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: to value by "", (=0) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= acl_mask: no more <who> clauses, returning =0 (stop) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => slap_access_allowed: auth access denied by =0 Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: no more rules Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 slapd[18777]: last message repeated 3 times Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= acl_access_allowed: granted to database root Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (objectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (objectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (uid) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (description) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (objectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (objectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (uid) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (description) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdPolicySubentry) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (structuralObjectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryUUID) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (creatorsName) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (createTimestamp) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdHistory) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdPolicySubentry) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (structuralObjectClass) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryUUID) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (creatorsName) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (createTimestamp) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdHistory) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdHistory) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdHistory) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdChangedTime) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdFailureTime) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdChangedTime) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdFailureTime) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdFailureTime) Aug 29 08:53:32 slapd[18777]: last message repeated 5 times Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryCSN) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (modifiersName) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (modifyTimestamp) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryDN) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (entryDN) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (subschemaSubentry) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (subschemaSubentry) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (hasSubordinates) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates" requested Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (hasSubordinates) Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd) -- This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: 28CE360097D.AE572 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

7 years, 7 months

2
10
0 / 0

Error message with memberof overlay

by Sylvain

Hi ! In my logs, I saw lot of lines like this (we have a poor script which refresh the base with delete/add primitives) : memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16 I can reproduce the problem with a small LDIF : # 1st part dn: uid=V6971,ou=people,dc=xxx,dc=com changetype: delete dn: uid=V6971,ou=people,dc=xxx,dc=com changetype: add objectClass... # 2nd part dn: cn=VAC,ou=groups,dc=xxx,dc=com changetype: delete dn: cn=VAC,ou=groups,dc=xxx,dc=com changetype: add objectClass... In the logs (shown below), we saw that problem occurs only on the delete of cn=VAC but if I reduce the LDIF to that (2nd part), I have no more the problem !? I don't understand... Here the logs with all the LDIF : Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 fd=32 ACCEPT from IP= 192.168.0.1:48049 (IP=0.0.0.0:389) Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128 Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0 Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 RESULT tag=97 err=0 text= --> Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=1 DEL dn="cn=VAC,ou=groups,dc=xxx,dc=com" --> Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1: memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16 Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1 RESULT tag=107 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 ADD dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 RESULT tag=105 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 DEL dn="uid=V6971,ou=people,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 RESULT tag=107 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 ADD dn="uid=V6971,ou=people,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 RESULT tag=105 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=5 UNBIND Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 fd=32 closed And here the logs with only the 2nd part of LDIF : Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 ACCEPT from IP= 192.168.0.1:43599 (IP=0.0.0.0:389) Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128 Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0 Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 RESULT tag=97 err=0 text= --> Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 DEL dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 RESULT tag=107 err=0 text= Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 ADD dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 RESULT tag=105 err=0 text= Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=3 UNBIND Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 closed For information, here the configuration of memberOf overlay : dn: olcOverlay={0}memberof, olcDatabase={1}hdb, cn=config olcMemberOfMemberAD: member olcMemberOfRefInt: FALSE olcOverlay: memberof olcMemberOfDangling: ignore objectClass: olcMemberOf objectClass: olcOverlayConfig olcMemberOfMemberOfAD: memberOf olcMemberOfGroupOC: groupOfNames We run OpenLDAP 2.4.31 replicated onto another host on Debian Wheezy. Do you have an idea on the problem ? Thanks, Sylvain

7 years, 7 months

2
3
0 / 0

Limit value count of multivalued attribute?

by Ole

Hi, i'm searching a solution to limit the number of values for multivalued attributes. For example, my users can wirte multivalued "mail". But they should set only 20 mailaddress in max, not 20.000. Is there a way to do this with overlays? Regards Ole

7 years, 7 months

3
2
0 / 0

RE: ldapadd "ldap_bind: Invalid credentials (49)"

by Clint Petty

-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Thursday, August 29, 2013 3:10 PM To: Clint Petty Subject: RE: ldapadd "ldap_bind: Invalid credentials (49)" --On Thursday, August 29, 2013 10:06 PM +0000 Clint Petty <cpetty(a)luthresearch.com> wrote: >> # /etc/init.d/slapd debug -1 -u ldap -F /usr/local/etc/openldap/slapd.d >> # -H ldapi:/// >> slapd: [INFO] Using /etc/default/slapd for configuration >> slapd: [INFO] Halting OpenLDAP... >> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: >> /etc/init.d/slapd forcestop slapd: [INFO] No db_recover done >> slapd: [INFO] Launching OpenLDAP... >> slapd: [OK] File descriptor limit set to 1024 >> 521fc4a1 @(#) $OpenLDAP: slapd 2.4.36 (Aug 21 2013 09:39:54) $ >> clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.36/ >> servers/slapd 521fc4a1 /usr/local/openldap/etc/openldap/slapd.conf: line >> 5: unknown directive <dn:> >outside backend info and database >> definitions. 521fc4a1 slapd stopped. >> 521fc4a1 connections_destroy: nothing to destroy. > Hi Clint, > The point is to use a ">" with the text *I* wrote, not the text you write. > That's standard quoting of replies (as you will see my email client does > automatically). > In the above, you used /etc/init.d/slapd, rather than the slapd *binary*. > The above indicates you are using an invalid slapd.conf file localted in > /usr/local/openldap/etc/openldap. I thought you used cn=config? > You may need to examine /etc/default/slapd to see how to fix it to use > cn=config? etc. At this point, you may want to ask the LTB project for > guidance on configuring their servers correctly. > --Quanah _________________________________________________________________ # /usr/local/openldap/libexec/slapd -d -1 -u ldap -F /usr/local/etc/openldap/slapd.d -h ldapi:/// ldap_url_parse_ext(ldap://localhost/) ldap_init: trying /usr/local/openldap/etc/openldap/ldap.conf ldap_init: using /usr/local/openldap/etc/openldap/ldap.conf ldap_init: HOME env is /root ldap_init: trying /root/ldaprc ldap_init: trying /root/.ldaprc ldap_init: trying ldaprc ldap_init: LDAPCONF env is NULL ldap_init: LDAPRC env is NULL 521fc7d9 @(#) $OpenLDAP: slapd 2.4.36 (Aug 21 2013 09:39:54) $ clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.36/servers/slapd ldap_pvt_gethostbyname_a: host=ip-10-15-2-169, r=0 521fc7d9 daemon_init: ldapi:/// 521fc7d9 daemon_init: listen on ldapi:/// 521fc7d9 daemon_init: 1 listeners to open... ldap_url_parse_ext(ldapi:///) 521fc7d9 daemon: listener initialized ldapi:/// 521fc7d9 daemon_init: 1 listeners opened ldap_create 521fc7d9 slapd init: initiated server. 521fc7d9 slap_sasl_init: initialized! 521fc7d9 bdb_back_initialize: initialize BDB backend 521fc7d9 bdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) 521fc7d9 hdb_back_initialize: initialize HDB backend 521fc7d9 hdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) 521fc7d9 mdb_back_initialize: initialize MDB backend 521fc7d9 mdb_back_initialize: MDB 0.9.7: (January 10, 2013) 521fc7d9 ==> translucent_initialize 521fc7d9 backend_startup_one: starting "cn=config" 521fc7d9 ldif_read_file: Permission denied for "/usr/local/etc/openldap/slapd.d/cn=config.ldif" 521fc7d9 send_ldap_result: conn=-1 op=0 p=0 521fc7d9 send_ldap_result: err=80 matched="" text="internal error (cannot read some entry file)" 521fc7d9 slapd destroy: freeing system resources. 521fc7d9 slapd stopped. 521fc7d9 connections_destroy: nothing to destroy. # My /etc/default/slapd file looks like this: #==================================================================== # Configuration example of OpenLDAP's init script #==================================================================== # IP and port to listen IP="*" SSLIP="*" PORT="389" SSLPORT="636" # OpenLDAP directory and files SLAPD_PATH="/usr/local/openldap" SLAPD_PID_FILE="$SLAPD_PATH/var/run/slapd.pid" SLAPD_CONF="$SLAPD_PATH/etc/openldap/slapd.conf" SLAPD_CONF_DIR="" SLAPD_SERVICES="ldap://$IP:$PORT ldaps://$SSLIP:$SSLPORT" SLAPD_PARAMS="" SLAPD_BIN="$SLAPD_PATH/libexec/slapd" SLAPD_USER="ldap" SLAPD_GROUP="ldap" SLAPD_SYSLOG_LOCAL_USER="local4" DATA_PATH="auto" SLAPADD_BIN="$SLAPD_PATH/sbin/slapadd" SLAPADD_PARAMS="-q" SLAPCAT_BIN="$SLAPD_PATH/sbin/slapcat" SLAPINDEX_BIN="$SLAPD_PATH/sbin/slapindex" SLAPTEST_BIN="$SLAPD_PATH/sbin/slaptest" SLURPD_PID_FILE="$SLAPD_PATH/var/run/slurpd.pid" SLURPD_PARAMS="" SLURPD_BIN="$SLAPD_PATH/libexec/slurpd" # BerkeleyDB directory and files BDB_PATH="/usr/local/berkeleydb" DB_ARCHIVE_BIN="$BDB_PATH/bin/db_archive" DB_RECOVER_BIN="$BDB_PATH/bin/db_recover" RECOVER_AT_STARTUP="0" # Backup BACKUP_AT_SHUTDOWN="0" BACKUP_PATH="/var/backups/openldap" BACKUP_SUFFIX="`date +%Y%m%d%H%M%S`.ldif" BACKUP_COMPRESS_EXT="" # gz, bz2, ... BACKUP_COMPRESS_BIN="" # /bin/gzip, /bin/bzip2, ... BACKUP_UNCOMPRESS_BIN="" # /bin/gunzip, /bin/bunzip2, ... # Other TIMEOUT="30" # Max time to stop process FD_LIMIT="1024" # Max file descriptor DEBUG_LEVEL="256" # Debug loglevel SPECIAL_QUOTE="1" # Quote some command line parameters (eg: LDAP filters) Clint

7 years, 7 months

2
19
0 / 0

Re : Antw: Re: OpenLDAP 2.4.36 slapd crash with "assertion failed" message

by "POISSON Frédéric"

Hello, I open ITS number 7676 (cf http://www.openldap.org/its/index.cgi/Incoming?id=7676;selectid=7676;stat...). Thanks all, Le 30/08/13, Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> a écrit : > >>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 29.08.2013 um 20:46 in > Nachricht <435F5EA8223A74BCD46762EC(a)[192.168.1.22]>: > > --On Thursday, August 29, 2013 4:17 PM +0200 "\"POISSON Frédéric\"" > > <frederic.poisson(a)admin.gmessaging.net> wrote: > > > >> Ok i have downloaded all the debuginfo package on my RHEL6.2 server, and > >> also i have to install with "--nodeps" options the package > >> glibc-debuginfo-2.12-1.47.el6_2.12.x86_64.rpm because it require the > >> glibc-debuginfo-common rpm package which do not found on Redhat website. > > > > Please file an ITS at http://www.openldap.org/its on this issue. > > > > Include your full cn=config (minus passwords), ldapmodify command, and the > > full backtrace from gdb you collected. > > ...and be aware that your gdb backtrace may include credentials (in non-obious > encoding) also... ;-) > > > > > Thanks. > > > > --Quanah > > > > > > -- > > > > Quanah Gibson-Mount > > Lead Engineer > > Zimbra, Inc > > -------------------- > > Zimbra :: the leader in open source messaging and collaboration > > > > -- Frederic Poisson

7 years, 7 months

1
0
0 / 0

OpenLDAP 2.4.36 slapd crash with "assertion failed" message

by "POISSON Frédéric"

Ok i have downloaded all the debuginfo package on my RHEL6.2 server, and also i have to install with "--nodeps" options the package glibc-debuginfo-2.12-1.47.el6_2.12.x86_64.rpm because it require the glibc-debuginfo-common rpm package which do not found on Redhat website. Here is now the result : # gdb /usr/local/openldap/libexec/slapd 12945 GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6) Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/local/openldap/libexec/slapd...Reading symbols from /usr/lib/debug/usr/local/openldap/libexec/slapd.debug...done. done. Attaching to program: /usr/local/openldap/libexec/slapd, process 12945 Reading symbols from /usr/local/berkeleydb/lib64/libdb-4.6.so...Reading symbols from /usr/lib/debug/usr/local/berkeleydb/lib64/libdb-4.6.so.debug... warning: "/usr/lib/debug/usr/local/berkeleydb/lib64/libdb-4.6.so.debug": separate debug info file has no debug info (no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/local/berkeleydb/lib64/libdb-4.6.so Reading symbols from /lib64/libpthread.so.0...Reading symbols from /usr/lib/debug/lib64/libpthread-2.12.so.debug...done. [Thread debugging using libthread_db enabled] [New Thread 0x7f823ed22700 (LWP 12947)] done. Loaded symbols for /lib64/libpthread.so.0 Reading symbols from /usr/lib64/libsasl2.so.2...Reading symbols from /usr/lib/debug/usr/lib64/libsasl2.so.2.0.23.debug...done. done. Loaded symbols for /usr/lib64/libsasl2.so.2 Reading symbols from /usr/lib64/libssl.so.10...Reading symbols from /usr/lib/debug/usr/lib64/libssl.so.1.0.0.debug...done. done. Loaded symbols for /usr/lib64/libssl.so.10 Reading symbols from /usr/lib64/libcrypto.so.10...Reading symbols from /usr/lib/debug/usr/lib64/libcrypto.so.1.0.0.debug...done. done. Loaded symbols for /usr/lib64/libcrypto.so.10 Reading symbols from /lib64/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib64/libcrypt-2.12.so.debug...done. done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/libresolv.so.2...Reading symbols from /usr/lib/debug/lib64/libresolv-2.12.so.debug...done. done. Loaded symbols for /lib64/libresolv.so.2 Reading symbols from /usr/lib64/libltdl.so.7...Reading symbols from /usr/lib/debug/usr/lib64/libltdl.so.7.2.1.debug...done. done. Loaded symbols for /usr/lib64/libltdl.so.7 Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/lib64/libc-2.12.so.debug...done. done. Loaded symbols for /lib64/libc.so.6 Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib64/ld-2.12.so.debug...done. done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib64/libdl.so.2...Reading symbols from /usr/lib/debug/lib64/libdl-2.12.so.debug...done. done. Loaded symbols for /lib64/libdl.so.2 Reading symbols from /lib64/libgssapi_krb5.so.2...Reading symbols from /usr/lib/debug/lib64/libgssapi_krb5.so.2.2.debug...done. done. Loaded symbols for /lib64/libgssapi_krb5.so.2 Reading symbols from /lib64/libkrb5.so.3...Reading symbols from /usr/lib/debug/lib64/libkrb5.so.3.3.debug...done. done. Loaded symbols for /lib64/libkrb5.so.3 Reading symbols from /lib64/libcom_err.so.2...Reading symbols from /usr/lib/debug/lib64/libcom_err.so.2.1.debug...done. done. Loaded symbols for /lib64/libcom_err.so.2 Reading symbols from /lib64/libk5crypto.so.3...Reading symbols from /usr/lib/debug/lib64/libk5crypto.so.3.1.debug...done. done. Loaded symbols for /lib64/libk5crypto.so.3 Reading symbols from /lib64/libz.so.1...Reading symbols from /usr/lib/debug/lib64/libz.so.1.2.3.debug...done. done. Loaded symbols for /lib64/libz.so.1 Reading symbols from /lib64/libfreebl3.so...Reading symbols from /usr/lib/debug/lib64/libfreebl3.so.debug...done. done. Loaded symbols for /lib64/libfreebl3.so Reading symbols from /lib64/libkrb5support.so.0...Reading symbols from /usr/lib/debug/lib64/libkrb5support.so.0.1.debug...done. done. Loaded symbols for /lib64/libkrb5support.so.0 Reading symbols from /lib64/libkeyutils.so.1...Reading symbols from /usr/lib/debug/lib64/libkeyutils.so.1.3.debug...done. done. Loaded symbols for /lib64/libkeyutils.so.1 Reading symbols from /lib64/libselinux.so.1...Reading symbols from /usr/lib/debug/lib64/libselinux.so.1.debug...done. done. Loaded symbols for /lib64/libselinux.so.1 Reading symbols from /lib64/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib64/libnss_files-2.12.so.debug...done. done. Loaded symbols for /lib64/libnss_files.so.2 Reading symbols from /usr/lib64/sasl2/libsasldb.so...Reading symbols from /usr/lib/debug/usr/lib64/sasl2/libsasldb.so.2.0.23.debug...done. done. Loaded symbols for /usr/lib64/sasl2/libsasldb.so Reading symbols from /lib64/libdb-4.7.so...Reading symbols from /usr/lib/debug/lib64/libdb-4.7.so.debug...done. done. Loaded symbols for /lib64/libdb-4.7.so Reading symbols from /usr/lib64/sasl2/libanonymous.so...Reading symbols from /usr/lib/debug/usr/lib64/sasl2/libanonymous.so.2.0.23.debug...done. done. Loaded symbols for /usr/lib64/sasl2/libanonymous.so 0x0000003a00c0804d in pthread_join (threadid=140197376435968, thread_return=0x0) at pthread_join.c:89 89 lll_wait_tid (pd->tid); (gdb) backtrace full #0 0x0000003a00c0804d in pthread_join (threadid=140197376435968, thread_return=0x0) at pthread_join.c:89 __ignore = -512 _tid = 12947 _buffer = {__routine = 0x3a00c07f20 <cleanup>, __arg = 0x7f823ed22d28, __canceltype = 1053960656, __prev = 0x0} oldtype = 0 pd = 0x7f823ed22700 self = 0x7f8281c967c0 result = 0 #1 0x000000000043a0e9 in slapd_daemon () at daemon.c:2929 i = <value optimized out> rc = <value optimized out> #2 0x0000000000426435 in main (argc=11, argv=<value optimized out>) at main.c:1012 i = <value optimized out> no_detach = 0 rc = -12 urls = 0x1aad010 "ldap://*:25389 ldaps://*:25636" username = 0x1aad080 "root" groupname = 0x1aad0a0 "\026\065U" sandbox = 0x0 syslogUser = 160 pid = <value optimized out> waitfds = {9, 10} g_argc = 11 g_argv = <value optimized out> configfile = 0x0 configdir = 0x1aad040 "/usr/local/openldap/etc/openldap/slapd.d" serverName = <value optimized out> scp = <value optimized out> scp_entry = <value optimized out> debug_unknowns = 0x0 syslog_unknowns = 0x0 serverNamePrefix = <value optimized out> slapd_pid_file_unlink = 1 slapd_args_file_unlink = 1 firstopt = <value optimized out> __PRETTY_FUNCTION__ = "main" (gdb) continue Continuing. [New Thread 0x7f823e521700 (LWP 11522)] [New Thread 0x7f823dd20700 (LWP 11523)] Program received signal SIGABRT, Aborted. [Switching to Thread 0x7f823e521700 (LWP 11522)] 0x0000003a00432885 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig); (gdb) backtrace full #0 0x0000003a00432885 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = 0 pid = 12945 selftid = 11522 #1 0x0000003a00434065 in abort () at abort.c:92 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x5dc95e, sa_sigaction = 0x5dc95e}, sa_mask = {__val = {249113688989, 140197368029312, 0, 140197368029552, 249112713062, 206158430232, 140197368029568, 140197368029344, 249112620008, 206158430256, 140197368029600, 140197128851280, 117, 117, 0, 140736009787411}}, sa_flags = 5579917, sa_restorer = 0x5dc857} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x0000003a0042b9fe in __assert_fail_base (fmt=<value optimized out>, assertion=0x5dc95e "!((rs->sr_err)<0)", file=0x5dc857 "result.c", line=<value optimized out>, function=<value optimized out>) at assert.c:96 str = 0x7f8230104f50 "" total = 4096 #3 0x0000003a0042bac0 in __assert_fail (assertion=0x5dc95e "!((rs->sr_err)<0)", file=0x5dc857 "result.c", line=813, function=0x5dcb40 "slap_send_ldap_result") at assert.c:105 No locals. #4 0x0000000000450bed in slap_send_ldap_result (op=0x7f8230002660, rs=0x7f823e520950) at result.c:813 tmp = 0x0 otext = 0x7f823e51f394 "" oref = 0x0 __PRETTY_FUNCTION__ = "slap_send_ldap_result" #5 0x000000000042d567 in config_back_modify (op=<value optimized out>, rs=<value optimized out>) at bconfig.c:5926 cfb = <value optimized out> ce = <value optimized out> last = 0xd00000000 ml = <value optimized out> ca = {argc = 2, argv = 0x7f8230103ef0, argv_size = 513, line = 0x7f8230102bf0 "/dev/random", tline = 0x7f8230103ed0 "", fname = 0x5d1f79 "slapd", lineno = 0, log = "olcTLSRandFile: value #0", '\000' <repeats 4099 times>, reply = {err = 0, msg = '\000' <repeats 255 times>}, depth = 0, valx = -1, values = {v_int = 806375360, v_uint = 806375360, v_long = 140197128851392, v_ulong = 140197128851392, v_ber_t = 140197128851392, v_string = 0x7f8230104fc0 "/dev/random", v_bv = {bv_len = 140197128851392, bv_val = 0x0}, v_dn = {vdn_dn = { bv_len = 140197128851392, bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val = 0x0}}, v_ad = 0x7f8230104fc0}, rvalue_vals = 0x0, rvalue_nvals = 0x0, op = 0, type = 4, ca_op = 0x7f8230002660, be = 0x88e960, bi = 0x0, ca_entry = 0x1b300d8, ca_private = 0x1b2f970, cleanup = 0x427a70 <config_tls_cleanup>, table = Cft_Global} rdn = {bv_len = 2, bv_val = 0x1b2fe30 "cn=config"} ptr = <value optimized out> rad = 0x1ada450 do_pause = <value optimized out> #6 0x000000000045745b in fe_op_modify (op=0x7f8230002660, rs=0x7f823e520950) at modify.c:303 update = <value optimized out> repl_user = <value optimized out> op_be = <value optimized out> bd = 0x88e960 textbuf = "8,\000\060\202\177", '\000' <repeats 18 times>, "\003\000\000\000\000\000\000\000\020/Z\000\000\000\000\000Â7Z\000\000\000\000\000`s¬\001\000\000\000\000ð\035\000\060\202\177\000\000\200ªG\000\000\000\000\000\066¢E\000\000\000\000\000\016\000\000\000\000\000\000\000+&\000\060\202\177", '\000' <repeats 18 times>, "\v\000\000\000\000\000\000\000ð+\020\060\202\177\000\000 +\000\060\202\177\000\000\020,\020\060\202\177\000\000\000\000\000\000\000\000\000\000\200\036¯\001", '\000' <repeats 28 times>, "\237nE\000\000\000\000\000\000\bR>\202\177\000\000p\tR>\202\177\000\000\000\001\000\000\000\000\000\000`&\000\060\202\177\000\000\210&\000\060\202\177\000\000\230&"... #7 0x0000000000457d86 in do_modify (op=0x7f8230002660, rs=0x7f823e520950) at modify.c:177 dn = {bv_len = 9, bv_val = 0x7f8230002617 "cn=config"} textbuf = "\027)\000\060\202\177\000\000Ð+\000\060\202\177\000\000\000\060\020\000\000\000\000\000\000@\000\000\000\000\000\000\000\020\002\000\000\000\000\000\060\000\020\000\000\000\000\000\004\000\000\000\000\000\000\000 \000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\001\000\001\000\060@\000\000[\b\000\000\200\000\000\000\227\000\000\000n\001", '\000' <repeats 20 times>, "\020\000\000\000\000\000 \000\000\060\202\177\000\000\001\000\000\000\000\000\000\000°\nR>\202\177\000\000Ð'\000\060\202\177\000\000Ñ\227G\000:", '\000' <repeats 13 times>, "\020\000\000\000\000\000\001\000\000\000\000\000\000\000\031\001\\\000\000\000\000\000\000\000\020\000\000\000\000\000û\237E\000\000\000\000\000 +\000\060\202"... tmp = <value optimized out> #8 0x000000000043fb79 in connection_operation (ctx=0x7f823e520ab0, arg_v=0x7f8230002660) at connection.c:1155 rc = 80 cancel = <value optimized out> op = 0x7f8230002660 rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = -12, sr_matched = 0x0, sr_text = 0x7f823e51f394 "", ---Type <return> to continue, or q <return> to quit--- sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0} tag = 102 opidx = SLAP_OP_MODIFY conn = 0x1bbad20 memctx = 0x7f8230002ba0 memctx_null = 0x0 memsiz = 1048576 __PRETTY_FUNCTION__ = "connection_operation" #9 0x0000000000440365 in connection_read_thread (ctx=0x7f823e520ab0, argv=<value optimized out>) at connection.c:1291 rc = <value optimized out> cri = {op = 0x7f8230002660, func = 0, arg = 0x0, ctx = 0x7f823e520ab0, nullop = <value optimized out>} s = <value optimized out> #10 0x0000000000595b80 in ldap_int_thread_pool_wrapper (xpool=0x1add680) at tpool.c:688 pool = 0x1add680 task = 0x7f8238000a20 work_list = <value optimized out> ctx = {ltu_id = 140197368043264, ltu_key = {{ltk_key = 0x43e990, ltk_data = 0x7f8230002a90, ltk_free = 0x43ea60 <conn_counter_destroy>}, {ltk_key = 0x492f40, ltk_data = 0x7f8230002ba0, ltk_free = 0x492f60 <slap_sl_mem_destroy>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0} <repeats 27 times>, { ltk_key = 0x0, ltk_data = 0x3a00c07e8a, ltk_free = 0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0}, { ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0}}} kctx = <value optimized out> keyslot = 936 hash = <value optimized out> __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper" #11 0x0000003a00c077f1 in start_thread (arg=0x7f823e521700) at pthread_create.c:301 __res = <value optimized out> pd = 0x7f823e521700 now = <value optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140197368043264, -7363636271228307732, 140197376425120, 140197368043968, 0, 3, 7407127774185469676, -7369267418370066708}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = { prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = <value optimized out> pagesize_m1 = <value optimized out> sp = <value optimized out> freesize = <value optimized out> #12 0x0000003a004e5ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115 No locals. (gdb) continue Continuing. [Thread 0x7f823dd20700 (LWP 11523) exited] [Thread 0x7f823e521700 (LWP 11522) exited] [Thread 0x7f823ed22700 (LWP 12947) exited] Program terminated with signal SIGABRT, Aborted. The program no longer exists. (gdb) quit Regards, Le 29/08/13, Aaron Richton <richton(a)nbcs.rutgers.edu> a écrit : > On Thu, 29 Aug 2013, "POISSON Fr?d?ric" wrote: > > >Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-13.el6.x86_64 db4-4.7.25-16.el6.x86_64 glibc-2.12-1.47.el6_2.12.x86_64 keyutils-libs-1.4-3.el6.x86_64 krb5-libs-1.9-22.el6_2.1.x86_64 > >libcom_err-1.41.12-11.el6.x86_64 libselinux-2.0.94-5.2.el6.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64 openssl-1.0.0-20.el6_2.4.x86_64 zlib-1.2.3-27.el6.x86_64 > > Admittedly the slapd symbols are the most important and may (or may not) be sufficient, but it'd be kinder on our eyes if you followed this advice and got a fresh backtrace? > > > -- Frederic Poisson

7 years, 7 months

3
2
0 / 0

Q: duplicate contextCSN; remove it?

by Ulrich Windl

Hi! When I examine my slapcat of the config database (multi-master replication), I see a duplicate contextCSN; one of them seems obsolete: contextCSN: 20130722065709.189194Z#000000#000#000000 contextCSN: 20130729112421.079210Z#000000#001#000000 Can I remove one of those, and if so, how? I tried once, but the CSN re-appered, maybe from an other master... Or are those expected to be there? Regards, Ulrich

7 years, 7 months

3
4
0 / 0

RE: ldapadd "ldap_bind: Invalid credentials (49)"

by Clint Petty

-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Thursday, August 29, 2013 3:10 PM To: Clint Petty Subject: RE: ldapadd "ldap_bind: Invalid credentials (49)" --On Thursday, August 29, 2013 10:06 PM +0000 Clint Petty <cpetty(a)luthresearch.com> wrote: >> # /etc/init.d/slapd debug -1 -u ldap -F /usr/local/etc/openldap/slapd.d >> # -H ldapi:/// >> slapd: [INFO] Using /etc/default/slapd for configuration >> slapd: [INFO] Halting OpenLDAP... >> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: >> /etc/init.d/slapd forcestop slapd: [INFO] No db_recover done >> slapd: [INFO] Launching OpenLDAP... >> slapd: [OK] File descriptor limit set to 1024 >> 521fc4a1 @(#) $OpenLDAP: slapd 2.4.36 (Aug 21 2013 09:39:54) $ >> clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.36/ >> servers/slapd 521fc4a1 /usr/local/openldap/etc/openldap/slapd.conf: line >> 5: unknown directive <dn:> >outside backend info and database >> definitions. 521fc4a1 slapd stopped. >> 521fc4a1 connections_destroy: nothing to destroy. > Hi Clint, > The point is to use a ">" with the text *I* wrote, not the text you write. > That's standard quoting of replies (as you will see my email client does > automatically). > In the above, you used /etc/init.d/slapd, rather than the slapd *binary*. > The above indicates you are using an invalid slapd.conf file localted in > /usr/local/openldap/etc/openldap. I thought you used cn=config? > You may need to examine /etc/default/slapd to see how to fix it to use > cn=config? etc. At this point, you may want to ask the LTB project for > guidance on configuring their servers correctly. > --Quanah _________________________________________________________________ # /usr/local/openldap/libexec/slapd -d -1 -u ldap -F /usr/local/etc/openldap/slapd.d -h ldapi:/// ldap_url_parse_ext(ldap://localhost/) ldap_init: trying /usr/local/openldap/etc/openldap/ldap.conf ldap_init: using /usr/local/openldap/etc/openldap/ldap.conf ldap_init: HOME env is /root ldap_init: trying /root/ldaprc ldap_init: trying /root/.ldaprc ldap_init: trying ldaprc ldap_init: LDAPCONF env is NULL ldap_init: LDAPRC env is NULL 521fc7d9 @(#) $OpenLDAP: slapd 2.4.36 (Aug 21 2013 09:39:54) $ clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.36/servers/slapd ldap_pvt_gethostbyname_a: host=ip-10-15-2-169, r=0 521fc7d9 daemon_init: ldapi:/// 521fc7d9 daemon_init: listen on ldapi:/// 521fc7d9 daemon_init: 1 listeners to open... ldap_url_parse_ext(ldapi:///) 521fc7d9 daemon: listener initialized ldapi:/// 521fc7d9 daemon_init: 1 listeners opened ldap_create 521fc7d9 slapd init: initiated server. 521fc7d9 slap_sasl_init: initialized! 521fc7d9 bdb_back_initialize: initialize BDB backend 521fc7d9 bdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) 521fc7d9 hdb_back_initialize: initialize HDB backend 521fc7d9 hdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007) 521fc7d9 mdb_back_initialize: initialize MDB backend 521fc7d9 mdb_back_initialize: MDB 0.9.7: (January 10, 2013) 521fc7d9 ==> translucent_initialize 521fc7d9 backend_startup_one: starting "cn=config" 521fc7d9 ldif_read_file: Permission denied for "/usr/local/etc/openldap/slapd.d/cn=config.ldif" 521fc7d9 send_ldap_result: conn=-1 op=0 p=0 521fc7d9 send_ldap_result: err=80 matched="" text="internal error (cannot read some entry file)" 521fc7d9 slapd destroy: freeing system resources. 521fc7d9 slapd stopped. 521fc7d9 connections_destroy: nothing to destroy. # Clint

7 years, 7 months

2
1
0 / 0

Re: Antw: Problems recovering my ldap db[Solved]

by Ger Hooton

I just started over with a new DB Thanks for your help //Ger ----------------original message----------------- From: "Ulrich Windl" Ulrich.Windl(a)rz.uni-regensburg.de To: ghooton(a)scins.ie Date: Thu, 29 Aug 2013 08:07:51 +0200 ------------------------------------------------- >>>> ghooton(a)scins.ie schrieb am 28.08.2013 um 18:37 in Nachricht > 8004e8d0438c1185f5c2c6b474f7cea0.squirrel(a)www.scins.ie : >> Hi all, I am >> recovering form a disaster. when I do slapcat I can see all the info > > Hi! > > I think it depends on the type of desaster: For human error or filesystem > corruption, you must probably restore your last successful database dump. If > the machine just crashed (and the filesystem configuration was sane), there > shouldn't be a problem with automatic recovery (IMHO). > > Regards, > Ulrich > >> stored in the ldap db However, when I do ldapsearch >> I cannot see anything. When I do slapcat -l backup.ldif I get : >> unclean shutdown >> detected; attempting recovery >> recovery skipped in read-only mode. >> Run manual >> recovery if errors are encountered >> >> I am using Debian 6 2.6.32-5-amd64 and :- >> ldapsearch -VV >> ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.23 (Dec 16 2012 11:48:21) $ >> >> root@carillon :/tmp/buildd/openldap-2.4.23/debian/build/clients/too >> ls >> (LDAP library: OpenLDAP 20423) >> >> >> //Ger > > > > -- Scoil Chroí Íosa Blarney. Blarney. Co. Cork

7 years, 7 months

1
0
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2013