Hello,
since the upgrade from Buster to Bookworm we have been fighting with smaller and
bigger issues on our OpenLDAP. We use WebADM as IDM (RCDevs), and this
uses OpenLDAP as backend. For a long while on Bookworm we have had the
issue that slapd gets stuck on operations, like adding entries, for
example adding more than 1 CN entry to an existing OU. The only way to
get everything working again is to stop slapd, but systemctl stop slapd
doesn't work; you have to use kill -9 .. and that pretty often.
So, hoping to get it working again, I cloned the VMs, cut the
(normal) network and used a localhost bridge, so that both can see each
other without issues. Then I created a backup (slapcat), deleted
the db and slapd.d/cn=config ... and restored the DB on both. This part
worked without issues .. but:
```
cat /home/foo/sudo_single.ldif
dn: cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local
objectclass: sudorole
objectclass: top
cn: jochoa_fra_dev_bookworm_02
sudorunasuser: ALL
sudooption: !authenticate
sudocommand: /bin/su
sudohost: fra-dev-bookworm-02.example.local
sudouser: jochoa@example.local

ldapadd -ZZ -c -x -D 'cn=webadmin,ou=Accounts,dc=example,dc=local' -W -H ldap://fra-corp-auth-01.example.com:389 -f /home/foo/sudo_single.ldif -vv
ldap_initialize( ldap://fra-corp-auth-01.example.com:389/??base )
Enter LDAP Password:
add objectclass:
sudorole
top
add cn:
jochoa_fra_dev_bookworm_02
add sudorunasuser:
ALL
add sudooption:
!authenticate
add sudocommand:
/bin/su
add sudohost:
fra-dev-bookworm-02.example.local
add sudouser:
jochoa@example.local
adding new entry
"cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local"
```
and then .. it just gets stuck, until I break with CTRL+C.
The same happens via ApacheDirectory or using the WebADM GUI ... sometimes
it works .. but often not.
```
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on 1
descriptor
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on:
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: 22r
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]:
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: read active on 22
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_get(22)
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_get(22): got
connid=1041
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_read(22):
checking for input on id=1041
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: op tag 0x68, time
1740046822
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 do_add
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 do_add: dn
(cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local)
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: >>> dnPrettyNormal:
<cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local>
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: <<< dnPrettyNormal:
<cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local>,
<cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local>
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 ADD
dn="cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: ndn:
"cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: oc:
"(null)", at: "(null)"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]:
mdb_dn2entry("cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local")
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: =>
mdb_dn2id("cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local")
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: <= mdb_dn2id: get failed:
MDB_NOTFOUND: No matching key/data pair found (-30798)
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: cannot
find entry:
"cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: mdb_entry_get: rc=32
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: ==> mdb_add:
cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_required entry
(cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local),
objectClass "sudoRole"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"objectClass"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "cn"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"sudoRunAsUser"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"sudoOption"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"sudoCommand"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"sudoHost"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"sudoUser"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type
"structuralObjectClass"
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on 1
descriptor
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on:
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]:
Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=8
active_threads=0 tvp=zero
```
If I try to stop the slapd on ldap1:
```
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: conn=1001 fd=20 closed
(slapd shutdown)
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_closing:
readying conn=1041 sd=22 for close
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_close: deferring
conn=1041 sd=22
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_closing:
readying conn=1011 sd=23 for close
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_close: deferring
conn=1011 sd=23
Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: slapd shutdown: waiting for
4 operations/tasks to finish
```
strace shows:
```
futex(0x7f3e9a9ff990, FUTEX_WAIT_BITSET|FUTEX_CLOCK_REALTIME, 720, NULL,
FUTEX_BITSET_MATCH_ANY
```
So, if I stop all .. start slapd again .. all seems fine ..
* ldap2
```
Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2
syncprov_op_search: registered persistent search
Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2
syncprov_op_search: no change, skipping log replay
Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2
syncprov_op_search: nothing changed, finishing up initial search early
Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2
syncprov_sendinfo: refreshDelete cookie=
Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2
syncprov_search_response: detaching op
```
then I try to use ldapadd again .. and I still see:
* ldap2
```
...
Feb 20 11:54:35 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002
Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: start_refresh: rid=002 a
refresh on rid=001 in progress, pausing
Feb 20 11:54:37 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002
Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: start_refresh: rid=002 a
refresh on rid=001 in progress, pausing
Feb 20 11:54:39 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002
....
```
but .. an ldapsearch on ldap1 .. **still works** :-/
on ldap1 .. the log is silent, except for my ldapsearch and ... I have to
kill -9 slapd on ldap1 again and start ..
I have no clue .. what else I can do .....
Any hints?
cu denny
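
Added example, not part of the original message: one way to list write operations that slapd logged as started (like `conn=1041 op=1 ADD` above) but never answered with a `RESULT` line, which is what "waiting for 4 operations/tasks to finish" points at. It assumes stats-level logging and one log record per line (not mail-wrapped); `pending_writes` and the sample lines are constructed for illustration.

```python
import re

# Stats-level slapd record as written to syslog/journal, one record per line.
RECORD = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sslapd\[(?P<pid>\d+)\]:\s'
    r'conn=(?P<conn>\d+)\sop=(?P<op>\d+)\s(?P<rest>.*)$'
)
WRITE_START = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')

def pending_writes(lines):
    """Return write operations that logged a start but never a RESULT."""
    pending = {}
    for line in lines:
        rec = RECORD.match(line)
        if not rec:
            continue  # lines without a conn=/op= prefix are skipped
        # conn ids restart with every slapd process, so the pid is part of the key
        key = (rec['pid'], rec['conn'], rec['op'])
        start = WRITE_START.match(rec['rest'])
        if start:
            pending[key] = {'since': rec['ts'], 'pid': rec['pid'],
                            'conn': rec['conn'], 'op': rec['op'],
                            'kind': start['kind'], 'dn': start['dn']}
        elif rec['rest'].startswith('RESULT '):
            pending.pop(key, None)  # operation completed
    return list(pending.values())

# Constructed sample in the format of the excerpts above (not real log data).
H = 'fra-corp-auth-01'
BASE = 'ou=user_rules,ou=sudoers,dc=example,dc=local'
SAMPLE = [
    f'Feb 20 11:20:21 {H} slapd[710]: conn=1040 op=1 ADD dn="cn=rule_a,{BASE}"',
    f'Feb 20 11:20:21 {H} slapd[710]: conn=1040 op=1 RESULT tag=105 err=0 text=',
    f'Feb 20 11:20:22 {H} slapd[710]: daemon: read active on 22',
    f'Feb 20 11:20:22 {H} slapd[710]: conn=1041 op=1 ADD dn="cn=rule_b,{BASE}"',
    f'Feb 20 11:23:10 {H} slapd[710]: slapd shutdown: waiting for 4 operations/tasks to finish',
    # after kill -9 and restart: new pid, connection ids start over
    f'Feb 20 11:30:02 {H} slapd[4711]: conn=1041 op=1 MOD dn="cn=rule_a,{BASE}"',
    f'Feb 20 11:30:02 {H} slapd[4711]: conn=1041 op=1 RESULT tag=103 err=0 text=',
]

if __name__ == '__main__':
    for w in pending_writes(SAMPLE):
        print(f"{w['since']} pid={w['pid']} conn={w['conn']} op={w['op']} "
              f"{w['kind']} {w['dn']} has no RESULT")
```

Persistent syncrepl searches never log a final result while they are active, which is why only write operations are tracked here.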