Hi.
My company has decided to migrate from Oracle Directory Server 7.0 (ODSEE) to OpenLDAP due to end-of-life supportability issues.
I've installed the RHEL 6.9 OpenLDAP bundled product and have a working suffix based on the cn=config (vs. slapd.conf) model, but cannot get the accesslog overlay/DBs to work properly (ldapsearch returns accesslog records but never completes and instead hangs showing "ldap_int_select"; Ctrl-C is needed to exit).
Here are the details:
- more /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.9 (Santiago)

- yum list installed | grep openldap
    compat-openldap.x86_64     1:2.3.43-2.el6
    openldap.x86_64            2.4.40-16.el6
    openldap-clients.x86_64    2.4.40-16.el6
    openldap-devel.x86_64      2.4.40-16.el6
    openldap-servers.x86_64    2.4.40-16.el6

- ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={2}bdb,cn=config" | egrep "olcRo|olcSu"    <-- main suffix DB
    olcSuffix: dc=mydomain,dc=ca
    olcRootDN: cn=dev13,dc=mydomain,dc=ca
    olcRootPW: {SSHA}ZODaH7MZuRjuG+FTzIZvdPg5edL2WDjg

- ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={3}bdb,cn=config"    <-- accesslog DB and overlay
    dn: olcDatabase={3}bdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcBdbConfig
    olcDatabase: {3}bdb
    olcDbDirectory: /var/lib/ldap/accesslog
    olcSuffix: cn=accesslog
    olcRootDN: cn=dev13,dc=mydomain,dc=ca
    olcDbIndex: default eq
    olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

    dn: olcOverlay={0}accesslog,olcDatabase={3}bdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcAccessLogConfig
    olcOverlay: {0}accesslog
    olcAccessLogDB: cn=accesslog
    olcAccessLogOps: writes reads session
    olcAccessLogPurge: 07+00:00 01+00:00
    olcAccessLogSuccess: TRUE

- ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "cn=module{0},cn=config"    <-- loaded modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: {0}syncprov.la
    olcModuleLoad: {1}accesslog.la
When I execute the ldapsearch on cn=accesslog I get the following (Ctrl-C needed to exit from the hang):
ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mailposte,dc=ca" -b cn=accesslog -W
ldap_url_parse_ext(ldap://)
ldap_initialize( ldap://:389/??base )
ldap_create
ldap_url_parse_ext(ldap://:389/??base)
Enter LDAP Password:
... stuff omitted due to length ...
reqDN: reqStart=20170620210816.000003Z,cn=accesslog
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqResult: 0
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqMod: objectClass:+ auditSearch
reqMod: structuralObjectClass:+ auditSearch
reqMod: reqStart:+ 20170620210816.000003Z
reqMod: reqEnd:+ 20170620210816.000004Z
reqMod: reqType:+ search
reqMod: reqSession:+ 18446744073709551615
reqMod: reqAuthzID:+ cn=dev13,dc=mailposte,dc=ca
reqMod: reqDN:+ cn=accesslog
reqMod: reqResult:+ 0
reqMod: reqScope:+ one
reqMod: reqDerefAliases:+ never
reqMod: reqAttrsOnly:+ TRUE
reqMod: reqFilter:+ (reqStart<=20170613210816Z)
reqMod: reqAttr:+ 1.1
reqMod: reqEntries:+ 0
reqMod: reqTimeLimit:+ -1
reqMod: reqSizeLimit:+ -1
reqMod: entryUUID:+ 52bef5ee-ea48-1036-9807-2fa6ad6fded4
reqMod: creatorsName:+ cn=dev13,dc=mailposte,dc=ca
reqMod: createTimestamp:+ 20170620210816Z
reqMod: entryCSN:+ 20170620210816.416676Z#000000#000#000000
reqMod: modifiersName:+ cn=dev13,dc=mailposte,dc=ca
reqMod: modifyTimestamp:+ 20170620210816Z
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x14c91c0 msgid -1
wait4msg ld 0x14c91c0 msgid -1 (infinite timeout)
wait4msg continue ld 0x14c91c0 msgid -1 all 0
** ld 0x14c91c0 Connections:
* host: (null)  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 21 13:46:58 2017

** ld 0x14c91c0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x14c91c0 request count 1 (abandoned 0)
** ld 0x14c91c0 Response Queue:
   Empty
  ld 0x14c91c0 response count 0
ldap_chkResponseList ld 0x14c91c0 msgid -1 all 0
ldap_chkResponseList returns ld 0x14c91c0 NULL
ldap_int_select
^C
When I do an strace of the working suffix (dc=mydomain,dc=ca) I get the following termination:
- strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b dc=mydomain,dc=ca -w my_passwd
..... stuff omitted due to length ....
write(3, "0\5\2\1\3B\0", 7)             = 7
shutdown(3, SHUT_RDWR)                  = 0
close(3)                                = 0
write(2, "ldap_free_connection: actually f"..., 37ldap_free_connection: actually freed
) = 37
exit_group(0)                           = ?
+++ exited with 0 +++
When I do an strace of cn=accesslog I get the following termination:
- strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b cn=accesslog -w my_passwd
..... stuff omitted due to length ....
write(1, "reqEntryUUID: 52bef5ee-ea48-1036"..., 51reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4
) = 51
write(2, "ldap_get_attribute_ber\n", 23ldap_get_attribute_ber
) = 23
write(2, "ldap_msgfree\n", 13ldap_msgfree
) = 13
write(2, "ldap_result ld 0x24381e0 msgid -"..., 34ldap_result ld 0x24381e0 msgid -1
) = 34
write(2, "wait4msg ld 0x24381e0 msgid -1 ("..., 50wait4msg ld 0x24381e0 msgid -1 (infinite timeout)
) = 50
write(2, "wait4msg continue ld 0x24381e0 m"..., 46wait4msg continue ld 0x24381e0 msgid -1 all 0
) = 46
write(2, "** ld 0x24381e0 Connections:\n", 29** ld 0x24381e0 Connections:
) = 29
write(2, "* host: (null)  port: 389  (defa"..., 37* host: (null)  port: 389  (default)
) = 37
write(2, "  refcnt: 2  status: Connected\n", 31  refcnt: 2  status: Connected
) = 31
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3477, ...}) = 0
write(2, "  last used: Wed Jun 21 14:07:30"..., 39  last used: Wed Jun 21 14:07:30 2017
) = 39
write(2, "\n", 1
) = 1
write(2, "** ld 0x24381e0 Outstanding Requ"..., 38** ld 0x24381e0 Outstanding Requests:
) = 38
write(2, " * msgid 2,  origid 2, status In"..., 41 * msgid 2,  origid 2, status InProgress
) = 41
write(2, "   outstanding referrals 0, pare"..., 43   outstanding referrals 0, parent count 0
) = 43
write(2, "  ld 0x24381e0 request count 1 ("..., 45  ld 0x24381e0 request count 1 (abandoned 0)
) = 45
write(2, "** ld 0x24381e0 Response Queue:\n", 32** ld 0x24381e0 Response Queue:
) = 32
write(2, "   Empty\n", 9   Empty
) = 9
write(2, "  ld 0x24381e0 response count 0\n", 32  ld 0x24381e0 response count 0
) = 32
write(2, "ldap_chkResponseList ld 0x24381e"..., 49ldap_chkResponseList ld 0x24381e0 msgid -1 all 0
) = 49
write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x24381e0 NULL
) = 47
write(2, "ldap_int_select\n", 16ldap_int_select
) = 16
poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1    <-- This means poll is waiting for something on this file descriptor which never gets returned
^C
Process 7844 detached
<detached ...>
Here is the ldif file used for moduleload by ldapadd :
cat addModule.ldif
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
#olcModuleLoad: {0}back_bdb
olcModuleLoad: syncprov.la
olcModuleLoad: accesslog.la
Here is the ldif file to add the accesslog db and overlay by ldapadd:
cat addAccesslog2DB
# Accesslog database definitions
dn: olcDatabase={3}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {3}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=dev13,dc=mydomain,dc=ca
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={3}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes reads session
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
I have also created /var/lib/ldap/accesslog owned by ldap:ldap:
ls -l /var/lib/ldap/accesslog
total 11232
-rw-r-----. 1 ldap ldap     4096 Jun 20 17:08 alock
-rw-------. 1 ldap ldap    24576 Jun 20 17:08 __db.001
-rw-------. 1 ldap ldap   188416 Jun 21 14:07 __db.002
-rw-------. 1 ldap ldap   270336 Jun 21 13:46 __db.003
-rw-------. 1 ldap ldap    98304 Jun 21 13:46 __db.004
-rw-------. 1 ldap ldap   753664 Jun 21 14:07 __db.005
-rw-------. 1 ldap ldap    32768 Jun 21 14:07 __db.006
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 dn2id.bdb
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 entryCSN.bdb
-rw-------. 1 ldap ldap    32768 Jun 20 17:08 id2entry.bdb
-rw-------. 1 ldap ldap 10485760 Jun 20 17:08 log.0000000001
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 objectClass.bdb
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqEnd.bdb
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqResult.bdb
-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqStart.bdb
I am new to this forum, so if I've missed something please let me know. Constructive comments and suggestions are greatly appreciated.
Regards,
RON LAMARCHE Technical Specialist, Online Channel Innovapost
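Added example, not part of the post above or of OpenLDAP itself: slapo-accesslog(5) is configured on the database whose operations are to be recorded, and olcAccessLogDB names the separate database that stores the log, so an overlay placed under the log database points back at itself. The check below parses a cn=config LDIF dump and flags that arrangement; the sample LDIF is constructed from the DNs quoted in the post, and CORRECTED moves the overlay under olcDatabase={2}bdb.

```python
# Added example: parse a cn=config LDIF dump and flag a slapo-accesslog
# overlay that sits on its own log database (parent suffix == olcAccessLogDB).
# The sample LDIF is constructed from the DNs in this post, not captured.

def parse_ldif(text):
    """Split LDIF into a list of {attr: [values]} dicts; attribute names lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):   # blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def self_logging_overlays(ldif_text):
    """Return DNs of accesslog overlays whose parent database is their own log DB."""
    entries = parse_ldif(ldif_text)
    suffix_by_dn = {e["dn"][0].lower(): e["olcsuffix"][0].lower()
                    for e in entries if "olcsuffix" in e}
    flagged = []
    for e in entries:
        if "olcaccesslogdb" not in e:
            continue
        parent_dn = e["dn"][0].split(",", 1)[1].lower()   # strip the olcOverlay RDN
        if suffix_by_dn.get(parent_dn) == e["olcaccesslogdb"][0].lower():
            flagged.append(e["dn"][0])
    return flagged

# Arrangement from the post: the overlay hangs off the cn=accesslog database.
AS_POSTED = """\
dn: olcDatabase={2}bdb,cn=config
olcSuffix: dc=mydomain,dc=ca

dn: olcDatabase={3}bdb,cn=config
olcSuffix: cn=accesslog

dn: olcOverlay={0}accesslog,olcDatabase={3}bdb,cn=config
olcOverlay: {0}accesslog
olcAccessLogDB: cn=accesslog
"""
# Same overlay moved under the database being audited; the log DB carries none.
CORRECTED = AS_POSTED.replace("olcDatabase={3}bdb,cn=config\nolcOverlay",
                              "olcDatabase={2}bdb,cn=config\nolcOverlay")
```

Run against a live dump with `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config` piped into a file and passed to self_logging_overlays(); an empty list means no overlay is logging into its own database.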