Hi.

 

My company has decided to migrate from Oracle Directory Server 7.0 (ODSEE) to OpenLDAP due to end-of-life supportability issues.

 

I’ve installed the OpenLDAP packages bundled with RHEL 6.9 and have a working suffix using the cn=config model (rather than slapd.conf), but I cannot get the accesslog overlay/DB to work properly: ldapsearch returns the accesslog records but never completes; instead it hangs showing “ldap_int_select” and I need Ctrl-C to exit.

 

Here are the details:

 

-              more /etc/redhat-release

o             Red Hat Enterprise Linux Server release 6.9 (Santiago)

-              yum list installed | grep openldap

o             compat-openldap.x86_64            1:2.3.43-2.el6           

o             openldap.x86_64                   2.4.40-16.el6           

o             openldap-clients.x86_64           2.4.40-16.el6           

o             openldap-devel.x86_64             2.4.40-16.el6           

o             openldap-servers.x86_64           2.4.40-16.el6  

-              ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={2}bdb,cn=config" | egrep "olcRo|olcSu" < - -------- main suffix DB

o             olcSuffix: dc=mydomain,dc=ca

o             olcRootDN: cn=dev13,dc=mydomain,dc=ca

o             olcRootPW: {SSHA}ZODaH7MZuRjuG+FTzIZvdPg5edL2WDjg

-              ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={3}bdb,cn=config" < - ---accesslog DB and overlay

o             dn: olcDatabase={3}bdb,cn=config

o             objectClass: olcDatabaseConfig

o             objectClass: olcBdbConfig

o             olcDatabase: {3}bdb

o             olcDbDirectory: /var/lib/ldap/accesslog

o             olcSuffix: cn=accesslog

o             olcRootDN: cn=dev13,dc=mydomain,dc=ca

o             olcDbIndex: default eq

o             olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

-             

o             dn: olcOverlay={0}accesslog,olcDatabase={3}bdb,cn=config

o             objectClass: olcOverlayConfig

o             objectClass: olcAccessLogConfig

o             olcOverlay: {0}accesslog

o             olcAccessLogDB: cn=accesslog

o             olcAccessLogOps: writes reads session

o             olcAccessLogPurge: 07+00:00 01+00:00

o             olcAccessLogSuccess: TRUE

-              ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "cn=module{0},cn=config" |< - --------------loaded  modules

o             dn: cn=module{0},cn=config

o             objectClass: olcModuleList

o             cn: module{0}

o             olcModulePath: /usr/lib64/openldap

o             olcModuleLoad: {0}syncprov.la

o             olcModuleLoad: {1}accesslog.la

 

When I execute the ldapsearch on cn=accesslog I get the following (Ctrl-C is needed to exit from the hang):

 

ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mailposte,dc=ca" -b cn=accesslog -W

ldap_url_parse_ext(ldap://)

ldap_initialize( ldap://:389/??base )

ldap_create

ldap_url_parse_ext(ldap://:389/??base)

Enter LDAP Password:

 

… stuff omitted due to length  …

 

reqDN: reqStart=20170620210816.000003Z,cn=accesslog

ldap_get_attribute_ber

ber_scanf fmt ({mM}) ber:

reqResult: 0

ldap_get_attribute_ber

ber_scanf fmt ({mM}) ber:

reqMod: objectClass:+ auditSearch

reqMod: structuralObjectClass:+ auditSearch

reqMod: reqStart:+ 20170620210816.000003Z

reqMod: reqEnd:+ 20170620210816.000004Z

reqMod: reqType:+ search

reqMod: reqSession:+ 18446744073709551615

reqMod: reqAuthzID:+ cn=dev13,dc=mailposte,dc=ca

reqMod: reqDN:+ cn=accesslog

reqMod: reqResult:+ 0

reqMod: reqScope:+ one

reqMod: reqDerefAliases:+ never

reqMod: reqAttrsOnly:+ TRUE

reqMod: reqFilter:+ (reqStart<=20170613210816Z)

reqMod: reqAttr:+ 1.1

reqMod: reqEntries:+ 0

reqMod: reqTimeLimit:+ -1

reqMod: reqSizeLimit:+ -1

reqMod: entryUUID:+ 52bef5ee-ea48-1036-9807-2fa6ad6fded4

reqMod: creatorsName:+ cn=dev13,dc=mailposte,dc=ca

reqMod: createTimestamp:+ 20170620210816Z

reqMod: entryCSN:+ 20170620210816.416676Z#000000#000#000000

reqMod: modifiersName:+ cn=dev13,dc=mailposte,dc=ca

reqMod: modifyTimestamp:+ 20170620210816Z

ldap_get_attribute_ber

ber_scanf fmt ({mM}) ber:

reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4

ldap_get_attribute_ber

ldap_msgfree

ldap_result ld 0x14c91c0 msgid -1

wait4msg ld 0x14c91c0 msgid -1 (infinite timeout)

wait4msg continue ld 0x14c91c0 msgid -1 all 0

** ld 0x14c91c0 Connections:

* host: (null)  port: 389  (default)

  refcnt: 2  status: Connected

  last used: Wed Jun 21 13:46:58 2017

 

 

** ld 0x14c91c0 Outstanding Requests:

* msgid 2,  origid 2, status InProgress

   outstanding referrals 0, parent count 0

  ld 0x14c91c0 request count 1 (abandoned 0)

** ld 0x14c91c0 Response Queue:

   Empty

  ld 0x14c91c0 response count 0

ldap_chkResponseList ld 0x14c91c0 msgid -1 all 0

ldap_chkResponseList returns ld 0x14c91c0 NULL

ldap_int_select

^C

 

 

When I strace the working suffix (dc=mydomain,dc=ca), I get the following termination:

 

-              strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b dc=mydomain,dc=ca -w my_passwd

 

….. stuff omitted due to length ….

 

write(3, "0\5\2\1\3B\0", 7)             = 7

shutdown(3, SHUT_RDWR)                  = 0

close(3)                                = 0

write(2, "ldap_free_connection: actually f"..., 37ldap_free_connection: actually freed

) = 37

exit_group(0)                           = ?

+++ exited with 0 +++

 

When I strace cn=accesslog, the trace ends as follows (the process never terminates):

 

-              strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b cn=accesslog -w my_passwd

 

….. stuff omitted due to length ….

 

write(1, "reqEntryUUID: 52bef5ee-ea48-1036"..., 51reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4) = 51

write(2, "ldap_get_attribute_ber\n", 23ldap_get_attribute_ber) = 23

write(2, "ldap_msgfree\n", 13ldap_msgfree)          = 13

write(2, "ldap_result ld 0x24381e0 msgid -"..., 34ldap_result ld 0x24381e0 msgid -1) = 34

write(2, "wait4msg ld 0x24381e0 msgid -1 ("..., 50wait4msg ld 0x24381e0 msgid -1 (infinite timeout)) = 50

write(2, "wait4msg continue ld 0x24381e0 m"..., 46wait4msg continue ld 0x24381e0 msgid -1 all 0) = 46

write(2, "** ld 0x24381e0 Connections:\n", 29** ld 0x24381e0 Connections:) = 29

write(2, "* host: (null)  port: 389  (defa"..., 37* host: (null)  port: 389  (default)) = 37

write(2, "  refcnt: 2  status: Connected\n", 31  refcnt: 2  status: Connected) = 31

stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3477, ...}) = 0

write(2, "  last used: Wed Jun 21 14:07:30"..., 39  last used: Wed Jun 21 14:07:30 2017) = 39

write(2, "\n", 1)                       = 1

write(2, "** ld 0x24381e0 Outstanding Requ"..., 38** ld 0x24381e0 Outstanding Requests:) = 38

write(2, " * msgid 2,  origid 2, status In"..., 41 * msgid 2,  origid 2, status InProgress) = 41

write(2, "   outstanding referrals 0, pare"..., 43   outstanding referrals 0, parent count 0) = 43

write(2, "  ld 0x24381e0 request count 1 ("..., 45  ld 0x24381e0 request count 1 (abandoned 0)) = 45

write(2, "** ld 0x24381e0 Response Queue:\n", 32** ld 0x24381e0 Response Queue:) = 32

write(2, "   Empty\n", 9   Empty)               = 9

write(2, "  ld 0x24381e0 response count 0\n", 32  ld 0x24381e0 response count 0) = 32

write(2, "ldap_chkResponseList ld 0x24381e"..., 49ldap_chkResponseList ld 0x24381e0 msgid -1 all 0) = 49

write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x24381e0 NULL) = 47

write(2, "ldap_int_select\n", 16ldap_int_select)       = 16

poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1 <------------------------------- poll() is blocking on this file descriptor with an infinite timeout, waiting for data that never arrives

^C

Process 7844 detached

<detached ...>

 

Here is the LDIF file used to load the modules with ldapadd:

 

cat addModule.ldif

 

dn: cn=module{0},cn=config

objectClass: olcModuleList

cn: module{0}

olcModulePath: /usr/lib64/openldap

#olcModuleLoad: {0}back_bdb

olcModuleLoad: syncprov.la

olcModuleLoad: accesslog.la

 

Here is the LDIF file used to add the accesslog DB and overlay with ldapadd:

 

cat addAccesslog2DB

# Accesslog database definitions

dn: olcDatabase={3}bdb,cn=config

objectClass: olcDatabaseConfig

objectClass: olcBdbConfig

olcDatabase: {3}bdb

olcDbDirectory: /var/lib/ldap/accesslog

olcSuffix: cn=accesslog

olcRootDN: cn=dev13,dc=mydomain,dc=ca

olcDbIndex: default eq

olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

 

# accesslog overlay definitions for primary db

dn: olcOverlay=accesslog,olcDatabase={3}bdb,cn=config

objectClass: olcOverlayConfig

objectClass: olcAccessLogConfig

olcOverlay: accesslog

olcAccessLogDB: cn=accesslog

olcAccessLogOps: writes reads session

olcAccessLogSuccess: TRUE

# scan the accesslog DB every day and purge entries older than 7 days

olcAccessLogPurge: 07+00:00 01+00:00

 

I have also created /var/lib/ldap/accesslog, owned by ldap:ldap:

 

ls -l /var/lib/ldap/accesslog

total 11232

-rw-r-----. 1 ldap ldap     4096 Jun 20 17:08 alock

-rw-------. 1 ldap ldap    24576 Jun 20 17:08 __db.001

-rw-------. 1 ldap ldap   188416 Jun 21 14:07 __db.002

-rw-------. 1 ldap ldap   270336 Jun 21 13:46 __db.003

-rw-------. 1 ldap ldap    98304 Jun 21 13:46 __db.004

-rw-------. 1 ldap ldap   753664 Jun 21 14:07 __db.005

-rw-------. 1 ldap ldap    32768 Jun 21 14:07 __db.006

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 dn2id.bdb

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 entryCSN.bdb

-rw-------. 1 ldap ldap    32768 Jun 20 17:08 id2entry.bdb

-rw-------. 1 ldap ldap 10485760 Jun 20 17:08 log.0000000001

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 objectClass.bdb

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqEnd.bdb

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqResult.bdb

-rw-------. 1 ldap ldap     8192 Jun 20 17:08 reqStart.bdb

 

I am new to this forum, so if I’ve missed something please let me know. Constructive comments and suggestions are greatly appreciated.

 

regards

 

RON LAMARCHE

Technical Specialist, Online Channel

Innovapost