Hi.
My company has decided to migrate from Oracle Directory Server 7.0 (ODSEE) to OpenLDAP due to end-of-life supportability issues.
I've installed the OpenLDAP product bundled with RHEL 6.9 and have a working suffix based on the cn=config (vs. slapd.conf) model, but I cannot get the accesslog overlay/DB to work properly (ldapsearch returns accesslog records but never completes and instead hangs showing "ldap_int_select"; Ctrl-C is needed to exit).
Here are the details:
more /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.9 (Santiago)

yum list installed | grep openldap
    compat-openldap.x86_64 1:2.3.43-2.el6
    openldap.x86_64 2.4.40-16.el6
    openldap-clients.x86_64 2.4.40-16.el6
    openldap-devel.x86_64 2.4.40-16.el6
    openldap-servers.x86_64 2.4.40-16.el6

ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={2}bdb,cn=config" | egrep "olcRo|olcSu"    <-- main suffix DB
    olcSuffix: dc=mydomain,dc=ca
    olcRootDN: cn=dev13,dc=mydomain,dc=ca
    olcRootPW: {SSHA}ZODaH7MZuRjuG+FTzIZvdPg5edL2WDjg

ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "olcDatabase={3}bdb,cn=config"    <-- accesslog DB and overlay
    dn: olcDatabase={3}bdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcBdbConfig
    olcDatabase: {3}bdb
    olcDbDirectory: /var/lib/ldap/accesslog
    olcSuffix: cn=accesslog
    olcRootDN: cn=dev13,dc=mydomain,dc=ca
    olcDbIndex: default eq
    olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

    dn: olcOverlay={0}accesslog,olcDatabase={3}bdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcAccessLogConfig
    olcOverlay: {0}accesslog
    olcAccessLogDB: cn=accesslog
    olcAccessLogOps: writes reads session
    olcAccessLogPurge: 07+00:00 01+00:00
    olcAccessLogSuccess: TRUE

ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b "cn=module{0},cn=config"    <-- loaded modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: {0}syncprov.la
    olcModuleLoad: {1}accesslog.la
When I execute the ldapsearch on cn=accesslog I get the following (Ctrl-C needed to exit from the hang):

ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mailposte,dc=ca" -b cn=accesslog -W
ldap_url_parse_ext(ldap://)
ldap_initialize( ldap://:389/??base )
ldap_create
ldap_url_parse_ext(ldap://:389/??base)
Enter LDAP Password:
… stuff omitted due to length …
reqDN: reqStart=20170620210816.000003Z,cn=accesslog
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqResult: 0
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqMod: objectClass:+ auditSearch
reqMod: structuralObjectClass:+ auditSearch
reqMod: reqStart:+ 20170620210816.000003Z
reqMod: reqEnd:+ 20170620210816.000004Z
reqMod: reqType:+ search
reqMod: reqSession:+ 18446744073709551615
reqMod: reqAuthzID:+ cn=dev13,dc=mailposte,dc=ca
reqMod: reqDN:+ cn=accesslog
reqMod: reqResult:+ 0
reqMod: reqScope:+ one
reqMod: reqDerefAliases:+ never
reqMod: reqAttrsOnly:+ TRUE
reqMod: reqFilter:+ (reqStart<=20170613210816Z)
reqMod: reqAttr:+ 1.1
reqMod: reqEntries:+ 0
reqMod: reqTimeLimit:+ -1
reqMod: reqSizeLimit:+ -1
reqMod: entryUUID:+ 52bef5ee-ea48-1036-9807-2fa6ad6fded4
reqMod: creatorsName:+ cn=dev13,dc=mailposte,dc=ca
reqMod: createTimestamp:+ 20170620210816Z
reqMod: entryCSN:+ 20170620210816.416676Z#000000#000#000000
reqMod: modifiersName:+ cn=dev13,dc=mailposte,dc=ca
reqMod: modifyTimestamp:+ 20170620210816Z
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x14c91c0 msgid -1
wait4msg ld 0x14c91c0 msgid -1 (infinite timeout)
wait4msg continue ld 0x14c91c0 msgid -1 all 0
** ld 0x14c91c0 Connections:
* host: (null) port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Jun 21 13:46:58 2017
** ld 0x14c91c0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x14c91c0 request count 1 (abandoned 0)
** ld 0x14c91c0 Response Queue:
Empty
ld 0x14c91c0 response count 0
ldap_chkResponseList ld 0x14c91c0 msgid -1 all 0
ldap_chkResponseList returns ld 0x14c91c0 NULL
ldap_int_select
^C
When I do an strace of the working suffix (dc=mydomain,dc=ca) I get the following termination:

strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b dc=mydomain,dc=ca -w my_passwd
….. stuff omitted due to length ….
write(3, "0\5\2\1\3B\0", 7) = 7
shutdown(3, SHUT_RDWR) = 0
close(3) = 0
write(2, "ldap_free_connection: actually f"..., 37ldap_free_connection: actually freed
) = 37
exit_group(0) = ?
+++ exited with 0 +++
When I do an strace of cn=accesslog I get the following termination:

strace ldapsearch -d 1 -H ldap:// -v -x -LLL -D "cn=dev13,dc=mydomain,dc=ca" -b cn=accesslog -w my_passwd
….. stuff omitted due to length ….
write(1, "reqEntryUUID: 52bef5ee-ea48-1036"..., 51reqEntryUUID: 52bef5ee-ea48-1036-9807-2fa6ad6fded4) = 51
write(2, "ldap_get_attribute_ber\n", 23ldap_get_attribute_ber) = 23
write(2, "ldap_msgfree\n", 13ldap_msgfree) = 13
write(2, "ldap_result ld 0x24381e0 msgid -"..., 34ldap_result ld 0x24381e0 msgid -1) = 34
write(2, "wait4msg ld 0x24381e0 msgid -1 ("..., 50wait4msg ld 0x24381e0 msgid -1 (infinite timeout)) = 50
write(2, "wait4msg continue ld 0x24381e0 m"..., 46wait4msg continue ld 0x24381e0 msgid -1 all 0) = 46
write(2, "** ld 0x24381e0 Connections:\n", 29** ld 0x24381e0 Connections:) = 29
write(2, "* host: (null) port: 389 (defa"..., 37* host: (null) port: 389 (default)) = 37
write(2, " refcnt: 2 status: Connected\n", 31 refcnt: 2 status: Connected) = 31
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3477, ...}) = 0
write(2, " last used: Wed Jun 21 14:07:30"..., 39 last used: Wed Jun 21 14:07:30 2017) = 39
write(2, "\n", 1) = 1
write(2, "** ld 0x24381e0 Outstanding Requ"..., 38** ld 0x24381e0 Outstanding Requests:) = 38
write(2, " * msgid 2, origid 2, status In"..., 41 * msgid 2, origid 2, status InProgress) = 41
write(2, " outstanding referrals 0, pare"..., 43 outstanding referrals 0, parent count 0) = 43
write(2, " ld 0x24381e0 request count 1 ("..., 45 ld 0x24381e0 request count 1 (abandoned 0)) = 45
write(2, "** ld 0x24381e0 Response Queue:\n", 32** ld 0x24381e0 Response Queue:) = 32
write(2, " Empty\n", 9 Empty) = 9
write(2, " ld 0x24381e0 response count 0\n", 32 ld 0x24381e0 response count 0) = 32
write(2, "ldap_chkResponseList ld 0x24381e"..., 49ldap_chkResponseList ld 0x24381e0 msgid -1 all 0) = 49
write(2, "ldap_chkResponseList returns ld "..., 47ldap_chkResponseList returns ld 0x24381e0 NULL) = 47
write(2, "ldap_int_select\n", 16ldap_int_select) = 16
poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1    <-- This means poll is waiting for something on this file descriptor which never gets returned
^C
Process 7844 detached
<detached ...>
Here is the LDIF file used for the module load by ldapadd:
cat addModule.ldif
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
#olcModuleLoad: {0}back_bdb
olcModuleLoad: syncprov.la
olcModuleLoad: accesslog.la
Here is the LDIF file to add the accesslog DB and overlay by ldapadd:
cat addAccesslog2DB
# Accesslog database definitions
dn: olcDatabase={3}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {3}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=dev13,dc=mydomain,dc=ca
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={3}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes reads session
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
I have also created /var/lib/ldap/accesslog, owned by ldap:ldap:
ls -l /var/lib/ldap/accesslog
total 11232
-rw-r-----. 1 ldap ldap 4096 Jun 20 17:08 alock
-rw-------. 1 ldap ldap 24576 Jun 20 17:08 __db.001
-rw-------. 1 ldap ldap 188416 Jun 21 14:07 __db.002
-rw-------. 1 ldap ldap 270336 Jun 21 13:46 __db.003
-rw-------. 1 ldap ldap 98304 Jun 21 13:46 __db.004
-rw-------. 1 ldap ldap 753664 Jun 21 14:07 __db.005
-rw-------. 1 ldap ldap 32768 Jun 21 14:07 __db.006
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 dn2id.bdb
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 entryCSN.bdb
-rw-------. 1 ldap ldap 32768 Jun 20 17:08 id2entry.bdb
-rw-------. 1 ldap ldap 10485760 Jun 20 17:08 log.0000000001
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 objectClass.bdb
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 reqEnd.bdb
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 reqResult.bdb
-rw-------. 1 ldap ldap 8192 Jun 20 17:08 reqStart.bdb
I am new to this forum, so if I've missed something please let me know. Constructive comments and suggestions are greatly appreciated.
regards
RON LAMARCHE
Technical Specialist, Online Channel
Innovapost
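Added example, not code from the original post or from the OpenLDAP project. The accesslog records in the post are ordinary LDIF, so once a dump has been taken with ldapsearch it can be worked on offline. The script below parses a constructed LDIF sample (the first record mirrors the auditSearch entry shown in the post; the second is a made-up failed auditBind record), decodes the posted olcAccessLogPurge value "07+00:00 01+00:00" into its age and interval, computes the reqStart cutoff a purge scan would use at a given time, and lists failed binds, which is the usual reason to keep an accesslog at all. For the timestamp in the post, the cutoff comes out as 20170613210816Z, which is the value in the logged reqFilter "(reqStart<=20170613210816Z)", so that record with reqDN cn=accesslog and reqSession 18446744073709551615 is the overlay's own purge search being written back into the log. All function names, the sample data and the bind record are assumptions for illustration; nothing here talks to a directory server.

```python
"""Offline post-processing of slapo-accesslog records dumped as LDIF.

Added example, not code from the original post. SAMPLE_LDIF is constructed:
the first record mirrors the auditSearch entry shown in the post, the second
is a made-up failed auditBind record (reqResult 49 = invalidCredentials).
"""
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
dn: reqStart=20170620210816.000003Z,cn=accesslog
objectClass: auditSearch
reqStart: 20170620210816.000003Z
reqEnd: 20170620210816.000004Z
reqType: search
reqSession: 18446744073709551615
reqAuthzID: cn=dev13,dc=mydomain,dc=ca
reqDN: cn=accesslog
reqResult: 0
reqScope: one
reqFilter: (reqStart<=20170613210816Z)
reqAttr: 1.1
reqEntries: 0

dn: reqStart=20170610120000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20170610120000.000001Z
reqEnd: 20170610120000.000002Z
reqType: bind
reqSession: 42
reqDN: cn=dev13,dc=mydomain,dc=ca
reqResult: 49
reqMethod: SIMPLE
reqVersion: 3
"""

GENTIME = "%Y%m%d%H%M%S"


def parse_ldif(text):
    """Split ldapsearch -LLL output into entries: one dict per entry,
    attribute name -> list of values. Folded continuation lines (leading
    space) are joined; base64 values ("attr:: ...") are kept undecoded."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries


def gentime(value):
    """Parse LDAP GeneralizedTime as accesslog writes it
    (YYYYmmddHHMMSS[.ffffff]Z) into an aware UTC datetime."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, GENTIME).replace(tzinfo=timezone.utc)
    if frac:
        dt += timedelta(microseconds=int(frac.ljust(6, "0")[:6]))
    return dt


def purge_spec(spec):
    """Decode olcAccessLogPurge '<age> <interval>', each '[ddd+]hh:mm[:ss]'.
    '07+00:00 01+00:00' -> keep 7 days of records, scan once a day."""
    def span(tok):
        days, plus, clock = tok.partition("+")
        if not plus:
            days, clock = "0", tok
        hh, mm, *ss = (int(p) for p in clock.split(":"))
        return timedelta(days=int(days), hours=hh, minutes=mm,
                         seconds=ss[0] if ss else 0)
    age, interval = spec.split()
    return span(age), span(interval)


def purge_cutoff(now, age):
    """reqStart value the purge scan compares against (now - age), rendered
    the way it appears in the logged reqFilter '(reqStart<=...Z)'."""
    return (now - age).strftime(GENTIME) + "Z"


def expired(entries, spec, now):
    """DNs of log records a purge run at 'now' would delete."""
    age, _ = purge_spec(spec)
    cutoff = now - age
    return [e["dn"][0] for e in entries if gentime(e["reqStart"][0]) <= cutoff]


def failed_binds(entries):
    """(reqDN, reqResult) for bind records whose LDAP result code is not 0."""
    return [(e["reqDN"][0], int(e["reqResult"][0]))
            for e in entries
            if "auditBind" in e.get("objectClass", []) and e["reqResult"][0] != "0"]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    now = gentime(recs[0]["reqStart"][0])
    age, interval = purge_spec("07+00:00 01+00:00")
    print("purge cutoff:", purge_cutoff(now, age), "scan every", interval)
    print("would purge:", expired(recs, "07+00:00 01+00:00", now))
    print("failed binds:", failed_binds(recs))
```

One configuration point worth checking against the posted LDIF, independent of the example: the overlay entry is olcOverlay={0}accesslog,olcDatabase={3}bdb,cn=config, which attaches it to the database whose suffix is cn=accesslog, whereas the main suffix dc=mydomain,dc=ca lives in olcDatabase={2}bdb. In slapo-accesslog the overlay goes on the database whose operations are to be recorded, with olcAccessLogDB pointing at the separate log database; with the overlay on the log database itself, every read of cn=accesslog is itself a logged operation written into cn=accesslog.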