Hello,
I set up a slapd with the slapd-meta backend. I have two Active Directory servers which don't share any portion of the naming context. I would like to get one virtual domain. I configured it and it works fine until I restart the slapd server. When I restart the slapd server, I am unable to search for a single record in my LDAP servers.
When I search for one single record (samAccountName=testdom1), I get 0 results.
root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=testdom1)'
# extended LDIF
#
# LDAPv3
# base <dc=dom,dc=com> with scope subtree
# filter: (samAccountName=testdom1)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
root@slapd:~#
In the log (full debug) I have:
Jul 27 16:12:17 dom slapd[12096]: daemon: read active on 9
Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 27 16:12:17 dom slapd[12096]: connection_get(9)
Jul 27 16:12:17 dom slapd[12096]: connection_get(9): got connid=1000
Jul 27 16:12:17 dom slapd[12096]: connection_read(9): checking for input on id=1000
Jul 27 16:12:17 dom slapd[12096]: op tag 0x42, time 1311775937
Jul 27 16:12:17 dom slapd[12096]: ber_get_next on fd 9 failed errno=0 (Success)
Jul 27 16:12:17 dom slapd[12096]: connection_read(9): input error=-2 id=1000, closing.
Jul 27 16:12:17 dom slapd[12096]: connection_closing: readying conn=1000 sd=9 for close
Jul 27 16:12:17 dom slapd[12096]: connection_close: deferring conn=1000 sd=9
Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=2 do_unbind
Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=2 UNBIND
Jul 27 16:12:17 dom slapd[12096]: connection_resched: attempting closing conn=1000 sd=9
Jul 27 16:12:17 dom slapd[12096]: connection_close: deferring conn=1000 sd=9
Jul 27 16:12:17 dom slapd[12096]: daemon: activity on 1 descriptor
Jul 27 16:12:17 dom slapd[12096]: daemon: activity on:
Jul 27 16:12:17 dom slapd[12096]:
Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 27 16:12:17 dom slapd[12096]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 27 16:12:17 dom slapd[12096]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 27 16:12:17 dom slapd[12096]: connection_resched: attempting closing conn=1000 sd=9
Jul 27 16:12:17 dom slapd[12096]: connection_close: conn=1000 sd=9
Jul 27 16:12:17 dom slapd[12096]: =>meta_back_conn_destroy: fetching conn=1000 DN="cn=manager,dc=dom,dc=com"
Jul 27 16:12:17 dom slapd[12096]: daemon: removing 9
Jul 27 16:12:17 dom slapd[12096]: conn=1000 fd=9 closed
Then when I search for the full list of records (samAccountName=*), I get the full list of records from the two LDAP servers.
root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=*)'

# search result
search: 2
result: 0 Success

# numResponses: 39
# numEntries: 38
root@slapd:~#
And this is the trick. From now on, when I search for one single record again, I get the correct result, until I restart the slapd server again. I don't know what can be wrong. Any ideas?
root@slapd:~# ldapsearch -b 'dc=dom,dc=com' -h 172.30.14.190 -p 389 -D 'cn=Manager,dc=dom,dc=com' -w secret '(samAccountName=testdom1)'
# extended LDIF
#
# LDAPv3
# base <dc=dom,dc=com> with scope subtree
# filter: (samAccountName=testdom1)
# requesting: ALL
#

# testdom1, dom.com
dn: cn=testdom1,dc=dom,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: USER
cn: testdom1
givenName: testdom1
distinguishedName: cn=testdom1,dc=dom,dc=com
INSTANCETYPE: 4
WHENCREATED: 20110726100434.0Z
WHENCHANGED: 20110726160313.0Z
DISPLAYNAME: testdom1
USNCREATED: 24630
USNCHANGED: 24756
name: testdom1
OBJECTGUID:: +ERwSjOp5Uex1n86v5CurA==
USERACCOUNTCONTROL: 66048
BADPWDCOUNT: 0
CODEPAGE: 0
COUNTRYCODE: 0
BADPASSWORDTIME: 129561692315625000
LASTLOGOFF: 0
LASTLOGON: 129561692402968750
PWDLASTSET: 129561697935781250
PRIMARYGROUPID: 513
OBJECTSID:: AQUAAAAAAAUVAAAAMkafw9OC5FYbZ2/5UwQAAA==
ACCOUNTEXPIRES: 9223372036854775807
LOGONCOUNT: 0
SAMACCOUNTNAME: testdom1
SAMACCOUNTTYPE: 805306368
USERPRINCIPALNAME: testdom1@dom1.com
OBJECTCATEGORY: CN=Person,CN=Schema,CN=Configuration,DC=dom1,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@slapd:~#
The log:
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "BADPWDCOUNT" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (CODEPAGE)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "CODEPAGE" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (COUNTRYCODE)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "COUNTRYCODE" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (BADPASSWORDTIME)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "BADPASSWORDTIME" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (LASTLOGOFF)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "LASTLOGOFF" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (LASTLOGON)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "LASTLOGON" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (PWDLASTSET)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "PWDLASTSET" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (PRIMARYGROUPID)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "PRIMARYGROUPID" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (OBJECTSID)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "OBJECTSID" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (ACCOUNTEXPIRES)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "ACCOUNTEXPIRES" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (LOGONCOUNT)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "LOGONCOUNT" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (SAMACCOUNTNAME)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "SAMACCOUNTNAME" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (SAMACCOUNTTYPE)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "SAMACCOUNTTYPE" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (USERPRINCIPALNAME)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "USERPRINCIPALNAME" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: result not in cache (OBJECTCATEGORY)
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access to "cn=testdom1,dc=dom,dc=com" "OBJECTCATEGORY" requested
Jul 27 16:19:22 dom slapd[12096]: <= root access granted
Jul 27 16:19:22 dom slapd[12096]: => access_allowed: read access granted by manage(=mwrscxd)
Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=1 ENTRY dn="cn=testdom1,dc=dom,dc=com"
Jul 27 16:19:22 dom slapd[12096]: <= send_search_entry: conn 1003 exit.
Jul 27 16:19:22 dom slapd[12096]: send_ldap_result: conn=1003 op=1 p=3
Jul 27 16:19:22 dom slapd[12096]: send_ldap_result: err=0 matched="" text=""
Jul 27 16:19:22 dom slapd[12096]: send_ldap_response: msgid=2 tag=101 err=0
Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 27 16:19:22 dom slapd[12096]: daemon: activity on 1 descriptor
Jul 27 16:19:22 dom slapd[12096]: daemon: activity on:
Jul 27 16:19:22 dom slapd[12096]: 9r
Jul 27 16:19:22 dom slapd[12096]:
Jul 27 16:19:22 dom slapd[12096]: daemon: read active on 9
Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 27 16:19:22 dom slapd[12096]: connection_get(9)
Jul 27 16:19:22 dom slapd[12096]: connection_get(9): got connid=1003
Jul 27 16:19:22 dom slapd[12096]: connection_read(9): checking for input on id=1003
Jul 27 16:19:22 dom slapd[12096]: op tag 0x42, time 1311776362
Jul 27 16:19:22 dom slapd[12096]: ber_get_next on fd 9 failed errno=0 (Success)
Jul 27 16:19:22 dom slapd[12096]: connection_read(9): input error=-2 id=1003, closing.
Jul 27 16:19:22 dom slapd[12096]: connection_closing: readying conn=1003 sd=9 for close
Jul 27 16:19:22 dom slapd[12096]: connection_close: deferring conn=1003 sd=9
Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=2 do_unbind
Jul 27 16:19:22 dom slapd[12096]: conn=1003 op=2 UNBIND
Jul 27 16:19:22 dom slapd[12096]: connection_resched: attempting closing conn=1003 sd=9
Jul 27 16:19:22 dom slapd[12096]: connection_close: deferring conn=1003 sd=9
Jul 27 16:19:22 dom slapd[12096]: daemon: activity on 1 descriptor
Jul 27 16:19:22 dom slapd[12096]: daemon: activity on:
Jul 27 16:19:22 dom slapd[12096]:
Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 27 16:19:22 dom slapd[12096]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 27 16:19:22 dom slapd[12096]: connection_resched: attempting closing conn=1003 sd=9
Jul 27 16:19:22 dom slapd[12096]: connection_close: conn=1003 sd=9
Jul 27 16:19:22 dom slapd[12096]: =>meta_back_conn_destroy: fetching conn=1003 DN="cn=manager,dc=dom,dc=com"
Jul 27 16:19:22 dom slapd[12096]: daemon: removing 9
Jul 27 16:19:22 dom slapd[12096]: conn=1003 fd=9 closed
My OpenLDAP version:
root@slapd:~# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Jul 26 2011 14:53:23) $
	root@slapd:/root/openldap-2.4.23/servers/slapd
My slapd.conf:
root@slapd:~# cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

loglevel        0xFFFF

access to * by * read

#######################################################################
# database definitions
#######################################################################

database        meta
suffix          "dc=dom,dc=com"
rootdn          "cn=Manager,dc=dom,dc=com"
rootpw          secret
chase-referrals no
#nretries       forever
nretries        3
# 1 sec timeout for binds
bind-timeout    1000000
#norefs         true
dncache-ttl     DISABLED
conn-ttl        90
idle-timeout    1m30s
onerr           CONTINUE

# ldap1
uri             "ldap://dc1.dom1.com:389/dc=dom,dc=com"
suffixmassage   "dc=dom,dc=com" "cn=Users,dc=dom1,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=LDAPconnector,cn=Users,dc=dom1,dc=com"
                credentials="pass"
                mode=none
                flags=non-prescriptive

# ldap2
uri             "ldap://dc2.dom2.com:389/dc=dom,dc=com"
suffixmassage   "dc=dom,dc=com" "cn=Users,dc=dom2,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=LDAPconnector2,cn=Users,dc=dom2,dc=com"
                credentials="pass"
                mode=none
                flags=non-prescriptive

root@slapd:~#
Kind regards,
Marcin
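The three-step sequence in the post (single-entry search, wildcard search, the same single-entry search again) is the whole reproduction, so it is worth scripting rather than retyping after every slapd restart. The POSIX shell script below is an added example written for this page; it is not part of Marcin's post or of OpenLDAP. Host, port, base DN, bind DN and password default to the values visible in the post's ldapsearch commands and are assumptions that can be overridden through the environment; the two sample LDIF blocks are constructed (abridged from the post's output) so the parsing functions can be exercised without a directory server.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the three-step
# sequence (single-entry search, wildcard search, single-entry search again)
# against the back-meta proxy and print the entry count of each step, so the
# "0 entries until a wildcard search has run" symptom can be reproduced on
# demand after a restart.
# Host, port, base, bind DN and password are assumptions copied from the
# ldapsearch calls in the post; override them via the environment.

LDAP_HOST="${LDAP_HOST:-172.30.14.190}"
LDAP_PORT="${LDAP_PORT:-389}"
BASE_DN="${BASE_DN:-dc=dom,dc=com}"
BIND_DN="${BIND_DN:-cn=Manager,dc=dom,dc=com}"
BIND_PW="${BIND_PW:-secret}"

# count_entries: read ldapsearch's extended LDIF on stdin and print the
# value of its "# numEntries:" trailer. An empty result set carries no
# numEntries line at all (see the post's first search), so print 0 then.
count_entries() {
    awk '/^# numEntries:/ { n = $3 } END { print n + 0 }'
}

# list_dns: print the DN of every entry in the LDIF on stdin, so a result
# that is short by a few entries can be compared back end by back end.
list_dns() {
    sed -n 's/^dn: //p'
}

# run_search: one subtree search through the proxy with the given filter.
# -x forces a simple bind; comment lines are kept (no -LLL) because
# count_entries relies on the "# numEntries:" trailer.
run_search() {
    ldapsearch -x -h "$LDAP_HOST" -p "$LDAP_PORT" -b "$BASE_DN" \
        -D "$BIND_DN" -w "$BIND_PW" "$1"
}

# reproduce: run the sequence for the account name given as $1 and report
# one line per step. Healthy output is 1, N, 1; the post reports 0, N, 1
# right after a slapd restart.
reproduce() {
    acct="$1"
    for f in "(samAccountName=$acct)" "(samAccountName=*)" "(samAccountName=$acct)"; do
        n=$(run_search "$f" | count_entries)
        printf '%-32s entries=%s\n' "$f" "$n"
    done
}

# Constructed sample output (abridged from the post) so the parsers can be
# exercised without a directory server: the empty result and the one-entry
# result of the same filter.
SAMPLE_EMPTY='# search result
search: 2
result: 0 Success

# numResponses: 1'

SAMPLE_ONE='# testdom1, dom.com
dn: cn=testdom1,dc=dom,dc=com
objectClass: top
cn: testdom1
SAMACCOUNTNAME: testdom1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

if [ -n "${1:-}" ]; then
    reproduce "$1"
else
    # No account name given: show the parsers on the constructed samples.
    printf 'sample empty : entries=%s\n' "$(printf '%s\n' "$SAMPLE_EMPTY" | count_entries)"
    printf 'sample one   : entries=%s dn=%s\n' \
        "$(printf '%s\n' "$SAMPLE_ONE" | count_entries)" \
        "$(printf '%s\n' "$SAMPLE_ONE" | list_dns)"
fi
```

Run it as `sh repro.sh testdom1` right after restarting slapd, then again a minute later, and compare the three counts; piping `run_search '(samAccountName=*)' | list_dns` through `sort` for each run also shows whether the missing entries all come from one of the two back ends. Two things in the posted slapd.conf deserve a look once the bug hunt is over: `access to * by * read` puts no restriction on who may read what the proxy returns, so every attribute the AD servers hand back (objectSid, userAccountControl, badPwdCount, lastLogon and the rest, as in the entry above) is readable by any client that can reach port 389, and `loglevel 0xFFFF` writes a full per-operation trace, including bind DNs, to syslog. Both are fine while debugging but should be tightened before the proxy is exposed to real clients.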