We have OpenLDAP using bdb as its database. For some reason the bdb crashed, complaining of a permission issue.
May 13 16:04:40 ccc slapd[30372]: conn=12430 fd=10 ACCEPT from IP=xxx.yyy.zzz.aaa:33905 (IP=0.0.0.0:389)
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 BIND dn="cn=Directory Manager,o=none.com" method=128
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 BIND dn="cn=Directory Manager,o=none.com" mech=SIMPLE ssf=0
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 RESULT tag=97 err=0 text=
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=1 MOD dn="uid=sysadmin,o=none.com"
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=1 MOD noner=lastlogints lastaccessts authcookie
May 13 16:04:40 ccc slapd[30372]: bdb(o=none.com): /var/lib/ldap/log.0000000002: log file open failed: Permission denied
May 13 16:04:40 ccc slapd[30372]: bdb(o=none.com): PANIC: Permission denied
May 13 16:04:40 ccc slapd[30372]: bdb(o=none.com): DB_ENV->log_put: 2: DB_RUNRECOVERY: Fatal error, run database recovery
May 13 16:04:40 ccc slapd[30372]: bdb(o=none.com): /var/lib/ldap/log.0000000002: log file open failed: Permission denied
The log.000000000 gets rotated based on the size (10MB). The new logfile (log.0000000002) was rotated on Apr 30th and I believe the permission was set as root:root instead of ldap:ldap (note: the ldap is being run as user ldap). The reason why it didn't crash till yesterday was that only search queries were run against the ldap/bdb (the ldap search test for testing ldap keep alive). Yesterday a modify query was run from IP xxx.yyy.zzz.aaa and I guess bdb complained of a permission problem and panicked:
May 13 16:04:40 ccc slapd[30372]: conn=12430 fd=10 ACCEPT from IP=xxx.yyy.zzz.aaa:33905 (IP=0.0.0.0:389)
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 BIND dn="cn=Directory Manager,o=none.com" method=128
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 BIND dn="cn=Directory Manager,o=none.com" mech=SIMPLE ssf=0
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=0 RESULT tag=97 err=0 text=
May 13 16:04:40 ccc slapd[30372]: conn=12430 op=1 MOD dn="uid=sysadmin,o=none.com"
[root@ccc ldap]# ls -l /var/lib/ldap
total 13236
-rw------- 1 ldap ldap 106496 Mar 24 19:30 cn.bdb
-rw------- 1 ldap ldap 16384 Mar 20 11:50 __db.001
-rw------- 1 ldap ldap 278528 Mar 20 11:50 __db.002
-rw------- 1 ldap ldap 98304 Mar 20 11:50 __db.003
-rw------- 1 ldap ldap 450560 Mar 20 11:50 __db.004
-rw------- 1 ldap ldap 16384 Mar 20 11:50 __db.005
-rw------- 1 ldap ldap 45056 Mar 24 19:30 dn2id.bdb
-rw------- 1 ldap ldap 278528 Apr 2 13:40 id2entry.bdb
-rw------- 1 ldap ldap 10485710 Apr 30 14:40 log.0000000001
-rw------- 1 root root 1827874 May 13 16:00 log.0000000002
-rw------- 1 ldap ldap 8192 Mar 20 11:50 mail.bdb
-rw------- 1 ldap ldap 16384 Mar 24 19:30 objectClass.bdb
-rw-r--r-- 1 ldap ldap 0 Apr 2 13:31 openldap-master-replog
-rw-r--r-- 1 ldap ldap 0 Apr 2 13:31 openldap-master-replog.lock
-rw------- 1 ldap ldap 8192 Mar 20 11:50 ou.bdb
drwxr-xr-x 2 root root 4096 Mar 21 16:33 replica
-rw------- 1 ldap ldap 49152 Mar 20 11:50 sn.bdb
-rw------- 1 ldap ldap 8192 Mar 20 12:00 uid.bdb
The ldap is being run as user ldap
[root@ccc ~]# ps -ef | grep ldap
root 8983 6956 0 15:40 pts/0 00:00:00 grep ldap
ldap 31694 1 0 Mar20 ? 00:01:57 /usr/sbin/slapd -u ldap -h ldap:///
[root@ccc ~]# grep ldap /etc/passwd
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
Why should a modify cause a panic and not a search? Why did the rotated log have root as owner instead of ldap? Is there a fix for this issue?
Cheers CG
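
A check for the condition visible in the directory listing above (an entry under the database directory whose owner is not the account slapd runs as), added here as an example that is not part of the original post. The function name audit_db_dir is hypothetical; the defaults /var/lib/ldap and ldap are the values shown in the post.

```python
import os
import pwd
import stat
import sys


def audit_db_dir(db_dir, uid):
    """Return sorted (path, reason) pairs for entries under db_dir that the
    given uid does not own, or regular files it owns but cannot write.
    BDB opens its log.* files for writing, so both cases matter."""
    findings = []
    for root, dirs, files in os.walk(db_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: report on symlinks, do not follow them
            if st.st_uid != uid:
                reason = "owner uid %d, expected %d" % (st.st_uid, uid)
                findings.append((path, reason))
            elif stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IWUSR:
                findings.append((path, "not writable by owner"))
    return sorted(findings)


def main(argv):
    # Defaults are taken from the post; both can be overridden on the command line.
    db_dir = argv[1] if len(argv) > 1 else "/var/lib/ldap"
    user = argv[2] if len(argv) > 2 else "ldap"
    uid = pwd.getpwnam(user).pw_uid
    findings = audit_db_dir(db_dir, uid)
    for path, reason in findings:
        print("%s: %s" % (path, reason))
    # Non-zero exit status lets cron or a monitoring check alert on a finding.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from cron or a monitoring agent, this reports a mismatched file such as the root-owned log.0000000002 in the listing before a write operation reaches it.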