(Sorry if maybe I'm sending this message twice. I think I sent the first one in HTML format and I guess that format isn't allowed here).
Ok, maybe I'm missing some essential knowledge about how OpenLDAP and indexing works. This is what I'm doing (as simple as possible after too many failed tests with more complex scenarios):
1. Create a new database in slapd.conf without any ACLs yet:
database        bdb
suffix          dc=test,dc=com
rootdn          cn=manager,dc=test,dc=com
rootpw          {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory       /var/lib/ldap/test
mode            600
cachesize       10000
index           objectClass eq
index           mail eq,sub
2. After stopping OpenLDAP I create the basic content of my LDAP tree using slapadd:
# slapadd -l test.ldif -b dc=test,dc=com
# cat test.ldif
dn: dc=test,dc=com
objectClass: domain
dc: test
(all worked fine, no errors, no problems)
3. Then I fix the permissions and ownership of the database directory (/var/lib/ldap/test):
# chown -R ldap.ldap /var/lib/ldap/test
# chmod 700 /var/lib/ldap/test
# chmod 600 /var/lib/ldap/test/*
# ls -ld /var/lib/ldap /var/lib/ldap/test
drwx------ 3 ldap ldap 4096 Dec 31 07:38 /var/lib/ldap/
drwx------ 2 ldap ldap 4096 Jan  1 10:39 /var/lib/ldap/test/
# ls -l /var/lib/ldap/test
total 732
-rw------- 1 ldap ldap     2048 Jan  1 10:39 alock
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.001
-rw------- 1 ldap ldap   278528 Jan  1 10:38 __db.002
-rw------- 1 ldap ldap   270336 Jan  1 10:38 __db.003
-rw------- 1 ldap ldap    98304 Jan  1 10:38 __db.004
-rw------- 1 ldap ldap   352256 Jan  1 10:38 __db.005
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.006
-rw------- 1 ldap ldap     8192 Jan  1 10:39 dn2id.bdb
-rw------- 1 ldap ldap    32768 Jan  1 10:39 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Jan  1 10:39 log.0000000001
-rw------- 1 ldap ldap     8192 Jan  1 10:39 objectClass.bdb
(pay attention, there's no mail.bdb file yet!, right?)
4. Check the slapd syntax, start OpenLDAP and make a test:
# slaptest -u
config file testing succeeded
# service ldap start
# ldapsearch -xLLL -b dc=test,dc=com
(and yes, /etc/init.d/ldap forces slapd to run as the ldap user)
5. Everything is fine. Then I try to add some content from an LDIF file:
# ldapmodify -a -x -D cn=manager,dc=test,dc=com -w secret -f test.ldif
adding new entry "mail=jvoorhees1@gmail.com,dc=test,dc=com"
ldap_add: Internal (implementation specific) error (80)
        additional info: index generation failed
# cat test.ldif
dn: mail=jvoorhees1@gmail.com,dc=test,dc=com
objectClass: inetOrgPerson
mail: jvoorhees1@gmail.com
cn: Jason Voorhees
sn: Voorhees
6. What happened? What am I doing wrong? I'm working with "loglevel 256" in slapd.conf and sending local4.* logs to /var/log/ldap.log and I'm getting this error message while using ldapmodify:
Jan 1 10:51:49 ha1 slapd[26023]: @(#) $OpenLDAP: slapd 2.3.27 (Jul 9 2008 13:10:56) $ mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
Jan 1 10:51:49 ha1 slapd[26024]: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap/test: (2) Expect poor performance for suffix dc=test,dc=com.
Jan 1 10:51:49 ha1 slapd[26024]: slapd starting
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:40112 (IP=0.0.0.0:389)
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=0 BIND dn="cn=manager,dc=test,dc=com" method=128
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=0 BIND dn="cn=manager,dc=test,dc=com" mech=SIMPLE ssf=0
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=0 RESULT tag=97 err=0 text=
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=1 ADD dn="mail=jvoorhees1@gmail.com,dc=test,dc=com"
Jan 1 10:51:56 ha1 slapd[26024]: bdb(dc=test,dc=com): /var/lib/ldap/test/mail.bdb: Permission denied
Jan 1 10:51:56 ha1 slapd[26024]: bdb_db_cache: db_open(mail) failed: Permission denied (13)
Jan 1 10:51:56 ha1 slapd[26024]: bdb_index_read: Could not open DB mail
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=1 RESULT tag=105 err=80 text=index generation failed
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 op=2 UNBIND
Jan 1 10:51:56 ha1 slapd[26024]: conn=0 fd=12 closed
Jan 1 10:51:56 ha1 slapd[26024]: connection_read(12): no connection!
Why can't slapd create any index file in its database directory? Does slapd need to have the index files created before it is started? Is it possible for slapd to create new index files when it is already running? Those are my essential doubts :(
7. OK, according to the error message I must check the permissions and ownership of the database files. But OMG, everything is apparently fine! Look:
# ls -ld /var/lib/ldap /var/lib/ldap/test
drwx------ 3 ldap ldap 4096 Dec 31 07:38 /var/lib/ldap/
drwx------ 2 ldap ldap 4096 Jan  1 10:51 /var/lib/ldap/test/
# ls -l /var/lib/ldap/test
total 752
-rw------- 1 ldap ldap     4096 Jan  1 10:51 alock
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.001
-rw------- 1 ldap ldap   278528 Jan  1 10:38 __db.002
-rw------- 1 ldap ldap   270336 Jan  1 10:38 __db.003
-rw------- 1 ldap ldap    98304 Jan  1 10:38 __db.004
-rw------- 1 ldap ldap   352256 Jan  1 10:38 __db.005
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.006
-rw------- 1 ldap ldap     8192 Jan  1 10:51 dn2id.bdb
-rw------- 1 ldap ldap    32768 Jan  1 10:39 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Jan  1 10:51 log.0000000001
-rw------- 1 ldap ldap     8192 Jan  1 10:51 objectClass.bdb
What else? SELinux?
# getenforce
Disabled
So, what's the problem?
OS: CentOS 5.2
OpenLDAP: 2.3.27 (openldap-servers-2.3.27-8.el5_2.4.rpm)
Kernel: 2.6.18-92.1.22.el5xen
SELinux: disabled
The same problem occurs in an identical environment but with a non-Xen kernel. Could somebody help me? Thanks a lot
Gavin Henry wrote:
Nothing is getting corrupt, only permission errors. Check what permissions your init script is looking for and running slapd as.
On 30/12/2008, Jason Voorhees jvoorhees1@gmail.com wrote:
Hi all:
I'm running OpenLDAP 2.3.27 from CentOS 5.2 to build an LDAP tree from scratch based on the Phamm sample LDIF files. I have this database definition in slapd.conf:
database        bdb
suffix          "dc=redtube,dc=com"
rootdn          "cn=manager,dc=redtube,dc=com"
rootpw          {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory       /var/lib/ldap
mode            660
index           objectClass eq
index           cn,mail eq,subinitial
index           vd,delete eq,pres
index           accountActive,forwardActive eq,pres
index           smtpAuth eq,pres
index           sn,uid,displayName pres,eq,sub
index           uidNumber,gidNumber eq
index           default sub
I always do the following:
- # rm /var/lib/ldap/*
(to be sure I'm starting from scratch)
- # slapadd -b dc=redtube,dc=com redtube.ldif
After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all the other files have -w----r-T as permissions and are owned by root.root . Is that correct?
Well, as far as I know they should be owned by the ldap user and ldap group with 0660 permissions assigned (based on the "mode" directive in slapd.conf). So I do the following:
# chown ldap.ldap /var/lib/ldap/*
# chmod 660 /var/lib/ldap/*
(the /var/lib/ldap directory is 0700 and owned by ldap.ldap already)
I check against possible errors and then start OpenLDAP:
# slapd -Tt
# service ldap start
OpenLDAP starts correctly, it works perfectly. I can even make modifications to the LDAP tree, adding entries based on attributes like vd, cn, mail, among others. I'm aware that there is no uid.bdb created yet in /var/lib/ldap, so I guess that's ok.
My problem comes when I try to perform some operation that causes OpenLDAP to create an index file in /var/lib/ldap. For example, when I try to log in with the rootdn through phpldapadmin I get something like this in the logs:
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
I don't know why phpldapadmin performs a search based on a filter like "(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
Then I stop and start OpenLDAP and I start getting this:
# /etc/init.d/ldap stop
Stopping slapd:                                            [  OK  ]
# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2) Expect poor performance for suffix dc=mailtest,dc=com.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded                              [  OK  ]
Starting slapd:                                            [  OK  ]
The question is: why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is it getting permission denied messages? The whole directory /var/lib/ldap is owned by the ldap user with 660 permissions. Can anybody help me? Thanks
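The directory and file checks that both messages in this thread do by hand with ls, chown and chmod, written up as a small audit script. This is an added example, not something from the thread or from OpenLDAP itself: the function name check_ldap_dbdir, its arguments and its output tags are names chosen here, and it assumes GNU stat on Linux. It checks the three things the thread turns on: the database directory is owned by the account slapd runs as and gives that owner rwx (back-bdb creates per-attribute index files such as mail.bdb or uid.bdb on demand, so the directory itself must be writable by slapd, not just the files already in it), and every file in the directory carries that owner and the mode given by the slapd.conf "mode" directive, which flags the root-owned files that slapadd run as root leaves behind in the earlier message.

```shell
#!/bin/sh
# check_ldap_dbdir DIR USER MODE
# Audit a back-bdb database directory before starting slapd.
#   DIR   database directory from the slapd.conf "directory" directive
#   USER  account slapd runs as (the init script's -u user)
#   MODE  octal file mode from the slapd.conf "mode" directive, e.g. 600
# Prints one line per problem and returns 0 if clean, 1 otherwise.
# Hypothetical helper written for this example; assumes GNU stat.
check_ldap_dbdir() {
    dir=$1; user=$2; want_mode=$3
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir is not a directory"
        return 1
    fi
    d_owner=$(stat -c '%U' "$dir")
    d_mode=$(stat -c '%a' "$dir")
    if [ "$d_owner" != "$user" ]; then
        echo "OWNER    $dir is owned by $d_owner, expected $user"; rc=1
    fi
    # slapd creates new index files here, so the owner needs rwx on the directory
    case "$d_mode" in
        7??|?7??) ;;
        *) echo "DIRMODE  $dir is $d_mode, owner needs rwx (7xx)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || continue     # empty directory: the glob stays literal
        f_owner=$(stat -c '%U' "$f")
        f_mode=$(stat -c '%a' "$f")
        if [ "$f_owner" != "$user" ]; then
            echo "OWNER    $f is owned by $f_owner, expected $user"; rc=1
        fi
        if [ "$f_mode" != "$want_mode" ]; then
            echo "MODE     $f is $f_mode, expected $want_mode"; rc=1
        fi
    done
    return $rc
}

# Usage matching the first message's setup (directory /var/lib/ldap/test,
# slapd running as ldap, mode 600 in slapd.conf):
#   check_ldap_dbdir /var/lib/ldap/test ldap 600
```

A clean run does not by itself explain the Permission denied in the first message, where ls already showed the expected owner and mode on every file; what it does rule out, cheaply and before slapd starts, is the situation in the earlier message, where slapadd run as root left the files owned by root with modes like -w----r-T, and the directory mode case that a chmod 600 applied one level too high would produce.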