On Wednesday, 16 May 2012 11:33:02 Igor Zinovik wrote:


> And here is my problem:

> I can successfully execute the search query by hand using ldapsearch(1):

> ldap2:~# ldapsearch -H "ldap:/// ldaps:/// ldapi:///" -b dc=test,dc=org -LLL -s base -x -D 'uid=slapd-pcmk,ou=Services,dc=test,dc=org -w 'P@ssw0rd,'

> Enter LDAP Password:

> dn: dc=test,dc=org

> dc: test

> objectClass: organization

> objectClass: dcObject

> o: Test org

> ldap2:~# echo $?

> 0

>

> Pacemaker uses resource agents to monitor various daemons, so I downloaded
> the resource agent for slapd. A resource agent is just a script file (e.g.
> the resource agent for slapd) and it executes the same query as I do by
> hand, but slapd complains about "invalid dn":

> Here is how slapd resource was defined:

> ldap2:~# crm configure primitive slapd_mirrormode ocf:heartbeat:slapd params \
>     slapd="/usr/lib/openldap/slapd" config="/etc/openldap/slapd.conf" \
>     user="ldap" group="ldap" services="ldap:/// ldaps:/// ldapi:///" \
>     watch_suffix="dc=test,dc=org" \
>     bind_dn="uid=slapd-pcmk,ou=Services,dc=test,dc=org" \
>     password="P@ssw0rd," parameters="-o slp=on" \
>     meta migration-threshold="3" op monitor interval="10s"

>

> I changed the loglevel in slapd to `1' and see the following in the log:


[...]


> May 16 13:07:02 ldap2 slapd[7641]: conn=1015 op=0 do_bind: invalid dn ('uid=slapd-pcmk,ou=Services,dc=test,dc=org')


The single quotes are part of the DN being sent. For example:


$ ldapsearch -x -D "'uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com'"

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN


yields:


May 16 16:51:00 tiger slapd[6395]: conn=4082 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=0 do_bind: invalid dn ('uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com')
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=0 RESULT tag=97 err=34 text=invalid DN
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=1 UNBIND
May 16 16:51:00 tiger slapd[6395]: conn=4082 fd=41 closed


Whereas:


$ ldapsearch -x -D "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"

ldap_bind: Server is unwilling to perform (53)

additional info: unauthenticated bind (DN with no password) disallowed


yields:


May 16 16:51:05 tiger slapd[6395]: conn=4083 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:51:05 tiger slapd[6395]: conn=4083 op=0 BIND dn="uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com" method=128
May 16 16:51:05 tiger slapd[6395]: conn=4083 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed


and:


$ ldapsearch -x -D "xxxx"

ldap_bind: Invalid DN syntax (34)

additional info: invalid DN


yields:


May 16 16:56:23 tiger slapd[6395]: conn=4085 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:56:23 tiger slapd[6395]: conn=4085 op=0 do_bind: invalid dn (xxxx)
May 16 16:56:23 tiger slapd[6395]: conn=4085 op=0 RESULT tag=97 err=34 text=invalid DN



slapd is not quoting the invalid DN, so the quotes are part of the DN being sent, which is obviously invalid due to the quotes.


> I understand that there might be a problem in Pacemaker's `slapd' resource
> agent. Maybe it corrupts the bind DN somehow...

>

> The agent executes the `monitor' operation; here is a snippet from the
> resource agent code:
>
> ldap2:~# less /usr/lib/ocf/resource.d/heartbeat/slapd
> ...
> slapd_monitor()
> {
> ...
>     options="-LLL -s base -x"
>
>     if [ -n "$bind_dn" ]; then
>         options="$options -D '$bind_dn' -w '$password'"


This is wrong. Removing the single quotes in the line above should fix it.



Regards,

Buchan
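The quoting bug discussed in this thread, reproduced as an added example (this is not code from the thread, from the resource-agents project or from OpenLDAP). fake_ldapsearch is an assumed stand-in for ldapsearch(1) that only reports the values it receives after -D and -w; buggy_bind builds the option string the way the agent does, and fixed_bind passes each argument as its own word with "$@". It goes slightly beyond the post by also showing why simply deleting the quotes is not enough once a value contains whitespace. The DN and password are the ones from the post; the second, space-containing password is constructed for the example.

```shell
#!/bin/sh
# Added example: shell quoting in a monitor command, without a real LDAP server.

# Stand-in for ldapsearch(1) (an assumption for this example, not OpenLDAP
# code): report the values received after -D and -w on one line so the
# effect of each quoting style is visible.
fake_ldapsearch() {
    dn='' pw=''
    while [ $# -gt 0 ]; do
        case $1 in
            -D) dn=$2; shift ;;
            -w) pw=$2; shift ;;
        esac
        shift
    done
    printf 'D=%s w=%s\n' "$dn" "$pw"
}

# The agent's form. The single quotes are ordinary characters inside the
# string; word-splitting $options later does not re-parse them, so they
# reach the program as part of the DN and password.
buggy_bind() {
    bind_dn=$1 password=$2
    options="-LLL -s base -x"
    if [ -n "$bind_dn" ]; then
        options="$options -D '$bind_dn' -w '$password'"
    fi
    fake_ldapsearch $options   # unquoted on purpose: reproduces the bug
}

# Corrected form. Build the argument list with "$@" so each value stays
# exactly one word, with no quotes added, even when it contains spaces.
fixed_bind() {
    bind_dn=$1 password=$2
    set -- -LLL -s base -x
    if [ -n "$bind_dn" ]; then
        set -- "$@" -D "$bind_dn" -w "$password"
    fi
    fake_ldapsearch "$@"
}

dn='uid=slapd-pcmk,ou=Services,dc=test,dc=org'
printf 'agent form, password from post : %s\n' "$(buggy_bind "$dn" 'P@ssw0rd,')"
printf 'fixed form, password from post : %s\n' "$(fixed_bind "$dn" 'P@ssw0rd,')"
printf 'agent form, constructed "pa ss" : %s\n' "$(buggy_bind "$dn" 'pa ss')"
printf 'fixed form, constructed "pa ss" : %s\n' "$(fixed_bind "$dn" 'pa ss')"
```

Removing the single quotes, as suggested above, is enough for this DN and password because neither contains whitespace or glob characters; the "$@" form needs no such assumption. Independently of quoting, a password given with -w is visible in the process list for the lifetime of the ldapsearch process, here once per monitor interval; ldapsearch(1) accepts -y passwdfile to read it from a file instead.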