Hi all:
I'm running OpenLDAP 2.3.27 from CentOS 5.2 to build from scratch an LDAP tree based on Phamm sample LDIF files. I have this database definition in slapd.conf:
database bdb
suffix "dc=redtube,dc=com"
rootdn "cn=manager,dc=redtube,dc=com"
rootpw {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory /var/lib/ldap
mode 660

index objectClass eq
index cn,mail eq,subinitial
index vd,delete eq,pres
index accountActive,forwardActive eq,pres
index smtpAuth eq,pres
index sn,uid,displayName pres,eq,sub
index uidNumber,gidNumber eq
index default sub
I always do the following:
1. # rm /var/lib/ldap/* (to be sure I'm starting from scratch)
2. # slapadd -b dc=redtube,dc=com redtube.ldif
After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all the other files have -w----r-T as permissions and are owned by root.root . Is that correct?
Well, as far as I know they should be owned by the ldap user and ldap group with 0660 permissions assigned (based on the "mode" directive in slapd.conf). So I do the following:
3. # chown ldap.ldap /var/lib/ldap/*
   # chmod 660 /var/lib/ldap/*
   (/var/lib/ldap directory is 0700 and owned by ldap.ldap already)
4. I check against possible errors and then start OpenLDAP:
   # slapd -Tt
   # service ldap start
5. OpenLDAP starts correctly, it works perfectly. I can even make modifications to the LDAP tree, adding entries based on attributes like vd, cn, mail, among others. I'm aware that there is no uid.bdb created yet in /var/lib/ldap, so I guess that's ok.
My problem comes when I try to perform some operation that causes OpenLDAP to create an index file in /var/lib/ldap. For example, when I try to log in with the rootdn through phpldapadmin I get something like this in the logs:
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
I don't know why phpldapadmin performs a search based on a filter like "(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
Then I stop and start OpenLDAP and I start getting this:
# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=mailtest,dc=com.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded [ OK ]
Starting slapd: [ OK ]
Question is: Why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is it getting permission denied messages? The whole directory /var/lib/ldap is owned by the ldap user with 660 permissions. Can anybody help me? Thanks
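The procedure above (slapadd as root, then chown/chmod, then start slapd as the service user) is where the ownership and mode bits get out of step. The following script is an added example, not part of the original post and not OpenLDAP's own code: it checks the classic conditions the BDB backend needs in its database directory, namely that the directory is owned by the service account with u+rwx (the w bit on the directory is what allows a new index file such as uid.bdb to be created, the x bit is what allows any file inside it to be opened), and that every existing database file is owned by that account and u+rw. The user name "ldap" and the path /var/lib/ldap are assumptions taken from the post; pass your own.

```sh
#!/bin/sh
# Added example (not from the original post, not OpenLDAP code): check the
# ownership/mode bits slapd's BDB backend needs in its "directory".
# Assumed (hypothetical) layout: slapd runs as user "ldap", the database
# lives in /var/lib/ldap. Needs root only to inspect a root-owned tree.
#
# Usage:  check_bdb_dir /var/lib/ldap ldap     (exit 0 = ok, 1 = problems)

check_bdb_dir() {
    dir=$1
    user=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi

    # The directory itself must be owned by the service user with u+rwx.
    # w on the directory lets slapd create a brand-new index file (uid.bdb
    # the first time a uid-indexed search is served); x lets it open
    # anything inside at all. A directory left at 660 (no x bit) makes
    # every open() inside it fail with EACCES, whatever the files look like.
    if [ -n "$(find "$dir" -prune \( ! -user "$user" -o ! -perm -u+rwx \) -print)" ]; then
        echo "$dir: must be owned by $user and have u+rwx on the directory" >&2
        return 1
    fi

    # Every existing database file (*.bdb, __db.*, log.*, alock) must be
    # owned by the service user and be readable and writable by it, since
    # BDB opens them read-write. Files created by running slapadd as root
    # are owned by root until they are chown'd and fail this test.
    bad=$(find "$dir" -type f \( ! -user "$user" -o ! -perm -u+rw \) -print)
    if [ -n "$bad" ]; then
        echo "files not owned by $user or not u+rw:" >&2
        echo "$bad" >&2
        rc=1
    fi

    return $rc
}
```

The script only inspects discretionary ownership and mode bits. A mandatory access control layer such as SELinux, which CentOS ships enabled by default, can still return EACCES on the open even when these checks pass, so a clean result here does not by itself rule out a labelling problem on files that a root-run slapadd created.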