On Wednesday, 16 May 2012 11:33:02 Igor Zinovik wrote:
And here is my problem:
I can successfully execute the search query by hand using ldapsearch(1):
ldap2:~# ldapsearch -H "ldap:/// ldaps:/// ldapi:///" -b dc=test,dc=org -LLL -s base -x \
    -D 'uid=slapd-pcmk,ou=Services,dc=test,dc=org' -w 'P@ssw0rd,'
Enter LDAP Password:
dn: dc=test,dc=org
dc: test
objectClass: organization
objectClass: dcObject
o: Test org
ldap2:~# echo $?
0
Pacemaker uses resource agents to monitor various daemons, so I downloaded the
resource agent for slapd. A resource agent is just a script file (e.g. the
resource agent for slapd) and it executes the same query as I do by hand, but
slapd complains about "invalid dn":
Here is how slapd resource was defined:
ldap2:~# crm configure primitive slapd_mirrormode ocf:heartbeat:slapd \
    params slapd="/usr/lib/openldap/slapd" config="/etc/openldap/slapd.conf" \
    user="ldap" group="ldap" services="ldap:/// ldaps:/// ldapi:///" \
    watch_suffix="dc=test,dc=org" \
    bind_dn="uid=slapd-pcmk,ou=Services,dc=test,dc=org" \
    password="P@ssw0rd," parameters="-o slp=on" \
    meta migration-threshold="3" op monitor interval="10s"
I changed the loglevel in slapd to `1' and see the following in the log:
[...]
May 16 13:07:02 ldap2 slapd[7641]: conn=1015 op=0 do_bind: invalid dn ('uid=slapd-pcmk,ou=Services,dc=test,dc=org')
The single quotes are part of the DN being sent. For example:
$ ldapsearch -x -D "'uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com'"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
yields:
May 16 16:51:00 tiger slapd[6395]: conn=4082 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=0 do_bind: invalid dn ('uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com')
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=0 RESULT tag=97 err=34 text=invalid DN
May 16 16:51:00 tiger slapd[6395]: conn=4082 op=1 UNBIND
May 16 16:51:00 tiger slapd[6395]: conn=4082 fd=41 closed
Whereas:
$ ldapsearch -x -D "uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com"
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
yields:
May 16 16:51:05 tiger slapd[6395]: conn=4083 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:51:05 tiger slapd[6395]: conn=4083 op=0 BIND dn="uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com" method=128
May 16 16:51:05 tiger slapd[6395]: conn=4083 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
and:
$ ldapsearch -x -D "xxxx"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
yields:
May 16 16:56:23 tiger slapd[6395]: conn=4085 fd=41 ACCEPT from PATH=/var/run/ldap/ldapi (PATH=/var/run/ldap/ldapi)
May 16 16:56:23 tiger slapd[6395]: conn=4085 op=0 do_bind: invalid dn (xxxx)
May 16 16:56:23 tiger slapd[6395]: conn=4085 op=0 RESULT tag=97 err=34 text=invalid DN
slapd is not quoting the invalid DN, so the quotes are part of the DN being
sent, which is obviously invalid due to the quotes.
I understand that there might be a problem in Pacemaker's `slapd' resource
agent. Maybe it corrupts the bind DN somehow...
The agent executes the `monitor' operation; here is a snippet from the resource
agent code:
ldap2:~# less /usr/lib/ocf/resource.d/heartbeat/slapd
...
slapd_monitor()
{
    ...
    options="-LLL -s base -x"
    if [ -n "$bind_dn" ]; then
        options="$options -D '$bind_dn' -w '$password'"
This is wrong. Removing the single quotes in the line above should fix it.
Regards,
Buchan
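The root cause Buchan points at is a shell quoting rule: quote removal happens only on quotes that appear literally in the script, not on quotes that arrive through variable expansion. Word splitting of `$options` therefore hands ldapsearch an argument whose first and last characters are literal single quotes, and slapd rightly rejects that as a DN. The script below is an added example, not code from the thread or from the resource agent; it uses a constructed stand-in for ldapsearch (`fake_ldapsearch`) that just reports the `-D` argument it received, so it runs without an LDAP server, and constructed sample DN and password values.

```shell
#!/bin/sh
# Added example (not from the thread): shows why quotes embedded in a
# variable survive word splitting and reach the LDAP server as part of the DN.

password="P@ssw0rd,"   # constructed sample, mirrors the thread's value

# Constructed stand-in for ldapsearch: prints the argument following -D
# exactly as the shell delivered it, so we can see what slapd would get.
fake_ldapsearch() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -D) shift; printf '%s\n' "$1" ;;
        esac
        shift
    done
}

# Buggy pattern from the resource agent: quotes are placed inside a string
# and the string is later expanded unquoted. Word splitting does not do
# quote removal, so the quotes become literal characters of the argument.
# $1 = bind DN
dn_as_seen_buggy() {
    options="-LLL -s base -x"
    if [ -n "$1" ]; then
        options="$options -D '$1' -w '$password'"
    fi
    fake_ldapsearch $options
}

# Fixed pattern: build the argument list with the positional parameters
# (POSIX sh has no arrays) and pass each value as its own quoted argument.
# This also survives a DN that contains spaces, which simply removing the
# quotes from the buggy line would not.
# $1 = bind DN
dn_as_seen_fixed() {
    dn=$1
    set -- -LLL -s base -x
    if [ -n "$dn" ]; then
        set -- "$@" -D "$dn" -w "$password"
    fi
    fake_ldapsearch "$@"
}

# Defender-side sanity check for an agent or wrapper script: a DN that
# begins with a quote character is almost certainly a quoting bug upstream.
# Returns 0 when the DN looks sane, 1 when it starts with ' or ".
dn_looks_sane() {
    case "$1" in
        \'*|\"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration.
echo "buggy: $(dn_as_seen_buggy 'uid=slapd-pcmk,ou=Services,dc=test,dc=org')"
echo "fixed: $(dn_as_seen_fixed 'uid=slapd-pcmk,ou=Services,dc=test,dc=org')"
echo "buggy with a space in the DN: $(dn_as_seen_buggy 'cn=slapd monitor,ou=Services,dc=test,dc=org')"
echo "fixed with a space in the DN: $(dn_as_seen_fixed 'cn=slapd monitor,ou=Services,dc=test,dc=org')"
```

The buggy path prints the DN wrapped in literal single quotes, which is exactly the string that appears inside the parentheses of slapd's `do_bind: invalid dn (...)` log line in the thread; the fixed path prints the bare DN. The `set -- "$@" ...` idiom is the portable way to accumulate arguments in plain sh when values may contain spaces or shell metacharacters.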