Hi all,
I'm in the process of changing the domain name of a kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the user metadata such as homedir location, user and group id, etc. The server itself remains the same as well as the IP number. Actually I cloned it, so I can still access the old, working instance (only one server running at any time, since the IP is the same).
I followed instructions telling to
1) export the old data... slapcat -v -l ldap.diff
2) replace the old domain instances with the new ones using gedit
3) remove the old data rm -rf /var/lib/ldap/*
4) import the updated data back slapadd -l new-ldap.diff
5) and restore dir permissions chown -R openldap:openldap /var/lib/ldap/*
However, whereas the export went seemingly fine, importing and manipulating the new data required to point the specific slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf would raise an error: Available database(s) do not allow [action].
Basic commands like id, ldapsearch -x or slapcat return empty content without errors. All the /etc/ .confs have been updated, and should point to the new domain name.
Any idea what could cause this and how to fix it?
br, jukka
On 09/26/13 14:37 +0300, Jukka Tuominen wrote:
I'm in the process of changing the domain name of a kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the user metadata such as homedir location, user and group id, etc. The server itself remains the same as well as the IP number. Actually I cloned it, so I can still access the old, working instance (only one server running at any time, since the IP is the same).
I followed instructions telling to
- export the old data...
slapcat -v -l ldap.diff
replace the old domain instances with the new ones using gedit
remove the old data
rm -rf /var/lib/ldap/*
Did you recreate this directory?
- import the updated data back
slapadd -l new-ldap.diff
- and restore dir permissions
chown -R openldap:openldap /var/lib/ldap/*
However, whereas the export went seemingly fine, importing and manipulating the new data required to point the specific slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf would raise an error: Available database(s) do not allow [action].
So it does work with -f or doesn't? I'm not clear.
If you modified the suffix in your new-ldap.diff, did you also modify the suffix in your slapd.conf?
On 09/26/13 14:37 +0300, Jukka Tuominen wrote:
I'm in the process of changing the domain name of a kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the user metadata such as homedir location, user and group id, etc. The server itself remains the same as well as the IP number. Actually I cloned it, so I can still access the old, working instance (only one server running at any time, since the IP is the same).
I followed instructions telling to
- export the old data...
slapcat -v -l ldap.diff
replace the old domain instances with the new ones using gedit
remove the old data
rm -rf /var/lib/ldap/*
Did you recreate this directory?
No. I think the above command removes the contents only, but leaves the /var/lib/ldap in place? I checked the original installation and it seemed to contain the same files.
- import the updated data back
slapadd -l new-ldap.diff
- and restore dir permissions
chown -R openldap:openldap /var/lib/ldap/*
However, whereas the export went seemingly fine, importing and manipulating the new data required to point the specific slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf would raise an error: Available database(s) do not allow [action].
So it does work with -f or doesn't? I'm not clear.
With -f it works.
If you modified the suffix in your new-ldap.diff, did you also modify the suffix in your slapd.conf?
Yes I did. And with -f I was pointing the very same file. Weird! I'm not at all familiar with ldap, so I may be overlooking something very simple.
br,jukka
-- Dan White
Still not working. A few more things that I've noticed:
- While pointing to slapd.conf file with -f, slapadd and slapadd seem to work, but starting the daemon similarly with -f doesn't help finding the actual content (e.g. ldapsearch -x uid=xxx). - The original, working setup doesn't use the slapd.conf. Disabling the file in the new system didn't help. - Running slapadd with -b option (and without -f) returns error: slapadd: slap_init no backend for "dc=xxx,dc=xxx"
I also wonder if there are any configurations outside /etc/ that I should tweak or check the file/dir permissions?
Any help is greatly appreciated br,jukka
On 09/26/13 14:37 +0300, Jukka Tuominen wrote:
I'm in the process of changing the domain name of a kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the user metadata such as homedir location, user and group id, etc. The server itself remains the same as well as the IP number. Actually I cloned it, so I can still access the old, working instance (only one server running at any time, since the IP is the same).
I followed instructions telling to
- export the old data...
slapcat -v -l ldap.diff
replace the old domain instances with the new ones using gedit
remove the old data
rm -rf /var/lib/ldap/*
Did you recreate this directory?
No. I think the above command removes the contents only, but leaves the /var/lib/ldap in place? I checked the original installation and it seemed to contain the same files.
- import the updated data back
slapadd -l new-ldap.diff
- and restore dir permissions
chown -R openldap:openldap /var/lib/ldap/*
However, whereas the export went seemingly fine, importing and manipulating the new data required to point the specific slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf would raise an error: Available database(s) do not allow [action].
So it does work with -f or doesn't? I'm not clear.
With -f it works.
If you modified the suffix in your new-ldap.diff, did you also modify the suffix in your slapd.conf?
Yes I did. And with -f I was pointing the very same file. Weird! I'm not at all familiar with ldap, so I may be overlooking something very simple.
br,jukka
-- Dan White
openldap-technical@openldap.org
-
Dan White -
Jukka Tuominen