With Ubuntu 10.04, slapd is shipped by default using slapd.d configuration instead of slapd.conf. Referring to the document [1] I believe adding a new database should be as simple as adding a new file in slapd.d/cn=config/
But it doesn't work for me. Behavior explained below:
I created this new database definition by copying example [2]:
# cat "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb"
# BDB definition for example.com
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: "dc=test,dc=com"
olcDbDirectory: /var/lib/ldap
olcRootDN: "cn=Manager,dc=test,dc=com"
olcRootPW: secret
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Admin,dc=test,dc=com" write by * none
olcAccess: to * by self write by dn.base="cn=Admin,dc=test,dc=com" write by * read
According to my experience of using slapd.conf in the last five years, if I restart slapd, I should see DB_CONFIG and a few other files created in the DB directory. But this is not happening this time.
root@orphalese:~# ls -dlh /var/lib/ldap
drwxr-x--- 2 openldap openldap 4.0K Jun 12 10:36 /var/lib/ldap
root@orphalese:~# ls -lh /var/lib/ldap
total 0
Question: 1) did I do anything wrong? 2) What would you further suggest I check?
List of what I have checked:
1. Adding entry to the newly created database also doesn't work:
# slapadd -b dc=test,dc=com < /tmp/first.ldif
slapadd: slap_init no backend for "dc=test,dc=com"
2. I checked syslog with LogLevel set to 255, and ended up with a lot of details in syslog but none mentioning the keyword 'hdb'.
3. The above experiment was redone with hdb replaced by bdb, without luck either.
4. Authentication also fails:
$ ldapsearch -x -D cn=Manager,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
5. I also checked to make sure slapd.conf doesn't exist.
6. I also checked that there is only one slapd.d directory and that slapd is using the same slapd.d that I am editing, by the fact that I changed LogLevel in cn=config.ldif and it had a visible effect on syslog.
[1] http://www.openldap.org/doc/admin24/slapdconf2.html
[2] The 'example' is "/etc/ldap/slapd.d/cn=config/olcDatabase=bdb" shipped with Ubuntu:
# cat "/etc/ldap/slapd.d/cn=config/olcDatabase=bdb"
# BDB definition for example.com
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: "dc=example,dc=com"
olcDbDirectory: /usr/local/var/openldap-data
olcRootDN: "cn=Manager,dc=example,dc=com"
olcRootPW: secret
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Admin,dc=example,dc=com" write by * none
olcAccess: to * by self write by dn.base="cn=Admin,dc=example,dc=com" write by * read
On 26/07/2010 13:10, Zhang Weiwu wrote:
With Ubuntu 10.04, slapd is shipped by default using slapd.d configuration instead of slapd.conf. Referring to the document [1] I believe adding a new database should be as simple as adding a new file in slapd.d/cn=config/
One would usually add the new configuration object via LDAP, rather than by modifying the database files. This is the point of cn=config. However, adding files may work also...
But it doesn't work for me. Behavior explained below:
I created this new database definition by copying example [2]:
# cat "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb"
# BDB definition for example.com
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: "dc=test,dc=com"
olcDbDirectory: /var/lib/ldap
olcRootDN: "cn=Manager,dc=test,dc=com"
olcRootPW: secret
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Admin,dc=test,dc=com" write by * none
olcAccess: to * by self write by dn.base="cn=Admin,dc=test,dc=com" write by * read
According to my experience of using slapd.conf in the last five years, if I restart slapd, I should see DB_CONFIG and a few other files created in the DB directory. But this is not happening this time.
The DB_CONFIG file will only be created if you have used the parameter olcDbConfig (dbconfig in slapd.conf).
The file should be named /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif.
root@orphalese:~# ls -dlh /var/lib/ldap
drwxr-x--- 2 openldap openldap 4.0K Jun 12 10:36 /var/lib/ldap
root@orphalese:~# ls -lh /var/lib/ldap
total 0
Question: 1) did I do anything wrong? 2) What would you further suggest I check?
List of what I have checked:
Adding entry to the newly created database also doesn't work:
# slapadd -b dc=test,dc=com < /tmp/first.ldif
slapadd: slap_init no backend for "dc=test,dc=com"
I checked syslog with LogLevel set to 255, and ended up with a lot of details in syslog but none mentioning the keyword 'hdb'.
I recommend using loglevel config to see debugging information related to configuration issues. If your file is not read, the hdb database won't appear in the output...
The above experiment was redone with hdb replaced by bdb, without luck either.
Authentication also fails:
$ ldapsearch -x -D cn=Manager,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
I also checked to make sure slapd.conf doesn't exist.
I also checked that there is only one slapd.d directory and that slapd is using the same slapd.d that I am editing, by the fact that I changed LogLevel in cn=config.ldif and it had a visible effect on syslog.
[1] http://www.openldap.org/doc/admin24/slapdconf2.html
[2] The 'example' is "/etc/ldap/slapd.d/cn=config/olcDatabase=bdb" shipped with Ubuntu:
# cat "/etc/ldap/slapd.d/cn=config/olcDatabase=bdb"
# BDB definition for example.com
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: "dc=example,dc=com"
olcDbDirectory: /usr/local/var/openldap-data
olcRootDN: "cn=Manager,dc=example,dc=com"
olcRootPW: secret
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Admin,dc=example,dc=com" write by * none
olcAccess: to * by self write by dn.base="cn=Admin,dc=example,dc=com" write by * read
On 26/07/2010 19:53, Jonathan Clarke wrote:
The file should be named /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif.
You are right. slapd behavior changed immediately after I renamed as you recommended.
I recommend using loglevel config to see debugging information related to configuration issues. If your file is not read, the hdb database won't appear in the output...
Thanks for the recommendation. I tried it and began to have a second, different problem. This time the new db definition is obviously read, but slapd quits with an error:
[snip]
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6 :
config_add_internal: DN="olcDatabase={1}bdb,cn=config" no structural objectClass (unrecognized objectClass 'olcBdbConfig')
config error processing olcDatabase={1}bdb,cn=config:
send_ldap_result: conn=-1 op=0 p=0
[/snip]
This part, "Unrecognized objectClass 'olcBdbConfig'", surprised me a bit, as the line that caused the problem is taken from the openldap manual:
Quote from http://www.openldap.org/doc/admin24/slapdconf2.html
5.2.6. BDB and HDB Database Directives
In addition to the olcDatabaseConfig objectClass, BDB and HDB database entries must have the olcBdbConfig and olcHdbConfig objectClass, respectively.
Jonathan Clarke also wrote:
One would usually add the new configuration object via LDAP, rather than by modifying the database files. This is the point of cn=config. However, adding files may work also...
Thanks.
Perhaps I missed some document, but what you said is not mentioned in the document I referred to. I think it makes a lot of sense to add a new database via LDAP, but a newbie would not be able to assume this can be done, especially when puzzled by not knowing what credential I should use to access the db cn=config, because olcRootPW does not exist in any of the ldif files except the one I just added:
# grep -R olcRootPW /etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config/olcDatabase=bdb:olcRootPW: secret
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb:olcRootPW: secret
On 26/07/2010 15:23, Zhang Weiwu wrote:
[snip]
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6 :
config_add_internal: DN="olcDatabase={1}bdb,cn=config" no structural objectClass (unrecognized objectClass 'olcBdbConfig')
config error processing olcDatabase={1}bdb,cn=config:
send_ldap_result: conn=-1 op=0 p=0
[/snip]
This part, "Unrecognized objectClass 'olcBdbConfig'", surprised me a bit, as the line that caused the problem is taken from the openldap manual:
Quote from http://www.openldap.org/doc/admin24/slapdconf2.html
5.2.6. BDB and HDB Database Directives
In addition to the olcDatabaseConfig objectClass, BDB and HDB database entries must have the olcBdbConfig and olcHdbConfig objectClass, respectively.
Actually if you re-read that, you'll see that it says to use the 'olcBdbConfig' objectClass *in addition* to the olcDatabaseConfig objectClass.
Jonathan Clarke also wrote:
One would usually add the new configuration object via LDAP, rather than by modifying the database files. This is the point of cn=config. However, adding files may work also...
Thanks.
Perhaps I missed some document, but what you said is not mentioned in the document I referred to. I think it makes a lot of sense to add a new database via LDAP, but a newbie would not be able to assume this can be done, especially when puzzled by not knowing what credential I should use to access the db cn=config, because olcRootPW does not exist in any of the ldif files except the one I just added:
# grep -R olcRootPW /etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config/olcDatabase=bdb:olcRootPW: secret
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb:olcRootPW: secret
No, I recall that Ubuntu sets up some other form of authentication tied into the OS... I've never really got it though, so I can't help here. Maybe others on the list understand how this works by default on Ubuntu?
Jonathan
Jonathan Clarke wrote:
On 26/07/2010 15:23, Zhang Weiwu wrote:
Thanks.
Perhaps I missed some document, but what you said is not mentioned in the document I referred to. I think it makes a lot of sense to add a new database via LDAP, but a newbie would not be able to assume this can be done, especially when puzzled by not knowing what credential I should use to access the db cn=config, because olcRootPW does not exist in any of the ldif files except the one I just added:
# grep -R olcRootPW /etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config/olcDatabase=bdb:olcRootPW: secret
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb:olcRootPW: secret
No, I recall that Ubuntu sets up some other form of authentication tied into the OS... I've never really got it though, so I can't help here. Maybe others on the list understand how this works by default on Ubuntu?
It depends on which version of Ubuntu you're using.
In 9.10 they configure an admin password when you install/configure the package.
https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
In 10.04 they use Unix root privileges with ldapi://
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
For future reference, distro-specific questions should be directed to your distro provider. Clearly we cannot provide generic answers for these questions.
On 26/07/2010 22:13, Jonathan Clarke wrote:
Actually if you re-read that (meaning the document), you'll see that it says to use the 'olcBdbConfig' objectClass *in addition* to the olcDatabaseConfig objectClass.
If you re-read my original post, you'll see I did exactly that :) Quote from line 13 of my original post:
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
On 27/07/2010 02:51, Zhang Weiwu wrote:
On 26/07/2010 22:13, Jonathan Clarke wrote:
Actually if you re-read that (meaning the document), you'll see that it says to use the 'olcBdbConfig' objectClass *in addition* to the olcDatabaseConfig objectClass.
If you re-read my original post, you'll see I did exactly that :) Quote from line 13 of my original post:
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
Oops. My bad, sorry!
If you can use olcBdbConfig but not olcHdbConfig, or vice-versa, make sure you have loaded the module for the backend you want to use (see the cn=module{0},cn=config entry).
Jonathan
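The replies above point at four things that go wrong when a database entry is added under cn=config: the file name (the RDN plus ".ldif"), DB_CONFIG only appearing when olcDbConfig is set, the backend objectClass being "unrecognized" when its module is not loaded in cn=module{0},cn=config, and a cleartext olcRootPW sitting in slapd.d. The following Python script is an added example, not code from this thread or from the OpenLDAP project: it parses a single LDIF entry, reports those problems before the entry is handed to ldapadd, and produces a {SSHA} hash of the kind slappasswd emits for olcRootPW. The sample entry, the module list passed in, and the fixed salt are constructed for the example.

```python
"""Added example (not code from the thread or from OpenLDAP): lint a cn=config
database entry before handing it to ldapadd, checking the failure modes the
thread hits. The sample input below is constructed for this example."""
import base64
import hashlib
import os
import re

# Constructed sample entry modelled on the one in the thread; olcDbConfig lines
# are added so slapd writes DB_CONFIG, olcRootPW is deliberately left in cleartext.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=test,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbIndex: objectClass eq
"""

# Backend name in the RDN -> structural objectClass the entry must carry.
BACKEND_CLASS = {"hdb": "olcHdbConfig", "bdb": "olcBdbConfig", "mdb": "olcMdbConfig"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Joins continuation lines (leading space), skips comments, decodes '::' base64 values."""
    logical = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def check_database_entry(attrs, loaded_modules=()):
    """Return a list of problems for a database entry under cn=config.
    loaded_modules: olcModuleLoad values from cn=module{0},cn=config (e.g. 'back_hdb');
    pass () if the backend is built in rather than loaded as a module."""
    problems = []
    dn = attrs.get("dn", [""])[0]
    m = re.fullmatch(r"olcDatabase=\{(\d+)\}(\w+),cn=config", dn)
    if not m:
        return ["dn is not of the form olcDatabase={N}backend,cn=config"]
    backend = m.group(2)
    classes = attrs.get("objectClass", [])
    if "olcDatabaseConfig" not in classes:
        problems.append("missing objectClass olcDatabaseConfig")
    wanted = BACKEND_CLASS.get(backend)
    if wanted is None:
        problems.append(f"unknown backend {backend!r}")
    elif wanted not in classes:
        problems.append(f"missing structural objectClass {wanted} for backend {backend}")
    # An unloaded backend module leaves its objectClass unknown to slapd, which
    # then reports "unrecognized objectClass", as in the log quoted in the thread.
    if loaded_modules and f"back_{backend}" not in loaded_modules:
        problems.append(f"back_{backend} is not listed in cn=module{{0}},cn=config")
    if "olcDbConfig" not in attrs:
        problems.append("no olcDbConfig, so slapd will not write DB_CONFIG into olcDbDirectory")
    for pw in attrs.get("olcRootPW", []):
        if not pw.startswith("{"):
            problems.append("olcRootPW is cleartext; store a {SSHA} hash from slappasswd instead")
    return problems


def expected_filename(attrs, confdir="/etc/ldap/slapd.d"):
    """Path slapd itself uses for this entry: RDN plus '.ldif' under cn=config."""
    rdn = attrs["dn"][0].split(",", 1)[0]
    return os.path.join(confdir, "cn=config", rdn + ".ldif")


def ssha_hash(password, salt=b"\x10\x20\x30\x40"):
    """{SSHA} as produced by slappasswd -h {SSHA}: base64(sha1(pw + salt) + salt).
    Fixed salt only so the example is deterministic; use os.urandom(4) in practice."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, hashed):
    """Check a password against a {SSHA} value (salt is the tail after the 20-byte digest)."""
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("would be stored as", expected_filename(entry))
    for p in check_database_entry(entry, loaded_modules=("back_hdb",)):
        print("problem:", p)
    print("hashed root password:", ssha_hash("secret"))
```

Once the entry passes, the Ubuntu 10.04 route Howard describes is to load it as root over the local socket rather than by writing into slapd.d, i.e. with ldapadd's SASL EXTERNAL mechanism over ldapi:/// (`ldapadd -Y EXTERNAL -H ldapi:/// -f entry.ldif`); slapd then creates the olcDatabase={1}hdb.ldif file itself, with the hashed olcRootPW rather than the cleartext one the grep above turned up.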
Jonathan Clarke wrote:
On 26/07/2010 13:10, Zhang Weiwu wrote:
With Ubuntu 10.04, slapd is shipped by default using slapd.d configuration instead of slapd.conf. Referring to the document [1] I believe adding a new database should be as simple as adding a new file in slapd.d/cn=config/
No. Never create files inside slapd.d by hand.
One would usually add the new configuration object via LDAP, rather than by modifying the database files. This is the point of cn=config. However, adding files may work also...
No. cn=config is only meant to be manipulated via LDAP or slap* tools. Never muck around directly in the files.
But it doesn't work for me.
openldap-technical@openldap.org