Hello,
I apologize if I am posting to the wrong mailing list.
I have a simple problem, which I am sure any OpenLDAP administrator can easily solve... I am not an administrator, however. Hence being unable to answer this trivial question presents a real problem. I am stuck. Any assistance would be greatly appreciated.
I am trying to add Virtual List View support to an OpenLDAP server on hosted Ubuntu. The distro version is Ubuntu 14.04.1 LTS. The OpenLDAP server is already running. I receive responses to basic commands, but VLV is not working. When I run the version command, I get:
vq@vq-HVM-domU:~$ slapd -VV
@(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $
	buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/servers/slapd
I added the following lines to the slapd.conf file (located for some reason in a funky place /usr/share/slapd/slapd.conf )
moduleload sssvlv.so
overlay sssvlv
My path seems to be OK: modulepath /usr/lib/ldap
The dynamic library appears to be in the right place as well:
vq@vq-HVM-domU:~$ ls -l /usr/lib/ldap/sssvlv.so
lrwxrwxrwx 1 root root 19 Mar 17  2014 /usr/lib/ldap/sssvlv.so -> sssvlv-2.4.so.2.8.3
vq@vq-HVM-domU:~$ ls -l /usr/lib/ldap/sssvlv-2.4.so.2.8.3
-rw-r--r-- 1 root root 26872 Mar 17  2014 /usr/lib/ldap/sssvlv-2.4.so.2.8.3
I cut out a piece of dmesg, just in case:
[ 0.000000] Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 (Ubuntu 3.13.0-32.57-generic 3.13.11.4)
I tried to figure out how to see what OpenLDAP modules are loaded, but did not find the appropriate documentation, at least quickly. Sorry again. I am sure the list subscribers know where to look. I unfortunately do not.
There is no slapd-config executable on this system. Hence, I am assuming that slapd.conf is being used.
Please advise what I am missing and/or doing wrong. Any suggestions are welcome
If this is a totally wrong place to ask, please direct me to an appropriate resource. The server fault forums did not produce immediate results.
Thank you,
Igor Shmukler
--On November 11, 2014 at 11:05:26 PM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
Hello,
I apologize if I am posting to the wrong mailing list.
I have a simple problem, which I am sure any OpenLDAP administrator can easily solve... I am not an administrator, however. Hence being unable to answer this trivial question presents a real problem. I am stuck. Any assistance would be greatly appreciated.
I am trying to add Virtual List View support to an OpenLDAP server on hosted Ubuntu. The distro version is Ubuntu 14.04.1 LTS. The OpenLDAP server is already running. I receive responses to basic commands, but
a) Do not use Ubuntu's utterly broken build of OpenLDAP, to start with. You may want to try the builds from the LTB project.
b) Ubuntu no longer uses the deprecated slapd.conf. It uses the cn=config database. So your changes to the slapd.conf (included for reference, not use) are ignored. You probably should read up on the slapd-config man page.
--Quanah
Hello,
a) Do not use Ubuntu's utterly broken build of OpenLDAP, to start with. You may want to try the builds from the LTB project.
b) Ubuntu no longer uses the deprecated slapd.conf. It uses the cn=config database. So your changes to the slapd.conf (included for reference, not use) are ignored. You probably should read up on the slapd-config man page.
Thank you for your answer. I spent quite a lot of time reading various man pages including the one for slapd.conf(5), of course. As I mentioned, there is no slapd-config on my system. [How] is it possible that the system is configured with cn=config without it? Is there a way to determine whether slapd.conf is used and where the daemon is trying to find it, short of doing a system call trace?
Also, is there a command to list loadable modules in use?
Sincerely,
Igor Shmukler
--On November 11, 2014 at 11:48:59 PM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
Thank you for your answer. I spent quite a lot of time reading various man pages including the one for slapd.conf(5), of course. As I mentioned, there is no slapd-config on my system. [How] is it possible that the system is configured with cn=config without it? Is there a way to determine whether slapd.conf is used and where the daemon is trying to find it, short of doing a system call trace?
How do you know there is no slapd-config database on your system? That's what Ubuntu 12 and later all use by default. I'm fairly certain yours does too. You can look at the startup script for slapd to see where it is pulling its config from possibly. IIRC, Ubuntu stores it under /etc/ldap/slapd.d, and their documentation confirms that: https://help.ubuntu.com/lts/serverguide/openldap-server.html
--Quanah
On Tue, Nov 11, 2014 at 11:48:59PM +0200, Igor Shmukler wrote:
Thank you for your answer. I spent quite a lot of time reading various man pages including the one for slapd.conf(5), of course. As I mentioned, there is no slapd-config on my system. [How] is it possible that the system is configured with cn=config without it?
slapd-config is a manual page, not an executable.
man slapd-config Describes the LDAP/LDIF configuration method
man slapd.conf Describes the flat text-file configuration method
Both methods configure the same things, so those pages are quite similar. The keywords / attribute names are different though, so make sure you read the right one for the method you are using.
Is there a way to determine whether slapd.conf is used and where the daemon is trying to find it, short of doing a system call trace?
Use 'ps ax | grep slap' to see whether there are any command-line options applied to the slapd process. If there are, look them up in 'man slapd' taking particular note of the -f and -F options. If those options are not present then the daemon will use the default config database (see slapd-config above) or, failing that, will use the default config file (see slapd.conf above).
Each of those manual pages starts with a note of exactly where the default database or config file will be found on your system.
Also, is there a command to list loadable modules in use?
'lsof -p <slapd PID>' perhaps :-)
Modules can be backends or overlays. I cannot think of a single command that finds all loaded slapd modules. You can find what backends and overlays are available/active by browsing under cn=monitor. Similarly you could search under cn=config to find what the config says *should* be loaded.
Andrew
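The -f / -F rule Andrew gives above, and his suggestion to look under cn=config and cn=monitor for what is loaded, as an added shell example (not code from the thread or from the OpenLDAP project). The default paths are assumptions for a Debian/Ubuntu slapd package, and the searches assume the package's usual root-over-ldapi access to cn=config and that the monitor backend is enabled.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.
# Decide which configuration source a slapd uses from its command line:
# -f names a flat slapd.conf, -F names a cn=config directory; with neither,
# slapd falls back to the package's default directory, then the default file.

DEFAULT_CONFDIR=/etc/ldap/slapd.d       # assumed package default for -F
DEFAULT_CONFFILE=/etc/ldap/slapd.conf   # assumed package default for -f

# slapd_config_source "<full slapd command line as shown by ps>"
# Prints dir:<path> when -F is given (when -f is given as well, slapd converts
# that file into the directory, so the directory is what ends up in use),
# file:<path> when only -f is given, and "default" when neither is present.
slapd_config_source() {
    set -- $1                # split the command line into words
    _file=""; _dir=""
    while [ $# -gt 0 ]; do
        case $1 in
            -f)   shift; _file=${1:-} ;;
            -F)   shift; _dir=${1:-} ;;
            -f?*) _file=${1#-f} ;;      # the -fPATH spelling
            -F?*) _dir=${1#-F} ;;       # the -FPATH spelling
        esac
        [ $# -gt 0 ] && shift
    done
    if [ -n "$_dir" ]; then
        echo "dir:$_dir"
    elif [ -n "$_file" ]; then
        echo "file:$_file"
    else
        echo "default"
    fi
}

# resolve_default <confdir> <conffile>: what slapd picks when neither option
# is present, following the directory-then-file order.
resolve_default() {
    if [ -d "$1" ]; then
        echo "dir:$1"
    elif [ -f "$2" ]; then
        echo "file:$2"
    else
        echo "none"
    fi
}

# Read the command line of the running slapd (first match) and report.
report_running_slapd() {
    _cmd=$(ps ax -o args= | grep '[s]lapd' | head -n 1)
    [ -n "$_cmd" ] || { echo "no slapd process found" >&2; return 1; }
    _src=$(slapd_config_source "$_cmd")
    [ "$_src" = "default" ] && _src=$(resolve_default "$DEFAULT_CONFDIR" "$DEFAULT_CONFFILE")
    echo "$_src"
}

# What the configuration says should be loaded: module list and every
# overlay entry (objectClass=olcOverlayConfig also matches its subclasses,
# such as olcSssVlvConfig). Run as root.
list_configured_modules() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcModuleList)' olcModulePath olcModuleLoad
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcOverlayConfig)' olcOverlay
}

# What the server reports as actually active, from the monitor backend.
list_active_backends_overlays() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=Backends,cn=monitor monitoredInfo
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=Overlays,cn=monitor monitoredInfo
}
```

Source the file and call `report_running_slapd` on the server, then `list_configured_modules` and `list_active_backends_overlays` to compare what the config says should be loaded against what the running server exposes; a module present in olcModuleLoad but with no matching olcOverlay entry under a database is exactly the "loaded but not applied" state discussed later in this thread.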
Thank you Andrew and Quanah. I appreciate your help.
I manually added "olcModuleLoad: {1}sssvlv.la" to the /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did not do anything. I will re-read the manuals and resume.
It is almost 1 AM in my timezone. To be continued tomorrow.
On Wed, Nov 12, 2014 at 12:41 AM, Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
On Tue, Nov 11, 2014 at 11:48:59PM +0200, Igor Shmukler wrote:
Thank you for your answer. I spent quite a lot of time reading various man pages including the one for slapd.conf(5), of course. As I mentioned, there is no slapd-config on my system. [How] is it possible that the system is configured with cn=config without it?
slapd-config is a manual page, not an executable.
man slapd-config Describes the LDAP/LDIF configuration method
man slapd.conf Describes the flat text-file configuration method
Both methods configure the same things, so those pages are quite similar. The keywords / attribute names are different though, so make sure you read the right one for the method you are using.
Is there a way to determine whether slapd.conf is used and where the daemon is trying to find it, short of doing a system call trace?
Use 'ps ax | grep slap' to see whether there are any command-line options applied to the slapd process. If there are, look them up in 'man slapd' taking particular note of the -f and -F options. If those options are not present then the daemon will use the default config database (see slapd-config above) or, failing that, will use the default config file (see slapd.conf above).
Each of those manual pages starts with a note of exactly where the default database or config file will be found on your system.
Also, is there a command to list loadable modules in use?
'lsof -p <slapd PID>' perhaps :-)
Modules can be backends or overlays. I cannot think of a single command that finds all loaded slapd modules. You can find what backends and overlays are available/active by browsing under cn=monitor. Similarly you could search under cn=config to find what the config says *should* be loaded.
Andrew
From Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/ +44 1628 782565
--On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
Thank you Andrew and Quanah. I appreciate your help.
I manually added "olcModuleLoad: {1}sssvlv.la" to the /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did not do anything. I will re-read the manuals and resume.
Those are database files. If you directly modify them, you may completely corrupt/destroy your installation. You should be using ldapmodify, etc, to update the configuration database.
--Quanah
Interestingly, lsof does have the following entry:
slapd 13310 openldap mem REG 202,1 26872 409681 /usr/lib/ldap/sssvlv-2.4.so.2.8.3
Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is telling me "VLV control requires server side sort control"
Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?
On Wed, Nov 12, 2014 at 1:00 AM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
Thank you Andrew and Quanah. I appreciate your help.
I manually added "olcModuleLoad: {1}sssvlv.la" to the /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did not do anything. I will re-read the manuals and resume.
Those are database files. If you directly modify them, you may completely corrupt/destroy your installation. You should be using ldapmodify, etc, to update the configuration database.
--Quanah
-- Quanah Gibson-Mount Platform Architect Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Am Wed, 12 Nov 2014 01:02:36 +0200 schrieb Igor Shmukler igor.shmukler@gmail.com:
Interestingly, lsof does have the following entry:
slapd 13310 openldap mem REG 202,1 26872 409681 /usr/lib/ldap/sssvlv-2.4.so.2.8.3
Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is telling me "VLV control requires server side sort control"
It seems you have not configured sssvlv, read man slapo-sssvlv(5) and https://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09
-Dieter
Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?
On Wed, Nov 12, 2014 at 1:00 AM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
Thank you Andrew and Quanah. I appreciate your help.
I manually added "olcModuleLoad: {1}sssvlv.la" to the /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did not do anything. I will re-read the manuals and resume.
Those are database files. If you directly modify them, you may completely corrupt/destroy your installation. You should be using ldapmodify, etc, to update the configuration database.
--Quanah
Hello Dieter,
Thank you for your input.
It seems you have not configured sssvlv, read man slapo-sssvlv(5) and https://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09
I glanced through the IETF document, and see nothing concerning the OpenLDAP SSSVLV configuration. Please advise what section contains relevant information.
The slapo-sssvlv(5) man page indeed covers configuration. I see only three (3) values there: sssvlv-max, sssvlv-maxkeys and sssvlv-maxperconn. According to the same man page, there is a default for each of those. I assumed this means that if the value is not specified, the default is used. Is this wrong?
Further, I understand that the man page must be clear and I probably read it incorrectly, yet... It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
Please advise.
Sincerely,
Igor Shmukler
Hi Igor
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
You need to use ldapadd with ldif like this:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
Chris
Thank you Chris,
This is exactly what I needed. Should I put the ldif file into the /etc/ldap/slapd.d/cn=config/cn=schema directory or /etc/ldap/slapd.d/cn=config/ directory? What is the recommended place? [I see that -D is to specify binddn, yet I am not sure whether LDIF should go there. Sorry for being stupid.]
Sincerely,
Igor Shmukler
On Wed, Nov 12, 2014 at 10:38 AM, Chris Card ctcard@hotmail.com wrote:
Hi Igor
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
You need to use ldapadd with ldif like this:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
Chris
On Wed, Nov 12, 2014 at 10:38 AM, Chris Card ctcard@hotmail.com wrote:
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
You need to use ldapadd with ldif like this:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
Thank you Chris,
This is exactly what I needed. Should I put the ldif file into the /etc/ldap/slapd.d/cn=config/cn=schema directory or /etc/ldap/slapd.d/cn=config/ directory? What is the recommended place? [I see that -D is to specify binddn, yet I am not sure whether LDIF should go there. Sorry for being stupid.]
Don't update anything under /etc/ldap/slapd.d/cn=config by hand!
The configuration is held in an LDAP directory with suffix cn=config, and you add stuff to it in exactly the same way as any other LDAP directory, using ldapadd, ldapmodify etc.
The fact that you can see files under /etc/ldap/slapd.d/cn=config is just an artifact of the implementation of the cn=config db in openldap, and I believe it is planned to change the implementation in the future.
Chris
Where should I put the ldif file, then?
On Wed, Nov 12, 2014 at 10:53 AM, Chris Card ctcard@hotmail.com wrote:
On Wed, Nov 12, 2014 at 10:38 AM, Chris Card ctcard@hotmail.com wrote:
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
You need to use ldapadd with ldif like this:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
Thank you Chris,
This is exactly what I needed. Should I put the ldif file into the /etc/ldap/slapd.d/cn=config/cn=schema directory or /etc/ldap/slapd.d/cn=config/ directory? What is the recommended place? [I see that -D is to specify binddn, yet I am not sure whether LDIF should go there. Sorry for being stupid.]
Don't update anything under /etc/ldap/slapd.d/cn=config by hand!
The configuration is held in an LDAP directory with suffix cn=config, and you add stuff to it in exactly the same way as any other LDAP directory, using ldapadd, ldapmodify etc.
The fact that you can see files under /etc/ldap/slapd.d/cn=config is just an artifact of the implementation of the cn=config db in openldap, and I believe it is planned to change the implementation in the future.
Chris
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is being used, the options should appear after the overlay directive. Even I got this. Where those options should go when cn=config is used? I do not understand it from the man page. Is this something to be specified using ldapmodify?
You need to use ldapadd with ldif like this:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
Thank you Chris,
This is exactly what I needed. Should I put the ldif file into the /etc/ldap/slapd.d/cn=config/cn=schema directory or /etc/ldap/slapd.d/cn=config/ directory? What is the recommended place? [I see that -D is to specify binddn, yet I am not sure whether LDIF should go there. Sorry for being stupid.]
Don't update anything under /etc/ldap/slapd.d/cn=config by hand!
The configuration is held in an LDAP directory with suffix cn=config, and you add stuff to it in exactly the same way as any other LDAP directory, using ldapadd, ldapmodify etc.
The fact that you can see files under /etc/ldap/slapd.d/cn=config is just an artifact of the implementation of the cn=config db in openldap, and I believe it is planned to change the implementation in the future.
Where should I put the ldif file, then?
It doesn't matter where, it's just a source file. The ldapadd utility will send the ldif to the LDAP server, and the LDAP server will update the cn=config directory.
Chris
Hi Chris,
Sorry to bother you again.
ldapadd -x -w <password> -D cn=config -f <ldif file>
-D cn=config was giving me an authentication error. I used credentials, which work for ldapsearch and got a syntax error.
vq@vq-HVM-domU:~$ ldapadd -x -w SECRET -D "cn=admin, dc=nodomain" -f /usr/share/slapd/sssvlv.ldif
ldap_add: Invalid syntax (21)
	additional info: objectClass: value #0 invalid per syntax
Please advise.
Thank you,
Igor Shmukler
On Wed, Nov 12, 2014 at 01:02:36AM +0200, Igor Shmukler wrote:
Interestingly, lsof does have the following entry:
slapd 13310 openldap mem REG 202,1 26872 409681 /usr/lib/ldap/sssvlv-2.4.so.2.8.3
Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is telling me "VLV control requires server side sort control"
It would appear that the sssvlv *module* has loaded, but you still have to apply the overlay to the database that you want it to work on.
Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?
Not necessarily. Many people on this list dislike the way that some of the major Linux distros build OpenLDAP and the old versions of OpenLDAP that they use, so the default setup tends to get described as 'broken'. Quanah was also referring to the fact that you had hand-edited a file under /etc/ldap/slapd.d/cn=config - that is a very risky thing to do and you may have caused problems that way.
In this case I think it more likely that you just need to add the overlay to the database.
On Wed, Nov 12, 2014 at 08:38:14AM +0000, Chris Card wrote:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
something like
ldapadd -x -w <password> -D cn=config -f <ldif file>
As Chris says, ldapadd (or slapadd if the server is down) is the right way to modify a config of this type. The exact LDIF required will depend on your database setup: Chris has assumed that you want the overlay on the first non-config database and that it is a bdb. If your setup is different then the DN will have to change.
Note also that bdb is deprecated. If you continue to use the binaries shipped with Ubuntu then you should at least consider swapping to hdb. Ideally you should build the latest OpenLDAP from source and use mdb. Changing to a different database type requires dumping all data to LDIF text files and re-loading it in the new database, so this is not something to be undertaken until you are more familiar with OpenLDAP.
Andrew
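Chris's overlay LDIF and Andrew's caveat that the olcDatabase={1}bdb part depends on the actual database setup, as an added shell example (not code from the thread or from the OpenLDAP project). It reads the database RDN from a cn=config dump instead of hard-coding it, emits the module-load change that has to be applied first (Quanah's ldapmodify route rather than editing files under slapd.d), and emits the overlay entry one attribute per line. The cn=config dump, the hdb database type and the dc=nodomain suffix are constructed sample values; the ldapi/EXTERNAL access used by apply_sssvlv is an assumption about the package defaults.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.
# Derive the sssvlv overlay LDIF for whatever data database cn=config holds.

# Constructed cn=config dump standing in for the output of
#   ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config dn
# (sample values: hdb rather than bdb, suffix dc=nodomain).
SAMPLE_CONFIG_DUMP='dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=nodomain'

# first_data_db "<cn=config dump>": RDN of the lowest-numbered database that
# holds directory data, skipping the frontend and config pseudo-databases.
first_data_db() {
    printf '%s\n' "$1" | awk '
        /^dn: olcDatabase=/ {
            rdn = $2; sub(/,cn=config$/, "", rdn)          # olcDatabase={1}hdb
            type = rdn; sub(/^[^}]*[}]/, "", type)          # hdb
            if (type == "config" || type == "frontend") next
            n = rdn; sub(/^[^{]*[{]/, "", n); sub(/[}].*/, "", n)
            if (best == "" || n + 0 < bestn) { best = rdn; bestn = n + 0 }
        }
        END { print best }'
}

# Change that loads the module. The olcSssVlvConfig objectClass is defined by
# the module, so this must be applied before the overlay entry is added.
module_load_ldif() {
    printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: sssvlv.la\n'
}

# Overlay entry for <db RDN> with <max> and <maxkeys>, one attribute per line
# (the remaining sssvlv knobs keep their man-page defaults when omitted).
sssvlv_overlay_ldif() {
    printf 'dn: olcOverlay=sssvlv,%s,cn=config\nobjectClass: olcSssVlvConfig\nolcOverlay: sssvlv\nolcSssVlvMax: %s\nolcSssVlvMaxKeys: %s\n' "$1" "$2" "$3"
}

# Apply both against the running server as root over the ldapi socket.
apply_sssvlv() {
    _db=$(first_data_db "$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config dn)")
    [ -n "$_db" ] || { echo "no data database found in cn=config" >&2; return 1; }
    module_load_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    sssvlv_overlay_ldif "$_db" 10 5 | ldapadd -Q -Y EXTERNAL -H ldapi:///
}
```

Against the sample dump, `first_data_db "$SAMPLE_CONFIG_DUMP"` yields olcDatabase={1}hdb, so the generated entry is anchored under that database rather than the {1}bdb Chris assumed. The LDIF itself can live anywhere on disk, as Chris says; only the bind used by ldapadd/ldapmodify matters, and on a package that has no rootdn password set on cn=config the root-over-ldapi SASL EXTERNAL bind shown here is the usual way in.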
openldap-technical@openldap.org