Hello
I am using OpenLDAP 'openldap-2.4.31' on Debian. I have configured syncrepl. Everything works normally, but I frequently get the error below. The log file ownership is getting changed on one of the nodes automatically.
Here is the error from syslog.
Mar 29 12:14:26 xxx slapd[29405]: conn=5774 op=40651 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 29 12:14:29 xxx slapd[29405]: bdb(dc=xxx,dc=xxx,dc=xxx): /var/lib/ldap/xxx/log.0000000883: log file unreadable: Permission denied
Mar 29 12:14:29 xxx slapd[29405]: bdb(dc=xxx,dc=xxx,dc=xxx): PANIC: Permission denied
Mar 29 12:14:29 xxx slapd[29405]: bdb(dc=xxx,dc=xxx,dc=xxx): DB_ENV->log_newfh: 883: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 29 12:14:29 xxx slapd[29405]: bdb(dc=xxx,dc=xxx,dc=xxx): txn_checkpoint: log failed at LSN [883 68682]: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 29 12:14:30 xxx slapd[29405]: conn=5774 op=40652 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Mar 29 12:14:30 xxx slapd[29405]: conn=5774 op=40652 SRCH attr=objectclass
Any idea what is going wrong here?
LDAP is running as the user below.
openldap:x:106:108:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
$ id openldap
uid=106(openldap) gid=108(openldap) groups=108(openldap)
I don't find any logs for an open file issue, but I have still pasted the settings below.
Open file limit settings
openldap soft nofile 65536
openldap hard nofile 65536
slapd.conf settings
loglevel sync stats
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit 500
tool-threads 8
threads 16
backend hdb
database hdb
monitoring on
cachesize 50000
idlcachesize 50000
directory "/var/lib/ldap/account"
dbconfig set_cachesize 0 167772160 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,snAccount,snEnabled,entryCSN,entryUUID eq
index cn eq,pres,subany
lastmod on
checkpoint 5120 30
access to dn.base="" by * read
syncrepl rid=001
  provider=ldap://xx.xx.xxx.xxx
  bindmethod=simple
  binddn="cn=xxx,ou=administrators,dc=test,dc=IN"
  credentials=xxx
  searchbase="dc=account,dc=test,dc=IN"
  schemachecking=on
  type=refreshAndPersist
  retry="10 +"
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
Br/Prashanth
On Tue, Mar 29, 2016 at 12:11:29PM +0200, Prashanth P.Nair wrote:
Hello
I am using OpenLDAP 'openldap-2.4.31' on Debian. I have configured syncrepl. Everything works normally, but I frequently get the error below. The log file ownership is getting changed on one of the nodes automatically.
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
I shot myself in the foot with a backup script that ran as root, and it would sometimes mess with the ownership of the transaction logs.
Br/Prashanth
On Tue, Mar 29, 2016 at 8:20 PM, Brian Reichert reichert@numachi.com wrote:
On Tue, Mar 29, 2016 at 12:11:29PM +0200, Prashanth P.Nair wrote:
Hello
I am using OpenLDAP 'openldap-2.4.31' on Debian. I have configured syncrepl. Everything works normally, but I frequently get the error below. The log file ownership is getting changed on one of the nodes automatically.
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
I shot myself in the foot with a backup script that ran as root, and it would sometimes mess with the ownership of the transaction logs.
Br/Prashanth
Thanks Brian
Yes, I have a backup script which runs as root. But it stores the backup file in a different location.
Here is the script.
/usr/bin/logger -t ldap_backup "Starting hourly LDAP backup"
for each in 1 2 3 4 5 6; do
    /usr/bin/logger -t ldap_backup "Backing up database number $each";
    /usr/sbin/slapcat -n $each -l /var/backup/$(date +%F_%H%M)_$each.ldif;
done
/usr/bin/logger -t ldap_backup "Hourly LDAP backup finished."
----------
root@-02:~# ls -lt /var/
total 36
drwxr-xr-x 2 root root 16384 Mar 30 12:14 backup
----------
root@02:~# ls -lt /var/lib/
drwxr-xr-x 12 openldap openldap 4096 Feb 21 2014 ldap
---------
-- Brian Reichert reichert@numachi.com BSD admin/developer at large
On Wed, Mar 30, 2016 at 05:48:56PM +0200, Prashanth P.Nair wrote:
Thanks Brian
Yes, I have a backup script which runs as root. But it stores the backup file in a different location.
That script looks safe, but you didn't answer my other question:
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
On Thu, Mar 31, 2016 at 4:10 PM, Brian Reichert reichert@numachi.com wrote:
On Wed, Mar 30, 2016 at 05:48:56PM +0200, Prashanth P.Nair wrote:
Thanks Brian
Yes, I have a backup script which runs as root. But it stores the backup file in a different location.
That script looks safe, but you didn't answer my other question:
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
Thanks Brian.
Could you please let me know how that can be checked?
I have these utilities, but nothing is running.
root@02:~# db
db4.8_archive     db4.8_hotbackup  db4.8_sql      dbus-cleanup-sockets  dbus-uuidgen
db4.8_checkpoint  db4.8_load       db4.8_stat     dbus-daemon
db4.8_deadlock    db4.8_printlog   db4.8_upgrade  dbus-monitor
db4.8_dump        db4.8_recover    db4.8_verify   dbus-send
root@02:~# ps -ef| grep db4.8_checkpoint
root 15319 15251 0 17:30 pts/0 00:00:00 grep db4.8_checkpoint
-- Brian Reichert reichert@numachi.com BSD admin/developer at large
On Thu, Mar 31, 2016 at 04:31:42PM +0200, Prashanth P.Nair wrote:
On Thu, Mar 31, 2016 at 4:10 PM, Brian Reichert reichert@numachi.com wrote:
On Wed, Mar 30, 2016 at 05:48:56PM +0200, Prashanth P.Nair wrote:
Thanks Brian
Yes, I have a backup script which runs as root. But it stores the backup file in a different location.
That script looks safe, but you didn't answer my other question:
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
Thanks Brian.
Could you please let me know how that can be checked?
I have no way of knowing what sort of administrative tooling you may have on your systems.
In my specific case, I was running a CentOS 5-based system. This distribution had a version of OpenLDAP that was compiled against a private copy of the Berkeley database library.
I had a home-rolled backup cronjob that ran these utilities:
/usr/sbin/slapd_db_checkpoint /usr/sbin/slapd_db_archive
but did so as 'root', not as slapd's UID. Once in a great while, this would result in a transaction log owned by root, and slapd would fail.
On Thu, Mar 31, 2016 at 4:50 PM, Brian Reichert reichert@numachi.com wrote:
On Thu, Mar 31, 2016 at 04:31:42PM +0200, Prashanth P.Nair wrote:
On Thu, Mar 31, 2016 at 4:10 PM, Brian Reichert reichert@numachi.com wrote:
On Wed, Mar 30, 2016 at 05:48:56PM +0200, Prashanth P.Nair wrote:
Thanks Brian
Yes, I have a backup script which runs as root. But it stores the backup file in a different location.
That script looks safe, but you didn't answer my other question:
Does that node run any of the db_checkpoint utilities as a user other than your openldap UID?
Thanks Brian.
Could you please let me know how that can be checked?
I have no way of knowing what sort of administrative tooling you may have on your systems.
In my specific case, I was running a CentOS 5-based system. This distribution had a version of OpenLDAP that was compiled against a private copy of the Berkeley database library.
I had a home-rolled backup cronjob that ran these utilities:
/usr/sbin/slapd_db_checkpoint /usr/sbin/slapd_db_archive
but did so as 'root', not as slapd's UID. Once in a great while, this would result in a transaction log owned by root, and slapd would fail.
I don't find any db utilities running.
I am running LDAP on a Debian machine, and I have the db utilities below, but they are not running at all.
+++-=======================-================-================-====================================================
ii db4.8-util 4.8.30-2 amd64 Berkeley v4.8 Database Utilities
-rwxr-xr-x 1 root root 8088 Aug 30 2010 /usr/bin/db4.8_archive
-rwxr-xr-x 1 root root 9896 Aug 30 2010 /usr/bin/db4.8_checkpoint
-rwxr-xr-x 1 root root 10136 Aug 30 2010 /usr/bin/db4.8_deadlock
-rwxr-xr-x 1 root root 12376 Aug 30 2010 /usr/bin/db4.8_dump
-rwxr-xr-x 1 root root 17200 Aug 30 2010 /usr/bin/db4.8_hotbackup
-rwxr-xr-x 1 root root 23432 Aug 30 2010 /usr/bin/db4.8_load
-rwxr-xr-x 1 root root 67440 Aug 30 2010 /usr/bin/db4.8_printlog
-rwxr-xr-x 1 root root 9928 Aug 30 2010 /usr/bin/db4.8_recover
-rwxr-xr-x 1 root root 119224 Aug 30 2010 /usr/bin/db4.8_sql
-rwxr-xr-x 1 root root 10944 Aug 30 2010 /usr/bin/db4.8_stat
-rwxr-xr-x 1 root root 8760 Aug 30 2010 /usr/bin/db4.8_upgrade
-rwxr-xr-x 1 root root 9240 Aug 30 2010 /usr/bin/db4.8_verify
-- Brian Reichert reichert@numachi.com BSD admin/developer at large
Brian Reichert wrote:
I had a home-rolled backup cronjob that ran these utilities:
/usr/sbin/slapd_db_checkpoint /usr/sbin/slapd_db_archive
but did so as 'root', not as slapd's UID. Once in a great while, this would result in a transaction log owned by root, and slapd would fail.
From my understanding those commands change DB environment. IMO this is asking for trouble and is also obsolete with back-mdb.
The recommended way to export your DB for backup is to use slapcat command-line tool.
Ciao, Michael.
On Thu, Mar 31, 2016 at 6:51 PM, Michael Ströder michael@stroeder.com wrote:
Brian Reichert wrote:
I had a home-rolled backup cronjob that ran these utilities:
/usr/sbin/slapd_db_checkpoint /usr/sbin/slapd_db_archive
but did so as 'root', not as slapd's UID. Once in a great while, this would result in a transaction log owned by root, and slapd would fail.
From my understanding those commands change DB environment. IMO this is asking for trouble and is also obsolete with back-mdb.
The recommended way to export your DB for backup is to use slapcat command-line tool.
Ciao, Michael.
Thanks Michael. But no DB check utilities are running in my system.
openldap-technical@openldap.org
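One way to check for the condition discussed in this thread (a transaction log or other database file that slapd's user does not own), written as an added example that is not part of any poster's message. The function names are hypothetical; the `openldap` user and the `/var/lib/ldap/account` directory are taken from the first message, and the file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report files in a back-hdb/BDB database directory that are
# not owned by the UID slapd runs as. Function names are hypothetical.

# Print "uid:gid  mtime  path" for every regular file directly inside DIR
# (log.*, __db.*, *.bdb, alock, DB_CONFIG) whose owner is not WANT_UID.
# LC_ALL=C pins the "ls -ln" date layout so the awk field numbers hold.
foreign_owned() {
    dir=$1; want_uid=$2
    LC_ALL=C find "$dir" -maxdepth 1 -type f ! -uid "$want_uid" \
        -exec ls -ln {} + |
        awk '{ printf "%s:%s  %s %s %s  %s\n", $3, $4, $6, $7, $8, $9 }'
}

# Return 0 when every file belongs to WANT_UID, 1 otherwise, so the check
# can be called from cron or a monitoring probe. Details go to stderr.
check_bdb_owner() {
    dir=$1; want_uid=$2
    bad=$(foreign_owned "$dir" "$want_uid")
    if [ -z "$bad" ]; then
        return 0
    fi
    echo "files in $dir not owned by uid $want_uid:" >&2
    echo "$bad" >&2
    return 1
}

# Stand-alone use: sh check_owner.sh /var/lib/ldap/account openldap
# (runs only when a directory is given on the command line)
if [ "$#" -gt 0 ]; then
    check_bdb_owner "$1" "$(id -u "${2:-openldap}")"
fi
```

The mtime column of any file it reports can be compared with the times at which root-owned cron jobs run on that node.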