Hi all,
I'm trying to move our LDAP from an old CentOS 6 server to a new Debian 11 server, but I'm running into a problem importing the config on the new server with slapadd:

    63cc2422 <= str2entry: str2ad(olcDbCacheSize): attribute type undefined
    slapadd: could not parse entry (line=2076)

I read that it's because of BDB being removed and no longer supported. What should I do, then?
I admit LDAP is an area I practically know nothing about, so I'll appreciate your patience. This instance has been in place before I started my position over 6.5 years ago! It's been running great, but the server it's running on is also getting old and used for intense computation still at times, so I'm trying to be proactive and separate the LDAP service off to another server that is newer, that I can keep updated.
The current, old server is running:

    @(#) $OpenLDAP: slapd 2.4.40 (Mar 22 2017 06:29:21) $
            mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
    Included static backends:
        config
        ldif
        monitor
        bdb
        hdb
        ldap
        mdb
        meta
        null
        passwd
        relay
        shell
        sock

and new server is running:

    @(#) $OpenLDAP: slapd 2.4.57+dfsg-3+deb11u1 (May 14 2022 18:32:57) $
            Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
    Included static backends:
        config
        ldif

On the old server, I just ran:

    # cd /tmp
    # slapcat -n 0 -l config.ldif
    63cc1841 PROXIED attributeDescription "DC" inserted.
    # slapcat -n 1 -l user.ldif
    63cc1943 PROXIED attributeDescription "DC" inserted.
    #

Then transferred the *.ldif to the new server and ran:
# slapadd -n 0 -l /tmp/config.ldif
This didn't work right off, so I adjusted the values of some parameters inside, such as: olcConfigFile, olcConfigDir, olcArgsFile, olcPidFile, olcTLSCertificateFile, olcTLSCertificateKeyFile. These were all in the `dn: cn=config`.
After some more tries, figured I needed the -F option so am now using this command:

    # slapadd -n 0 -l /tmp/config.ldif -F /etc/ldap/slapd.d
    63cc1f0f PROXIED attributeDescription "DC" inserted.
    63cc1f0f <= str2entry: str2ad(olcDbCacheSize): attribute type undefined
    slapadd: could not parse entry (line=2076)
    _################### 99.05% eta none elapsed none spd 13.5 M/s
    Closing DB...
    #

which brings us to the present situation. So, let me know if you have any ideas of what I should do/try next!
Best, Chandler
On Sat, Jan 21, 2023 at 12:20:47PM -0700, Chandler Sobel-Sorenson wrote:
> 63cc2422 <= str2entry: str2ad(olcDbCacheSize): attribute type undefined
> slapadd: could not parse entry (line=2076)

Your slapd output below shows that the BDB backend is built-in on the CentOS version. In Debian, it's a loadable module (not listed under "included static backends"). Try "olcModuleLoad: back_bdb" (under "cn=module{0},cn=config").

> I read that it's because of BDB being removed and no longer supported. What should I do, then?

That's true for the OpenLDAP 2.5 series. In Debian 11, BDB is still available (but deprecated, and it's recommended to migrate to the modern LMDB backend at your earliest convenience).
Ryan
Ryan Tandy wrote on 1/21/23 2:59 PM:
> Try "olcModuleLoad: back_bdb" (under "cn=module{0},cn=config").

Oh, thank you! but when I try that, it can't get past that part now:
slapadd: could not add entry dn="cn=module{0},cn=config" (line=42):
here is that section for reference:

    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModuleLoad: {0}ppolicy.la
    structuralObjectClass: olcModuleList
    entryUUID: 7740c768-5317-1030-8b2d-fdcfaa05fe78
    creatorsName: cn=config
    createTimestamp: 20110804185820Z
    entryCSN: 20110804185820.719606Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20110804185820Z

I tried adding it after the other olcModuleLoad parameter, as well as at the bottom, but still get the error it can't process line 42.
Also, is there a way to overwrite the config when I call slapadd, so I don't have to keep `rm -rf slapd.d/*` every time it fails?

> it's recommended to migrate to the modern LMDB backend at your earliest convenience).

That would probably be now while I'm moving everything over, yes? I'll search around for a guide...
--On Saturday, January 21, 2023 5:14 PM -0700 Chandler Sobel-Sorenson chandler@genome.arizona.edu wrote:
> Ryan Tandy wrote on 1/21/23 2:59 PM:
>> Try "olcModuleLoad: back_bdb" (under "cn=module{0},cn=config").
>
> Oh, thank you! but when I try that, it can't get past that part now:
>
> slapadd: could not add entry dn="cn=module{0},cn=config" (line=42):

a) The OpenLDAP 2.4 series is historic, I'd strongly advise upgrading to a supported release series. Debian 11 unfortunately does not have it available natively, and it's also linked to GnuTLS as opposed to OpenSSL which can cause some differences in configuration from your existing setup if you are using TLS.
There are a few options available for OpenLDAP 2.5 packages if you're not comfortable maintaining them yourself:
1. Packages provided by Symas free of charge. They also can provide paid support contracts with discounts for educational institutions: https://repo.symas.com/
2. The LTB project: https://ltb-project.org/download.html
b) If you provide your cn=config database (minus passwords, etc) I can document for you what's necessary for upgrading to both back-mdb and to OpenLDAP 2.5+
I've also removed your moderation flag. I'd note in the future before sending off nastygrams, consider that FOSS Projects are *volunteer* organizations, which means if you're starting something on a weekend you should probably expect delayed responses.
Regards, Quanah
Quanah Gibson-Mount wrote on 1/22/23 10:09 AM:
> a) The OpenLDAP 2.4 series is historic, I'd strongly advise upgrading to a supported release series. There are a few options available for OpenLDAP 2.5 packages if you're not comfortable maintaining them yourself:

Thanks I will definitely look into this during this transition period.

> b) If you provide your cn=config database (minus passwords, etc) I can document for you what's necessary for upgrading to both back-mdb and to OpenLDAP 2.5+

Ok, let's see. I made the changes needed to convert it to mdb and got the ldif imported, just having a strange permission issue now, which I'll post in my other follow-up I'm working on. Almost thought I was close to completing this! I'll check on getting 2.5 installed and what that entails...

> I've also removed your moderation flag. I'd note in the future before sending off nastygrams, consider that FOSS Projects are *volunteer* organizations, which means if you're starting something on a weekend you should probably expect delayed responses.

Thanks dear! I don't think I sent anything nasty though, just observing that my first post was approved but subsequent one was still moderated, someone was obviously around! It messes with the communication since others don't see my reply but then they post follow-ups, etc...
My position is only part time and I work over a full time schedule, over the weekends as well, so definitely understand and appreciate the volunteer spirit! Sorry to have upset!
Since then I've made some progress...
Chandler Sobel-Sorenson wrote on 1/21/23 5:14 PM:
> Ryan Tandy wrote on 1/21/23 2:59 PM:
>> Try "olcModuleLoad: back_bdb" (under "cn=module{0},cn=config").
>
> slapadd: could not add entry dn="cn=module{0},cn=config" (line=42):
> here is that section for reference:
> [...]
> olcModuleLoad: {0}ppolicy.la

What ended up working was "olcModuleLoad: {1}back_bdb.la" after this line. Also had to add "olcModuleLoad: {2}back_monitor.la" plus some other changes.

>> it's recommended to migrate to the modern LMDB backend at your earliest convenience).
>
> That would probably be now while I'm moving everything over, yes? I'll search around for a guide...

After that I proceeded to convert it to use mdb. That entailed things like: deleting a bunch of olcDb* olcAttributeTypes, olcBdbConfig and olcHdbConfig olcObjectClasses, a bunch of olcDb* attributes, and added olcDbMaxSize attribute.
Now just getting a permissions error that I don't understand yet, but I'll try upgrading to 2.5 first. Version 2.5.13+dfsg-2~bpo11+1 is in bullseye-backports!
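
As an added example (not code from this thread or from the OpenLDAP project), the following Python rewrites a `slapcat -n 0` dump along the lines described above: bdb/hdb database entries become mdb, BDB-only tuning attributes such as olcDbCacheSize are dropped, olcDbMaxSize is added, and back_mdb is appended to the module list. The attribute list, the 1 GiB map size and the sample LDIF are assumptions; schema entries are left untouched.

```python
import re

# BDB/HDB-only tuning attributes (assumed list; verify against slapd-bdb(5)).
BDB_ONLY = {a.lower() for a in (
    "olcDbCacheSize olcDbCacheFree olcDbConfig olcDbCryptFile olcDbCryptKey "
    "olcDbDirtyRead olcDbDNcacheSize olcDbIDLcacheSize olcDbLinearIndex "
    "olcDbLockDetect olcDbPageSize olcDbShmKey").split()}
DB_RDN = re.compile(r"(olcDatabase=\{\d+\})[bh]db(?=,cn=config$)", re.I)

def convert(ldif, max_size=1073741824):  # 1 GiB map size: placeholder value
    text = re.sub(r"\n ", "", ldif)      # unfold LDIF continuation lines first
    entries = re.split(r"\n\s*\n", text.strip())
    return "\n\n".join(_entry(e.split("\n"), max_size) for e in entries) + "\n"

def _entry(lines, max_size):
    is_db = re.match(r"dn: olcDatabase=\{\d+\}[bh]db,cn=config$", lines[0], re.I)
    is_mod = re.match(r"dn: cn=module\{0\},cn=config$", lines[0], re.I)
    out = [DB_RDN.sub(r"\1mdb", lines[0])]   # also rewrites overlay child DNs
    for line in lines[1:]:
        attr = line.split(":", 1)[0].lower()
        if is_db and attr in BDB_ONLY:
            continue                         # no back-mdb equivalent
        if is_db and attr == "olcdatabase":
            line = re.sub(r"[bh]db$", "mdb", line, flags=re.I)
        if is_db and attr in ("objectclass", "structuralobjectclass"):
            line = re.sub(r"olc[BH]dbConfig$", "olcMdbConfig", line, flags=re.I)
        out.append(line)
    if is_db:
        out.append(f"olcDbMaxSize: {max_size}")
    loads = [l for l in out if l.lower().startswith("olcmoduleload:")]
    if is_mod and not any("back_mdb" in l for l in loads):
        out.append(f"olcModuleLoad: {{{len(loads)}}}back_mdb.la")  # ".la" as in the thread
    return "\n".join(out)

# Constructed sample; the overlay DN is folded to show why unfolding matters.
SAMPLE = """dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {0}ppolicy.la

dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000

dn: olcOverlay={0}ppolicy,olcDatabase={1}b
 db,cn=config
olcOverlay: {0}ppolicy
"""
print(convert(SAMPLE))
```

Run it on a copy of the dump and diff the result against the original before feeding it to `slapadd -n 0`.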
--On Sunday, January 22, 2023 1:51 PM -0700 Chandler Sobel-Sorenson chandler@genome.arizona.edu wrote:
> Now just getting a permissions error that I don't understand yet, but I'll try upgrading to 2.5 first. Version 2.5.13+dfsg-2~bpo11+1 is in bullseye-backports!

Biggest thing is you'll need to remove the ppolicy schema file from your schema tree. It's part of the overlay itself now.
--Quanah
On 2023/01/21 12:20, Chandler Sobel-Sorenson wrote:
> Hi all,
> I'm trying to move our LDAP from an old CentOS 6 server to a new Debian 11 server, but I'm running into a problem importing the config on the new server with slapadd:
>
> 63cc2422 <= str2entry: str2ad(olcDbCacheSize): attribute type undefined
> slapadd: could not parse entry (line=2076)
>
> I read that it's because of BDB being removed and no longer supported. What should I do, then?

This is specific to BDB. Assuming you're moving to the recommended MDB backend, you can remove it.
https://kb.symas.com/migrating-bdbhdb-to-mdb-slapdconf.html is helpful, though depending on how packages are built some of it may be irrelevant or need slight adjustment.
openldap-technical@openldap.org