Hi listers
this is on Fedora 17 running openldap-servers-2.4.31-2.fc17.x86_64
When trying to start slapd on this system, I run into the following deadlock:
1. [root@myws ~]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
	  Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
	  Active: failed (Result: timeout) since Tue, 26 Jun 2012 14:23:02 +0200; 16s ago
	 Process: 2531 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
	 Process: 2467 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/slapd.service
When I checked /var/log/localmessages, I found
Jun 26 13:08:21 casablanca slapd[838]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
I remembered that this was exactly the file where I had introduced the olcRootPW attribute for the cn=config subtree. So I removed the olcRootPW attribute from this file.
2. Then I could start slapd, no problem.
3. I tried to go into the cn=config subtree of the DIT on that slapd server. I tried it without a password, since I had removed the password from this subtree.
I got:
Return Code from Bind: 48
Message: LDAP_INAPPROPRIATE_AUTH: The server requires the client which had attempted to bind anonymously or without supplying credentials to provide some form of credentials
4. I tried to go into the cn=config subtree of the DIT on that slapd server using the password I had usually used at this point.
I got:
Return Code from Bind: 49
Message: LDAP_INVALID_CREDENTIALS: The wrong password was supplied or the SASL credentials could not be processed
5. I googled around and found the following:
...
Obvious approach:
slapcat -n0 -F old/slapd.d > config.ldif
edit config.ldif
slapadd -n0 -F new/slapd.d -l config.ldif
test using new/slapd.d
deploy
...
which I followed because I thought that such a clever approach can come only from a clever openldap guy.
But when I tried to introduce the edited config.ldif into the DIT, I got
[root@myws /etc/openldap]# slapadd -n0 -F slapd.d -l /tmp/slapd.config.ldif
slapadd: could not add entry dn="cn=config" (line=1):
_ 1.03% eta   none elapsed            none spd   4.5 M/s
Closing DB...
[root@myws /etc/openldap]#
6. I am now at the point that I cannot access the cn=config subtree, because I cannot define the password to access this subtree, and because, to access that subtree, I need to have defined the appropriate password. Looks very much kind of like a deadlock.
Is there anybody out there who knows how to circumvent this deadlock or do I need to file a bug to openldap?
Thanks for your patience.
suomi
On Tue, 26 Jun 2012, suomi wrote: [...]
[root@myws /etc/openldap]# slapadd -n0 -F slapd.d -l /tmp/slapd.config.ldif
slapadd: could not add entry dn="cn=config" (line=1):
_ 1.03% eta   none elapsed            none spd   4.5 M/s
Closing DB...
0. What's really going on here? slapadd, like most OpenLDAP Software, supports "-d" debugging option. It looks like this is erroring out so quickly that I'd just go for "-d -1" and see what happens. You'll probably get a better clue with this output...
1. The crystal ball (blindly) says the "better clue" is going to be something along the lines of "entry exists" -- is your output directory /etc/openldap/slapd.d empty at the time of running slapadd?
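The slapcat/edit/slapadd procedure quoted in the original post, with the two checks the reply asks for (an empty output directory before slapadd, and a rerun with "-d -1" when slapadd fails), written out as an added shell example. This is not code from the thread or from the OpenLDAP project; slapcat, slapadd and slaptest and their -n0/-F/-l/-d options are the real tools, while the WORK directory, the file names and the helper function names are this example's own choices. It never edits a file under slapd.d by hand, which is what leaves a stale stored checksum behind and produces the ldif_read_file checksum error the post hit.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the cn=config database into a
# fresh directory, refusing to run when the target is not empty, and capture
# "-d -1" debug output if slapadd fails.
# Real OpenLDAP tools and flags; WORK and the file names are assumptions.

OLD_CONFDIR="${OLD_CONFDIR:-/etc/openldap/slapd.d}"   # current config (Fedora path)
WORK="${WORK:-/tmp/slapd-rebuild}"                    # scratch area, this example's choice
NEW_CONFDIR="$WORK/slapd.d"                           # must be empty before slapadd -n0

# 0 when the directory exists and contains nothing (dotfiles included).
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# 0 when the LDIF starts with the cn=config root entry, which is the entry
# slapadd reports at line 1 in the post's error.
ldif_has_config_root() {
    grep -q '^dn: cn=config$' "$1"
}

rebuild_config() {
    for tool in slapcat slapadd slaptest; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    mkdir -p "$NEW_CONFDIR" "$WORK"
    if ! dir_is_empty "$NEW_CONFDIR"; then
        echo "refusing: $NEW_CONFDIR is not empty (the reply expects 'entry exists' here)" >&2
        return 1
    fi
    # 1. Dump the config database (-n0) from the existing slapd.d to LDIF.
    slapcat -n0 -F "$OLD_CONFDIR" -l "$WORK/config.ldif" || return 1
    ldif_has_config_root "$WORK/config.ldif" || { echo "no cn=config entry in dump" >&2; return 1; }
    # 2. Edit $WORK/config.ldif here (e.g. add or change olcRootPW on
    #    olcDatabase={0}config); edit the dump, never the files in slapd.d.
    # 3. Load the LDIF into the empty directory; on failure rerun with full
    #    debugging, as the reply suggests, and keep the output for reading.
    if ! slapadd -n0 -F "$NEW_CONFDIR" -l "$WORK/config.ldif"; then
        slapadd -d -1 -n0 -F "$NEW_CONFDIR" -l "$WORK/config.ldif" 2>"$WORK/slapadd.debug"
        echo "slapadd failed; debug output in $WORK/slapadd.debug" >&2
        return 1
    fi
    # 4. Test the new directory before deploying it over the old one.
    slaptest -F "$NEW_CONFDIR"
}

# Run only when invoked as: sh this-script.sh run
case "${1:-}" in run) rebuild_config ;; esac
```

Run it as root with the environment variables left at their defaults to rebuild into /tmp/slapd-rebuild/slapd.d; the deploy step (copying the tested directory over /etc/openldap/slapd.d with the ldap user as owner) is deliberately left to the operator, as in the quoted procedure.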
openldap-technical@openldap.org