Hi all, I just went through all of this previously. I documented everything. I don't believe (yeah... believe) I changed anything. I verified that my firewall rules are correct (although this is all local)
I just shut down slapd with:

systemctl stop slapd

I did:

rm -rf /var/lib/ldap/* /etc/openldap/slapd.d/*

Changed my password with slappasswd and put the new one in my slapd.conf.

Re-initialized everything with:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

Got that the configuration passed. Checked slapd.d and /var/lib/ldap. Both had expected values/files.

Did:

chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/ldap
systemctl start slapd

Tried to add my memberof.ldif file with:

ldapadd -f /etc/openldap/memberof.ldif -v -D "cn=config" -H ldap://newldap.hq.example.com -W -c

Got prompted for the password and got an "invalid credentials (49)" (I tried re-doing this multiple times with simple passwords... but same issue...)
slapd -d -1 shows me:

5d8267a3 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
5d8267a3 backend_startup_one: starting "dc=hq,dc=example,dc=com"
5d8267a3 mdb_db_open: "dc=hq,dc=example,dc=com"
5d8267a3 mdb_db_open: database "dc=hq,dc=example,dc=com": dbenv_open(/var/lib/ldap).
5d8267a3 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
5d8267a3 slapd starting
5d8267a3 daemon: added 4r listener=(nil)
5d8267a3 daemon: added 7r listener=0x565118e8b500
5d8267a3 daemon: added 8r listener=0x565118e8b330
5d8267a3 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267a3 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267a3 daemon: activity on 1 descriptor
5d8267a3 daemon: activity on:
5d8267a3 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267a3 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267b8 daemon: activity on 1 descriptor
5d8267b8 daemon: activity on:
5d8267b8 slap_listener_activate(7):
5d8267b8 daemon: epoll: listen=7 busy
5d8267b8 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267b8 >>> slap_listener(ldap:///)
5d8267b8 daemon: listen=7, new connection on 12
5d8267b8 daemon: added 12r (active) listener=(nil)
5d8267b8 conn=1000 fd=12 ACCEPT from IP=192.168.2.60:39984 (IP=0.0.0.0:389)
5d8267b8 daemon: activity on 2 descriptors
5d8267b8 daemon: activity on: 12r
5d8267b8 daemon: read active on 12
5d8267b8 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267b8 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267b8 connection_get(12)
5d8267b8 connection_get(12): got connid=1000
5d8267b8 connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  30 27 02 01 01 60 22 02                            0'...`".
ldap_read: want=33, got=33
  0000:  01 03 04 09 63 6e 3d 63 6f 6e 66 69 67 80 12 62    ....cn=config..b
  0010:  6f 73 74 6f 6e 2d 65 6e 67 69 6e 65 65 72 69 6e
  0020:  67                                                 g
ber_get_next: tag 0x30 len 39 contents:
ber_dump: buf=0x7f21bc001e00 ptr=0x7f21bc001e00 end=0x7f21bc001e27 len=39
  0000:  02 01 01 60 22 02 01 03 04 09 63 6e 3d 63 6f 6e    ...`".....cn=con
  0010:  66 69 67 80 12 62 6f 73 74 6f 6e 2d 65 6e 67 69    fig..
  0020:  6e 65 65 72 69 6e 67                               neering
5d8267b8 op tag 0x60, time 1568827320
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5d8267b8 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f21bc001e00 ptr=0x7f21bc001e03 end=0x7f21bc001e27 len=36
  0000:  60 22 02 01 03 04 09 63 6e 3d 63 6f 6e 66 69 67    `".....cn=config
  0010:  80 12 62 6f 73 74 6f 6e 2d 65 6e 67 69 6e 65 65    .
  0020:  72 69 6e 67                                        ring
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f21bc001e00 ptr=0x7f21bc001e13 end=0x7f21bc001e27 len=20
  0000:  00 12 62 6f 73 74 6f 6e 2d 65 6e 67 69 6e 65 65    .
  0010:  72 69 6e 67                                        ring
5d8267b8 >>> dnPrettyNormal: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5d8267b8 <<< dnPrettyNormal: <cn=config>, <cn=config>
5d8267b8 conn=1000 op=0 BIND dn="cn=config" method=128
5d8267b8 do_bind: version=3 dn="cn=config" method=128
5d8267b8 send_ldap_result: conn=1000 op=0 p=3
5d8267b8 send_ldap_result: err=49 matched="" text=""
5d8267b8 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 12
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
5d8267b8 conn=1000 op=0 RESULT tag=97 err=49 text=
5d8267b8 daemon: activity on 1 descriptor
5d8267b8 daemon: activity on:
5d8267b8 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267b8 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267b8 daemon: activity on 1 descriptor
5d8267b8 daemon: activity on: 12r
5d8267b8 daemon: read active on 12
5d8267b8 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267b8 daemon: epoll: listen=8 active_threads=0 tvp=zero
5d8267b8 connection_get(12)
5d8267b8 connection_get(12): got connid=1000
5d8267b8 connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f21bc000a80 ptr=0x7f21bc000a80 end=0x7f21bc000a85 len=5
  0000:  02 01 02 42 00                                     ...B.
5d8267b8 op tag 0x42, time 1568827320
ber_get_next
ldap_read: want=8, got=0
5d8267b8 ber_get_next on fd 12 failed errno=0 (Success)
5d8267b8 connection_read(12): input error=-2 id=1000, closing.
5d8267b8 connection_closing: readying conn=1000 sd=12 for close
5d8267b8 connection_close: deferring conn=1000 sd=12
5d8267b8 conn=1000 op=1 do_unbind
5d8267b8 conn=1000 op=1 UNBIND
5d8267b8 connection_resched: attempting closing conn=1000 sd=12
5d8267b8 connection_close: conn=1000 sd=12
5d8267b8 daemon: removing 12
5d8267b8 conn=1000 fd=12 closed
5d8267b8 daemon: activity on 1 descriptor
5d8267b8 daemon: activity on:
5d8267b8 daemon: epoll: listen=7 active_threads=0 tvp=zero
5d8267b8 daemon: epoll: listen=8 active_threads=0 tvp=zero
--On Wednesday, September 18, 2019 6:29 PM +0000 Paul Pathiakis pathiaki2@yahoo.com wrote:
> ldapadd -f /etc/openldap/memberof.ldif -v -D "cn=config" -H ldap://newldap.hq.example.com -W -c
We cannot magically intuit how you have defined access to the cn=config database.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
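The point behind Quanah's reply is that access to cn=config is granted by the config database's own rootpw, not by the rootpw of the dc=hq,dc=example,dc=com database. In slapd.conf each "database <type>" line opens a new stanza and a rootpw line belongs only to the stanza it sits in, so a password placed under "database mdb" leaves cn=config without one, and a simple bind as cn=config is refused with err=49 exactly as the debug trace above shows. The script below is an added example, not code from the thread or from the OpenLDAP project: it checks a slapd.conf for a rootpw inside a "database config" stanza and runs that check over two constructed files, one mirroring the failing layout and one with the extra stanza. The file names and the {SSHA} placeholder are assumptions; a real hash comes from slappasswd.

```shell
#!/bin/sh
# Added example (not from the thread): does a slapd.conf give the
# cn=config database a root password of its own?
#
# slapd.conf is read stanza by stanza: every "database <type>" line
# starts a new stanza, and rootdn/rootpw apply only to the stanza they
# appear in. A rootpw written under "database mdb" says nothing about
# cn=config; for that a "database config" stanza with its own rootpw
# is needed, otherwise "ldapadd -D cn=config -W" fails with err=49.
#
# File names and the {SSHA} value below are constructed placeholders.

# config_rootpw_defined FILE
# Exit 0 when the "database config" stanza of FILE contains a rootpw
# line, 1 otherwise. Keywords are compared case-insensitively on the
# first field, so indentation and value quoting do not matter.
config_rootpw_defined() {
    awk '
        tolower($1) == "database" { in_config = (tolower($2) == "config") }
        in_config && tolower($1) == "rootpw" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# config_rootpw_status FILE -> prints "yes" or "no"
config_rootpw_status() {
    if config_rootpw_defined "$1"; then echo yes; else echo no; fi
}

# write_samples
# Writes two constructed slapd.conf files into a fresh temporary
# directory and prints the directory name.
#   broken.conf: rootpw only under the mdb database, the layout that
#                yields "invalid credentials (49)" for cn=config
#   fixed.conf:  the same file plus a "database config" stanza
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/broken.conf" <<'EOF'
include /etc/openldap/schema/core.schema
pidfile /var/run/openldap/slapd.pid

database mdb
suffix "dc=hq,dc=example,dc=com"
rootdn "cn=Manager,dc=hq,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-generate-with-slappasswd
directory /var/lib/ldap
EOF
    cat > "$dir/fixed.conf" <<'EOF'
include /etc/openldap/schema/core.schema
pidfile /var/run/openldap/slapd.pid

database config
rootdn "cn=config"
rootpw {SSHA}PLACEHOLDER-generate-with-slappasswd

database mdb
suffix "dc=hq,dc=example,dc=com"
rootdn "cn=Manager,dc=hq,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-generate-with-slappasswd
directory /var/lib/ldap
EOF
    printf '%s\n' "$dir"
}

# Demonstration: broken.conf reports "no", fixed.conf reports "yes".
samples=$(write_samples)
for name in broken fixed; do
    printf '%s: rootpw for cn=config defined: %s\n' \
        "$name.conf" "$(config_rootpw_status "$samples/$name.conf")"
done
```

After adding the stanza, the same conversion as in the thread (slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d, then chown -R ldap:ldap and a restart) carries it into slapd.d as olcRootPW on olcDatabase={0}config, and `ldapwhoami -H ldap://newldap.hq.example.com -D cn=config -W` should answer `dn:cn=config` before any ldapadd is attempted. Note also that the hex dump in the debug trace carries the bind password in the clear, because a simple bind over plain ldap:// sends it that way; binding over ldapi:/// or with StartTLS (ldapadd -ZZ) keeps it off the wire and out of such traces.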