Old 02-13-2008, 05:43 PM   #1
bbennett
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Rep: Reputation: 0
Frustrating OpenLDAP problem


Hello.

I'm trying to migrate an OpenLDAP database from one server to another. The old server was using Linux From Scratch and the new server is using CentOS 5.1. I'm using a "stock" build and doing my best to try and use yum packages wherever possible. The machine was installed with Openldap-servers and openldap-clients installed. Here's my problem.

If I start ldap using the "stock" configuration file, it works fine. When I start it using the config files from the other server, it segfaults.

Here's the ldap.conf file:

BASE dc=eb,dc=loc
URI ldap://127.0.0.1

And here's slapd.conf. You'll notice I've commented out the replication portion of things because this is a test box that doesn't have a "partner" to replicate to.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sphinx.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/mozilla.schema
include /etc/openldap/schema/pureftpd.schema
#include /etc/openldap/schema/sphinx.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args


database bdb
suffix "dc=eb,dc=loc"
rootdn "cn=Manager,dc=eb,dc=loc"
rootpw {SSHA}garbagehere
directory /var/openldap/openldap-data
password-hash {MD5}
password-crypt-salt-format "$1$.8s"


#replogfile /etc/openldap/replog
#updatedn "cn=replicator,dc=eb,dc=loc"
#updateref ldap://10.255.255.30


index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,givenName eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub


#access to attrs=userPassword,sambaLMPassword,sambaNTPassword
# by self write
# by anonymous auth
# by dn="cn=replicator,dc=eb,dc=loc" write
# by * none
#
#access to *
# by dn="cn=replicator,dc=eb,dc=loc" write
# by * read

Now, one of the first things I did was copy over the data files from /srv/ldap to /var/openldap. Then I deleted the alock file. Then I chown -R ldap:ldap /var/openldap to allow for permissions. Just to be on the safe side, I also issued a setsebool -R slapd_disable_trans=0 so that way SELinux wouldn't interfere with it.

Now, whenever I try to start it, I get this:
[root@hptestlin openldap]# service ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
[ OK ]
Starting slapd: [ OK ]

slapd or slurpd are not listed in the process list! /var/log/messages shows this:

Feb 13 16:39:02 hptestlin kernel: slaptest[22371]: segfault at 00002aaaae5a0008 rip 00002aaaaad66982 rsp 00007fffc0e08490 error 4
Feb 13 16:39:02 hptestlin kernel: slapd[22379]: segfault at 00002aaaaaacc008 rip 00002aaaaad66982 rsp 00007fff55738dc0 error 4

Doing a slapd_db_recover -v doesn't make any difference.

Lastly, if I attempt to start slapd manually with a -d 4, I get this:

[root@hptestlin openldap-data]# slapd -d 4
@(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:23:56) $
mockbuild@builder6.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
daemon_init: <null>
=> ldap_bv2dn(dc=eb,dc=loc,0)
<= ldap_bv2dn(dc=eb,dc=loc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=eb,dc=loc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=eb,dc=loc)=0
=> ldap_bv2dn(cn=Manager,dc=eb,dc=loc,0)
<= ldap_bv2dn(cn=Manager,dc=eb,dc=loc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,dc=eb,dc=loc)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=eb,dc=loc)=0
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema)=0
bdb_db_open: dc=eb,dc=loc
bdb_db_open: unclean shutdown detected; attempting recovery.
Segmentation fault

I'm at my wits' end here. Does anyone have any ideas? Does anyone need more information to be able to help out? I've Googled this with no luck. It always segfaults at the same address.

Your help is highly appreciated.

Last edited by bbennett; 02-13-2008 at 05:46 PM.
 
Old 02-13-2008, 09:07 PM   #2
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
Trying to copy the data from the old machine may be a problem. Have you tried just starting the server with the appropriate slapd.conf and then importing the data with an LDIF?
 
Old 02-14-2008, 10:50 AM   #3
bbennett
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by frndrfoe
Trying to copy the data from the old machine may be a problem. Have you tried just starting the server with the appropriate slapd.conf and then importing the data with an LDIF?
Thanks for the advice.

OK. Exporting the LDIF file worked fine from the old server.

However, this was the result:

[root@hptestlin ~]# slapadd -v -l openldap.ldif
bdb_db_open: unclean shutdown detected; attempting recovery.
Segmentation fault
[root@hptestlin ~]#

And if I tail /var/log/messages, I get the following:

Feb 14 08:36:25 hptestlin kernel: slapadd[25138]: segfault at 00002aaaae5a0008 rip 00002aaaaad66982 rsp 00007fff9f7d04a0 error 4

From what I can tell, all the LDIF file is, is the structure of the database, correct?

I also need to copy over all the data too. What's the best way to do that?

As well, I'm assuming that the reason why it keeps complaining about an unclean shutdown is because the alock file is missing and/or invalid.

What you've told me though, if I've understood you correctly, is that I need to fully export the database and then import it into the new machine, not just copy the data over with an scp command.

Thanks for all your patience.
 
Old 02-14-2008, 11:25 AM   #4
bbennett
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Just thought I'd add this. The reason why I didn't think that LDIF did a full backup was because the LDIF file slapcat created is only 48 Kilobytes in size (unless I did something wrong?), whereas the entire /var/openldap directory is about 269 Megabytes in size.

So, would ldapsearch and ldapadd be the right commands to export and import data? If so, I get something like this:

root@eb-lin-2:/etc# ldapsearch -w somepassword *
SASL/OTP authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no OTP secret in database

Now, I'm guessing this error is because I don't have the right password to the LDAP database. How do I extract it?
 
Old 02-14-2008, 04:32 PM   #5
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
find your "slapd.conf"
It should have some lines like this:
Code:
rootdn          "cn=Manager,dc=example,dc=org"
rootpw          {SSHA}REFEhgjfdd57678RFGGRGybdmjzjb/cRKr4
The garbage on the rootpw line is the encrypted password for the user specified in the rootdn line.

Type in "slappasswd" and then issue it your new password at its request. It will give you the info to put on the "rootpw" line and then your new password will allow you access.

You can view the LDIF, it's a plain text file. Make sure it has stuff that looks like an LDIF with user's parameters.

Last edited by frndrfoe; 02-14-2008 at 04:34 PM.
 
Old 02-14-2008, 05:06 PM   #6
aot2002
Member
 
Registered: Dec 2003
Location: NY
Distribution: Ubuntu 7.10
Posts: 66

Rep: Reputation: 15
Sounds like your Berkeley database is corrupted.

How do you handle stopping the daemon once it's started? According to the manual there's a specific way to do this; please make sure you're not using the kill command.

Check your Berkeley DB for corruption too.
 
Old 02-14-2008, 05:07 PM   #7
aot2002
Member
 
Registered: Dec 2003
Location: NY
Distribution: Ubuntu 7.10
Posts: 66

Rep: Reputation: 15
Also be cautious of mixing config files unless you're using the exact same OpenLDAP versions.
 
Old 02-15-2008, 09:15 AM   #8
bbennett
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks AOT2002.

I think this is quite possibly what could be causing my problems. The new server is running openldap from yum, whereas the old server is probably running a version of LDAP that is at least 3-4 years old.

So, I guess the big question is, how do I properly move the data from the old to the new server? Obviously, I'm doing it incorrectly. The two config files which seem to matter the most are included in with this post.

Any ideas?
 
Old 02-15-2008, 09:31 AM   #9
aot2002
Member
 
Registered: Dec 2003
Location: NY
Distribution: Ubuntu 7.10
Posts: 66

Rep: Reputation: 15
Quote:
Originally Posted by bbennett
Thanks AOT2002.

I think this is quite possibly what could be causing my problems. The new server is running openldap from yum, whereas the old server is probably running a version of LDAP that is at least 3-4 years old.

So, I guess the big question is, how do I properly move the data from the old to the new server? Obviously, I'm doing it incorrectly. The two config files which seem to matter the most are included in with this post.

Any ideas?
Here are some migration scripts for Linux OpenLDAP:
http://www.padl.com/OSS/MigrationTools.html

Also, this editor is great for what you need:
http://sourceforge.net/projects/led/

Also, LDAP has a replication feature, so if you create your new LDAP server as a slave to your existing setup it will suck all the info over:
http://www.openldap.org/doc/admin22/syncrepl.html

Another option is to write a Perl script to interface LDAP and do it yourself.
I hope this helps you.
 
Old 02-15-2008, 10:54 AM   #10
bbennett
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Thank you very much. I'll try messing with these.
 
  

