Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 08-20-2010, 01:45 AM   #1
joel_saul
LQ Newbie
 
Registered: Aug 2010
Posts: 4

ldap cannot carry slapd.conf changes or did not use /etc/openldap/slapd.conf


Hi Everyone,

I'm new to this forum and to Linux. Can anyone give me input on my problem with LDAP? This would really be a big help.

I am setting up an LDAP server. I set slapd.conf (dc=proldap,dc=com) and started ldap; it is OK, but when I check using

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

the result is: namingContexts: dc=my-domain,dc=com

It seems that it did not use my slapd.conf, so I tried removing my slapd.conf from /etc/openldap and starting slapd again, and it did start with no errors. When I do ldapsearch again it still uses dc=my-domain,dc=com.

I tried searching about this in Google and found no answers.

My reference in setting up LDAP is the link below, but it seemed that it always uses another configuration, not the one I modified.

I'm using Fedora 12, LDAP version 2.4.19. I installed LDAP by yum install.

http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

http://www.openldap.org/doc/admin24/quickstart.html

Thanks in advance
Old 08-20-2010, 02:12 AM   #2
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

You probably already have entries in the ldap database with dn: dc=my-domain,dc=com. Changing the suffix in slapd.conf doesn't change the entries in the database.
Old 08-20-2010, 02:13 AM   #3
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

You can start slapd and point it to your configuration file with the -f parameter. Otherwise, post your init script - /etc/init.d/ldap (or /etc/init.d/openldap, ...).
Old 08-20-2010, 02:51 AM   #4
joel_saul
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Original Poster
Quote: Originally Posted by quanta
> You can start slapd and point it to your configuration file with -f parameter. Otherwise, post up your init script - /etc/init.d/ldap (or /etc/init.d/openldap, ...)
Hi Quanta, I tried using /usr/sbin/slapd -f /etc/openldap/slapd.conf and it did not start the slapd daemon. I also tried marking the configfile entry in my init script, but it still ran OK. It seems to create its own slapd.conf or use a different one.

Hi Blue Ice, I'm using the default sample DB_CONFIG as my database.

Thanks for the quick reply. Anyway, I'm setting this up in my VMware ESX; that should not matter, right?

Here's my init script:

#!/bin/bash
#
# slapd         This shell script takes care of starting and stopping
#               ldap servers (slapd).
#
# chkconfig: - 27 73
# description: LDAP stands for Lightweight Directory Access Protocol, used \
#              for implementing the industry standard directory services.
# processname: slapd
# config: /etc/openldap/slapd.conf
# pidfile: /var/run/slapd.pid

### BEGIN INIT INFO
# Provides: slapd
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: starts and stops OpenLDAP server daemon
# Description: LDAP stands for Lightweight Directory Access Protocol, used
#              for implementing the industry standard directory services.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Define default values of options allowed in /etc/sysconfig/ldap
SLAPD_LDAP="yes"
SLAPD_LDAPI="no"
SLAPD_LDAPS="no"
SLAPD_URLS=""
SLAPD_SHUTDOWN_TIMEOUT=3
# OPTIONS, SLAPD_OPTIONS and KRB5_KTNAME are not defined

# Source an auxiliary options file if we have one
if [ -r /etc/sysconfig/ldap ] ; then
    . /etc/sysconfig/ldap
fi

slapd=/usr/sbin/slapd
slaptest=/usr/sbin/slaptest
lockfile=/var/lock/subsys/slapd
configdir=/etc/openldap/slapd.d/
configfile=/etc/openldap/slapd.conf
pidfile=/var/run/slapd.pid
slapd_pidfile=/var/run/openldap/slapd.pid

RETVAL=0

#
# Pass commands given in $2 and later to "test" run as user given in $1.
#
function testasuser() {
    local user= cmd=
    user="$1"
    shift
    cmd="$@"
    if test x"$user" != x ; then
        if test x"$cmd" != x ; then
            /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
        else
            false
        fi
    else
        false
    fi
}

#
# Check for read-access errors for the user given in $1 for a service named $2.
# If $3 is specified, the command is run if "klist" can't be found.
#
function checkkeytab() {
    local user= service= klist= default=
    user="$1"
    service="$2"
    default="${3:-false}"
    if test -x /usr/kerberos/bin/klist ; then
        klist=/usr/kerberos/bin/klist
    elif test -x /usr/bin/klist ; then
        klist=/usr/bin/klist
    fi
    KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
    export KRB5_KTNAME
    if test -s "$KRB5_KTNAME" ; then
        if test x"$klist" != x ; then
            if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
                if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
                    true
                else
                    false
                fi
            else
                false
            fi
        else
            $default
        fi
    else
        false
    fi
}

function configtest() {
    local user= ldapuid= dbdir= file=
    # Check for simple-but-common errors.
    user=ldap
    prog=`basename ${slapd}`
    ldapuid=`id -u $user`
    # Unaccessible database files.
    slaptestflags=""
    dbdirs=""
    # A config directory (slapd.d) takes precedence over slapd.conf.
    if [ -d $configdir ]; then
        for configfile in `ls -1 $configdir/cn\=config/olcDatabase*.ldif`; do
            dbdirs=$dbdirs"
"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
        done
    elif [ -f $configfile ]; then
        dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'`
    else
        exit 6
    fi
    for dbdir in $dbdirs; do
        if [ ! -d $dbdir ]; then
            exit 6
        fi
        for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
            echo -n $"$file is not owned by \"$user\"" ; warning ; echo
        done
        if ! test -s ${dbdir}/id2entry.dbb ; then
            if ! test -s ${dbdir}/id2entry.gdbm ; then
                if ! test -s ${dbdir}/id2entry.bdb ; then
                    slaptestflags="-u"
                fi
            fi
        fi
    done
    # Unaccessible keytab with an "ldap" key.
    if checkkeytab $user ldap ; then
        file=${KRB5_KTNAME:-/etc/krb5.keytab}
        echo -n $"$file is not readable by \"$user\"" ; warning ; echo
    fi
    # Unaccessible TLS configuration files.
    if [ -d $configdir ]; then
        tlsconfigs=`LANG=C awk '/^olcTLS/ {
            while (/^olcTLS/) {
                if (/^olc(TLSCertificateKeyFile|TLSCertificateFile|TLSCACertificateFile)[ \t]*:[\t]*/) {
                    do { printf gensub(/^ /,"",1); getline } while (/^ /)
                    printf "\n" ;
                }
                else break;
            }
        }' $configdir/cn\=config.ldif | awk '{print $2}'`
    elif [ -f $configfile ]; then
        tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'`
    fi
    for file in $tlsconfigs ; do
        if ! testasuser $user -r $file ; then
            echo -n $"$file is not readable by \"$user\"" ; warning ; echo
        fi
    done
    # Check the configuration file.
    slaptestout=`/sbin/runuser -m -s "$slaptest" -- "$user" $slaptestflags 2>&1`
    slaptestexit=$?
    # slaptestout=`echo $slaptestout 2>/dev/null | grep -v "config file testing succeeded"`
    # print warning if slaptest passed but reports some problems
    if test $slaptestexit == 0 ; then
        if echo "$slaptestout" | grep -v "config file testing succeeded" >/dev/null ; then
            echo -n $"Checking configuration files for $prog: " ; warning ; echo
            echo "$slaptestout"
        fi
    fi
    # report error if configuration file is wrong
    if test $slaptestexit != 0 ; then
        echo -n $"Checking configuration files for $prog: " ; failure ; echo
        echo "$slaptestout"
        if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
            #dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
            for directory in $dbdirs ; do
                if test -r $directory/__db.001 ; then
                    echo -n $"stale lock files may be present in $directory" ; warning ; echo
                fi
            done
        fi
        exit 6
    fi
}

function start() {
    [ -x $slapd ] || exit 5
    [ `id -u` -eq 0 ] || exit 4
    configtest
    # Define a couple of local variables which we'll need. Maybe.
    user=ldap
    prog=`basename ${slapd}`
    harg="$SLAPD_URLS"
    if test x$SLAPD_LDAP = xyes ; then
        harg="$harg ldap:///"
    fi
    if test x$SLAPD_LDAPS = xyes ; then
        harg="$harg ldaps:///"
    fi
    if test x$SLAPD_LDAPI = xyes ; then
        harg="$harg ldapi:///"
    fi
    # Start daemons.
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile --check=$prog ${slapd} -h "\"$harg\"" -u ${user} $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        touch $lockfile
        ln $slapd_pidfile $pidfile
    fi
    echo
    return $RETVAL
}

function stop() {
    # Stop daemons.
    prog=`basename ${slapd}`
    [ `id -u` -eq 0 ] || exit 4
    echo -n $"Stopping $prog: "

    # This will remove pid and args files from /var/run/openldap
    killproc -p $slapd_pidfile -d $SLAPD_SHUTDOWN_TIMEOUT ${slapd}
    RETVAL=$?

    # Now we want to remove lock file and hardlink of pid file
    [ $RETVAL -eq 0 ] && rm -f $pidfile $lockfile
    echo
    return $RETVAL
}

# See how we were called.
case "$1" in
    configtest)
        configtest
        ;;
    start)
        start
        RETVAL=$?
        ;;
    stop)
        stop
        RETVAL=$?
        ;;
    status)
        status -p $pidfile ${slapd}
        RETVAL=$?
        ;;
    restart|force-reload)
        stop
        start
        RETVAL=$?
        ;;
    condrestart|try-restart)
        status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0
        stop
        start
        ;;
    usage)
        echo $"Usage: $0 {start|stop|restart|status|condrestart|configtest|usage}"
        RETVAL=0
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status|condrestart|configtest|usage}"
        RETVAL=3
esac

exit $RETVAL
Old 08-20-2010, 03:13 AM   #5
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

DB_CONFIG is not your database. It is just a configuration file, just like slapd.conf.
Your database files and related files are probably located at /var/lib/ldap and are named __db.001, __db.002 and __db.nnn (where nnn is a number), if you are using Berkeley DB as your back-end. These files contain the actual data of your ldap system.

As you can start up ldap, there is a slapd.conf present. If you edited slapd.conf, used it to create the entries that are currently in the ldap directory and then changed this same slapd.conf, then you are using the correct file. That means there are still some old entries in your database. Changing the suffix in slapd.conf will not change the entries in the database. You can compare it to storing data in a regular RDBMS like MySQL. If you change the name of the server and you store that same name in a relational database, the name change won't affect the data in the database. So you will have to update the data as well.

I can understand that you think it has to do with slapd.conf, but I guess you are new to this and might not have a good understanding yet of what ldap is. Ldap is basically just another database. The difference is that when we are talking about a database, we are talking about relational databases. That's not the case for ldap; ldap is a so-called hierarchical database.

Anyway, if you really keep thinking that ldap is using a different slapd.conf, you should also read the init script you posted above, because the configuration you are after is possibly in the file /etc/sysconfig/ldap. But in my opinion, you can look at the configuration for days without finding anything. Check your database or create a new database with the new settings.
Old 08-20-2010, 03:17 AM   #6
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

Quote: Originally Posted by joel_saul
> Hi Quanta, i tried using /usr/sbin/slapd -f /etc/openldap/slapd.conf and did not start the slapd daemon.
Check with pgrep slapd or ps -ef | grep slapd. After that, test again with ldapsearch. Also post your slapd.conf file.
Old 08-21-2010, 04:53 AM   #7
joel_saul
LQ Newbie
 
Registered: Aug 2010
Posts: 4

Original Poster
Hi Blue Ice and Quanta, thanks for the input.
This is what I have done.

1. Removed the files under /var/lib/ldap which contain the database: alock, dn2id.bdb, id2entry.bdb, log.0000000001 and DB_CONF.

2. Ran /usr/sbin/slapd -f /etc/openldap/slapd.conf.
- This created the dbase, alock and all in /var/lib/ldap/ldapserver (the directory I set in slapd.conf).

When I do ldapsearch the naming context is OK. Thanks guys.

Now when I do ldapadd I get this: ldap_bind: Invalid DN syntax (34) additional info: invalid DN

I read about a related problem here, but I have to do this on Monday...

http://www.openldap.org/lists/openld.../msg00504.html

Again thanks. Hopefully I can sort this out next week.
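As an added example (not code from this thread or from the OpenLDAP project), the script below turns the reasoning in replies #5 and #7 into a small offline diagnostic: it reads the suffix and directory directives out of a slapd.conf, compares the suffix against the namingContexts that the root DSE query from the first post returns, and syntax-checks the suffix as a DN, which is the usual cause of the "Invalid DN syntax (34)" error in reply #7. The slapd.conf fragment and the ldapsearch output are constructed samples, since the thread never shows the real files; the slapd.d precedence note restates what slapd(8) documents and what the posted init script's `[ -d $configdir ]` test mirrors.

```python
"""Diagnostic for the symptom in this thread: slapd.conf names one suffix but
ldapsearch on the root DSE reports another.  Added example; the slapd.conf
fragment and the ldapsearch output below are constructed samples, not the
poster's real files."""
import base64
import re

# Constructed slapd.conf fragment (the thread never shows the real one).
SAMPLE_SLAPD_CONF = """\
include   /etc/openldap/schema/core.schema
database  bdb
suffix    "dc=proldap,dc=com"
rootdn    "cn=Manager,dc=proldap,dc=com"
directory /var/lib/ldap/ldapserver
"""

# Constructed output of: ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
SAMPLE_ROOT_DSE = """\
dn:
namingContexts: dc=my-domain,dc=com
"""

# One RDN: attribute type (short name or numeric OID) '=' value.  The value may
# not contain an unescaped ',', '+' or '='; RFC 4514 backslash escapes and
# multi-valued RDNs are deliberately out of scope for this cheap check.
_RDN_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=[^,+=\\]+$")


def parse_slapd_conf(text):
    """Return suffix/directory/database of the first database section.
    Values may be double-quoted in slapd.conf; the quotes are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in ("suffix", "directory", "database") and key not in conf:
            conf[key] = value
    return conf


def parse_naming_contexts(ldif):
    """Collect namingContexts values from LDIF; '::' marks a base64 value."""
    found = []
    for line in ldif.splitlines():
        m = re.match(r"(?i)namingcontexts(::?)\s*(.*)$", line)
        if not m:
            continue
        sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        found.append(value.strip())
    return found


def is_valid_dn(dn):
    """Empty DN (root DSE) or comma-separated attr=value RDNs.  Rejects
    'proldap.com' or 'dc=proldap.dc=com', typical 'Invalid DN syntax' causes."""
    if dn == "":
        return True
    return all(_RDN_RE.match(rdn.strip()) for rdn in dn.split(","))


def normalize_dn(dn):
    """Case-fold and strip whitespace so 'DC=Proldap, DC=com' compares equal."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def diagnose(conf_text, root_dse_ldif, slapd_d_present=False):
    """Return a list of findings; an empty list means config and data agree."""
    findings = []
    if slapd_d_present:
        # slapd(8): with neither -f nor -F given, a valid config directory
        # (slapd.d) is used and the config file is ignored; the posted init
        # script tests for $configdir first for the same reason.
        findings.append("slapd.d exists: slapd.conf is ignored, edit cn=config instead")
    conf = parse_slapd_conf(conf_text)
    suffix = conf.get("suffix")
    if suffix is None:
        findings.append("no suffix directive in slapd.conf")
        return findings
    if not is_valid_dn(suffix):
        findings.append("suffix %r is not a syntactically valid DN" % suffix)
    served = {normalize_dn(s) for s in parse_naming_contexts(root_dse_ldif)}
    if normalize_dn(suffix) not in served:
        findings.append(
            "suffix %s not served (namingContexts=%s): the database under %s "
            "was created for the old suffix, or another config is in use"
            % (suffix, sorted(served), conf.get("directory", "?")))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SLAPD_CONF, SAMPLE_ROOT_DSE):
        print("FINDING:", finding)
```

On the sample input this reports exactly the mismatch from the first post (suffix dc=proldap,dc=com configured, dc=my-domain,dc=com served); feed it the real slapd.conf and the real ldapsearch output and an empty result means the data and the config agree, which is the state the poster reached in reply #7 after recreating the database directory.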
 
  

