OpenLDAP does not start

Hi,

I've set up a jail on FreeBSD 11.2-RELEASE-p4 with iocage to run OpenLDAP.
The packages are directly from the FreeBSD-project, quarterly branch.

I've followed this tutorial:

https://www.freebsd.org/doc/handbook/network-ldap.html

However, I don't have a file "DB_CONFIG" in the openldap folder.

I set

Code:
slapd_enable="YES"
slapd_flags="-4 -h ldaps://0.0.0.0/"
slapd_sockets="/var/run/openldap/ldapi"


in rc.conf

It just exits on start.

Running it with debugging is pretty much just as useless:
Code:
(ldap <openldap>) 0 # /usr/local/libexec/slapd -4 -d 1 -h ldaps:/// -u ldap -g ldap
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: using /usr/local/etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_url_parse_ext(ldap://ldap.example.org)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
5bf9de0d @(#) $OpenLDAP: slapd 2.4.46 (Oct  3 2018 02:54:26) $
    root@112amd64-quarterly-job-16:/wrkdirs/usr/ports/net/openldap24-server/work/openldap-2.4.46/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap, r=-1
5bf9de0d daemon_init: listen on ldaps:///
5bf9de0d daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps:///)
5bf9de0d daemon: listener initialized ldaps:///
5bf9de0d daemon_init: 1 listeners opened
ldap_create
5bf9de0d slapd init: initiated server.
5bf9de0d mdb_back_initialize: initialize MDB backend
5bf9de0d mdb_back_initialize: LMDB 0.9.22: (March 21, 2018)
5bf9de0d mdb_db_init: Initializing mdb database
5bf9de0d >>> dnPrettyNormal: <dc=example,dc=org>
5bf9de0d <<< dnPrettyNormal: <dc=example,dc=org>, <dc=example,dc=org>
5bf9de0d >>> dnPrettyNormal: <cn=Manager,dc=example,dc=org>
5bf9de0d <<< dnPrettyNormal: <cn=Manager,dc=example,dc=org>, <cn=manager,dc=example,dc=org>
5bf9de0d slapd destroy: freeing system resources.
5bf9de0d slapd stopped.
5bf9de0d connections_destroy: nothing to destroy.

When I run ktrace on it, I get this at the end:

Code:
55736 slapd    RET   read 0
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  openat(AT_FDCWD,0x800738500,0x300000<O_RDONLY|O_CLOEXEC|O_VERIFY>)
 55736 slapd    NAMI  "/usr/local/libexec/openldap/back_mdb-2.4.so.2"
 55736 slapd    RET   openat 8
 55736 slapd    CALL  fstat(0x8,0x7fffffff9ad8)
 55736 slapd    STRU  struct stat {dev=30477354, ino=164808, mode=0100755, nlink=1, uid=0, gid=0, rdev=4294967295, atime=0, mtime=1538535325, ctime=1543097586.755963000, birthtime=1538535325, size=244744, blksize=131072, blocks=337, flags=0x800 }
 55736 slapd    RET   fstat 0
 55736 slapd    CALL  mmap(0,0x1000,0x1<PROT_READ>,0x40002<MAP_PRIVATE|MAP_PREFAULT_READ>,0x8,0)
 55736 slapd    RET   mmap 34367479808/0x800762000
 55736 slapd    CALL  mmap(0,0x254000,0<PROT_NONE>,0x2000<MAP_GUARD>,0xffffffff,0)
 55736 slapd    RET   mmap 34399584256/0x802600000
 55736 slapd    CALL  mmap(0x802600000,0x3a000,0x5<PROT_READ|PROT_EXEC>,0x60012<MAP_PRIVATE|MAP_FIXED|MAP_NOCORE|MAP_PREFAULT_READ>,0x8,0)
 55736 slapd    RET   mmap 34399584256/0x802600000
 55736 slapd    CALL  mmap(0x80283a000,0x2000,0x3<PROT_READ|PROT_WRITE>,0x40012<MAP_PRIVATE|MAP_FIXED|MAP_PREFAULT_READ>,0x8,0x3a000)
 55736 slapd    RET   mmap 34401918976/0x80283a000
 55736 slapd    CALL  mmap(0x80283c000,0x18000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
 55736 slapd    RET   mmap 34401927168/0x80283c000
 55736 slapd    CALL  munmap(0x800762000,0x1000)
 55736 slapd    RET   munmap 0
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  open(0x8024dc3a0,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0666<S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH>)
 55736 slapd    NAMI  "/var/db/openldap-data/DUMMY"
 55736 slapd    RET   open 8
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  unlink(0x8024dc3a0)
 55736 slapd    NAMI  "/var/db/openldap-data/DUMMY"
 55736 slapd    RET   unlink 0
 55736 slapd    CALL  read(0x7,0x80242e000,0x1000)
 55736 slapd    GIO   fd 7 read 0 bytes
       ""
 55736 slapd    RET   read 0
 55736 slapd    CALL  close(0x7)
 55736 slapd    RET   close 0
 55736 slapd    CALL  munmap(0x802600000,0x254000)
 55736 slapd    RET   munmap 0
 55736 slapd    CALL  clock_gettime(0xd,0x7fffffffdc18)
 55736 slapd    RET   clock_gettime 0
 55736 slapd    CALL  getpid
 55736 slapd    RET   getpid 55736/0xd9b8
 55736 slapd    CALL  sendto(0x3,0x7fffffffe150,0x31,0,0,0)
 55736 slapd    GIO   fd 3 wrote 49 bytes
       "<167>Nov 25 00:18:44 slapd[55736]: slapd stopped."
 55736 slapd    RET   sendto 49/0x31
 55736 slapd    CALL  close(0x3)
 55736 slapd    RET   close 0
 55736 slapd    CALL  clock_gettime(0xd,0x7fffffffdbd8)
 55736 slapd    RET   clock_gettime 0
 55736 slapd    CALL  getpid
 55736 slapd    RET   getpid 55736/0xd9b8
 55736 slapd    CALL  socket(PF_LOCAL,0x10000002<SOCK_DGRAM|SOCK_CLOEXEC>,0)
 55736 slapd    RET   socket 3
 55736 slapd    CALL  connect(0x3,0x7fffffffdb78,0x6a)
 55736 slapd    STRU  struct sockaddr { AF_LOCAL, /var/run/logpriv }
 55736 slapd    NAMI  "/var/run/logpriv"
 55736 slapd    RET   connect -1 errno 13 Permission denied
 55736 slapd    CALL  connect(0x3,0x7fffffffdb78,0x6a)
 55736 slapd    STRU  struct sockaddr { AF_LOCAL, /var/run/log }
 55736 slapd    NAMI  "/var/run/log"
 55736 slapd    RET   connect 0
 55736 slapd    CALL  sendto(0x3,0x7fffffffe110,0x4b,0,0,0)
 55736 slapd    GIO   fd 3 wrote 75 bytes
       "<167>Nov 25 00:18:44 slapd[55736]: connections_destroy: nothing to destroy."
 55736 slapd    RET   sendto 75/0x4b
 55736 slapd    CALL  shutdown(0x5,SHUT_RDWR)
 55736 slapd    RET   shutdown -1 errno 38 Socket operation on non-socket
 55736 slapd    CALL  close(0x5)
 55736 slapd    RET   close 0
 55736 slapd    CALL  shutdown(0x4,SHUT_RDWR)
 55736 slapd    RET   shutdown -1 errno 38 Socket operation on non-socket
 55736 slapd    CALL  close(0x4)
 55736 slapd    RET   close 0
 55736 slapd    CALL  exit(0x1)


I have the following configuration:
Code:
(ldap <openldap>) 0 # cat slapd.conf |grep -v ^# |grep -v ^$
include        /usr/local/etc/openldap/schema/core.schema
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
modulepath    /usr/local/libexec/openldap
moduleload    back_mdb
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
database    mdb
maxsize        1073741824
suffix        "dc=example,dc=org"
rootdn        "cn=Manager,dc=example,dc=org"
directory    /var/db/openldap-data
index    objectClass    eq
rootpw hashed_root_password_here
password-hash {sha}
allow bind_v2


What can I do?

Any ideas?
 
Did you load a module for default database in slapd.conf? That is, if you're using the default mdb database, you have to uncomment the line in slapd.conf about loading the mdb module. I do remember that, as well as other necessary things being left out of the handbook articles.
 
I already tried that....
If I don't load the mdb-module, it complains about not knowing about the mdb database type a couple of lines below.
 
It's just a VM at this point. I'll try outside of a jail and if it doesn't work, I'll just open a PR.
I'll also try on CentOS7.
 
The DB_CONFIG file is not needed, at least not with mdb. The zytrax.com tutorials are good and should get you started with OpenLDAP.

The out-of-the box slapd.conf that is installed with the FreeBSD port of OpenLDAP is very minimal.
 
OK, that was actually helpful.
For one,
Code:
loglevel -1
created a lot of useful output.

It alerted me of the fact that
Code:
allow bind_v2

needed to come before any modules were loaded.

Now, it's at least starting!
 
Adding some entries does not work, though:
Code:
(ldap <openldap>) 0 # ldapadd -H ldaps://ldap.example.org -D "cn=Manager,dc=example,dc=org" -W -y /root/.ldappass -f import1.ldif
ldap_bind: Invalid credentials (49)


Code:
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
password-hash {sha}
allow bind_v2
modulepath    /usr/local/libexec/openldap
moduleload    back_mdb
loglevel     -1
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
database    mdb
maxsize        1073741824
suffix        "dc=example,dc=org"
rootdn        "cn=Manager,dc=example,dc=org"
rootpw {SHA}hash-here
directory    /var/db/openldap-data
index    objectClass    eq


The log says:

Code:
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 do_bind
Nov 25 18:09:32 ldap slapd[66732]: >>> dnPrettyNormal: <cn=Manager,dc=example,dc=org>
Nov 25 18:09:32 ldap slapd[66732]: <<< dnPrettyNormal: <cn=Manager,dc=example,dc=org>, <cn=manager,dc=example,dc=org>
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=org" method=128
Nov 25 18:09:32 ldap slapd[66732]: do_bind: version=3 dn="cn=Manager,dc=example,dc=org" method=128
Nov 25 18:09:32 ldap slapd[66732]: ==> mdb_bind: dn: cn=Manager,dc=example,dc=org
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on 1 descriptor
Nov 25 18:09:32 ldap slapd[66732]: daemon: waked
Nov 25 18:09:32 ldap slapd[66732]: daemon: select: listen=6 active_threads=0 tvp=NULL
Nov 25 18:09:32 ldap slapd[66732]: daemon: select: listen=7 active_threads=0 tvp=NULL
Nov 25 18:09:32 ldap slapd[66732]: mdb_dn2entry("cn=manager,dc=example,dc=org")
Nov 25 18:09:32 ldap slapd[66732]: => mdb_dn2id("cn=manager,dc=example,dc=org")
Nov 25 18:09:32 ldap slapd[66732]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_result: conn=1000 op=0 p=3
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_result: err=49 matched="" text=""
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_response: msgid=1 tag=97 err=49
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 RESULT tag=97 err=49 text=
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on 1 descriptor
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on:
Nov 25 18:09:32 ldap slapd[66732]:  9r


still digging through google-results...
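One check worth running against a bind failure like the one above is whether the password actually sent matches the rootpw hash. The following is an added example, not code from the thread or from OpenLDAP: it rebuilds the {SHA} and {SSHA} formats slapd uses, compares a candidate password against a stored value, and shows what a -y password file supplies (the complete file contents, trailing newline included) versus the trimmed text. The password "secret" and the file contents are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes; {SSHA} stores digest followed by salt


def make_sha(password: str) -> str:
    """Build an OpenLDAP {SHA} value: base64(SHA-1(password)), what 'password-hash {sha}' produces."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(password: str, stored: str) -> bool:
    """Return True if password matches a {SHA} or {SSHA} rootpw/userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}base64 value")
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme {%s}" % scheme)


def passfile_candidates(contents: bytes) -> dict:
    """What ldapadd -y sends (the complete file, trailing newline included) vs. the trimmed text."""
    text = contents.decode("utf-8")
    return {"verbatim": text, "stripped": text.rstrip("\r\n")}


if __name__ == "__main__":
    # Constructed sample: a password and a .ldappass file saved with a trailing newline.
    stored = make_sha("secret")
    for kind, cand in passfile_candidates(b"secret\n").items():
        print(kind, repr(cand), check_password(cand, stored))
```

The hash written with `slappasswd -h '{SHA}'` (or the value in `rootpw`) can be passed to `check_password` directly, so the same script tells you whether the stored hash or the password file is the part that does not match.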
 
I would get your setup working without TLS certs first.

When first creating your mdb, did you run something like this:

Code:
echo ""|slapadd -f /usr/local/etc/openldap/slapd.conf
slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d

Note that /usr/local/etc/openldap/slapd.d needs to be created beforehand and owned by ldap:ldap.

And, this is all assuming you want to have an OLC setup (cn=config). I could just post my script that sets this stuff up, but that would take out all the fun for you ;)
 
No, I didn't run anything like that. The tutorial doesn't mention it and I actually don't even want the configuration to be inside the DB, for now.

Removing SSL does not help.
 
Hello,

Better late than never,
Have you tried removing the SSL option and using the -x option:

Bash:
root@openldap:/usr/local/etc/rc.d # ldapsearch -H ldap://localhost:389 -x -w secret -vvv -D "cn=Manager,dc=my-domain,dc=com" *
ldap_initialize( ldap://localhost:389/??base )
filter: (objectclass=*)
requesting: slapd 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: slapd 
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
root@openldap:/usr/local/etc/rc.d #
 