OpenLDAP Fails to Start

rtwingfield

#1
I've added the following directives to slapd.conf,
Code:
logfile /var/log/slapd.log
loglevel 256
but /var/log/slapd.log is not created when "/usr/local/etc/rc.d/slapd start" is run. The only clues are in /var/log/messages:
Code:
Jul 11 13:56:21 archaxis slapd[61085]: sql_select option missing
Jul 11 13:56:21 archaxis slapd[61085]: auxpropfunc error no mechanism available
I'm assuming that enough of the slapd failed to start that it could not start logging to the named logfile, i.e., slapd.log. Regardless, what is the significance of the messages in the /var/log/messages file?

The installation of the openldap-sasl-client-2.4.23 apparently directed the installation of Cyrus SASL 2.1.23_1, and during the associated make, a config options panel allowed the selection of the Berkeley DB or MySQL. Well, not expecting this (due to my lack of general knowledge), I opted for the MySQL DB because I use it everywhere.

The following code from the slapd.conf seems to indicate that the slapd should expect to use the Berkeley DB rather than MySQL. Also, there are no MySQL backend modules in /usr/local/libexec/openldap.
Code:
# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb


#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=archaxis,dc=net"
rootdn          "cn=Manager,dc=archaxis,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq
Since posting the above, I have discovered the following by running /usr/local/libexec/slapd -d1 (STDERR and/or debug info is output to the console and to the named log file, too):

Code:
TLS: could not use certificate `/usr/local/etc/openldap/.certificates/cert.crt'.
TLS: error:02001002:system library:fopen:No such file or directory /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:354
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:470
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Obviously this was a certificate problem. I still don't understand the messages that were only logged in /var/log/messages, because they certainly do not allude to any problem with the certificate or the fact that it could not be found; regardless, by pointing the TLSCACertificateFile directive to the correct CACERT file, /usr/local/etc/openldap/.certificates/cacert.crt, the slapd will start and run.

Code:
RE:  slapd.conf
#TLSCertificateFile   /usr/local/etc/openldap/.certificates/cert.crt   (does not like this!)
TLSCertificateKeyFile /usr/local/etc/openldap/.certificates/cert.key
TLSCACertificateFile  /usr/local/etc/openldap/.certificates/cacert.crt
This document, http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html, indicates that the three TLSCertificate* directives should be used, but I've found that, as indicated above, the slapd will complain if TLSCertificateFile /usr/local/etc/openldap/.certificates/cert.crt is used.

. . . so, moving on to solving this problem:
Code:
backend_startup_one: starting "dc=archaxis,dc=net"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/db/openldap-data: (2).
Expect poor performance for suffix "dc=archaxis,dc=net".
bdb_db_open: database "dc=archaxis,dc=net": dbenv_open(/var/db/openldap-data).
slapd starting
Regarding the "poor performance" thing, I created the /var/db/openldap-data/DB_CONFIG file (see slapd-bdb(5)) with the following directives:
Code:
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
I have now observed that /usr/local/libexec/slapd -d1 will start the slapd, but an attempt to start from /etc/rc.d, e.g., /usr/local/etc/rc.d/slapd start, will fail, and again the only diagnostics are in /var/log/messages, i.e.,
Code:
Jul 11 22:26:10 archaxis slapd[63909]: sql_select option missing
Jul 11 22:26:10 archaxis slapd[63909]: auxpropfunc error no mechanism available
I'm totally puzzled by this one . . . probably not seeing the forest for the trees. Again, all suggestions are much appreciated!
 

SirDice

#2
rtwingfield said:
I've added the following directives to slapd.conf,
Code:
logfile /var/log/slapd.log
loglevel 256
but /var/log/slapd.log is not created when "/usr/local/etc/rc.d/slapd start" is run.
The ldap user that openldap runs as isn't allowed to write there. Create a log directory /var/log/ldap/ and make sure the ldap user is able to write there. Then log into that directory.
 
rtwingfield

#3
LDAP Logs

If I understand your suggestion:
The ldap user that openldap runs as isn't allowed to write there. Create a log directory /var/log/ldap/ and make sure the ldap user is able to write there. Then log into that directory.
. . . I'm already doing that, only I've named it /var/log/slapd.log. The problem is that the only way I can currently start the slapd is to run # /usr/local/libexec/slapd -d1 from a command line (i.e., fork and wait). Conversely, the slapd fails to start if the start is attempted by running /usr/local/etc/rc.d/slapd start (i.e., fork a background process . . . the daemon, and return) . . . resulting in the following log entries in /var/log/messages:
Code:
Jul 12 13:21:06 archaxis slapd[72458]: sql_select option missing
Jul 12 13:21:06 archaxis slapd[72458]: auxpropfunc error no mechanism available
Can this (probably) be attributed to a permissions problem somewhere? . . . or a missing PATH directive?
 

a931

#4
Let me join the author of the thread. The problem comes at the very first step, starting the LDAP server.
Configuration:

Code:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema


pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
#moduleload     back_ldbm
moduleload      back_bdb
# moduleload    back_hdb
moduleload      back_ldap

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by anonymous read
        by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=saf-vpn,dc=test,dc=ru"
rootdn          "cn=root,dc=saf-vpn,dc=test,dc=ru"


# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}######################################### 
logfile         /var/log/ldap/slapd.log
loglevel        256

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data

# Indices to maintain
index   objectClass     eq
index   cn      eq
Start:
Code:
/usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
Test the config file with /usr/local/libexec/slapd -Tt:
Code:
bdb_db_open: database "dc=saf-vpn,dc=test,dc=ru": db_open(/var/db/openldap-data/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=saf-vpn,dc=test,dc=ru"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Can you tell me how to solve this problem?
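A pre-flight check for the conditions that came up in SirDice's answer (the directory holding the logfile must be writable by the user slapd runs as), in the first post (the TLS files and the DB_CONFIG "poor performance" warning) and in a931's post (the BDB "directory"). This is an added example, not anything posted in the thread; it assumes the rc script starts slapd as the user given in the first argument and that the check itself is run as root.

```shell
#!/bin/sh
# slapd_precheck USER LOGFILE DBDIR [TLS_FILE ...]
# Added example, not from the thread. Assumes the rc script runs slapd as
# USER and that this check itself runs as root. Prints one line per
# finding and returns 0 only if no FAIL line was printed.

# owner of a path as printed by ls(1); column 3 is the same on BSD and GNU
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

slapd_precheck() {
    user=$1; logfile=$2; dbdir=$3
    shift 3
    rc=0

    # logfile: slapd creates it after switching to USER, so the directory
    # holding it must be writable by that user, not just by root
    logdir=$(dirname "$logfile")
    if [ ! -d "$logdir" ]; then
        echo "FAIL: log directory $logdir does not exist"; rc=1
    elif [ "$(owner_of "$logdir")" != "$user" ]; then
        echo "FAIL: $logdir not owned by $user; slapd cannot create $logfile"; rc=1
    fi

    # BDB "directory": must exist and belong to USER; mode 700 and a
    # DB_CONFIG file are the slapd-bdb(5) recommendations, so only warn
    if [ ! -d "$dbdir" ]; then
        echo "FAIL: database directory $dbdir does not exist"; rc=1
    else
        [ "$(owner_of "$dbdir")" = "$user" ] ||
            { echo "FAIL: $dbdir not owned by $user"; rc=1; }
        [ "$(ls -ld "$dbdir" | cut -c1-10)" = "drwx------" ] ||
            echo "WARN: $dbdir is not mode 700"
        [ -f "$dbdir/DB_CONFIG" ] ||
            echo "WARN: no $dbdir/DB_CONFIG; expect the bdb_db_open performance warning"
    fi

    # every TLS* file named in slapd.conf must exist and be readable;
    # a missing one aborts startup with "TLS init def ctx failed"
    for f in "$@"; do
        [ -r "$f" ] || { echo "FAIL: TLS file $f missing or unreadable"; rc=1; }
    done
    return $rc
}

# e.g. slapd_precheck ldap /var/log/slapd.log /var/db/openldap-data \
#          /usr/local/etc/openldap/.certificates/cacert.crt
if [ $# -gt 0 ]; then slapd_precheck "$@"; fi
```

Run it as root with the same paths the rc script and slapd.conf use; a FAIL line points at what slapd -d1 (run as root) silently gets right but the rc.d start does not.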
 

wmoreno3

#7
sql_select option missing, auxpropfunc error no mechanism available

My slapd server appears to be ready, but the messages
Code:
sql_select option missing, auxpropfunc error no mechanism available
are displayed.

Code:
server# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 2614.
Starting slapd.
server#
server# dmesg -a
Jun  6 11:54:48 server slapd[2719]: sql_select option missing
Jun  6 11:54:48 server slapd[2719]: auxpropfunc error no mechanism available
server# /usr/local/libexec/slapd -Tt
config file testing succeeded
server#
server# /usr/local/etc/rc.d/slapd status
slapd is running as pid 2720.
server#
I don't know what is happening.