Discussion:
Migrate from openldap 2.2 to 2.4 issue
DEVARIEUX Alain
2015-10-29 15:35:16 UTC
Hi!

First, excuse me for my approximate English.

I'm trying to migrate from an old Red Hat server running openldap 2.2 to
a brand new one using CentOS 7 and openldap 2.4.
Using slapcat / slapadd I can't get my new server running with an olc
config.

I'd like to know what I'm doing wrong during this process:

# To remove entryUUID lines because they're not usable with openldap 2.4
sed -i -e "/entryUUID/d" /root/myslapcat.ldif

# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o \
    schema-check=yes -l /root/myslapcat.ldif

# moving from file configuration to olc:
slaptest -f /tmp/oldserver/slapdb.conf -F /etc/openldap/slapd.d/

# now, I can start the service without problem:
systemctl start slapd

But when I try to access the directory, here are the error messages I have:
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 fd=11 ACCEPT from
IP=10.35.100.87:49238 (IP=0.0.0.0:389)
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 BIND
dn="cn=Manager,dc=mydomain,dc=fr" method=128
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 BIND
dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 RESULT tag=97
err=0 text=
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SRCH
base="dc=mydomain,dc=fr" scope=1 deref=0 filter="(objectClass=*)"
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SRCH
attr=objectclass
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr):
BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr):
BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr):
BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr):
BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SEARCH RESULT
tag=101 err=80 nentries=0 text=internal error

But if I launch slapd telling it which configuration file to use,
everything works well (i.e. I can bind to the server and view all entries):

slapd -u ldap -f /tmp/oldserver/slapd.conf


Am I missing something obvious? I'm new to openldap...

Regards,
--
Alain Devarieux
Pôle Infrastructures
GIP SIB
Michael Ströder
2015-10-30 08:36:25 UTC
Post by DEVARIEUX Alain
# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o
schema-check=yes -l /root/myslapcat.ldif
You invoked this command as user root?
Post by DEVARIEUX Alain
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Check ownership/permissions of the database files.

Ciao, Michael.
DEVARIEUX Alain
2015-10-30 10:57:15 UTC
Post by Michael Ströder
Post by DEVARIEUX Alain
# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o
schema-check=yes -l /root/myslapcat.ldif
You invoked this command as user root?
Yes, but I then changed the ownership to user ldap group ldap.
Post by Michael Ströder
Post by DEVARIEUX Alain
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Check ownership/permissions of the database files.
Ownership and permissions are all OK.
I compared a good server with this one, and the file
olcDatabase={1}bdb.ldif has lines which seem to be responsible for the
error.

Here is the bad content; I really don't know how it arrived here:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 XXXXXX
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain,dc=fr
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=mydomain,dc=fr
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXX
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbConfig: {0}# $OpenLDAP$
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB
databas
es. <========= this is a new line
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}#
<http://www.oracle.com/technology/documentation/berkeley-d
b/db/ref/env/db_config.html> <============== this is a new line
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig::
ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxl
PTI+ <========= This is a new line
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075>
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only
upon re
building <============= this is a new line
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 0.25 GB cache
olcDbConfig: {16}set_cachesize 0 268435456 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 2097152
olcDbConfig: {24}#set_lg_dir logs
olcDbConfig: {25}
olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed
for "qui
ck" <============ new line
olcDbConfig::
ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhl
aXIgLXEgb3B0aW9uKS4g <============ New Line
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: a8d3783e-1299-1035-85e6-718a04e8aa45
creatorsName: cn=config
createTimestamp: 20151029150121Z
entryCSN: 20151029150121.235155Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151029150121Z


I think my slaptest -f myoldconfigfile.conf -F /etc/openldap/slapd.d/ is
doing that.
I have to run some tests to know exactly when this happens.

Would you know how this behaviour can happen?

Regards,
Post by Michael Ströder
Ciao, Michael.
--
Alain Devarieux
Pôle Infrastructures
GIP SIB
Tel 02 99 54 76 94
www.sib.fr - standard: 02 99 54 75 10
Quanah Gibson-Mount
2015-10-30 20:47:49 UTC
--On Friday, October 30, 2015 12:57 PM +0100 DEVARIEUX Alain
Post by DEVARIEUX Alain
Post by Michael Ströder
Post by DEVARIEUX Alain
# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o
schema-check=yes -l /root/myslapcat.ldif
You invoked this command as user root?
Yes, but I then changed the ownership to user ldap group ldap.
Those are not new lines. They are continuations. I suggest reading up on
the LDIF RFC.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
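As an added example (not code from the thread or from OpenLDAP) of what Quanah means: an RFC 2849 unfolder that joins continuation lines (a leading single space) back onto the logical line before them and decodes `::` base64 values, run over a constructed fragment modelled on the olcDatabase={1}bdb.ldif quoted above. The `olcDbConfig` values come back with their `{n}` ordering prefix intact, and the two base64 values decode to text containing a tab and a trailing space respectively, which is why slapd did not write them literally.

```python
import base64
import re

# Constructed fragment modelled on the olcDatabase={1}bdb.ldif quoted above
# (not the poster's file): a leading space marks an RFC 2849 continuation
# line, and "attr::" introduces a base64-encoded value.
SAMPLE_LDIF = """\
dn: olcDatabase={1}bdb
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databas
 es.
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-d
 b/db/ref/env/db_config.html>
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxl
 PTI+
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhl
 aXIgLXEgb3B0aW9uKS4g
"""

def unfold_ldif(text):
    """Join continuation lines (leading single space) onto the line before."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # drop only the fold marker
        else:
            logical.append(raw)
    return logical

def parse_ldif(text):
    """Return (attribute, value) pairs; '::' values are base64-decoded."""
    pairs = []
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64 data>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                               # "attr: <value>", FILL spaces dropped
            value = rest.lstrip(" ")
        pairs.append((attr, value))
    return pairs

def ordered_values(pairs, attr):
    """Strip the {n} ordering prefix cn=config uses and sort values by it."""
    found = []
    for a, v in pairs:
        m = re.match(r"\{(\d+)\}(.*)", v, re.S)
        if a == attr and m:
            found.append((int(m.group(1)), m.group(2)))
    return [v for _, v in sorted(found)]
```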
