Discussion:
Migrate from openldap 2.2 to 2.4 issue
DEVARIEUX Alain
2015-10-29 15:35:16 UTC
Hi!

First, excuse me for my approximate English.

I'm trying to migrate from an old Redhat server running openldap 2.2 to
a brand new one using Centos 7 and openldap 2.4.
Using slapcat / slapadd I can't have my new server running with an olc
config.

I'd like to know what I'm doing wrong during this process :

# To remove entryUUID lines because they're not usable with openldap 2.4
sed -i -e "/entryUUID/d" /root/myslapcat.ldif

# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o schema-check=yes -l /root/myslapcat.ldif

# moving from file configuration to olc :
slaptest -f /tmp/oldserver/slapdb.conf -F /etc/openldap/slapd.d/

# now, I can start the service without problem :
systemctl start slapd

But, when I try to access the directory, here are the error messages I have :
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 fd=11 ACCEPT from IP=10.35.100.87:49238 (IP=0.0.0.0:389)
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=0 RESULT tag=97 err=0 text=
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SRCH base="dc=mydomain,dc=fr" scope=1 deref=0 filter="(objectClass=*)"
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SRCH attr=objectclass
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060 PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: conn=1002 op=1 SEARCH RESULT tag=101 err=80 nentries=0 text=internal error

But, if I launch slapd like this, telling it the configuration file to use,
everything works well (i.e.: I can bind to the server and view all entries)

slapd -u ldap -f /tmp/oldserver/slapd.conf


Am I missing something obvious? I'm new to openldap...

Regards,
--
Alain Devarieux
Pôle Infrastructures
GIP SIB
Michael Ströder
2015-10-30 08:36:25 UTC
Post by DEVARIEUX Alain
# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o
schema-check=yes -l /root/myslapcat.ldif
You invoked this command as user root?
Post by DEVARIEUX Alain
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Oct 29 16:02:57 ldap01-qualif slapd[12351]: bdb(dc=mydomain,dc=fr): BDB0060
PANIC: fatal region error detected; run recovery
Check ownership/permissions of the database files.

Ciao, Michael.
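
One way to carry out the ownership and permission check suggested in the reply above, as an added example that is not part of the original thread. The database directory and the account slapd runs as (`ldap` in this thread) are supplied by the caller; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The directory and account are passed in
# by the caller; nothing here assumes a particular distribution's layout.

# db_access_report DIR OWNER
# Prints one line per problem found under DIR:
#   OWNER <path>   entry not owned by OWNER (user name or numeric uid)
#   MODE  <path>   regular file owned by OWNER but lacking owner read+write
db_access_report() {
    db_dir=$1
    owner=$2
    [ -d "$db_dir" ] || { echo "not a directory: $db_dir" >&2; return 2; }
    # Files left behind by a tool that was run under another account.
    find "$db_dir" ! -user "$owner" -print | sed 's/^/OWNER /'
    # Correct owner, but the owner still cannot open the file read-write.
    find "$db_dir" -type f -user "$owner" ! -perm -600 -print | sed 's/^/MODE  /'
}

# db_access_ok DIR OWNER
# Returns 0 when the report is empty, 1 when it is not, 2 on a bad DIR.
db_access_ok() {
    report=$(db_access_report "$1" "$2") || return 2
    [ -z "$report" ]
}

# Typical use (path is a placeholder for the configured database directory):
#   db_access_ok /path/to/database/dir ldap || db_access_report /path/to/database/dir ldap
```

Run it after every offline load and before starting the service, so a mismatch shows up as a report line rather than as a runtime error in the log.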
DEVARIEUX Alain
2015-10-30 10:57:15 UTC
This post might be inappropriate. Click to display it.
Quanah Gibson-Mount
2015-10-30 20:47:49 UTC
--On Friday, October 30, 2015 12:57 PM +0100 DEVARIEUX Alain
Post by DEVARIEUX Alain
Post by Michael Ströder
Post by DEVARIEUX Alain
# Running slapadd with a 'cleaned' version of my old slapd.conf
slapadd -f /tpm/oldserver/slapd.conf -F /etc/openldap/slapd.d/ -c -u -o
schema-check=yes -l /root/myslapcat.ldif
You invoked this command as user root?
Yes, but I then changed the ownership to user ldap group ldap.
Those are not new lines. They are continuations. I suggest reading up on
the LDIF RFC.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
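
The continuation lines mentioned in the reply above are RFC 2849 line folding: a line that begins with a single space continues the previous line. The following added example (not part of the original thread; function names and the sample entry are constructed) unfolds an LDIF first and then drops an attribute by name, so that a line-oriented filter cannot cut a folded value in half or match the attribute name inside another value.

```shell
#!/bin/sh
# Added example, not from the thread.

# Join RFC 2849 continuation lines (leading single space) onto the line they continue.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); have = 1; next }  # drop the fold marker, append
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# ldif_drop_attr NAME: remove every value of attribute NAME from LDIF on stdin.
# Matches the attribute name only (case-insensitive), never text inside a value.
ldif_drop_attr() {
    ldif_unfold | awk -v attr="$1" '
        BEGIN { attr = tolower(attr) }
        {
            name = tolower($0)
            sub(/[:;].*/, "", name)   # keep the part before ":" or an option ";"
            if (name == attr) next
            print
        }
    '
}

# Constructed sample entry: the description value is folded and happens to
# contain the string "entryUUID".
sample_ldif() {
    printf '%s\n' \
        'dn: uid=jdoe,dc=example,dc=com' \
        'objectClass: inetOrgPerson' \
        'description: value mentioning entryUUID, long enough to be fol' \
        ' ded by slapcat' \
        'entryUUID: 11111111-2222-3333-4444-555555555555' \
        'uid: jdoe'
}

sample_ldif | ldif_drop_attr entryUUID
```

A plain pattern delete on the same input would remove the first half of the folded `description` value and leave its continuation attached to `objectClass`.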
