Re: (ITS#3651) slapd dies when using ldapadd.



There is no evidence of a bug in LDAP software (yet), but rather of a
software usage problem, so I suggest you redirect your inquiries to the
openldap-software mailing list.

I suggest you investigate in the direction of run-time linked libraries. 
It is very likely that some dynamic library your slapd is linking at
run-time does not match the headers and/or the dynamic object slapd was
built against.

p.

> Full_Name: Paul Webb
> Version: 2.2.24 stable
> OS: Fedora Core2
> URL:
> Submission from: (NULL) (216.29.61.254)
>
>
> This is most likely my fault, so I'm hoping someone can point out to me
> where I screwed up.
>
> I have a Red Hat Fedora Core2 box with all of the development and kernel
> tools installed, but hardly any of the servers; I want to install all of
> the server daemons myself to avoid the confusing distro-based paths and
> server installs that Red Hat and others use.
>
> It should be noted that I previously have installed MySQL, Apache 1.x, and
> PHP on this box. In the process of that install, I installed OpenSSL. All
> of these were installed from source.
>
> I installed BerkeleyDB.4.3.NS (Non-Secure) from source using the standard
> ./configure, make, make install routine without incident.
>
> I then installed OpenLDAP using the following configure line:
>
> env CPPFLAGS="-I/usr/local/BerkeleyDB.4.3/include -I/usr/local/ssl/include/openssl" \
> LDFLAGS="-L/usr/local/BerkeleyDB.4.3/lib -L/usr/local/ssl/lib" \
> ./configure --with-tls --enable-slurpd --enable-crypt --enable-syslog --sysconfdir=/etc
>
> When this completed successfully, I ran a make depend, make, make test,
> and make install, all without problems.
>
> I generated a symbolic link to my library using something like the
> following command:
> ln -s /usr/local/BerkeleyDB.4.3/lib/libdb-4.3.so /usr/include/libdb-4.3.so
>
> (don't quote me on that one. I can't find the command itself -- but it
> resolved the issue I was having with slapd failing)
>
> I put the following slapd.conf file in /etc/openldap/slapd.conf:
> --- BEGIN ---
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
>
> allow bind_v2
> pidfile /var/run/slapd.pid
>
> database bdb
> suffix "dc=webbenabled,dc=com"
> rootdn "cn=Manager,dc=webbenabled,dc=com"
> rootpw {SSHA}(A Password Hash is Here)
> directory /var/lib/ldap (This does exist)
>
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
>
> ---END---
>
> I then ran slapd using the following line:
>
> /usr/local/libexec/slapd -f /etc/openldap/slapd.conf -u ldap
>
> (Yes, an LDAP user account exists)
>
> The slapd daemon fired up without incident. Now time to add an LDIF file
> to it to start. I used the following LDIF file:
>
> ---BEGIN---
> dn: dc=webbenabled, dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> dc: webbenabled
> o: WebbEnabled Solutions LLC
> ---END---
>
> ... and imported it with the following command:
>
> ldapadd -D 'dc=webbenabled, dc=com' -f webbenabled.ldif -W
>
> I get the following message:
>
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> So, I restart the daemon and switch to trying to add a known-good, not
> generated by me, LDIF file. I get the same error.
>
> So, I restart the daemon again, this time setting my debugging level high:
>
> /usr/local/libexec/slapd -f /etc/openldap/slapd.conf -u ldap -d 5
>
> and I retry again, using the original webbenabled.ldif file. I get the
> following output below. I then tried with the known good one, and I got the
> same output:
>
> ---BEGIN---
> [root@server1 build_unix]# /usr/local/libexec/slapd -d 5 -f /etc/openldap/slapd.conf
> @(#) $OpenLDAP: slapd 2.2.24 (Apr 11 2005 00:34:17) $
>         root@server1.int.webbenabled.com:/downloads/openldap-2.2.24/servers/slapd
> daemon_init: <null>
> daemon_init: listen on ldap:///
> daemon_init: 1 listeners to open...
> ldap_url_parse_ext(ldap:///)
> daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
> daemon: initialized ldap:///
> daemon_init: 2 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> bdb_back_initialize: initialize BDB backend
> bdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.27: (December 22, 2004)
> >>> dnNormalize: <cn=Subschema>
> => ldap_bv2dn(cn=Subschema,0)
> ldap_err2string
> <= ldap_bv2dn(cn=Subschema)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(cn=subschema)=0 Success
> <<< dnNormalize: <cn=subschema>
> bdb_db_init: Initializing BDB database
> >>> dnPrettyNormal: <dc=webbenabled,dc=com>
> => ldap_bv2dn(dc=webbenabled,dc=com,0)
> ldap_err2string
> <= ldap_bv2dn(dc=webbenabled,dc=com)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(dc=webbenabled,dc=com)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(dc=webbenabled,dc=com)=0 Success
> <<< dnPrettyNormal: <dc=webbenabled,dc=com>, <dc=webbenabled,dc=com>
> >>> dnPrettyNormal: <cn=Manager,dc=webbenabled,dc=com>
> => ldap_bv2dn(cn=Manager,dc=webbenabled,dc=com,0)
> ldap_err2string
> <= ldap_bv2dn(cn=Manager,dc=webbenabled,dc=com)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(cn=Manager,dc=webbenabled,dc=com)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(cn=manager,dc=webbenabled,dc=com)=0 Success
> <<< dnPrettyNormal: <cn=Manager,dc=webbenabled,dc=com>, <cn=manager,dc=webbenabled,dc=com>
> matching_rule_use_init
>     1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
> 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber $
> ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
> shadowInactive $
> shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
> uidNumber
> $ mailPreferenceOption $ supportedLDAPVersion ) )
>     1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
> 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber $
> ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
> shadowInactive $
> shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
> uidNumber
> $ mailPreferenceOption $ supportedLDAPVersion ) )
>     1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
> 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( nisMapEntry
> $
> bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $
> memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $
> janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $
> aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
>     1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
> 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( nisMapEntry
> $
> bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $
> memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $
> janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $
> aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
>     2.5.13.35 (certificateMatch): matchingRuleUse: ( 2.5.13.35 NAME
> 'certificateMatch' APPLIES ( cACertificate $ userCertificate ) )
>     2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
> 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
>     2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
> 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
> supportedApplicationContext $ ldapSyntaxes $ supportedFeatures $
> supportedExtension $ supportedControl ) )
>     2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29
> NAME
> 'integerFirstComponentMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $
> ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning
> $
> shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $
> mailPreferenceOption $ supportedLDAPVersion ) )
>     2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
> 'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
>     2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
> NAME
> 'protocolInformationMatch' APPLIES protocolInformation )
>     2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
> 'uniqueMemberMatch' APPLIES uniqueMember )
>     2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
> NAME
> 'presentationAddressMatch' APPLIES presentationAddress )
>     2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
> 'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $
> telephoneNumber )
> )
>     2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
> 'octetStringMatch' APPLIES userPassword )
>     2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
> 'bitStringMatch' APPLIES x500UniqueIdentifier )
>     2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
> 'integerMatch'
> APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $
> shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
> shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
> supportedLDAPVersion ) )
>     2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
> 'booleanMatch'
> APPLIES hasSubordinates )
>     2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
> 'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $
> postalAddress ) )
>     2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
> 'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) )
>     2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME
> 'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $
> serialNumber ) )
>     2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
> 'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
> serialNumber ) )
>     2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
> 'caseExactMatch'
> APPLIES ( nisMapName $ ipServiceProtocol $ preferredLanguage $
> employeeType $
> employeeNumber $ displayName $ departmentNumber $ carLicense $
> documentPublisher
> $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $
> personalTitle $
> documentLocation $ documentVersion $ documentTitle $ documentIdentifier $
> host $
> userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $
> dmdName $
> houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName
> $
> destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $
> postalCode $
> businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
> serialNumber $ sn $ knowledgeInformation $ labeledURI $ cn $ name $ ref $
> vendorVersion $ vendorName $ supportedSASLMechanisms ) )
>     2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME
> 'caseIgnoreSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $
> serialNumber ) )
>     2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME
> 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
> serialNumber ) )
>     2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
> 'caseIgnoreMatch' APPLIES ( nisMapName $ ipServiceProtocol $
> preferredLanguage $
> employeeType $ employeeNumber $ displayName $ departmentNumber $
> carLicense $
> documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier
> $ co
> $ personalTitle $ documentLocation $ documentVersion $ documentTitle $
> documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $
> textEncodedORAddress $ uid $ dmdName $ houseIdentifier $ dnQualifier $
> generationQualifier $ initials $ givenName $ destinationIndicator $
> physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory
> $
> description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $
> knowledgeInformation $ labeledURI $ cn $ name $ ref $ vendorVersion $
> vendorName
> $ supportedSASLMechanisms ) )
>     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
> 'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $
> secretary $
> documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $
> distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry
> $
> modifiersName $ creatorsName ) )
>     2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
> 'objectIdentifierMatch' APPLIES ( supportedApplicationContext $
> supportedFeatures $ supportedExtension $ supportedControl ) )
> slapd startup: initiated.
> backend_startup: starting "dc=webbenabled,dc=com"
> bdb_db_open: dc=webbenabled,dc=com
> bdb_db_open: dbenv_open(/var/lib/ldap)
> slapd starting
> ldap_pvt_gethostbyname_a: host=server1.xxx.webbenabled.com, r=0
> connection_get(11)
> connection_get(11): got connid=0
> connection_read(11): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 62 contents:
> ber_get_next
> ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
> do_search
> ber_scanf fmt ({miiiib) ber:
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> SRCH "" 0 0    0 0 0
> ber_scanf fmt (m) ber:
>     filter: (objectClass=*)
> ber_scanf fmt ({M}}) ber:
>     attrs: supportedSASLMechanisms
> => send_search_entry: dn=""
> ber_flush: 62 bytes to sd 11
> <= send_search_entry
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=1 tag=101 err=0
> ber_flush: 14 bytes to sd 11
> connection_get(11)
> connection_get(11): got connid=0
> connection_read(11): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 24 contents:
> ber_get_next
> ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt ({m) ber:
> ber_scanf fmt (}}) ber:
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_sasl_bind: dn () mech DIGEST-MD5
> ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
> SASL [conn=0] Debug: DIGEST-MD5 server step 1
> send_ldap_sasl: err=14 len=200
> send_ldap_response: msgid=2 tag=97 err=14
> ber_flush: 219 bytes to sd 11
> <== slap_sasl_bind: rc=14
> connection_get(11)
> connection_get(11): got connid=0
> connection_read(11): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 330 contents:
> ber_get_next
> ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt ({m) ber:
> ber_scanf fmt (m) ber:
> ber_scanf fmt (}}) ber:
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_sasl_bind: dn () mech DIGEST-MD5
> ==> sasl_bind: dn="" mech=<continuing> datalen=298
> SASL [conn=0] Debug: DIGEST-MD5 server step 2
> SASL Canonicalize [conn=0]: authcid="root"
> slap_sasl_getdn: id=root [len=4]
> => ldap_dn2bv(16)
> ldap_err2string
> <= ldap_dn2bv(uid=root,cn=DIGEST-MD5,cn=auth)=0 Success
> slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
> >>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
> => ldap_bv2dn(uid=root,cn=DIGEST-MD5,cn=auth,0)
> ldap_err2string
> <= ldap_bv2dn(uid=root,cn=DIGEST-MD5,cn=auth)=0 Success
> => ldap_dn2bv(272)
> ldap_err2string
> <= ldap_dn2bv(uid=root,cn=digest-md5,cn=auth)=0 Success
> <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL Canonicalize [conn=0]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
> Killed
> ---END---
>
> Any ideas what I've done incorrectly?
>
> Thanks in advance for your help!
> --
> Paul Webb
> WebbEnabled Solutions, LLC
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
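
One way to carry out the run-time library check suggested in the reply, as an added example that is not part of the original thread or of OpenLDAP: the function reads `ldd`-style output and reports whether each library was resolved from the `-L` directory given on the quoted configure line. The function names, the sample `ldd` output, and its sonames and load addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare where the loader resolves libraries with the -L
# directories used at build time. Reads `ldd`-style output on stdin.
# Arguments: NAME_PREFIX=EXPECTED_DIR pairs (soname prefix, directory).
check_runtime_libs() {
    ldd_out=$(cat)
    status=0
    for spec in "$@"; do
        name=${spec%%=*}
        want=${spec#*=}
        # ldd lines look like: libdb-4.3.so => /path/libdb-4.3.so (0x...)
        line=$(printf '%s\n' "$ldd_out" |
            awk -v n="$name" 'index($1, n) == 1 { print; exit }')
        if [ -z "$line" ]; then
            echo "ABSENT   $name (not a dynamic dependency)"
            status=1
            continue
        fi
        path=$(printf '%s\n' "$line" | awk '{ print $3 }')
        case $path in
            "$want"/*) echo "OK       $name -> $path" ;;
            not)       echo "UNFOUND  $name (loader cannot resolve it)"
                       status=1 ;;
            *)         echo "MISMATCH $name -> $path (linked with -L$want)"
                       status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample output (sonames, paths and addresses are illustrative).
SAMPLE_LDD='    libdb-4.3.so => /usr/local/BerkeleyDB.4.3/lib/libdb-4.3.so (0x00111000)
    libssl.so.4 => /lib/libssl.so.4 (0x00222000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x00333000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00555000)'

# Runs the check on the sample with the -L directories from the configure line.
run_sample() {
    printf '%s\n' "$SAMPLE_LDD" | check_runtime_libs \
        'libdb-=/usr/local/BerkeleyDB.4.3/lib' \
        'libssl=/usr/local/ssl/lib' \
        'libcrypto=/usr/local/ssl/lib'
}

# Real use: ldd /usr/local/libexec/slapd | check_runtime_libs NAME=DIR ...
run_sample || echo "sample: at least one library resolved outside its -L dir"
```

A MISMATCH line means the binary was linked with one copy of a library on the `-L` path while the loader picks up another copy at run time, which is the header/object disagreement the reply describes.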