[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG - SOLVED

To: battery@writeme.com
Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG - SOLVED
From: Francesco Cicolani <francescocicolani@yahoo.it>
Date: Mon, 15 Jun 2009 21:27:43 +0000 (GMT)
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.it; s=s1024; t=1245101263; bh=eV07a2Dvi3CVFUvFO1YYNBXd9yXynTmYKP4I9pM8eWw=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding; b=ij4Cgo2A8WEjJA187CqC9CaUfqdJjSNB5SJtAm1NrcAcjaVOtnhXckO++KFG/eDdNAtYQ7xhiWAy4L98qyNQhwtKehMyEs170VHpsPw5qcs2LkkOmBXJtvBUcZ5WVwbunb9/7+XtCNSUplnrZblnR6g6l28X6anzNAEo1KH10EI=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.it; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding; b=CJxm855QIRdggNuP1xvbvQ4C+1C6hHoMPmd+zTriZbZ0FATVtm5UqukrI+XC35UA+ogWgZCboKJOeQPN6+NX1rIZ/UmBP+KQZp56eCpfHb/287IYzrpIPj+zDN6ujt+BGc2dwn/++TmG5Fxc6sUMZLUQuv2LxoQQ+GRIW6Mt/vw=;

You got it Matt!

I really missed the point that an apparmor profile for slapd is generated by default in Ubuntu during openldap installation.

I did a test putting slapd apparmor profile in compliant-mode and all went well this time!

Now, time for a resume of the steps I eventually made to successfully change Berkeley DB data and log file directories, integrated with a BDB backup and recovery, on Ubuntu 8.04.2 with Apparmor framework enabled, just in case it could also help someone else having similar problems in the future:

1. Make a standard BDB backup (see Berkeley DB Reference Guide, in particular: http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html):
   1.1. stop slapd
   1.2. force a checkpoint with db4.2_checkpoint -1v
   1.3. copy all .bdb files returned by db4.2_archive -s to backup location /backup (cp -p)
   1.4. copy all log.XXXXXXXXXX files returned by db4.2_archive -l to backup location /backup (cp -p)

2. Update apparmor profile for slapd (/etc/apparmor.d/usr.sbin.slapd):
   ## customized bdb data and log files:
   /new/path/to/bdbdata/ r,
   /new/path/to/bdbdata/* rw,
   /new/path/to/bdblogs/ r,
   /new/path/to/bdblogs/* rw,
   ## lock file in customized bdbdata dir
   /new/path/to/bdbdata/alock kw, 

3. Parse updated apparmor profile for slapd:
   apparmor_parser -r < /etc/apparmor.d/usr.sbin.slapd

4. Update bdb data 'directory' directive in slapd.conf
   directory       "/new/path/to/bdbdata"

5. remove all .bdb, alock, __db.XXX and log.XXXXXXXXXX files from /var/lib/ldap (old default location)

6. edit DB_CONFIG file with new directives set_data_dir and set_lg_dir:
   # Directory for the data files
   set_data_dir /new/path/to/bdbdata
   [...]
   # Directory for the logfiles
   set_lg_dir /new/path/to/bdblogs

7. move DB_CONFIG file to /new/path/to/bdbdata and verify ownerships are preserved:
   -rw-r--r-- 1 openldap openldap     410 2009-06-15 22:00 DB_CONFIG

8. copy .bdb files from backup location /backup to /new/path/to/bdbdata (cp -p)

9. copy log.XXXXXXXXXX file from backup location /backup to /new/path/to/bdblogs (cp -p)

10. Finally, cd to /new/path/to/bdbdata and issue the recovery command (as root):
    root@bob:/new/path/to/bdbdata# db4.2_recover -cv
      db_recover: Finding last valid log LSN: file: 1 offset 141201
      db_recover: Recovery starting from [1][28]
      db_recover: Recovery complete at Mon Jun 15 22:14:04 2009
      db_recover: Maximum transaction ID 80000044 Recovery checkpoint [1][141201]

11. Restart slapd and force a checkpoint just to keep things clean on db side:
    root@bob:/new/path/to/bdbdata# /etc/init.d/slapd start
    root@bob:/new/path/to/bdbdata# db4.2_checkpoint -1v
      db_checkpoint: checkpoint: Mon Jun 15 22:18:03 2009

Note1: doing a backup and recovery of bdb could not be strictly required, but I thought that removing the bdb data and log files from the old path would contribute to keep things cleaner.

Note2: putting slapd logging level to 'any' prior to restarting slapd would help to troubleshoot startup problems and verify that bdb starts cleanly.

Thank you again guys!... and see you to the next 'mayday' thread! =)

fra

--- On Mon, 6/15/09, Matt Kassawara <battery@writeme.com> wrote:

> From: Matt Kassawara <battery@writeme.com>
> Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after  setting different data and log directories in DB_CONFIG
> To: "Klaus Lemkau" <klaus.lemkau@tu-berlin.de>
> Cc: "Francesco Cicolani" <francescocicolani@yahoo.it>, openldap-technical@openldap.org
> Date: Monday, June 15, 2009, 6:40 PM
> By default, the Ubuntu AppArmor
> profile for slapd prevents it from writing databases to
> anywhere but /var/lib/ldap.  You'll need to modify the
> usr.sbin.slapd profile in /etc/apparmor.d to correct the
> problem.
> 
> Matt

Prev by Date: Re: LDAP search question
Next by Date: RE: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
Index(es):
- Chronological
- Thread