Re: MDB_BAD_RSLOT while executing slapacl
Howard Chu <hyc@symas.com> wrote on Thu, 12 Dec 2013 15:24:00 +0400:
Igor Zinovik wrote:
2013/12/12 Howard Chu <hyc@symas.com>
You should upgrade to get the fix for #7662.
I upgraded my slapd to 2.4.38, but I still see the error message when I execute slapacl.
I also removed data.mdb and lock.mdb, imported the data back into LDAP using a backup copy, and I still see the error message.
Post your config, sample data, and the exact slapacl command you used.
I started with an empty config and an empty database with slapd-2.4.38:
# sudo slapadd -F /etc/openldap/slapd.d -n0 -l config.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
I import a single object into my catalog:
# cat initial-import.ldif
dn: dc=example,dc=org
dc: example
objectClass: organization
objectClass: dcObject
o: Example
# sudo slapadd -F /etc/openldap/slapd.d -b dc=example,dc=org -l config.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
Trying to check access:
# sudo slapacl -F /etc/openldap/slapd.d -D uid=zinovik,ou=people,dc=example,dc=org \
-b dc=example,dc=org o/read
authcDN: "uid=zinovik,ou=people,dc=example,dc=org"
52abd7bc mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
read access to o: ALLOWED
Here is my config (with cn=schema,cn=config omitted):
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.bak
olcConfigDir: slapd.d
olcArgsFile: /var/run/slapd/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/slapd/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 1 ldap://ldap1.example.org
olcServerID: 2 ldap://ldap2.example.org
olcServerID: 3 ldap://ldap3.example.org
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 8
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateKeyFile: /etc/openldap/ldap.key
olcTLSCRLCheck: none
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/example-ca-bundle.crt
olcTLSCertificateFile: /etc/openldap/ldap.crt
olcLogLevel: config sync
dn: cn=schema,cn=config
...
[omitted]
...
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap/modules
olcModuleLoad: {0}accesslog
olcModuleLoad: {1}memberof
olcModuleLoad: {2}pcache
olcModuleLoad: {3}refint
olcModuleLoad: {4}syncprov
olcModuleLoad: {5}unique
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=groups,dc=example,dc=org" write
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
olcSyncUseSubentry: FALSE
olcMirrorMode: TRUE
olcMonitoring: FALSE
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none
olcSyncrepl: {2}rid=003 provider=ldap://ldap3.example.org binddn="cn=admin,cn=config" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLimits: {0}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc=ru" size=unlimited
olcLimits: {1}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc=ru" time=unlimited
olcLimits: {2}group/groupOfNames/member="cn=admins,ou=mail,ou=groups,dc=example,dc=ru" size=unlimited
olcLimits: {3}group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=ru" size=unlimited time=unlimited
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=004 provider=ldap://ldap1.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bunle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=org" schemachecking=on type=refreshAndPersist retry="60 +"
olcSyncrepl: {1}rid=005 provider=ldap://ldap2.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=ru" schemachecking=on type=refreshAndPersist retry="60 +"
olcSyncrepl: {2}rid=006 provider=ldap://ldap3.example.org bindmethod=simple binddn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXXXX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=ru" schemachecking=on type=refreshAndPersist retry="60 +"
olcMirrorMode: TRUE
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,approx,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: memberUid eq
olcDbIndex: member eq
olcDbIndex: sudoUser eq,sub
olcDbIndex: uniqueMember eq
olcDbIndex: uidNumber eq
olcDbIndex: rfc822MailMember eq
olcDbIndex: gidNumber eq
olcDbIndex: mail eq,sub
olcDbIndex: zoneName eq
olcDbIndex: relativeDomainName eq
olcDbIndex: dlzHostName,dlzZoneName,dlzRecordID,dlzType eq,pres
olcDbIndex: dhcpHWAddress,dhcpClassData eq
olcDbIndex: sudoHost eq,sub
olcDbIndex: accountStatus eq
olcDbIndex: dc eq
olcDbMaxReaders: 0
olcDbMaxSize: 1073741824
olcDbMode: 0600
olcDbSearchStack: 16
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
olcAccess: {1}to * by * read
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: seeAlso
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintNothing: cn=EMPTY
dn: olcOverlay={2}unique,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {2}unique
olcUniqueURI: ldap:///ou=Hosts,dc=example,dc=org?ipHostNumber?sub
olcUniqueURI: ldap:///ou=People,dc=example,dc=org?uid,uidNumber?sub
olcUniqueURI: ldap:///ou=Groups,dc=example,dc=org?cn,gidNumber?sub
olcUniqueURI: ldap:///ou=Mail,dc=example,dc=org?mail,mailLocalAddress?sub
dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=groups,dc=example,dc=org" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE