Bug 1206910

Summary: openldap-servers doesn't provide slapd.conf
Product: [Fedora] Fedora
Component: openldap
Version: rawhide
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Niranjan Mallapadi Raghavender <mniranja>
Assignee: Jan Synacek <jsynacek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jsynacek, jv+fedora, phracek, rmeggins
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-30 08:16:15 UTC

Description Niranjan Mallapadi Raghavender 2015-03-29 13:58:14 UTC
Description of problem:
openldap-servers should provide a sample slapd.conf; without slapd.conf, it's not possible to configure the cn=config database.

openldap-servers seems to list slapd.conf and slapd.conf.bak, but they are not available.

# rpm -ql openldap-servers | grep slapd.conf
/etc/openldap/slapd.conf
/etc/openldap/slapd.conf.bak
/usr/share/man/man5/slapd-config.5.gz
/usr/share/man/man5/slapd.conf.5.gz
# ls -l /etc/openldap/slapd.conf
ls: cannot access /etc/openldap/slapd.conf: No such file or directory
# ls -l /etc/openldap/slapd.conf.bak
ls: cannot access /etc/openldap/slapd.conf.bak: No such file or directory



Version-Release number of selected component (if applicable):
openldap-servers-2.4.40-10.fc23.x86_64

How reproducible:

Install openldap-servers-2.4.40-10.fc23.x86_64.
slaptest requires slapd.conf, which is not present.

Comment 1 Jan Synacek 2015-03-30 08:16:15 UTC
# ldapsearch -LLL -H ldapi:// -b cn=config "(olcDatabase=config)"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none

It's been possible to configure the cn=config as root for quite a few releases now.

From the %files section in spec:

# obsolete configuration
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak

I have left these lines in there just so the slapd.conf{,.bak} are owned by the package if they exist. You can still provide your own slapd.conf and everything will work.

Comment 2 Niranjan Mallapadi Raghavender 2015-03-30 08:38:00 UTC
On my system I get this:

After installing openldap-servers, I get this:

[root@pki1 ~]# ldapsearch -LLL -H ldapi:// -b cn=config "(olcDatabase=config)"
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

Comment 3 Niranjan Mallapadi Raghavender 2015-03-30 08:58:43 UTC
After installing openldap-servers on rawhide, I get the above error. Could you give some more info on how you could get ldapsearch with ldapi bind?

Comment 4 Jan Synacek 2015-03-31 06:36:58 UTC
Try using ldapsearch with additional "-Y EXTERNAL" arguments. Also, is your server configured to listen on ldapi:/// ? Your client is trying to use GSSAPI for some reason.

Comment 5 Niranjan Mallapadi Raghavender 2015-03-31 07:55:33 UTC
Thanks, that worked.

# ldapsearch -Y EXTERNAL  -LLL -H ldapi:// -b cn=config "(olcDatabase=config)"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none
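Added example, not part of the original bug thread or of the openldap package: a small audit helper that unfolds the LDIF printed by the ldapsearch command above and reports any olcAccess clause on the config database that grants write or manage to an identity other than the root peercred one. The names ROOT_PEERCRED, SAMPLE_LDIF, unfold, parse_olc_access and unexpected_admins are hypothetical, and the parser assumes plain `by <who> <level>` clauses (no control keywords, no base64-encoded values).

```python
import re

# Identity a root process gets over ldapi:// with SASL EXTERNAL (from the thread).
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Constructed sample: the entry quoted in the thread, with its folded olcAccess line.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none
"""

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by a single space)."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_olc_access(ldif):
    """Return [(index, what, [(who, level), ...])] for each olcAccess value.
    Assumption: every clause has the plain 'by <who> <level>' form."""
    rules = []
    for line in unfold(ldif).splitlines():
        m = re.match(r"olcAccess: \{(\d+)\}to (.+?) by (.+)$", line.rstrip())
        if m:
            parts = (c.rpartition(" ") for c in re.split(r"\s+by\s+", m.group(3)))
            rules.append((int(m.group(1)), m.group(2), [(w, l) for w, _, l in parts]))
    return rules

def unexpected_admins(ldif, allowed=(ROOT_PEERCRED,)):
    """List (rule index, who, level) for write/manage grants outside `allowed`.
    Only an explicit dn.base/dn.exact match on an allowed DN counts as trusted."""
    allowed = {dn.lower() for dn in allowed}
    findings = []
    for idx, _what, clauses in parse_olc_access(ldif):
        for who, level in clauses:
            m = re.fullmatch(r'dn\.(?:base|exact)="(.*)"', who)
            trusted = bool(m) and m.group(1).lower() in allowed
            if level in ("write", "manage") and not trusted:
                findings.append((idx, who, level))
    return findings

if __name__ == "__main__":
    # An empty list means only the root peercred identity can modify cn=config.
    print(unexpected_admins(SAMPLE_LDIF))
```

On a live host, pass the text printed by `ldapsearch -Y EXTERNAL -LLL -H ldapi:// -b cn=config "(olcDatabase=config)"` to `unexpected_admins` instead of the sample.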