Bug 476488

Summary: OpenLDAP's bdb doesn not support F10 supplied Berkely DB
Product: [Fedora] Fedora Reporter: Wilfried Spillemaeckers <wilfried>
Component: openldapAssignee: Jan Safranek <jsafrane>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: 10CC: jsafrane
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-15 14:26:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Wilfried Spillemaeckers 2008-12-15 08:31:58 UTC 
Description of problem:
Upgrade from FC8 to FC10.
Was using LDBM in FC8 but this is no longer supported.
Changed to bdb in slapd.conf.
LDAP refuses to start wiht following error :
bdb(dc=nneos,dc=com): Program version 4.6 doesn't match environment version 4.4

I believe bdb shipped with FC10 upgrade is bdb-v4.4 where the OpenLDAP shipped expects bdb-4.6

Version-Release number of selected component (if applicable):OpenLDAP 2.4.12


How reproducible: upgrade to 2.4.12 from 2.3.x


Steps to Reproduce:
1. Have OpenLDAP 2.3.x
2. Upgrade to 2.4.12
3.
  
Actual results: bdb(dc=nneos,dc=com): Program version 4.6 doesn't match environment version 4.4


Expected results: start normally


Additional info: Found no workaround so far.  Obviously, workaround would be to remove OpenLDAP completely but I will be filing a bug against yum remove as that wants to remove everything on my system in that case.
Comment 1 Wilfried Spillemaeckers 2008-12-15 11:09:03 UTC 
Obvious workaround would be to remove OpenLDAP and bdb and reinstall earlier version.  However, doing that would break my system (what I though was a bug of yum is actually  not a bug it seems).
This means ldap authentication using bdb does not work in FC10.
Comment 2 Jan Safranek 2008-12-15 11:39:50 UTC 
There must be something wrong in your environment... LDAP server (/usr/sbin/slapd) comes with its own db4 library to prevent exactly the errors you see.

Please post result of following commands:
rpm -qf /usr/sbin/slapd
ldd -r /usr/sbin/slapd
rpm -qa | egrep "ldap|db4"

The openldap-servers rpm package tries to update BDB database in /var/lib/ldap to the current version, but since you used ldbm instead of bdb backend, you must convert the database on your own. The script can't work in all possible OpenLDAP usage scenarios and works only in the default one.
Comment 3 Wilfried Spillemaeckers 2008-12-15 12:09:36 UTC 
Below the output of the commands as per your request.
Understand what you are saying about ldbm to dbd conversion, but :
- this conversion is only possible by exporting ldbm to ldif and then importing into bdb (at least to my knowledge - have been looking for a tool that does it without going through ldif)
- this means you have to be able to start up bdb before importing the ldif, which I am unable to do.


rpm -qf /usr/sbin/slapd :
openldap-servers-2.4.12-1.fc10.i386

ldd -r /usr/sbin/slapd:
linux-gate.so.1 =>  (0x00130000)
	libltdl.so.3 => /usr/lib/libltdl.so.3 (0x00133000)
	libdl.so.2 => /lib/libdl.so.2 (0x0013a000)
	libslapd_db-4.6.so => /usr/lib/libslapd_db-4.6.so (0x0013f000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00273000)
	libssl.so.7 => /lib/libssl.so.7 (0x0028c000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x002d7000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00425000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00458000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x0046f000)
	libwrap.so.0 => /lib/libwrap.so.0 (0x00489000)
	libc.so.6 => /lib/libc.so.6 (0x00492000)
	/lib/ld-linux.so.2 (0x00110000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00606000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00635000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0x006d4000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x006d7000)
	libz.so.1 => /lib/libz.so.1 (0x006fc000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x00710000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0072a000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00734000)
	libselinux.so.1 => /lib/libselinux.so.1 (0x00737000)

rpm -qa | egrep "ldap|db4" :
compat-db45-4.5.20-5.fc10.i386
mozldap-6.0.5-4.fc10.i386
smbldap-tools-0.9.5-2.fc10.noarch
mozldap-tools-6.0.5-4.fc10.i386
openldap-devel-2.4.12-1.fc10.i386
nss_ldap-261-4.fc10.i386
python-ldap-2.3.5-1.fc10.i386
db4-4.7.25-6.fc10.i386
php-ldap-5.2.6-5.i386
phpldapadmin-1.1.0.5-2.fc10.noarch
ldapjdk-javadoc-4.18-1.fc9.i386
db4-devel-4.7.25-6.fc10.i386
openldap-clients-2.4.12-1.fc10.i386
gpg-pubkey-db42a60e-37ea5438
openldap-2.4.12-1.fc10.i386
ldapjdk-4.18-1.fc9.i386
db4-cxx-4.7.25-6.fc10.i386
openldap-servers-2.4.12-1.fc10.i386
compat-db46-4.6.21-5.fc10.i386
Comment 4 Jan Safranek 2008-12-15 14:00:48 UTC 
The packages seem to be correct, so are the libraries. Does the slapd start if you use the default config file, which comes with the rpm and with empty /var/lib/ldap? If so, could you post your config file?

And you can probably erase content of /var/lib/ldap anyway (AFTER you convert it to ldif format!), maybe some files there confuse slapd.

Regarding the import/export - yes, you need to export the database from ldbm to ldif. Best with Fedora 8 (I know it's not much helpful, when you have F10 now).
Comment 5 Wilfried Spillemaeckers 2008-12-15 14:27:33 UTC 
Removing the ldbm files indeed got rid of the above error.
When starting ldap now (with the new conf file from the rpm as well as with my own conf file) got me the below error :

bdb_db_open: database "dc=nneos,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).

I see a number of db files have been created but not the above.
Comment 6 Wilfried Spillemaeckers 2008-12-15 14:33:50 UTC 
For completeness sake, the below files have been created :

ls -l /var/lib/ldap
total 576
-rw-r--r-- 1 ldap root   2048 2008-12-15 15:24 alock
-rw------- 1 ldap root  24576 2008-12-15 15:24 __db.001
-rw------- 1 ldap root 147456 2008-12-15 15:24 __db.002
-rw------- 1 ldap root 270336 2008-12-15 15:24 __db.003
-rw------- 1 ldap root  98304 2008-12-15 15:24 __db.004
-rw------- 1 ldap root 475136 2008-12-15 15:24 __db.005
-rw------- 1 ldap root  32768 2008-12-15 15:24 __db.006
Comment 7 Wilfried Spillemaeckers 2008-12-16 09:23:14 UTC 
Afer googling, I solved that problem by loading a small intial ldif file :
slapadd -f /etc/openldap/slapd.conf -l base.ldif

Now I can run slaptest without errors but slapd still fails to start.
Comment 8 Wilfried Spillemaeckers 2008-12-16 09:46:59 UTC 
Finally solved the problem.

The slapd logfile returned :
slapd[24492]: daemon: bind(7) failed errno=98 (Address already in use)

So I did :

lsof -i :389
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ns-slapd 18487 nobody    7u  IPv6 585761      0t0  TCP *:ldap (LISTEN)

I killed this process, and lo, it worked.

Thanks for pointing me in the right direction.

However, I am not convinced this should not be called a bug.  I don't think the release notes of FC10 warn that if you are on LDBM you should export to LDIF, erase the /var/lib/ldap directory, or probably better, convert to BDB before you start the upgrade process.
Comment 9 Jan Safranek 2009-01-15 14:26:08 UTC 
I am sorry, we cannot provide upgrade instructions for every package Fedora ships. There is nice description at OpenLDAP site, saying how to upgrade the database, backups is one of the first steps:

http://www.openldap.org/faq/data/cache/842.html

I try to make the upgrade as painless as possible and it should not delete any your data. I know, I should have added some note about end of ldbm to release notes, but now it's too late. There are many changes between releases and this important one slipped through the cracks.