Bug 532108

Summary: slapd init script flooding error messages
Product: [Fedora] Fedora
Component: openldap
Version: 12
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Daniel Qarras <dqarras>
Assignee: Jan Zeleny <jzeleny>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jzeleny
Keywords: Reopened
Fixed In Version: 2.4.19-1.fc12
Doc Type: Bug Fix
Last Closed: 2009-12-10 04:25:06 UTC
Attachments (description; flags):
Shut up slapd init script when using traditional slapd.conf instead of slapd.d; none
Patch for better init script transition between new and old config; none
Second version of previous patch; none

Description Daniel Qarras 2009-10-30 16:50:27 UTC
Description of problem:
After installing Fedora 12 Beta, setting up the database for the LDAP server, and putting in place a slapd.conf which has worked for many, many releases, I could not start slapd at all because there were some installation-time default configuration files under slapd.d using dc=my-domain,dc=com. I removed them and now slapd is otherwise running OK, but I see these errors printed every time I restart slapd:

root@localhost:~# /etc/init.d/slapd restart
Stopping slapd:                                            [  OK  ]
ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*: No such file or directory
egrep: /etc/openldap/slapd.d//cn=config.ldif: No such file or directory
Starting slapd:                                            [  OK  ]
root@localhost:~# 

Because these errors are not fatal, they probably should be redirected to a log or /dev/null.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.18-5.fc12.i686

How reproducible:
Always

Steps to Reproduce:
1. rm -rf slapd.d/*
2. vi slapd.conf
3. service slapd restart
  
Actual results:
Non-fatal errors printed on screen

Expected results:
No non-fatal errors on screen

Additional info:

Comment 1 Jan Zeleny 2009-11-02 09:09:34 UTC
Actually, the directory slapd.d is a new means of configuring openldap, which has been activated in rawhide. In your report those messages aren't really an issue. They are here for a good reason - to let you know the config dir is missing and slapd is falling back to the second option - the old config file.

I understand you installed Fedora rawhide, replaced the config file and ran slapd, right? Well, that might be the real issue. Openldap generates the slapd.d directory during installation/update using one of the openldap tools. For you I recommend a similar approach:

1. yum install openldap openldap-clients openldap-servers
2. rm -rf /etc/openldap/slapd.d/*
3. Replace slapd.conf with your version of it
4. Add these lines to slapd.conf before any line beginning with "database" or "backend"

database config
rootdn "cn=admin,cn=config"
#rootpw secret

5. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
6. chown -R ldap:ldap /etc/openldap/slapd.d
7. chmod -R 000 /etc/openldap/slapd.d
8. chmod -R u+rwX /etc/openldap/slapd.d
9. mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf-bak
10. Run service slapd start

Let me know if this works for you.

Comment 2 Daniel Qarras 2009-11-04 10:12:35 UTC
Thanks for looking into this.

I now see how this is supposed to work but I encountered a few rough edges along the way.

Most irrelevant first, during installation I noticed something printed to stdout or stderr:

Running Transaction
  Installing     : openldap-servers-2.4.18-5.fc12.i686                      1/2 
/etc/pki/tls/certs /
/
  Installing     : openldap-clients-2.4.18-5.fc12.i686                      2/2 

The actual check and other steps passed but SELinux issues are now preventing me from running slapd:

root@localhost:~# restorecon -v -R /etc/openldap /var/lib /var/run
root@localhost:~# /etc/init.d/slapd stop 
Stopping slapd:                                            [FAILED]
root@localhost:~# /etc/init.d/slapd start
ln: accessing `/var/run/openldap/slapd.pid': No such file or directory

I'm running SELinux in enforcing mode, but I've run restorecon for /etc/openldap and /var/run/openldap to no avail. I see these errors in syslog:

Raw Audit Messages :

node=localhost.localdomain type=AVC msg=audit(1257329406.787:218): avc: denied { module_request } for pid=2543 comm="slapd" scontext=unconfined_u:system_r:slapd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=localhost.localdomain type=SYSCALL msg=audit(1257329406.787:218): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=bfa1b310 a2=8bc818 a3=1 items=0 ppid=2542 pid=2543 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)

Comment 3 Daniel Qarras 2009-11-04 10:28:52 UTC
And now after rebooting to SELinux permissive mode I see the same error again:

+ /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/slapd -h " ldap:///" -u ldap'
+ '[' 0 -eq 0 ']'
+ success 'slapd startup'
+ '[' color '!=' verbose -a -z '' ']'
+ echo_success
+ '[' color = color ']'
+ echo -en '\033[60G'
                                                           + echo -n '['
[+ '[' color = color ']'
+ echo -en '\033[0;32m'
+ echo -n '  OK  '
  OK  + '[' color = color ']'
+ echo -en '\033[0;39m'
+ echo -n ']'
]+ echo -ne '\r'
+ return 0
+ return 0
+ RETVAL=0
+ '[' 0 -eq 0 ']'
+ touch /var/lock/subsys/slapd
+ ln /var/run/openldap/slapd.pid /var/run/slapd.pid
ln: accessing `/var/run/openldap/slapd.pid': No such file or directory
+ echo

+ return 0

Now with the new configuration system I don't have a clue even where to turn on more verbose logging - the good old loglevel parameter is only present in the backup of my configuration file.

This feels bad since now my LDAP configuration which has worked since the beginning of time seems to be broken. Is there any way to just use the good old proven one-configuration-file method?

Comment 4 Jan Zeleny 2009-11-04 12:19:58 UTC
I think the issue you are describing now is related to something completely different. See bug 523434. There were some changes in the init script in order to achieve behavior compatible with Fedora requirements. Unfortunately, openldap's handling of the pid file isn't perfect, which led to some ugly hacks, and those resulted in your error. I will look at this; hopefully I can come up with a solution soon.

As for more verbose logging - there should be no problem converting the old config file to a config dir, including the loglevel; it just has to be present in the config file.

As for the old config style: just copy your old config file to /etc/openldap/slapd.conf, delete /etc/openldap/slapd.d and run slapd manually - that should do the trick. If you want to use the init script, you'd have to use the old one, because the new one is modified to support the config directory.

Comment 5 Jan Zeleny 2009-11-05 10:28:21 UTC
Since the original issue has been cleared, I'm closing this bug and opening a new one for the SELinux issue.

Comment 6 Daniel Qarras 2009-11-06 20:53:38 UTC
Just for reference, the SELinux issue is

https://bugzilla.redhat.com/show_bug.cgi?id=533157

Comment 7 Daniel Qarras 2009-11-06 21:27:05 UTC
Actually I have to reopen this one.

Everything works just perfectly with the good old slapd.conf if one just does:

1. yum install openldap openldap-clients openldap-servers
2. rm -rf /etc/openldap/slapd.d/*
3. Replace /etc/openldap/slapd.conf with your version of it
4. service slapd start

Currently one can see error messages from the init script but they are harmless and can be redirected to /dev/null.

In fact, I will attach such a trivial patch to fix the issue.

Thanks.

Comment 8 Daniel Qarras 2009-11-06 21:27:58 UTC
Created attachment 367893
Shut up slapd init script when using traditional slapd.conf instead of slapd.d

Comment 9 Jan Zeleny 2009-11-09 08:12:37 UTC
Yeah, well, I will think about it, but I don't like this form of it. I know the patch is simple, but you just gave me an idea to extend it a little bit, so the init script would give the user a warning that slapd.conf isn't a fully supported configuration method any more.

Comment 10 Daniel Qarras 2009-11-09 10:35:56 UTC
Ok, sounds ok, perhaps however with an option in /etc/sysconfig/slapd to silence the warning / define that slapd.conf is wanted if the user knows what s/he is doing? Thanks.

Comment 11 Jan Zeleny 2009-11-10 08:12:47 UTC
Created attachment 368340
Patch for better init script transition between new and old config

I thought about it a little more and I came up with what I think is an even better patch. It takes away the restrictions requiring the slapd.d directory and keeps the functionality. I think it will be the best option until support for the old config style is dropped entirely.

Comment 12 Daniel Qarras 2009-11-10 19:32:22 UTC
Looks better but now getting a new error message:

root@localhost:~# rm -rf /etc/openldap/slapd.d/
root@localhost:~# /etc/init.d/slapd stop
Stopping slapd:                                            [FAILED]
root@localhost:~# /etc/init.d/slapd start
find: `directory/': No such file or directory
Starting slapd:                                            [  OK  ]
root@localhost:~#

Comment 13 Jan Zeleny 2009-11-11 07:45:23 UTC
Created attachment 368995
Second version of previous patch

I have a second version, which fixes your issue. I hope everything will be ok now.

Comment 14 Bug Zapper 2009-11-16 14:42:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 15 Daniel Qarras 2009-11-16 21:34:30 UTC
Yes, this works perfectly, thanks a lot!

Comment 16 Jan Zeleny 2009-11-18 09:44:01 UTC
No problem. Closing this bug. Patch is already in rawhide, F12 update will be issued soon.

Comment 17 Fedora Update System 2009-11-19 08:04:28 UTC
openldap-2.4.19-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openldap-2.4.19-1.fc12

Comment 18 Daniel Qarras 2009-11-19 19:28:43 UTC
Please don't shoot the messenger but with 2.4.19-1.fc12 I see:

root@localhost:~# /etc/init.d/slapd start
ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*: No such file or directory
egrep: /etc/openldap/slapd.d//cn=config.ldif: No such file or directory
Starting slapd:                                            [  OK  ]
root@localhost:~# /etc/init.d/slapd status
slapd (pid  3908) is running...
root@localhost:~# /etc/init.d/slapd stop  
Stopping slapd:                                            [  OK  ]
root@localhost:~# /etc/init.d/slapd stop

zsh: exit 7     /etc/init.d/slapd stop
root@localhost:~# /etc/init.d/slapd start
ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*: No such file or directory
egrep: /etc/openldap/slapd.d//cn=config.ldif: No such file or directory
Starting slapd:                                            [  OK  ]
root@localhost:~# /etc/init.d/slapd start

zsh: exit 1     /etc/init.d/slapd start
root@localhost:~# /etc/init.d/slapd status
slapd (pid  3956) is running...
root@localhost:~# /etc/init.d/slapd stop  
Stopping slapd:                                            [  OK  ]
root@localhost:~# /etc/init.d/slapd stop

zsh: exit 7     /etc/init.d/slapd stop
root@localhost:~# /etc/init.d/slapd status
slapd is stopped
zsh: exit 3     /etc/init.d/slapd status
root@localhost:~#

Comment 19 Fedora Update System 2009-11-20 05:12:37 UTC
openldap-2.4.19-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11725

Comment 20 Jan Zeleny 2009-11-20 11:08:50 UTC
Please make sure you delete entire slapd.d directory, not only its contents. If the problem persists, let me know.
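
The difference between an emptied slapd.d and a missing one (comments 18 and 20), plus the permission steps 7-8 from comment 1, as an added example; this is not the Fedora init script or either attached patch. The function names, the state labels and the rule of testing for cn=config.ldif (taken from the paths in the error output) are assumptions, and the scratch tree is constructed.

```shell
#!/bin/sh
# Added example: not the Fedora init script and not the attached patches.
# Paths are arguments so the logic can run on a scratch tree; on the system
# in this report they would be /etc/openldap/slapd.d and /etc/openldap/slapd.conf.

# Report the configuration source without emitting ls/egrep-style errors:
#   slapd.d    directory holds a converted tree (cn=config.ldif + cn=config/)
#   stale-dir  directory exists but was emptied (the case in comment 20)
#   slapd.conf no directory at all, legacy file present
#   none       neither is present
slapd_config_state() {   # $1 = config dir, $2 = legacy config file
    if [ -d "$1" ]; then
        if [ -f "$1/cn=config.ldif" ] && [ -d "$1/cn=config" ]; then
            echo slapd.d
        else
            echo stale-dir
        fi
    elif [ -f "$2" ]; then
        echo slapd.conf
    else
        echo none
    fi
}

# Print entries under the config dir that still grant group/other access,
# i.e. bits that steps 7-8 of comment 1 (chmod 000, then u+rwX) would clear.
slapd_d_loose_perms() {  # $1 = config dir
    [ -d "$1" ] || return 0
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Constructed scratch tree standing in for /etc/openldap.
demo=$(mktemp -d)
touch "$demo/slapd.conf"
echo "no slapd.d:      $(slapd_config_state "$demo/slapd.d" "$demo/slapd.conf")"
mkdir "$demo/slapd.d"
echo "emptied slapd.d: $(slapd_config_state "$demo/slapd.d" "$demo/slapd.conf")"
mkdir "$demo/slapd.d/cn=config"
touch "$demo/slapd.d/cn=config.ldif"
chmod 755 "$demo/slapd.d/cn=config"
echo "converted tree:  $(slapd_config_state "$demo/slapd.d" "$demo/slapd.conf")"
echo "loose entries before chmod:"; slapd_d_loose_perms "$demo/slapd.d"
chmod -R go-rwx "$demo/slapd.d"
echo "loose entries after chmod: $(slapd_d_loose_perms "$demo/slapd.d" | wc -l)"
rm -rf "$demo"
```
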

Comment 21 Fedora Update System 2009-12-10 04:24:46 UTC
openldap-2.4.19-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.