Description of problem:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d fails to migrate rootpw to the "new-style" configuration.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.19

How reproducible:
always

Steps to Reproduce:
1. create /etc/openldap/slapd.conf with rootpw
2. run slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
3. restart slapd
4. run e.g. ldapsearch -W -x -D "cn=manager,dc=YOUR_DC" "$@" and enter rootpw from #1 at the prompt.

Actual results:
ldap_bind: Invalid credentials (49)

Expected results:
Dump of LDAP database.

Please, use the latest OpenLDAP package available in RHEL6. Anyway, I'm unable to reproduce the issue with both openldap-servers-2.4.19-15.el6_0.2.x86_64 and openldap-servers-2.4.23-15.el6.x86_64

# service slapd stop
Stopping slapd: [ OK ]
# cd /etc/openldap
# grep ^root slapd.conf.bak
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
# rm -rf slapd.d
# mkdir slapd.d
# slaptest -f slapd.conf.bak -F slapd.d
config file testing succeeded
# grep ^olcRoot slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW:: c2VjcmV0
# chown -R ldap: slapd.d
# service slapd start
Starting slapd: [ OK ]
# ldapsearch -LLL -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
o: xx
dc: my-domain

Please, can you double check?

It seems if you wipe out slapd.d completely, do the slaptest -f slapd.conf.bak -F slapd.d, then chown -R ldap:ldap slapd.d, it will work.

As a naive root user (well, you can't su - ldap anyway), from clean slate:

[root@rendena etc]# yum install openldap-servers
...
Installing : openldap-servers-2.4.19-15.el6_0.2.x86_64
...
[root@rendena openldap]# yum install openldap-clients
...
Installing : openldap-clients-2.4.19-15.el6_0.2.x86_64
...
[root@rendena etc]# cd openldap
[root@rendena openldap]# slappasswd -s 'temp123'
{SSHA}C3MiVoyqm9KOgxQ/r0CdiJ7Mj3iAx4aw
[root@rendena etc]# vi slapd.conf.bak
-- changed:
suffix "dc=nmrfam,dc=wisc,dc=edu"
rootdn "cn=Manager,dc=nmrfam,dc=wisc,dc=edu"
rootpw {SSHA}C3MiVoyqm9KOgxQ/r0CdiJ7Mj3iAx4aw
-- (since "secret" and "My-domain.com" aren't useful to anyone)
[root@rendena openldap]# slaptest -f slapd.conf.bak -F slapd.d
config file testing succeeded
[root@rendena openldap]# service slapd start
Starting slapd: [ OK ]
[root@rendena openldap]# ldapsearch -LL -x -D "cn=Manager,dc=nmrfam,dc=wisc,dc=edu" -w 'temp123'
ldap_bind: Invalid credentials (49)
[root@rendena openldap]# grep ^olcRoot slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com

The purpose of "slaptest -f slapd.conf -F slapd.d" is to convert the old-style configuration to the new one. It cannot be used for updating the configuration. For this purpose, ldapmodify can be used (cn=config root). When slapd.d is empty, attribute olcRootPW is created and set correctly. Therefore I am closing this report as NOTABUG.
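
Added example, not part of the bug thread and not OpenLDAP project code: a Python check of a database entry's LDIF text from slapd.d that reports whether olcRootPW was written, whether it is cleartext or {SSHA}, and whether a candidate password matches it. The function names and the two sample LDIF strings are constructed for illustration and mirror the two grep outputs in the comments above; only cleartext and {SSHA} values are verified.

```python
import base64
import hashlib
import hmac
import re

# Constructed samples mirroring the two grep results in the thread.
LDIF_CONVERTED = "olcRootDN: cn=Manager,dc=my-domain,dc=com\nolcRootPW:: c2VjcmV0\n"
LDIF_STALE = "olcRootDN: cn=Manager,dc=my-domain,dc=com\n"

def parse_root_attrs(ldif_text):
    """Extract olcRootDN / olcRootPW from one database entry of slapd.d."""
    attrs = {}
    # Unfold LDIF continuation lines (a newline followed by a single space).
    for line in ldif_text.replace("\n ", "").splitlines():
        m = re.match(r"(olcRootDN|olcRootPW)(::?)\s*(.*)$", line)
        if m:
            name, sep, value = m.groups()
            # "::" means the value is base64-encoded, which is not hashing.
            attrs[name] = base64.b64decode(value).decode() if sep == "::" else value
    return attrs

def check_rootpw(ldif_text, candidate):
    """Return (rootdn, scheme, match) for a candidate root password."""
    attrs = parse_root_attrs(ldif_text)
    rootdn, stored = attrs.get("olcRootDN"), attrs.get("olcRootPW")
    if stored is None:
        # No olcRootPW in this entry, as in the reporter's grep output.
        return rootdn, "missing", False
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)$", stored)
    if not m:
        same = hmac.compare_digest(stored.encode(), candidate.encode())
        return rootdn, "cleartext", same
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme != "SSHA":
        return rootdn, scheme, None  # scheme not handled by this example
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest followed by the salt
    computed = hashlib.sha1(candidate.encode() + salt).digest()
    return rootdn, "SSHA", hmac.compare_digest(computed, digest)

if __name__ == "__main__":
    for label, ldif in (("converted", LDIF_CONVERTED), ("stale", LDIF_STALE)):
        print(label, check_rootpw(ldif, "secret"))
```

The olcRootPW:: c2VjcmV0 value shown in the second comment decodes to the cleartext string secret; the double colon marks base64 encoding only, so a rootpw written in cleartext in slapd.conf is still stored in cleartext after conversion.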