[SMS] - Superb Mini Server Project Support Forum |
webtrip Member
Joined: 07 Jun 2014 Posts: 22 Location: Netherlands
Posted: Tue Jul 29, 2014 8:39 am Post subject: openLDAP won't start
Hey,
I ran into the following problem. If I want to start openldap, it won't start.
I get the following message:
Failed to start LDAP server : sh /etc/rc.d/rc.openldap start failed :
ldap.log:
Jul 29 08:31:19 serv7803 slapd[17162]: @(#) $OpenLDAP: slapd 2.4.37 (Oct 28 2013 18:43:2 $ ^Iroot@devel:/tmp/openldap-2.4.37/servers/slapd
Jul 29 08:31:19 serv7803 slapd[17162]: line 21 (allow update_anon)
Jul 29 08:31:19 serv7803 slapd[17162]: line 27 (pidfile^I^I/var/run/slapd.pid)
Jul 29 08:31:19 serv7803 slapd[17162]: line 28 (argsfile^I/var/run/slapd.args)
Jul 29 08:31:19 serv7803 slapd[17162]: line 64 (access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none)
Jul 29 08:31:19 serv7803 slapd[17162]: /etc/openldap/slapd.conf: line 64: expecting <access> got "'dn=cn=root,dc=webtrip.tk' write by anonymous read by self write by * none".
Jul 29 08:31:19 serv7803 slapd[17162]: <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] ^I[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] ^I[dnattr=<attrname>] ^I[realdnattr=<attrname>] ^I[group[/<objectclass>[/<attrname>]][.<style>]=<group>] ^I[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] ^I[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] ^I[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex | base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children <peernamestyl
Jul 29 08:31:19 serv7803 slapd[17162]: /etc/openldap/slapd.conf: line 64: <access> handler exited with 1!
Jul 29 08:31:19 serv7803 slapd[17162]: slapd destroy: freeing system resources.
Jul 29 08:31:19 serv7803 slapd[17162]: slapd stopped.
Jul 29 08:31:19 serv7803 slapd[17162]: connections_destroy: nothing to destroy.
Any suggestions?
Greetz, Richard Trip
_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Tue Jul 29, 2014 10:19 am Post subject:
Well, reading the log, I got "'dn=cn=root,dc=webtrip.tk'".
The default is cn=manager, so I assume you have altered the slapd.conf; did you drop and recreate the openldap data with your schema?
Can you post your slapd.conf or the guide you followed (if any)?
gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
webtrip Member
Joined: 07 Jun 2014 Posts: 22 Location: Netherlands
Posted: Tue Jul 29, 2014 5:49 pm Post subject: re: with slapd.conf
I can't remember what tutorial I followed. It was a mix of tutorials. I guess that is where it went wrong.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/mozillaabpersonalpha.schema
include /etc/openldap/schema/evolutionperson.schema
#If you use eGroupware uncomment bellow lines and comment the nis.schema
#include /etc/openldap/schema/acl_addressbook.conf
#include /etc/openldap/schema/rfc2307bis.schema
# Define global ACLs to disable default read access.
loglevel -1
allow update_anon
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none
access to * by 'dn="cn=root,dc=webtrip.tk' write by * read
access to * by * read by * write by * search
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix dc=serv7803,dc=serv7803.webtrip.tk
rootdn cn=root,dc=serv7803.webtrip.tk
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}00BjkZ/O.Vuvg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,eq
_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Tue Jul 29, 2014 6:25 pm Post subject:
I don't see the reason you changed the config, but if you run "smsconfig" you should have a ready schema at /etc/openldap/sms.ldif.
Anyway, your config works by altering a few fields, as you can see in the patch below....
Code:
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf 2014-07-29 19:00:56.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none
+access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none
-access to * by 'dn="cn=root,dc=webtrip.tk' write by * read
+access to * by dn="cn=root,dc=webtrip.tk write by * read
access to * by * read by * write by * search
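Review bot: the two `+` lines of this hunk still carry an unbalanced quote: `by dn="cn=root,dc=webtrip.tk write by anonymous read ...` opens a double quote after `dn=` and never closes it, so slapd will read everything up to the end of the line as the DN. The `<who>` form is `dn="<DN>"` with both quotes, i.e. `by dn="cn=root,dc=webtrip.tk" write`. Two further points in the same lines: `by anonymous read` on `attrs=userPassword` lets unauthenticated clients read password hashes, whereas the commented sample policy earlier in this file uses `by anonymous auth` for that purpose; and the unchanged context line `access to * by * read by * write by * search` would grant write access to everyone if it were ever reached.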
@@ -72,8 +72,8 @@ access to * by * read by * write by * se
#######################################################################
database bdb
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=serv7803,dc=webtrip.tk
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(Cool and slapd.conf(5) for details.
# Use of strong authentication encouraged.
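Review bot: `+rootdn cn=root,dc=serv7803,dc=webtrip.tk` now sits under `+suffix dc=serv7803,dc=webtrip.tk`, which is what slapd requires before it accepts `rootpw`, but it no longer matches the DN `cn=root,dc=webtrip.tk` used in the ACLs of the previous hunk; both should be spelled identically (the rootdn bypasses ACLs, so the ACL clause for it is redundant rather than harmful). `dc=webtrip.tk` is a single RDN whose value contains a dot; it is valid, but the usual split is `dc=webtrip,dc=tk`, and whichever form is chosen must be used consistently in suffix, rootdn and ACLs. The context line `slappasswd(Cool` is the forum's smiley rendering of `slappasswd(8)` and should not be copied as-is.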
Also, you should use SSHA passwords by typing "slappasswd",
entering your password and replacing your old "rootpw {CRYPT}" with the new {SSHA} output...
gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
webtrip Member
Joined: 07 Jun 2014 Posts: 22 Location: Netherlands
Posted: Mon Aug 04, 2014 9:17 am Post subject: error line 62
I am caught in an error now after editing slapd.conf.
I understand from the log that there is a fault in the directive on line 62, but I can't figure out what is wrong in that line.
The log says:
Aug 4 09:10:29 serv7803 slapd[3140]: @(#) $OpenLDAP: slapd 2.4.37 (Oct 28 2013 18:43:2 $ ^Iroot@devel:/tmp/openldap-2.4.37/servers/slapd
Aug 4 09:10:29 serv7803 slapd[3140]: line 22 (allow update_anon)
Aug 4 09:10:29 serv7803 slapd[3140]: line 28 (pidfile^I^I/var/run/slapd.pid)
Aug 4 09:10:29 serv7803 slapd[3140]: line 29 (argsfile^I/var/run/slapd.args)
Aug 4 09:10:29 serv7803 slapd[3140]: line 62 (--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300 )
Aug 4 09:10:29 serv7803 slapd[3140]: /etc/openldap/slapd.conf: line 62: unknown directive <---> outside backend info and database definitions.
Aug 4 09:10:29 serv7803 slapd[3140]: slapd destroy: freeing system resources.
Aug 4 09:10:29 serv7803 slapd[3140]: slapd stopped.
Aug 4 09:10:29 serv7803 slapd[3140]: connections_destroy: nothing to destroy.
Here is the slapd config file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/mozillaabpersonalpha.schema
include /etc/openldap/schema/evolutionperson.schema
include /etc/openldap/schema/java.schema
#If you use eGroupware uncomment bellow lines and comment the nis.schema
#include /etc/openldap/schema/acl_addressbook.conf
#include /etc/openldap/schema/rfc2307bis.schema
# Define global ACLs to disable default read access.
loglevel -1
allow update_anon
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf 2014-07-29 08:47:59.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
# updates to rootdn. (e.g., "access to * by * read")
#
rootdn dc=webtrip,dc=tk
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip,dc=tk' write by anonymous read by self write by * none
+access to * by 'dn="cn=root,dc=webtrip,dc=tk' write by * read
access to * by * read by * write by * search
#######################################################################
# BDB database definitions
#######################################################################
database bdb
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=webtrip,dc=tk
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}nwXBHZhEN9aCK6CwMF7RDJMOQGv9DGm7
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,eq
suffix dc=root
_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Mon Aug 04, 2014 11:19 am Post subject:
OK! My bad, I probably confused you with the patch...
Just for the info: a patch is a diff file and is applied through the "patch" command; what it actually does is replace the lines that have "-" in front with the ones that have "+" (the changes made to the file).
So replace
Code:
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf 2014-07-29 08:47:59.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
# updates to rootdn. (e.g., "access to * by * read")
#
rootdn dc=webtrip,dc=tk
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip,dc=tk' write by anonymous read by self write by * none
+access to * by 'dn="cn=root,dc=webtrip,dc=tk' write by * read
access to * by * read by * write by * search
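Review bot: these lines are patch markup, not configuration: the `---`/`+++` file headers, the `@@` hunk headers and the `-`/`+` prefixes must not be pasted into slapd.conf, which is exactly what produced `unknown directive <--->` at line 62 in the log above. Note also that `rootdn dc=webtrip,dc=tk` appears here in the ACL section, outside any `database` block, and that the replacement ACL lines given below still open a double quote after `dn=` without closing it, so the DN will swallow the rest of the line.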
with
Code:
access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none
access to * by dn="cn=root,dc=webtrip.tk write by * read
access to * by * read by * write by * search
and
Code:
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=webtrip,dc=tk
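Review bot: `+suffix dc=dc=serv7803,dc=webtrip.tk` doubles the `dc=` prefix, producing an RDN whose value is literally `dc=serv7803` (the later log shows it normalised to `dc=dc\3Dserv7803`), and `+rootdn cn=root,dc=webtrip,dc=tk` does not end with that suffix, so slapd will refuse the `rootpw` directive with `<rootpw> can only be set when rootdn is under suffix`. The rootdn has to be the suffix itself or an entry below it, for example `cn=root` appended under whatever suffix is chosen, using the same `dc=` spelling in both.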
with
Code:
suffix dc=dc=serv7803,dc=webtrip.tk
rootdn cn=root,dc=webtrip,dc=tk
That should do it...
gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
webtrip Member
Joined: 07 Jun 2014 Posts: 22 Location: Netherlands
Posted: Wed Aug 13, 2014 1:36 pm Post subject: <rootpw> can only be set when rootdn is under suffix
Almost getting there. I now get the "<rootpw> can only be set when rootdn is under suffix"
error. What does this mean? I edited the slapd.conf as you explained before.
Here is the log file for ldap when starting:
Aug 13 13:04:35 serv7803 slapd[1507]: line 29 (argsfile^I/var/run/slapd.args)
Aug 13 13:04:35 serv7803 slapd[1507]: line 63 (access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none )
Aug 13 13:04:35 serv7803 slapd[1507]: >>> dnNormalize: <cn=root,dc=webtrip.tk write by anonymous read by self write by * none >
Aug 13 13:04:35 serv7803 slapd[1507]: <<< dnNormalize: <cn=root,dc=webtrip.tk write by anonymous read by self write by * none>
Aug 13 13:04:36 serv7803 slapd[1507]: line 66 (access to * by dn="cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search )
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnNormalize: <cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search >
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnNormalize: <cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search>
Aug 13 13:04:36 serv7803 slapd[1507]: line 73 (database^Ibdb)
Aug 13 13:04:36 serv7803 slapd[1507]: bdb_db_init: Initializing BDB database
Aug 13 13:04:36 serv7803 slapd[1507]: line 75 (suffix dc=dc=serv7803,dc=webtrip.tk)
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnPrettyNormal: <dc=dc=serv7803,dc=webtrip.tk>
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnPrettyNormal: <dc=dc\3Dserv7803,dc=webtrip.tk>, <dc=dc\3Dserv7803,dc=webtrip.tk>
Aug 13 13:04:36 serv7803 slapd[1507]: line 76 (rootdn cn=root,dc=webtrip,dc=tk)
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnPrettyNormal: <cn=root,dc=webtrip,dc=tk>
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnPrettyNormal: <cn=root,dc=webtrip,dc=tk>, <cn=root,dc=webtrip,dc=tk>
Aug 13 13:04:36 serv7803 slapd[1507]: line 80 (rootpw ***)
Aug 13 13:04:36 serv7803 slapd[1507]: /etc/openldap/slapd.conf: line 80: <rootpw> can only be set when rootdn is under suffix
Aug 13 13:04:36 serv7803 slapd[1507]: slapd destroy: freeing system resources.
Aug 13 13:04:36 serv7803 slapd[1507]: slapd stopped.
Aug 13 13:04:36 serv7803 slapd[1507]: connections_destroy: nothing to destroy.
_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Wed Aug 13, 2014 7:13 pm Post subject:
OK! I saw a typo at
suffix dc=dc=serv7803,dc=webtrip.tk
it's
suffix dc=serv7803,dc=webtrip.tk
gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
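As an added example (not part of this thread and not SMS project code), a small Python linter that checks a slapd.conf for the three mistakes that appear above: an unbalanced `dn="` quote in an ACL, `by anonymous read` on userPassword (which exposes password hashes to unauthenticated binds, where the stock sample policy uses `by anonymous auth`), and a rootdn that is not under the suffix, which is what triggers the `<rootpw> can only be set when rootdn is under suffix` error. The sample configuration is constructed from the lines posted in the thread, and the DN comparison is a simplified version of slapd's suffix match (lower-casing components, no full RFC 4514 normalisation).

```python
import re

# Constructed sample: the access lines and database block from the Aug 13 post, rootpw replaced by a placeholder.
SAMPLE_CONF = """\
access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none
access to * by dn="cn=root,dc=webtrip.tk write by * read
database bdb
suffix dc=dc=serv7803,dc=webtrip.tk
rootdn cn=root,dc=webtrip,dc=tk
rootpw {SSHA}PLACEHOLDER
"""

def parse_dn(dn):
    """Split a DN into [(attr, value)] RDNs, lower-cased; reject 'dc=dc=x'."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or "=" in value:
            raise ValueError("malformed RDN %r" % part.strip())
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_under_suffix(dn, suffix):
    """slapd's rootpw rule, simplified: dn must end with the suffix's RDNs."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def lint_slapd_conf(text):
    """Return [(lineno, message)] for the three mistakes seen in this thread."""
    findings, suffix, rootdn = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directive, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "access":
            if rest.count('"') % 2:  # dn="cn=root,... with no closing quote
                findings.append((lineno, "unbalanced double quote in ACL DN"))
            if "attrs=userpassword" in rest.lower() and \
                    re.search(r"\bby\s+anonymous\s+read\b", rest, re.I):
                findings.append((lineno, "anonymous read of userPassword; use 'by anonymous auth'"))
        elif directive in ("suffix", "rootdn"):
            value = rest.strip().strip('"')
            suffix, rootdn = (value, rootdn) if directive == "suffix" else (suffix, value)
        elif directive == "rootpw":  # slapd checks the rootdn/suffix pair here
            try:
                ok = bool(suffix and rootdn) and dn_under_suffix(rootdn, suffix)
            except ValueError as err:
                findings.append((lineno, "cannot compare rootdn with suffix: %s" % err))
                continue
            if not ok:
                findings.append((lineno, "<rootpw> can only be set when rootdn is under suffix"))
    return findings
```

Running `lint_slapd_conf(SAMPLE_CONF)` reports both ACL lines for the missing closing quote, the first one additionally for anonymous read of userPassword, and the rootpw line because the doubled `dc=dc=` suffix cannot be parsed.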
SMS - Superb! Mini Server Project © 2016