SMS Forum Index » SMS User Support

openLDAP won't start
webtrip
Member
Joined: 07 Jun 2014
Posts: 22
Location: Netherlands

PostPosted: Tue Jul 29, 2014 8:39 am    Post subject: openLDAP won't start

Hey,

I ran into the next problem. If I want to start openldap it won't start.

I get the next message:

Failed to start LDAP server : sh /etc/rc.d/rc.openldap start failed :

ldap.log:

Jul 29 08:31:19 serv7803 slapd[17162]: @(#) $OpenLDAP: slapd 2.4.37 (Oct 28 2013 18:43:28) $ ^Iroot@devel:/tmp/openldap-2.4.37/servers/slapd
Jul 29 08:31:19 serv7803 slapd[17162]: line 21 (allow update_anon)
Jul 29 08:31:19 serv7803 slapd[17162]: line 27 (pidfile^I^I/var/run/slapd.pid)
Jul 29 08:31:19 serv7803 slapd[17162]: line 28 (argsfile^I/var/run/slapd.args)
Jul 29 08:31:19 serv7803 slapd[17162]: line 64 (access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none)
Jul 29 08:31:19 serv7803 slapd[17162]: /etc/openldap/slapd.conf: line 64: expecting <access> got "'dn=cn=root,dc=webtrip.tk' write by anonymous read by self write by * none".
Jul 29 08:31:19 serv7803 slapd[17162]: <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] ^I[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] ^I[dnattr=<attrname>] ^I[realdnattr=<attrname>] ^I[group[/<objectclass>[/<attrname>]][.<style>]=<group>] ^I[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] ^I[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] ^I[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex | base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children <peernamestyl
Jul 29 08:31:19 serv7803 slapd[17162]: /etc/openldap/slapd.conf: line 64: <access> handler exited with 1!
Jul 29 08:31:19 serv7803 slapd[17162]: slapd destroy: freeing system resources.
Jul 29 08:31:19 serv7803 slapd[17162]: slapd stopped.
Jul 29 08:31:19 serv7803 slapd[17162]: connections_destroy: nothing to destroy.

Any suggestions?

Greetz Richard Trip

_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist

gerasimos_h
Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Tue Jul 29, 2014 10:19 am

Well, reading the log,
got "'dn=cn=root,dc=webtrip.tk'
The default is cn=manager, so I assume you have altered the slapd.conf; did you drop and recreate the openldap data with your schema?
Can you post your slapd.conf or the guide you followed (if any)...?

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com

webtrip
Member
Joined: 07 Jun 2014
Posts: 22
Location: Netherlands

PostPosted: Tue Jul 29, 2014 5:49 pm    Post subject: re: with slapd.conf

I can't remember what tutorial I followed. It was a mix of tutorials. Guess that's where it went wrong ;)

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/mozillaabpersonalpha.schema
include /etc/openldap/schema/evolutionperson.schema

#If you use eGroupware uncomment below lines and comment the nis.schema
#include /etc/openldap/schema/acl_addressbook.conf
#include /etc/openldap/schema/rfc2307bis.schema

# Define global ACLs to disable default read access.

loglevel -1


allow update_anon

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none

access to * by 'dn="cn=root,dc=webtrip.tk' write by * read
access to * by * read by * write by * search


#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix dc=serv7803,dc=serv7803.webtrip.tk
rootdn cn=root,dc=serv7803.webtrip.tk
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}00BjkZ/O.Vuvg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,eq

_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist

gerasimos_h
Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Tue Jul 29, 2014 6:25 pm

I don't see the reason you changed the config, but if you run "smsconfig" you should have a ready schema at /etc/openldap/sms.ldif.

Anyway, your config works by altering a few fields, as you can see in the patch below...
Code:
--- /etc/openldap/slapd.conf    2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf    2014-07-29 19:00:56.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
 @@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
 # updates to rootdn. (e.g., "access to * by * read")
 #
 # rootdn can always read and write EVERYTHING!
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none
+access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none

-access to * by 'dn="cn=root,dc=webtrip.tk' write by * read
+access to * by dn="cn=root,dc=webtrip.tk write by * read
 access to * by * read by * write by * search
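Review bot: the `+` lines drop the wrong single quotes but also lose the closing double quote, so `by dn="cn=root,dc=webtrip.tk write by anonymous read ...` leaves `dn="` unterminated and slapd takes the whole remainder of the line as the DN; it needs to read `by dn="cn=root,dc=webtrip.tk" write`. Two further points in the same hunk: `by anonymous read` on `attrs=userPassword` hands password hashes to unauthenticated clients (a bind only needs `by anonymous auth`), and the unchanged context line `access to * by * read by * write by * search` grants write to every client, which the file's `allow update_anon` then extends to anonymous ones. Also the `@@ -61,9 +61,9 @@` header appears twice, the second time as a context line, so `patch` would reject the hunk as it stands.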


@@ -72,8 +72,8 @@ access to * by * read by * write by * se
 #######################################################################

 database bdb
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=serv7803,dc=webtrip.tk
 # Cleartext passwords, especially for the rootdn, should
 # be avoid. See slappasswd(Cool and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
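Review bot: `suffix dc=serv7803,dc=webtrip.tk` and `rootdn cn=root,dc=serv7803,dc=webtrip.tk` now agree with each other, which is the condition slapd enforces before accepting a `rootpw` (the rootdn must be the suffix or an entry beneath it). The ACL DNs in the first hunk still say `cn=root,dc=webtrip.tk`, a different DN, so those `by dn=` clauses match nothing; since the rootdn bypasses ACLs anyway, they can be dropped rather than corrected. Using `webtrip.tk` as one `dc` value is legal but unconventional; `dc=serv7803,dc=webtrip,dc=tk` is the usual split, and whichever form is chosen must be used consistently across suffix, rootdn and every DN in the data.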


Also, you should use SSHA passwords: type "slappasswd", enter your password and replace your old "rootpw {CRYPT}" with the new {SSHA} output...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com

webtrip
Member
Joined: 07 Jun 2014
Posts: 22
Location: Netherlands

PostPosted: Mon Aug 04, 2014 9:17 am    Post subject: error line 62

I am caught in an error now after editing slapd.conf.

I understand from the log that there is a fault in the directive on line 62. But I can't figure out what is wrong in that line.

The log says:

Aug 4 09:10:29 serv7803 slapd[3140]: @(#) $OpenLDAP: slapd 2.4.37 (Oct 28 2013 18:43:28) $ ^Iroot@devel:/tmp/openldap-2.4.37/servers/slapd
Aug 4 09:10:29 serv7803 slapd[3140]: line 22 (allow update_anon)
Aug 4 09:10:29 serv7803 slapd[3140]: line 28 (pidfile^I^I/var/run/slapd.pid)
Aug 4 09:10:29 serv7803 slapd[3140]: line 29 (argsfile^I/var/run/slapd.args)
Aug 4 09:10:29 serv7803 slapd[3140]: line 62 (--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300 )
Aug 4 09:10:29 serv7803 slapd[3140]: /etc/openldap/slapd.conf: line 62: unknown directive <---> outside backend info and database definitions.
Aug 4 09:10:29 serv7803 slapd[3140]: slapd destroy: freeing system resources.
Aug 4 09:10:29 serv7803 slapd[3140]: slapd stopped.
Aug 4 09:10:29 serv7803 slapd[3140]: connections_destroy: nothing to destroy.

Here is the slapd config file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/mozillaabpersonalpha.schema
include /etc/openldap/schema/evolutionperson.schema
include /etc/openldap/schema/java.schema

#If you use eGroupware uncomment below lines and comment the nis.schema
#include /etc/openldap/schema/acl_addressbook.conf
#include /etc/openldap/schema/rfc2307bis.schema

# Define global ACLs to disable default read access.

loglevel -1


allow update_anon

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf 2014-07-29 08:47:59.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args

# updates to rootdn. (e.g., "access to * by * read")
#
rootdn dc=webtrip,dc=tk
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip,dc=tk' write by anonymous read by self write by * none

+access to * by 'dn="cn=root,dc=webtrip,dc=tk' write by * read
access to * by * read by * write by * search


#######################################################################
# BDB database definitions
#######################################################################

database bdb
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=webtrip,dc=tk
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}nwXBHZhEN9aCK6CwMF7RDJMOQGv9DGm7
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,eq
suffix dc=root

_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist

gerasimos_h
Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Mon Aug 04, 2014 11:19 am

OK! My bad, I probably confused you with the patch...
Just for the info, a patch is a diff file applied through the "patch" command, and what it actually does is replace the lines that have "-" in front with the ones that have "+" (the changes made to the file).

So replace
Code:
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33.251953539 +0300
+++ /etc/openldap/slapd.conf 2014-07-29 08:47:59.868918517 +0300
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args
@@ -61,9 +61,9 @@ argsfile /var/run/slapd.args

# updates to rootdn. (e.g., "access to * by * read")
#
rootdn dc=webtrip,dc=tk
-access to * attrs=userPassword by 'dn="cn=root,dc=webtrip,dc=tk' write by anonymous read by self write by * none

+access to * by 'dn="cn=root,dc=webtrip,dc=tk' write by * read
access to * by * read by * write by * search
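Review bot: none of the lines from `--- /etc/openldap/slapd.conf` through the two `@@` headers, nor the `-`/`+` prefixed lines, are slapd.conf directives; they are the patch's own metadata and change markers, which is exactly the `unknown directive <--->` failure in the log above, so the whole block has to go rather than be edited in place. Two smaller issues in the same region: `rootdn dc=webtrip,dc=tk` sits above the `database bdb` section, where slapd does not accept it, and `'dn="cn=root,dc=webtrip,dc=tk'` still mixes a single quote with an unterminated double quote.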

with
Code:
access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none

access to * by dn="cn=root,dc=webtrip.tk write by * read
 access to * by * read by * write by * search

and
Code:
-suffix dc=serv7803,dc=serv7803.webtrip.tk
-rootdn cn=root,dc=serv7803.webtrip.tk
+suffix dc=dc=serv7803,dc=webtrip.tk
+rootdn cn=root,dc=webtrip,dc=tk

with
Code:
suffix dc=dc=serv7803,dc=webtrip.tk
rootdn cn=root,dc=webtrip,dc=tk


That should do it...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com

webtrip
Member
Joined: 07 Jun 2014
Posts: 22
Location: Netherlands

PostPosted: Wed Aug 13, 2014 1:36 pm    Post subject: <rootpw> can only be set when rootdn is under suffix

Almost getting there. I now get the error "<rootpw> can only be set when rootdn is under suffix". What does this mean? I edited the slapd.conf as you explained before.

Here is the log file for ldap when starting:


Aug 13 13:04:35 serv7803 slapd[1507]: line 29 (argsfile^I/var/run/slapd.args)
Aug 13 13:04:35 serv7803 slapd[1507]: line 63 (access to * attrs=userPassword by dn="cn=root,dc=webtrip.tk write by anonymous read by self write by * none )
Aug 13 13:04:35 serv7803 slapd[1507]: >>> dnNormalize: <cn=root,dc=webtrip.tk write by anonymous read by self write by * none >
Aug 13 13:04:35 serv7803 slapd[1507]: <<< dnNormalize: <cn=root,dc=webtrip.tk write by anonymous read by self write by * none>
Aug 13 13:04:36 serv7803 slapd[1507]: line 66 (access to * by dn="cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search )
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnNormalize: <cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search >
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnNormalize: <cn=root,dc=webtrip.tk write by * read access to * by * read by * write by * search>
Aug 13 13:04:36 serv7803 slapd[1507]: line 73 (database^Ibdb)
Aug 13 13:04:36 serv7803 slapd[1507]: bdb_db_init: Initializing BDB database
Aug 13 13:04:36 serv7803 slapd[1507]: line 75 (suffix dc=dc=serv7803,dc=webtrip.tk)
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnPrettyNormal: <dc=dc=serv7803,dc=webtrip.tk>
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnPrettyNormal: <dc=dc\3Dserv7803,dc=webtrip.tk>, <dc=dc\3Dserv7803,dc=webtrip.tk>
Aug 13 13:04:36 serv7803 slapd[1507]: line 76 (rootdn cn=root,dc=webtrip,dc=tk)
Aug 13 13:04:36 serv7803 slapd[1507]: >>> dnPrettyNormal: <cn=root,dc=webtrip,dc=tk>
Aug 13 13:04:36 serv7803 slapd[1507]: <<< dnPrettyNormal: <cn=root,dc=webtrip,dc=tk>, <cn=root,dc=webtrip,dc=tk>
Aug 13 13:04:36 serv7803 slapd[1507]: line 80 (rootpw ***)
Aug 13 13:04:36 serv7803 slapd[1507]: /etc/openldap/slapd.conf: line 80: <rootpw> can only be set when rootdn is under suffix
Aug 13 13:04:36 serv7803 slapd[1507]: slapd destroy: freeing system resources.
Aug 13 13:04:36 serv7803 slapd[1507]: slapd stopped.
Aug 13 13:04:36 serv7803 slapd[1507]: connections_destroy: nothing to destroy.

_________________
Richard Trip
Field Service Engineer (IT & Document Solutions)
Printer/MFP specialist

gerasimos_h
Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Wed Aug 13, 2014 7:13 pm

OK! I saw a typo at
suffix dc=dc=serv7803,dc=webtrip.tk
it's
suffix dc=serv7803,dc=webtrip.tk

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
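A small checker for the classes of mistake this thread runs into, as an added example and not SMS project code: it joins continuation lines the way slapd does (a line that starts with whitespace belongs to the previous directive, which is why the Aug 13 log shows line 66 swallowing the next `access` line), flags unbalanced `dn="..."` quoting and single quotes in ACL clauses, rejects `---`/`+++`/`@@`/`-`/`+` lines pasted from a patch, and reproduces the `<rootpw> can only be set when rootdn is under suffix` check by comparing the RDNs of rootdn and suffix. It also reports the two policy problems visible in the posted file, `by anonymous read` on userPassword and `by * write`, which slapd itself accepts without complaint. The two config texts are constructed to echo the thread and are not the poster's file; the finding codes and function names are this example's own, and `dn_is_under` is a simplified form of slapd's dnIsSuffix (no escaping or attribute-value normalization).

```python
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, code, message)

# Constructed to echo the thread's broken file; not the poster's actual slapd.conf.
BROKEN_CONF = """\
allow update_anon
access to * attrs=userPassword by 'dn="cn=root,dc=webtrip.tk' write by anonymous read by self write by * none
access to * by dn="cn=root,dc=webtrip.tk write by * read
 access to * by * read by * write by * search
rootdn dc=webtrip,dc=tk
--- /etc/openldap/slapd.conf 2014-07-29 19:13:33 +0300
database bdb
suffix dc=dc=serv7803,dc=webtrip.tk
rootdn cn=root,dc=webtrip,dc=tk
rootpw {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
"""

# Constructed: the same directives with every problem corrected.
FIXED_CONF = """\
access to * attrs=userPassword by self write by anonymous auth by * none
access to * by users read by * none
database bdb
suffix dc=serv7803,dc=webtrip.tk
rootdn cn=root,dc=serv7803,dc=webtrip.tk
rootpw {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
"""

def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join lines as slapd does (leading whitespace = continuation); drop blanks and comments."""
    out: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and out and out[-1][1]:
            prev_n, prev = out[-1]
            out[-1] = (prev_n, prev + " " + raw.strip())
        else:
            out.append((n, raw.strip()))
    return [(n, line) for n, line in out if line and not line.startswith("#")]

def dn_is_under(child: str, parent: str) -> bool:
    """Simplified dnIsSuffix: parent equals child or is its trailing RDN sequence (case-insensitive)."""
    c = [r.strip().lower() for r in child.split(",")]
    p = [r.strip().lower() for r in parent.split(",")]
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def check_access(n: int, rest: str) -> List[Finding]:
    out: List[Finding] = []
    if rest.count('"') % 2:
        out.append((n, "UNBALANCED_QUOTE", 'odd number of " characters: slapd reads the rest of the line as the DN'))
    if "'" in rest:
        out.append((n, "SINGLE_QUOTE", "single quotes are not quoting characters in slapd.conf"))
    if re.search(r"\saccess\s+to\s", rest):
        out.append((n, "JOINED_DIRECTIVE", "a following 'access' line began with whitespace and was merged into this one"))
    m = re.match(r"to\s+(.*?)\s+by\s+(.*)$", rest, re.S)
    if not m:
        return out + [(n, "MALFORMED_ACCESS", "no 'to <what> by <who> <access>' structure")]
    what, clauses = m.group(1).lower(), re.split(r"\s+by\s+", m.group(2))
    for clause in clauses:
        toks = clause.split()
        if not toks:
            continue
        who, level = toks[0].lower(), (toks[1].lower() if len(toks) > 1 else "")
        if "userpassword" in what and who == "anonymous" and level not in ("auth", "none"):
            out.append((n, "ANON_READ_PASSWORD", f"anonymous gets '{level}' on userPassword; binding needs only 'auth'"))
        if who == "*" and level in ("write", "manage"):
            out.append((n, "WORLD_WRITE", f"'by * {level}' lets any client, anonymous included, modify entries"))
    return out

def lint(text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_database, suffix, rootdn = False, None, None
    for n, line in logical_lines(text):
        if line[0] in "+-@":  # patch markers are never valid directives
            findings.append((n, "DIFF_TEXT", "patch text pasted into the config"))
            continue
        parts = line.split(None, 1)
        directive, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if directive == "database":
            in_database, suffix, rootdn = True, None, None
        elif directive == "suffix":
            suffix = rest
            if re.match(r"^\w+=\w+=", rest):
                findings.append((n, "DOUBLED_TYPE", f"suffix repeats the attribute type: {rest}"))
        elif directive == "rootdn":
            rootdn = rest
            if not in_database:
                findings.append((n, "ROOTDN_OUTSIDE_DB", "rootdn is a database directive and must follow 'database'"))
        elif directive == "rootpw" and not (suffix and rootdn and dn_is_under(rootdn, suffix)):
            findings.append((n, "ROOTDN_NOT_UNDER_SUFFIX", f"rootpw set but rootdn {rootdn!r} is not under suffix {suffix!r}"))
        elif directive == "allow" and "update_anon" in rest.split():
            findings.append((n, "ANON_UPDATE", "anonymous updates admitted; with 'by * write' the directory is world-writable"))
        elif directive == "access":
            findings.extend(check_access(n, rest))
    return findings

if __name__ == "__main__":
    for n, code, msg in lint(BROKEN_CONF):
        print(f"line {n}: {code}: {msg}")
```

Running it on BROKEN_CONF lists every failure the thread hit one at a time (quoting, the merged `access` line, the pasted patch, the `dc=dc=` typo and the rootdn/suffix mismatch) in a single pass, plus the two ACL policy findings; FIXED_CONF produces no findings. On a real host, `slaptest -u -f /etc/openldap/slapd.conf` is the authoritative syntax check and should be run before every restart, but it does not flag the policy problems.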