
OpenLDAP, DB2 back-sql and UnixODBC configuration.



Hi,

I'm trying to use IBM's DB2 as a database backend for slapd. But
when I fire up the slapd program I get an error message and the "native
error code: -1013". The debug trace of slapd is appended to this
message.

Does anyone know where the problem could be? Does anyone already have a
working configuration using OpenLDAP, DB2 and UnixODBC, and could send
it to me?

The DB2 database is running under the user "goyaldap". I can also
connect to this database with this user account, and play around in this
database. So I think this problem is not a DB2 issue.

I set & exported the environment variable DB2INSTANCE to the same user
account. I read the common documentation about using DB2 as a backend
and how to configure UnixODBC. I can even connect & query the database
with the "isql" program which is shipped with the UnixODBC package. So
UnixODBC is also configured correctly?

I also figured out that the name of the DB2 database must match the
name of the UnixODBC "topic" (in my example "[GOYALDAP]").

Thanks for your help,
Roman.

---- Debug trace from slapd -------------------------------------------

BOMBACLAAT:~# export DB2INSTANCE="goyaldap"
BOMBACLAAT:~# echo $DB2INSTANCE
goyaldap
BOMBACLAAT:~# slapd -4 -d 1
@(#) $OpenLDAP: slapd 2.1.30 (May 24 2004 23:50:57) $
        @pulsar:/home/torsten/packages/openldap/release-2.1.30-1/openldap2-2.1.30/debian/build/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
ldap_pvt_gethostbyname_a: host=BOMBACLAAT, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
==>backsql_initialize()
<==backsql_initialize()
==>backsql_db_init()
==>backsql_init_db_env()
<==backsql_init_db_env()
<==backsql_db_init()
>>> dnPrettyNormal: <o=sql,c=RU>
=> ldap_bv2dn(o=sql,c=RU,0)
<= ldap_bv2dn(o=sql,c=RU,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(o=sql,c=RU,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(o=sql,c=ru,272)=0
<<< dnPrettyNormal: <o=sql,c=RU>, <o=sql,c=ru>
>>> dnPrettyNormal: <cn=root,o=sql,c=RU>
=> ldap_bv2dn(cn=root,o=sql,c=RU,0)
<= ldap_bv2dn(cn=root,o=sql,c=RU,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=root,o=sql,c=RU,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=root,o=sql,c=ru,272)=0
<<< dnPrettyNormal: <cn=root,o=sql,c=RU>, <cn=root,o=sql,c=ru>
==>backsql_db_config()
<==backsql_db_config(): dbname=GOYALDAP
==>backsql_db_config()
<==backsql_db_config(): dbuser=goyaldap
==>backsql_db_config()
<==backsql_db_config(): dbpasswd=xxxx
==>backsql_db_config()
<==backsql_db_config(): insentry_query=insert into ldap_entries
(id,dn,oc_map_id,parent,keyval) values ((select max(id)+1 from
ldap_entries),?,?,?,?)
==>backsql_db_config()
<==backsql_db_config(): subtree_cond=upper(ldap_entries.dn) LIKE
CONCAT('%',?)
==>backsql_db_config()
<==backsql_db_config(): upper_func=upper
==>backsql_db_config()
<==backsql_db_config(): upper_needs_cast =yes
==>backsql_db_config()
<==backsql_db_config(): create_needs_select =yes
==>backsql_db_config()
<==backsql_db_config(): has_ldapinfo_dn_ru=no
==>backsql_db_config()
<==backsql_db_config (/etc/ldap/slapd.conf line 228): unknown directive
"defaultaccess" (ignored)
matching_rule_use_init
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber $
ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber
$ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES (
nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber
$ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $
homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $
nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc
$ mail $ altServer ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES (
nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber
$ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $
homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $
nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc
$ mail $ altServer ) )
    2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $
objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $
supportedExtension $ supportedControl $ structuralObjectClass $
objectClass ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29
NAME 'integerFirstComponentMatch' APPLIES ( oncRpcNumber $
ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $
telephoneNumber ) )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES userPassword )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort
$ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax
$ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $
mailPreferenceOption $ supportedLDAPVersion ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES hasSubordinates )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $
postalAddress ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: (
2.5.13.8 NAME 'numericStringMatch' APPLIES ( internationaliSDNNumber $
x121Address ) )
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7
NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $
destinationIndicator $ serialNumber ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: (
2.5.13.5 NAME 'caseExactMatch' APPLIES ( preferredLanguage $
employeeType $ employeeNumber $ displayName $ departmentNumber $
carLicense $ nisMapName $ ipServiceProtocol $ documentPublisher $
buildingName $ organizationalStatus $ uniqueIdentifier $ co $
personalTitle $ documentLocation $ documentVersion $ documentTitle $
documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $
textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $
dnQualifier $ generationQualifier $ initials $ givenName $
destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $
postalCode $ businessCategory $ description $ title $ ou $ o $ street $
st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref
$ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( preferredLanguage $ employeeType $
employeeNumber $ displayName $ departmentNumber $ carLicense $
nisMapName $ ipServiceProtocol $ documentPublisher $ buildingName $
organizationalStatus $ uniqueIdentifier $ co $ personalTitle $
documentLocation $ documentVersion $ documentTitle $ documentIdentifier
$ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $
uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $
generationQualifier $ initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $
businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref $
vendorVersion $ vendorName $ supportedSASLMechanisms ) )
    2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $
secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $
member $ distinguishedName $ aliasedObjectName $ namingContexts $
subschemaSubentry $ modifiersName $ creatorsName ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedApplicationContext $
supportedFeatures $ supportedExtension $ supportedControl $
structuralObjectClass $ objectClass ) )
slapd startup: initiated.
==>backsql_db_open(): testing RDBMS connection
backsql_db_open(): concat func not specified (use "concat_pattern"
directive in slapd.conf)
backsql_db_open(): setting 'upper(ldap_entries.dn)=upper(?)' as default
backsql_db_open(): objectclass mapping SQL statement not specified (use
"oc_query" directive in slapd.conf)
backsql_db_open(): setting 'SELECT
id,name,keytbl,keycol,create_proc,create_keyval,delete_proc,expect_return FROM ldap_oc_mappings' by default
backsql_db_open(): attribute mapping SQL statement not specified (use
"at_query" directive in slapd.conf)
backsql_db_open(): setting 'SELECT
name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_return,sel_expr_u FROM ldap_attr_mappings WHERE oc_map_id=?' by default
backsql_db_open(): entry deletion SQL statement not specified (use
"delentry_query" directive in slapd.conf)
backsql_db_open(): setting 'DELETE FROM ldap_entries WHERE id=?' by
default
==>backsql_get_db_conn()
==>backsql_open_db_conn()
backsql_open_db_conn: SQLConnect() to database 'GOYALDAP' as user
'goyaldap' failed:
Return code: -1
Native error code: -1013
SQL engine state:
Message:
backsql_get_db_conn(): could not get connection handle -- returning NULL
backsql_db_open(): connection failed, exiting
backend_startup: bi_db_open(0) failed! (1)
slapd shutdown: initiated
==>backsql_db_close()
<==backsql_db_close()
slapd shutdown: freeing system resources.
==>backsql_db_destroy()
==>backsql_free_db_env()
<==backsql_free_db_env()
==>destroy_schema_map()
<==destroy_schema_map()
<==backsql_db_destroy()
slapd stopped.
connections_destroy: nothing to destroy.

---- /etc/odbc.ini --------------------------------------------------
[GOYALDAP]
Description 	= Goya DB2
Driver 		= /opt/IBM/db2/V8.1/lib/libdb2.so
FileUsage 	= 1
DontDLClose 	= 1
Servername      = localhost
Database        = goyaldap
UserName        = goyaldap
Password        = goyaldap
DMEnvAttr 	= SQL_ATTR_UNIXODBC_ENVATTR={DB2INSTANCE=goyaldap}

---- /etc/ldap/slapd.conf ----------------------------------------------

# include <filename>
#
# Read additional configuration information from the given
# file before continuing with the next line of the current file.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema


# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on


# pidfile <filename>
#
# The (absolute) name of a file that will hold the slapd
# server's process ID ( see getpid(2) ) if started without the
# debugging command line option.

pidfile         /var/run/slapd/slapd.pid


# argsfile <filename>
#
# The (absolute) name of a file that will hold the slapd server's
# command line options if started without the debugging command line
# option.

argsfile        /var/run/slapd.args


# loglevel <integer>
#
# Specify the level at which debugging statements and
# operation statistics should be syslogged (currently logged to the
# syslogd(8) LOG_LOCAL4 facility).  Log levels are additive, and
# available levels are:
#
#     1     trace function calls
#     2     debug packet handling
#     4     heavy trace debugging
#     8     connection management
#     16     print out packets sent and received
#     32     search filter processing
#     64     configuration file processing
#     128    access control list processing
#     256    stats log connections/operations/results
#     512    stats log entries sent
#     1024   print communication with shell backends
#     2048   entry parsing

loglevel        256


# modulepath <pathspec>
#
# Specify a list of directories to search  for  loadable  modules.
# Typically  the  path  is colon-separated but this depends on the
# operating system.

modulepath      /usr/lib/ldap


# moduleload <filename>
#
# Specify the name of a dynamically loadable module to load.  The
# filename may be an absolute path name or a simple filename. Non-
# absolute names are searched for in the directories specified by the
# modulepath option. This option and the modulepath option are only
# usable if slapd was compiled with --enable-modules.

moduleload      back_sql


# database <databasetype>
#
# Mark the beginning of a new database instance
# definition.  <databasetype> should be one of bdb, dnssrv, ldap, ldbm,
# meta, monitor, null, passwd, perl, shell, sql, or tcl, depending on
# which backend will serve the database.

database        sql

# suffix <dn suffix>
#
# Specify the DN suffix of queries that will be passed to this backend
# database.  Multiple suffix lines can be given and at least one is
# required for each database definition.  If the suffix of one database
# is "inside" that of another, the database with the inner suffix must
# come first in the configuration file.

suffix          "o=sql,c=RU"


# rootdn <dn>
#
# Specify the distinguished name that is not subject to access
# control or administrative limit restrictions for operations on this
# database.  This DN may or may not be associated with an entry.  An
# empty root DN (the default) specifies no root access is to be
# granted.  It is recommended that the rootdn only be specified when
# needed (such as when initially populating a database).  If the rootdn
# is within a namingContext (suffix) of the database, a simple bind
# password may also be provided using the rootpw directive.

rootdn          "cn=root,o=sql,c=RU"


# rootpw <password>
#
# Specify a password (or hash of the password) for the
# rootdn.  The password can only be set if the rootdn is within the
# namingContext (suffix) of the database.  This option accepts all RFC
# 2307 userPassword formats known to the server (see password- hash
# description) as well as cleartext. slappasswd(8) may be used to
# generate a hash of a password.  Cleartext and {CRYPT} passwords are
# not recommended.  If empty (the default), authentication of the root
# DN is by other means (e.g. SASL).  Use of SASL is encouraged.

rootpw          secret


# dbname <datasource name>
#
# The name of the ODBC datasource to use.

dbname          GOYALDAP

# dbhost <hostname>
# dbuser <username>
# dbpasswd <password>
#
# These three options are generally unneeded, because this
# information is already taken from the datasource.  Use them if you
# need to override datasource settings.  Also, several RDBMS' drivers
# tend to require explicit passing of user/password, even if those are
# given in datasource (Note: dbhost is currently ignored).

dbuser          goyaldap
dbpasswd        goyaldap


# password-hash <hash> [<hash>...]
#
# This option  configures  one  or      more  hashes  to  be  used  in
# generation of user passwords stored in the userPassword attribute
# during processing of LDAP Password Modify Extended Operations (RFC 3062).
# The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5},
# {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.

password-hash   {MD5}


# lastmod on | off
# Controls whether slapd will automatically maintain the
# modifiersName, modifyTimestamp, creatorsName, and createTimestamp
# attributes for entries. By default, lastmod is on.

lastmod         off


# insentry_query <SQL expression>
#
# The  default is INSERT INTO ldap_entries (dn, oc_map_id, parent,
# keyval) VALUES (?, ?, ?, ?)

insentry_query  "insert into ldap_entries (id,dn,oc_map_id,parent,keyval)
                values ((select max(id)+1 from ldap_entries),?,?,?,?)"


# subtree_cond <SQL expression>
#
# Specifies a where-clause template used to form a subtree search
# condition (dn=".*<dn>").  It may differ from one SQL dialect to
# another (see samples).

subtree_cond    "upper(ldap_entries.dn) LIKE CONCAT('%',?)"


# upper_func <SQL function name>
#
# Specifies the name of a function that converts a given value  to
# uppercase.  This is used for CIS matching when the RDBMS is case
# sensitive.

upper_func      "upper"


# upper_needs_cast { yes | no }
#
# Set this directive to yes if upper_func needs an explicit cast when
# applied to literal strings.  The form cast (<arg> as var- char(<max
# DN length>)) is used, where <max DN length> is builtin.  This is
# experimental and may change in future releases.

upper_needs_cast "yes"

create_needs_select     "yes"


# has_ldapinfo_dn_ru { yes | no }
#
# Explicitly inform the backend whether the SQL schema  has  dn_ru
# column  (dn in reverse uppercased form) or not.  Overrides auto-
# matic check (required by PostgreSQL/unixODBC).  This is  experi-
# mental and may change in future releases.

has_ldapinfo_dn_ru      "no"


# access to <what> [ by <who> <access> <control> ]+
#
# Grant access (specified by <access>) to a set of entries
# and/or attributes (specified by <what>) by one or more requestors
# (specified by <who>).  See slapd.access(5) and the "OpenLDAP's
# Administrator's Guide" for details.

#access to * by self write by * read
#access to * by dn="cn=root,o=sql,c=ru" write

#access to * by self write by * read
#access to dn.children="dc=goya" by dn="cn=admin,dc=goya" write
#access to dn.children="dc=goya" by * write

defaultaccess write
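The two files quoted in the post have to agree on several names, and they carry credentials that a reviewer would want handled differently. The script below is an added example, not code from the original post, from OpenLDAP or from unixODBC. It parses an odbc.ini and a slapd.conf, checks that back-sql's `dbname` names a DSN section that exists (the lookup is deliberately case-insensitive, so it is lenient rather than exact) and that `dbuser` agrees with the DSN's `UserName`, and then flags what is visible in the posted files: a cleartext `Password` in /etc/odbc.ini, cleartext `dbpasswd` and `rootpw` in slapd.conf, the unsalted `password-hash {MD5}`, the `defaultaccess` directive that the trace above reports as unknown and ignored, and the absence of any active `access` directive. The embedded samples are trimmed copies of the post's own files. The checker never talks to DB2, so it cannot confirm the cause of the -1013 return; for reference, DB2 reports SQLCODE -1013 (message SQL1013N) when the database alias or name handed to the connect cannot be found.

```python
"""Static cross-check of a back-sql slapd.conf against a unixODBC odbc.ini.

Added example: not code from the original post, OpenLDAP or unixODBC.
It does not connect to DB2; it only checks what the two files say.
"""
import re

# Constructed sample, trimmed from the odbc.ini quoted in the post.
SAMPLE_ODBC_INI = """\
[GOYALDAP]
Driver      = /opt/IBM/db2/V8.1/lib/libdb2.so
Database    = goyaldap
UserName    = goyaldap
Password    = goyaldap
DMEnvAttr   = SQL_ATTR_UNIXODBC_ENVATTR={DB2INSTANCE=goyaldap}
"""

# Constructed sample, trimmed from the slapd.conf quoted in the post.
SAMPLE_SLAPD_CONF = """\
database        sql
rootpw          secret
dbname          GOYALDAP
dbuser          goyaldap
dbpasswd        goyaldap
password-hash   {MD5}
#access to * by self write by * read
defaultaccess write
"""


def parse_odbc_ini(text):
    """Return {section: {key.lower(): value}} for an odbc.ini-style file."""
    dsns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            dsns[current] = {}
        elif current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            dsns[current][k.lower()] = v
    return dsns


def parse_slapd_conf(text):
    """Return [(directive.lower(), argument)] with comments dropped.

    slapd.conf treats a line that starts with whitespace as a continuation
    of the previous line, so those are glued back before splitting.
    """
    joined = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw)
    out = []
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip('"') if len(parts) > 1 else ""))
    return out


def check_backsql(odbc_text, slapd_text):
    """Cross-check the pair and return a sorted list of finding strings."""
    dsns = parse_odbc_ini(odbc_text)
    directives = {}
    for k, v in parse_slapd_conf(slapd_text):
        directives.setdefault(k, []).append(v)
    findings = []

    dbname = directives.get("dbname", [""])[0]
    # Lenient, case-insensitive lookup of the DSN section back-sql asks for.
    dsn_name = next((d for d in dsns if d.lower() == dbname.lower()), None)
    if not dbname:
        findings.append("dbname: missing; back-sql has no DSN to connect to")
    elif dsn_name is None:
        findings.append("dbname: no [%s] section in odbc.ini" % dbname)
    else:
        dsn = dsns[dsn_name]
        db = dsn.get("database")
        if db and db.upper() != dsn_name.upper():
            findings.append("dsn %s: Database=%s differs from section name" % (dsn_name, db))
        if "password" in dsn:
            findings.append("odbc.ini: cleartext Password for DSN %s" % dsn_name)
        user = directives.get("dbuser", [None])[0]
        if user and dsn.get("username") and user != dsn["username"]:
            findings.append("dbuser differs from odbc.ini UserName")

    if "dbpasswd" in directives:
        findings.append("slapd.conf: cleartext dbpasswd")
    for pw in directives.get("rootpw", []):
        if not pw.startswith("{"):             # slappasswd output starts with {SCHEME}
            findings.append("slapd.conf: rootpw is cleartext; use slappasswd output")
    for h in directives.get("password-hash", []):
        if h.upper() in ("{MD5}", "{SHA}", "{CLEARTEXT}"):
            findings.append("password-hash %s is unsalted; prefer {SSHA}" % h)
    if "defaultaccess" in directives:
        findings.append("defaultaccess: unknown to slapd 2.1, ignored (see trace)")
    if "access" not in directives:
        findings.append("no active access directive: slapd default applies "
                        "(anyone reads, only rootdn updates)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_backsql(SAMPLE_ODBC_INI, SAMPLE_SLAPD_CONF):
        print(finding)
```

To run it against the real files, call `check_backsql(open('/etc/odbc.ini').read(), open('/etc/ldap/slapd.conf').read())`; nothing is read from the network or from DB2. The DSN password finding matters most when /etc/odbc.ini is world-readable, because every local account can then read the DB2 credentials, so check the file mode alongside the content.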