Issue 10031 - Conversion of slapd.conf fails using pcache
Summary: Conversion of slapd.conf fails using pcache
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays
Version: 2.6.0
Hardware: All All
Importance: --- normal
Target Milestone: 2.5.15
Assignee: Ondřej Kuzník
Reported: 2023-03-27 18:12 UTC by stefan
Modified: 2023-07-10 21:08 UTC
Description stefan 2023-03-27 18:12:07 UTC
I've got the following working slapd.conf:
--------------------
include                 /opt/symas/etc/openldap/schema/core.schema
include                 /opt/symas/etc/openldap/schema/cosine.schema
include                 /opt/symas/etc/openldap/schema/inetorgperson.schema
include                 /opt/symas/etc/openldap/schema/misc.schema
include                 /opt/symas/etc/openldap/schema/nis.schema
include                 /opt/symas/etc/openldap/schema/msuser.schema
modulepath              /opt/symas/lib/openldap
moduleload              back_ldap
moduleload              back_mdb
moduleload              rwm.la
moduleload              memberof.la
moduleload              pcache.la
loglevel                any
pidfile         /var/symas/run/slapd.pid
argsfile        /var/symas/run/slapd.args

database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://192.168.56.201:389"
suffix "dc=example1,dc=net"
rootdn "cn=admin,dc=example1,dc=net"
idassert-bind bindmethod=simple
        mode=none
        binddn="CN=Administrator,cn=users,dc=example1,dc=net"
        credentials=Passw0rd
        tls_cacertdir=/opt/symas/etc/openldap
        tls_reqcert=never
idassert-authzFrom "*"

overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map objectClass posixAccount person

overlay memberof
memberof-group-oc groupOfuniqueNames
memberof-member-ad uniquemember
memberof-dangling error

overlay pcache
pcache mdb 100000 6 1000 100
pcachePersist TRUE
directory       "/var/symas/pcache"
pcacheAttrset    0 1.1
pcacheTemplate   (uid=) 0 3600
pcacheTemplate   (&(|(objectClass=))) 0 3600
pcacheAttrset    1 employeetype givenName cn sn uid mail
pcacheTemplate   (uid=) 1 3600
pcacheBind           (uid=) 1 3600 sub dc=de
pcacheAttrset    2 givenName cn sn uid mail uidNumber
pcacheTemplate   (objectClass=) 2 3600
pcacheAttrset    3 userPassword
pcacheTemplate   (uid=) 3 3600
pcacheTemplate   (objectClass=) 2 3600
pcacheAttrset    4 employeetype givenName cn sn uid mail
pcacheTemplate   (uid=) 1 3600
pcacheAttrset    5 memberOf
pcacheTemplate (objectClass=*) 2 3600
--------------------
Search for an entry in AD is working:
----------------------
root@ldap-proxy01:~/server-setup/proxy# ldapsearch -x -b dc=example1,dc=net cn=administrator -LLL dn

dn: cn=Administrator,cn=Users,dc=example1,dc=net
----------------------
Now I want to convert it to cn=config, but I'm getting the following error:
--------------------
root@ldap-proxy01:/opt/symas/etc/openldap# slaptest -F ./my-slapd.d/ -f slapd.conf
Entry (olcDatabase={0}mdb,olcOverlay={2}pcache,olcDatabase={1}ldap,cn=config): object class 'olcMdbBkConfig' requires attribute 'olcBackend'
config_build_entry: build "olcDatabase={0}mdb" failed: "(null)"
config file testing succeeded
mdb_opinfo_get: err Permission denied(13)
--------------------

When I comment out all the settings for the overlay pcache, converting slapd.conf is working, but starting slapd gives me the following error:
--------------
Mär 27 20:02:03 ldap-proxy01 slapd[2042]: olcAttributeTypes: value #741 olcAttributeTypes: Duplicate attributeType: ""
Mär 27 20:02:03 ldap-proxy01 slapd[2042]: config error processing cn={5}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: ""
Mär 27 20:02:03 ldap-proxy01 slapd[2042]: send_ldap_result: conn=-1 op=0 p=0
Mär 27 20:02:03 ldap-proxy01 slapd[2042]: send_ldap_result: err=80 matched="" text=""

--------------
slapcat -n0 tells me:
--------------
root@ldap-proxy01:/opt/symas/etc/openldap# slapcat -n0
olcAttributeTypes: value #741 olcAttributeTypes: Duplicate attributeType: "�p�:V"
config error processing cn={5}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "�p�:V"
slapcat: bad configuration file!

--------------
But when switching back to slapd.conf, the msuser.schema causes no problems.

Creating my own LDIF (without converting):
--------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: any
olcPidFile: /var/symas/run/slapd.pid
olcArgsFile: /var/symas/run/slapd.args
olcToolThreads: 1

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: back_mdb
olcModuleLoad: back_ldap
olcModuleLoad: back_monitor
olcModuleLoad: argon2

include: file:///opt/symas/etc/openldap/schema/core.ldif
include: file:///opt/symas/etc/openldap/schema/cosine.ldif
include: file:///opt/symas/etc/openldap/schema/nis.ldif
include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif
include: file:///opt/symas/etc/openldap/schema/msuser.ldif

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcSizeLimit: 500
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to dn=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
passwordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor"
  by dn.exact=cn=admin,cn=config read
  by dn.exact=cn=admin,dc=example,dc=net read
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=example1,dc=net
olcAddContentAcl: FALSE
olcLastMod: FALSE
olcLastBind: FALSE
olcLastBindPrecision: 0
olcMaxDerefDepth: 15
olcReadOnly: TRUE
olcRootDN: cn=admin,dc=example1,dc=net
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcDbURI: "ldap://dc-net01.example.net:389"
olcDbStartTLS: none  starttls=no
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm
 ethod=simple timeout=0 network-timeout=0 binddn="cn=administrator,cn=users,dc
 =example1,dc=net" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 t
 ls_cacertdir="/opt/symas/etc/openldap" tls_reqcert=never tls_reqsan=allow tls
 _crlcheck=none
olcDbIDAssertAuthzFrom: *
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: FALSE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0 
--------------------------
msuser is working, no error about duplicate attributeType.

System is Debian 11 with the Symas packages of OpenLDAP 2.6.
Comment 1 Ondřej Kuzník 2023-03-28 13:27:15 UTC
This is caused by ITS#8977 changing the members of mdbocs. But pcache (wrongly?) expects that cm->db.bd_info->bi_cf_ocs would be the DB config objectclass and not the one for its backend.
Comment 3 Quanah Gibson-Mount 2023-04-27 16:14:01 UTC
head:

  • 53906655 by Ondřej Kuzník at 2023-03-30T23:12:55+00:00
    ITS#10031 Adjust *err if we free it

RE26:

  • 99cc55d6 by Ondřej Kuzník at 2023-04-27T15:12:39+00:00
    ITS#10031 Adjust *err if we free it

RE25:

  • c3cc9289 by Ondřej Kuzník at 2023-04-27T15:14:02+00:00
    ITS#10031 Adjust *err if we free it