[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP + SASL + BDB + Heimdal = BDB errors?


(I did google.  I apologize in advance if I missed something that google
turns up)

I have installed:

OpenSSL 0.9.7e
Heimdal 0.6.3
Berkeley DB 4.2.52 (w/crypto) + 2 patches for locking issues
Cyrus-SASL 2.1.20
OpenLDAP 2.2.20 + standford patches (from CVS HEAD)

on RedHat enterprise linux 3 ES.  I was surprised RedHat's packages
didn't work straight up, so I built it.  I was also suprised at how much
of a PITA SASL can be.  Esp. when trying to run LDAP on an alias
interface (eth0:0).  I couldn't get that to work, so I'm just using a
CNAME for master.ldap-> app0.prod.  It works with kerberos and I stopped 
getting GSSAPI error messages, so I suppose that's a good thing.

Anyways, I have the kerberos, SASL, etc. issues worked out.  But I think
I have BDB problems.  I run:

$ ldapsearch -ZZ '(objectClass=*)' -Y GSSAPI

which yields:

SASL/GSSAPI authentication started
SASL username: adam@GMI.COM
SASL installing layers
# extended LDIF
# LDAPv3
# base <> with scope sub
# filter: (objectClass=*)
# requesting: ALL

# search result
search: 5
result: 80 Internal (implementation specific) error
text: internal error

# numResponses: 1

In my logs for slapd (w/ -d 256.  btw, figuring out debugging flags was
harder than it should be, or perhaps I missed something):

2005-01-22 15:58:39.114978500 @(#) $OpenLDAP: slapd 2.2.20 (Jan 20 2005 14:36:49) $
2005-01-22 15:58:39.114982500 root@app0.prod:/export/ldap/src/openldap-2.2.20/servers/slapd
2005-01-22 15:58:39.126200500 bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
2005-01-22 15:58:39.126322500 bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
2005-01-22 15:58:39.133535500 bdb_db_init: Initializing BDB database 2005-01-22 15:58:39.145038500 slapd starting
2005-01-22 15:58:44.129224500 conn=0 fd=10 ACCEPT from IP= (IP=
2005-01-22 15:58:44.151426500 conn=0 op=1 BIND dn="" method=163
2005-01-22 15:58:44.152745500 conn=0 op=2 BIND dn="" method=163
2005-01-22 15:58:44.153256500 conn=0 op=3 BIND dn="" method=163
2005-01-22 15:58:44.153699500 conn=0 op=3 BIND authcid="adam@GMI.COM"
2005-01-22 15:58:44.153842500 conn=0 op=3 BIND dn="uid=adam,cn=gmi.com,ou=people,dc=gmi,dc=com" mech=GSSAPI ssf=56
2005-01-22 15:58:44.154537500 conn=0 op=4 SRCH base="dc=gmi,dc=com" scope=2 deref=0 filter="(objectClass=*)"
2005-01-22 15:58:44.154731500 bdb(dc=gmi,dc=com): illegal flag specified to txn_begin
2005-01-22 15:58:44.154777500 bdb(dc=gmi,dc=com): illegal flag specified to txn_begin
2005-01-22 15:58:44.154819500 bdb(dc=gmi,dc=com): illegal flag specified to txn_begin
2005-01-22 15:58:44.154860500 bdb(dc=gmi,dc=com): illegal flag specified to txn_begin
2005-01-22 15:58:44.155084500 conn=0 op=4 SEARCH RESULT tag=101 err=80 nentries=0 text=internal error
2005-01-22 15:58:44.155761500 conn=0 op=5 UNBIND
2005-01-22 15:58:44.155932500 conn=0 fd=10 closed

So I'm getting a bunch of "illegal flag specified to txn_begin."  I
think this means BDB is "wacky."  So now you want to know what version
I'm running (see above), and then you wonder what patches I'm running.  
Just the two patches from Sleepycat that they recommend for 4.2.52.  For
OpenLDAP, I'm using four patches mentioned on the ITS pages at Stanford
(which is a great page!):


Now, I should mention I'm running OpenLDAP non-root.  But I have
configured SASL to point slapd to a keytab it can read:

# cat sasl2/slapd.conf 
# 2005-01-21 ADM
[snip comments]
keytab:         /export/ldap/etc/ldap.keytab

So...what stupid thing am I missing that is causing my txn_begin errors?
I can do things like:

[adam@app0 tmp]$ ldapsearch -ZZ -x -L -s "base" -b ""
version: 1

# filter: (objectclass=*)
# requesting: supportedSASLMechanisms 

supportedSASLMechanisms: GSSAPI

# search result

# numResponses: 2
# numEntries: 1

thanks in advance!!!