
Re: Database is getting corrupted



(Sorry if maybe I'm sending this message twice. I think I sent the first
one in HTML format and I guess that format isn't allowed here).

Ok, maybe I'm missing some essential knowledge about how OpenLDAP and
indexing works.
This is what I'm doing (as simple as possible after too many failed
tests with more complex scenarios):

1. Create a new database in slapd.conf without any ACLs yet:

database      bdb
suffix            dc=test,dc=com
rootdn          cn=manager,dc=test,dc=com
rootpw          {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory       /var/lib/ldap/test
mode            600
cachesize     10000

index           objectClass     eq
index           mail            eq,sub

2. After stopping OpenLDAP I create the basic content of my LDAP tree
using slapadd:

# slapadd -l test.ldif -b dc=test,dc=com
# cat test.ldif
dn: dc=test,dc=com
objectClass: domain
dc: test

(all worked fine, no errors, no problems)

3. Then I fix perms and ownership of database directory
(/var/lib/ldap/test):

# chown -R ldap.ldap /var/lib/ldap/test
# chmod 700 /var/lib/ldap/test
# chmod 600 /var/lib/ldap/test/*
# ls -ld /var/lib/ldap /var/lib/ldap/test
drwx------ 3 ldap ldap 4096 Dec 31 07:38 /var/lib/ldap/
drwx------ 2 ldap ldap 4096 Jan  1 10:39 /var/lib/ldap/test/

# ls -l /var/lib/ldap/test
total 732
-rw------- 1 ldap ldap     2048 Jan  1 10:39 alock
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.001
-rw------- 1 ldap ldap   278528 Jan  1 10:38 __db.002
-rw------- 1 ldap ldap   270336 Jan  1 10:38 __db.003
-rw------- 1 ldap ldap    98304 Jan  1 10:38 __db.004
-rw------- 1 ldap ldap   352256 Jan  1 10:38 __db.005
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.006
-rw------- 1 ldap ldap     8192 Jan  1 10:39 dn2id.bdb
-rw------- 1 ldap ldap    32768 Jan  1 10:39 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Jan  1 10:39 log.0000000001
-rw------- 1 ldap ldap     8192 Jan  1 10:39 objectClass.bdb

(pay attention: there's no mail.bdb file yet, right?)

4. Check slapd syntax, start OpenLDAP and make a test:

# slaptest -u
config file testing succeeded
# service ldap start
# ldapsearch -xLLL -b dc=test,dc=com

(and yes, /etc/init.d/ldap forces slapd to run as the ldap user)

5. Everything is fine. Then I try to add some content from an LDIF file:

# ldapmodify -a -x -D cn=manager,dc=test,dc=com -w secret -f test.ldif
adding new entry "mail=jvoorhees1@gmail.com,dc=test,dc=com"
ldap_add: Internal (implementation specific) error (80)
        additional info: index generation failed

# cat test.ldif
dn: mail=jvoorhees1@gmail.com,dc=test,dc=com
objectClass: inetOrgPerson
mail: jvoorhees1@gmail.com
cn: Jason Voorhees
sn: Voorhees

6. What happened? What am I doing wrong? I'm working with "loglevel 256"
in slapd.conf and sending local4.* logs to /var/log/ldap.log and I'm
getting this error message while using ldapmodify:

Jan  1 10:51:49 ha1 slapd[26023]: @(#) $OpenLDAP: slapd 2.3.27 (Jul  9
2008 13:10:56) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
Jan  1 10:51:49 ha1 slapd[26024]: bdb_db_open: Warning - No DB_CONFIG
file found in directory /var/lib/ldap/test: (2) Expect poor performance
for suffix dc=test,dc=com.
Jan  1 10:51:49 ha1 slapd[26024]: slapd starting
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 fd=12 ACCEPT from
IP=127.0.0.1:40112 (IP=0.0.0.0:389)
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=0 BIND
dn="cn=manager,dc=test,dc=com" method=128
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=0 BIND
dn="cn=manager,dc=test,dc=com" mech=SIMPLE ssf=0
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=0 RESULT tag=97 err=0 text=
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=1 ADD
dn="mail=jvoorhees1@gmail.com,dc=test,dc=com"
Jan  1 10:51:56 ha1 slapd[26024]: bdb(dc=test,dc=com):
/var/lib/ldap/test/mail.bdb: Permission denied
Jan  1 10:51:56 ha1 slapd[26024]: bdb_db_cache: db_open(mail) failed:
Permission denied (13)
Jan  1 10:51:56 ha1 slapd[26024]: bdb_index_read: Could not open DB mail
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=1 RESULT tag=105 err=80
text=index generation failed
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 op=2 UNBIND
Jan  1 10:51:56 ha1 slapd[26024]: conn=0 fd=12 closed
Jan  1 10:51:56 ha1 slapd[26024]: connection_read(12): no connection!

Why can't slapd create any index file in its database directory? Does
slapd need to have index files created before it is started? Is it
possible for slapd to create new index files when it is already running?
Those are my essential doubts :(


7. OK, according to the error message I must check perms and ownership of
the database files. But OMG, everything is apparently fine! Look:

# ls -ld /var/lib/ldap /var/lib/ldap/test
drwx------ 3 ldap ldap 4096 Dec 31 07:38 /var/lib/ldap/
drwx------ 2 ldap ldap 4096 Jan  1 10:51 /var/lib/ldap/test/

# ls -l /var/lib/ldap/test
total 752
-rw------- 1 ldap ldap     4096 Jan  1 10:51 alock
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.001
-rw------- 1 ldap ldap   278528 Jan  1 10:38 __db.002
-rw------- 1 ldap ldap   270336 Jan  1 10:38 __db.003
-rw------- 1 ldap ldap    98304 Jan  1 10:38 __db.004
-rw------- 1 ldap ldap   352256 Jan  1 10:38 __db.005
-rw------- 1 ldap ldap    24576 Jan  1 10:38 __db.006
-rw------- 1 ldap ldap     8192 Jan  1 10:51 dn2id.bdb
-rw------- 1 ldap ldap    32768 Jan  1 10:39 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Jan  1 10:51 log.0000000001
-rw------- 1 ldap ldap     8192 Jan  1 10:51 objectClass.bdb

What else? SElinux?

# getenforce
Disabled

So, what's the problem?

OS: CentOS 5.2
OpenLDAP: 2.3.27 (openldap-servers-2.3.27-8.el5_2.4.rpm)
Kernel: 2.6.18-92.1.22.el5xen
SElinux: disabled

The same problem occurs in an identical environment but with no Xen kernel.
Could somebody help me? Thanks a lot

Gavin Henry wrote:
> Nothing is getting corrupt, only permission errors. Check what
> permissions your init script is looking for and running slapd as.
> 
> On 30/12/2008, Jason Voorhees <jvoorhees1@gmail.com> wrote:
>> Hi all:
>>
>> I'm running OpenLDAP 2.3.27 from CentOS 5.2 to build from scratch an
>> LDAP tree based on Phamm sample LDIF files.
>> I have these database definition in slapd.conf:
>>
>> database        bdb
>> suffix          "dc=redtube,dc=com"
>> rootdn          "cn=manager,dc=redtube,dc=com"
>> rootpw          {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
>> directory       /var/lib/ldap
>> mode            660
>>
>> index objectClass eq
>> index cn,mail eq,subinitial
>> index vd,delete eq,pres
>> index accountActive,forwardActive eq,pres
>> index smtpAuth eq,pres
>> index sn,uid,displayName pres,eq,sub
>> index uidNumber,gidNumber eq
>> index default sub
>>
>> I always do the following:
>>
>> 1. # rm /var/lib/ldap/*
>> (to be sure i'm starting from scratch)
>>
>>
>> 2. # slapadd -b dc=redtube,dc=com redtube.ldif
>>
>> After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all
>> the other files have -w----r-T as permissions and are owned by root.root.
>> Is that correct?
>>
>> Well, as far as I know they should be owned by ldap user and ldap group
>> with 0660 permissions assigned (based on "mode" directive in slapd.conf).
>> So I do the following:
>>
>>
>> 3. # chown ldap.ldap /var/lib/ldap/*
>>    # chmod 660 /var/lib/ldap/*
>>    (/var/lib/ldap directory is 0700 and owned by ldap.ldap already)
>>
>> 4. I check against possible errors and then start OpenLDAP:
>>
>>    # slapd -Tt
>>    # service ldap start
>>
>>
>> 5. OpenLDAP starts correctly, it works perfectly. I can even do
>> modifications to the LDAP tree adding entries based on attributes like
>> vd, cn, mail, among others.
>> I'm aware that there are no uid.bdb created yet in /var/lib/ldap, so I
>> guess that's ok.
>>
>> My problem comes when I try to perform some operation that causes
>> OpenLDAP to create an index file in /var/lib/ldap.
>> For example, when I try to log in with rootdn through phpldapadmin I get
>> something like this in logs:
>>
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
>> Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
>> Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
>> Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
>> Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
>>
>> I don't know why phpldapadmin performs a search based on a filter like
>> "(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
>>
>> Then I stop and start OpenLDAP and I start getting this:
>>
>> # /etc/init.d/ldap stop
>> Stopping slapd:                                            [  OK  ]
>> # /etc/init.d/ldap start
>> Checking configuration files for slapd:  bdb_db_open: unclean shutdown
>> detected; attempting recovery.
>> bdb_db_open: Warning - No DB_CONFIG file found in directory
>> /var/lib/ldap: (2)
>> Expect poor performance for suffix dc=mailtest,dc=com.
>> bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if
>> errors are encountered.
>> config file testing succeeded
>>                                                            [  OK  ]
>> Starting slapd:                                            [  OK  ]
>>
>>
>> Question is: Why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is it
>> getting permission denied messages? The whole directory /var/lib/ldap is
>> owned by ldap user with 660 permissions.
>> Can anybody help me? Thanks
>>
>
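The two questions that run through both messages above are (a) which index files slapd will still have to create on its own after slapadd, and (b) whether the user slapd actually runs as can create them in the database directory. The following script is an added example written for this thread, not code from the original posts or from the OpenLDAP project. It assumes a slapd.conf-style configuration with "index <attr>[,<attr>...] <types>" lines, the back-bdb convention of one <attr>.bdb file per indexed attribute in the database directory, and a runtime user name supplied by the caller (the user the init script starts slapd as). It does not try to explain the poster's error; it only makes the two checks explicit so the answer is a fact rather than a guess.

```shell
#!/bin/sh
# Added example for the thread above; not from the original posts or from
# the OpenLDAP project. Assumptions: slapd.conf "index" directives, one
# <attr>.bdb file per indexed attribute (back-bdb naming), and a runtime
# user name passed in by the caller.

# Print the attributes that have an "index" directive in CONF but no
# <attr>.bdb file yet in DBDIR. slapd creates such files on first use
# (the first operation that touches the attribute), so they must be
# creatable by the runtime user. "index default ..." names no attribute
# and is skipped; comments are stripped first.
slapd_missing_indexes() {
    conf=$1
    dbdir=$2
    sed 's/#.*//' "$conf" \
      | awk '$1 == "index" { print $2 }' \
      | tr ',' '\n' \
      | while IFS= read -r attr; do
            [ -n "$attr" ] || continue
            [ "$attr" = "default" ] && continue
            [ -e "$dbdir/$attr.bdb" ] || printf '%s\n' "$attr"
        done
}

# Owner name and mode string of a path, read from ls -ld so the same code
# works on GNU and BSD userlands (stat(1) flags differ between them).
_owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
_mode_of()  { ls -ld "$1" | cut -c1-10; }

# Verify that DBDIR and every file in it are owned by USER with the owner
# bits slapd needs: rwx on the directory (x to traverse, w to create new
# index files such as mail.bdb or uid.bdb) and rw on each existing file.
# Prints one line per problem and returns 1 if any were found.
slapd_dbdir_check() {
    dbdir=$1
    user=$2
    rc=0
    if [ "$(_owner_of "$dbdir")" != "$user" ]; then
        printf 'owner: %s is owned by %s, expected %s\n' \
            "$dbdir" "$(_owner_of "$dbdir")" "$user"
        rc=1
    fi
    case "$(_mode_of "$dbdir")" in
        drw[xs]*) ;;
        *) printf 'mode: %s lacks owner rwx (%s)\n' "$dbdir" "$(_mode_of "$dbdir")"
           rc=1 ;;
    esac
    for f in "$dbdir"/* "$dbdir"/.[!.]*; do
        [ -e "$f" ] || continue          # unmatched glob, nothing there
        if [ "$(_owner_of "$f")" != "$user" ]; then
            printf 'owner: %s is owned by %s, expected %s\n' \
                "$f" "$(_owner_of "$f")" "$user"
            rc=1
        fi
        case "$(_mode_of "$f")" in
            -rw*) ;;
            *) printf 'mode: %s lacks owner rw (%s)\n' "$f" "$(_mode_of "$f")"
               rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh slapd-dbcheck.sh /etc/openldap/slapd.conf /var/lib/ldap/test ldap
if [ "$#" -eq 3 ]; then
    printf 'indexes configured but not yet present in %s:\n' "$2"
    slapd_missing_indexes "$1" "$2"
    slapd_dbdir_check "$2" "$3" \
        && printf '%s: ownership and owner bits OK for user %s\n' "$2" "$3"
fi
```

Run it after slapadd and the chown/chmod step, with the user named in the init script as the third argument. A non-empty list from the first function is normal (in the first message it would print mail; in the quoted one, uid among others): those files appear the first time an operation uses the attribute, and they are created by the running slapd, not by slapadd. The second function should print nothing; if it does, the listed path is what to fix. Because the check compares against a user name you pass in, confirm separately which user the daemon really has, for example with ps -o user= -p "$(pidof slapd)" once it is running, since the init script's intent and the effective user can differ.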