
I'll preface with saying I have used *nix, regularly, for >20 years; however, I have minimal experience with openldap. I had openldap (slapd) running on a server that has been working for years. Today, I ran yum update and it updated quite a few packages, including openLDAP, and now my ldap server will not start.

Here is/are the openldap version(s) from rpm -qa:

openldap-clients-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64

Once yum update finished (without errors) our LDAP server was not running. I attempted a simple service slapd start which failed. slaptest -u now returns:

# slaptest -u
581260f7 config error processing cn={5}passwordSelfReset,cn=schema,cn=config: 
slaptest: bad configuration file!

Here is also my slapd.conf file (that worked prior to the yum update):

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/passwordSelfReset.schema

allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap

moduleload syncprov.la
moduleload unique.la

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=am5up,dc=com" read
        by * none

database    bdb
suffix      "dc=am5up,dc=com"
rootdn      "cn=admin,dc=am5up,dc=com"
rootpw {SSHA}0yFFC0BTYdZLDRNtSHVz1I6YC4zJ3Z0AZ09123
directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber               eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay unique
unique_attributes mail

ServerID        1 "ldap://ldap.am5up.com"

overlay         syncprov
syncprov-checkpoint     10 1
syncprov-sessionlog     100

Update: So I deleted everything in /etc/openldap/slapd.d and then ran:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Now slaptest -u returns successfully, but service slapd start still fails. The only log entry I can find after the failure is in /var/log/ldap.log:

@(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $#012#011mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
MSF004

1 Answer


For anyone else with this issue - I have figured out the problem. During the upgrade the slightly newer version requires the host to match the server definition in the config file.

For instance, if your slapd.conf file has a line like:

ServerID 1 "ldap://myldapserver"

Then in your startup script (or when you start up slapd) you must define the host as "ldap://myldapserver".

This would appear to make sense; however, through my troubles today I learned that the default /etc/init.d/slapd file that was added during my initial install lists the host as blank. Thus, the default startup script, basically, executes:

slapd -h "" -u <user> -g <group>

Once I edited the startup script to ensure the -h switch on slapd matches what is in my config file everything started working again.

MSF004
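An added example, not code from the original post: a small POSIX shell check that pulls the URL out of the ServerID directive(s) in slapd.conf and confirms it appears in the listener list the init script hands to slapd with -h, so the mismatch the answer describes is caught before the service is restarted. The sample config, hostnames and listener strings are constructed, and an exact string comparison between the ServerID URL and the -h URLs is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a URL named in a
# ServerID directive of slapd.conf also appears in the listener list passed to
# slapd via -h, so the mismatch described in the answer is caught before a
# restart. Exact string comparison between the two URLs is an assumption.

# Print the URL of every ServerID line that carries one, quotes stripped.
serverid_urls() {
    sed -n 's/^[[:space:]]*[Ss]erver[Ii][Dd][[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1"
}

# Return 0 if at least one ServerID URL is present in the space-separated
# listener list "$2" (what slapd receives via -h), 1 otherwise.
serverid_matches_listeners() {
    _conf="$1"; _listeners="$2"
    for _url in $(serverid_urls "$_conf"); do
        for _l in $_listeners; do
            [ "$_url" = "$_l" ] && return 0
        done
    done
    return 1
}

# Constructed sample config in a temp file (the hostname is made up).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
database    bdb
suffix      "dc=example,dc=com"
ServerID        1 "ldap://ldap.example.com"
overlay         syncprov
EOF

# Two listener lists: what a correct init script would pass, and the blank
# value the answer describes (slapd -h "").
GOOD_URLS='ldap://ldap.example.com ldaps://ldap.example.com'
BLANK_URLS=''

for urls in "$GOOD_URLS" "$BLANK_URLS"; do
    if serverid_matches_listeners "$SAMPLE_CONF" "$urls"; then
        echo "OK: ServerID URL is among listeners [$urls]"
    else
        echo "MISMATCH: no ServerID URL in listeners [$urls]; slapd will refuse to start"
    fi
done
```

To check a live host, point serverid_matches_listeners at /etc/openldap/slapd.conf and the value the init script actually passes to -h.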