Comments (12)

seanhandley avatar seanhandley commented on June 28, 2024

Hi @fatmcgav,

We're unaware of anything specific and it seems unlikely there'd be any kind of breaking changes over the course of a few patch revisions.

Have you checked the ldap server logs to see if there's any clues?

from datacentred-ldap.

fatmcgav avatar fatmcgav commented on June 28, 2024

@seanhandley I thought the same, so rather confused...

Have updated the gist with some slapd logs: https://gist.github.com/fatmcgav/05c5f011c10f88d17f05#file-openldap-log

Will try increasing the logging level and see if it shows anything...

Edit: Please ignore the bind domain differences, dc=test,dc=com is sanitized, it's actually dc=dt0388,dc=local on my vagrant box...

seanhandley avatar seanhandley commented on June 28, 2024

Try using the ldapsearch client (ideally from a different machine to the server) and see if you can still connect that way.

seanhandley avatar seanhandley commented on June 28, 2024

Also, in case you've not tried this, you can stop the slapd service and then run slapd -d -1 to see full debug output on STDOUT.

fatmcgav avatar fatmcgav commented on June 28, 2024

OK, ldapsearch from another host is failing as well :(

puppet ~]$ ldapsearch -h 192.168.250.120 -x -D "cn=admin,dc=dt0388,dc=local" -W -b "dc=dt0388,dc=local"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Server logs:

Oct 20 10:53:59 localhost slapd[3819]: conn=1008 fd=11 ACCEPT from IP=192.168.250.250:33537 (IP=0.0.0.0:389)
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 op=0 BIND dn="cn=admin,dc=dt0388,dc=local" method=128
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 op=0 RESULT tag=97 err=49 text=
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 fd=11 closed (connection lost)

Interestingly, increasing the LogLevel config in slapd.conf doesn't appear to have any effect on the log output, which might suggest that some of the slapd.conf stuff is being ignored?

fatmcgav avatar fatmcgav commented on June 28, 2024

Ahh, running it to STDOUT looks like a good call...

It looks like despite there being a database definition for suffix "dc=dt0388,dc=local", that's not being loaded by slapd...

Have added a log output here: https://gist.github.com/fatmcgav/05c5f011c10f88d17f05#file-slapd-debug-log

fatmcgav avatar fatmcgav commented on June 28, 2024

@seanhandley OK, it looks like it is a behavior change in the way that OpenLDAP is packaged on CentOS 7...

CentOS 7 now uses systemv scripts, and the OpenLDAP one looks like:

[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

Looking through the ExecStartPre check-config.sh script, it now loads the config dir before it loads the config file...

#!/bin/sh
# Author: Jan Vcelak <[email protected]>

. /usr/libexec/openldap/functions

function check_config_syntax()
{
        retcode=0
        tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
        run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
        if [ $? -ne 0 ]; then
                error "Checking configuration file failed:"
                cat $tmp_slaptest >&2
                retcode=1
        fi
        rm $tmp_slaptest
        return $retcode
}

function check_certs_perms()
{
        retcode=0
        for cert in `certificates`; do
                run_as_ldap "/usr/bin/test -e \"$cert\""
                if [ $? -ne 0 ]; then
                        error "TLS certificate/key/DB '%s' was not found." "$cert"
                        # typo fixed: the posted script set retcoder=1 here, so a
                        # missing certificate never failed the check
                        retcode=1
                        continue
                fi
                run_as_ldap "/usr/bin/test -r \"$cert\""
                if [ $? -ne 0 ]; then
                        error "TLS certificate/key/DB '%s' is not readable." "$cert"
                        retcode=1
                fi
        done
        return $retcode
}

function check_db_perms()
{
        retcode=0
        for dbdir in `databases`; do
                [ -d "$dbdir" ] || continue
                for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
                        run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
                        if [ $? -ne 0 ]; then
                                error "Read/write permissions for DB file '%s' are required." "$dbfile"
                                retcode=1
                        fi
                done
        done
        return $retcode
}

function check_everything()
{
        retcode=0
        check_config_syntax || retcode=1
        # TODO: need support for Mozilla NSS, disabling temporarily
        #check_certs_perms || retcode=1
        check_db_perms || retcode=1
        return $retcode
}

if [ `id -u` -ne 0 ]; then
        error "You have to be root to run this script."
        exit 4
fi

load_sysconfig

# The config directory (cn=config / slapd.d) is checked first and, if present,
# the script exits here: a slapd.conf file is never considered in that case.
if [ -n "$SLAPD_CONFIG_DIR" ]; then
        if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
                error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
        else
                check_everything
                exit $?
        fi
fi

# Only reached when no config directory is set; the file path is deprecated.
if [ -n "$SLAPD_CONFIG_FILE" ]; then
        if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
                error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
        else
                error "Warning: Usage of a configuration file is obsolete!"
                check_everything
                exit $?
        fi
fi

exit 1

A work-around appears to be specifying the config file as part of the SLAPD_OPTIONS="" value in /etc/sysconfig/slapd.

$ cat /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"

# Any custom options
SLAPD_OPTIONS="-f /etc/openldap/slapd.conf"

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

I'll see if I can work up a sensible PR to add this functionality in...

Unless you've got any immediate ideas...

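
The precedence problem above (slapd.d being loaded while a Puppet-managed slapd.conf is silently ignored) is easy to check before restarting the service. The script below is an added example, not code from the thread or from the datacentred-ldap module; it reads an /etc/sysconfig/slapd-style file and reports which configuration slapd will start with, assuming the order an explicit -F/-f in SLAPD_OPTIONS, then SLAPD_CONFIG_DIR, then SLAPD_CONFIG_FILE, else slapd's built-in default. The sample sysconfig files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the datacentred-ldap module).
# Report which configuration slapd will actually use for a given
# /etc/sysconfig/slapd-style file. Assumed precedence: -F/-f inside
# SLAPD_OPTIONS (passed straight to slapd by ExecStart), then
# SLAPD_CONFIG_DIR, then SLAPD_CONFIG_FILE, else slapd's built-in default.

# Print "dir:<path>", "file:<path>" or "default" for the sysconfig file $1.
slapd_effective_config() {
    # Source the file in a subshell so the caller's environment stays clean.
    (
        SLAPD_CONFIG_DIR=""; SLAPD_CONFIG_FILE=""; SLAPD_OPTIONS=""
        if [ -r "$1" ]; then . "$1"; fi
        # Walk SLAPD_OPTIONS word by word looking for -F (config dir) or -f (config file).
        set -- $SLAPD_OPTIONS
        while [ $# -gt 0 ]; do
            case "$1" in
                -F) echo "dir:$2"; exit 0 ;;
                -f) echo "file:$2"; exit 0 ;;
            esac
            shift
        done
        if [ -n "$SLAPD_CONFIG_DIR" ]; then echo "dir:$SLAPD_CONFIG_DIR"
        elif [ -n "$SLAPD_CONFIG_FILE" ]; then echo "file:$SLAPD_CONFIG_FILE"
        else echo "default"; fi
    )
}

# Return 0 when a config directory $1 exists next to a config file $2.
# With no -F/-f given, slapd (per its man page) tries the default config
# directory before the default config file, so in this layout slapd.conf
# is shadowed: exactly the symptom seen in the thread.
slapd_conf_shadowed() {
    [ -d "$1" ] && [ -f "$2" ]
}

# Constructed sample sysconfig files (not from any real host), in a temp dir.
write_samples() {
    dir=$(mktemp -d)
    printf 'SLAPD_URLS="ldapi:/// ldap:///"\nSLAPD_OPTIONS="-f /etc/openldap/slapd.conf"\n' > "$dir/workaround"
    printf 'SLAPD_OPTIONS=""\nSLAPD_CONFIG_DIR="/etc/openldap/slapd.d"\n' > "$dir/olc"
    printf 'SLAPD_URLS="ldapi:/// ldap:///"\nSLAPD_OPTIONS=""\n' > "$dir/stock"
    echo "$dir"
}

samples=$(write_samples)
for name in workaround olc stock; do
    echo "$name: $(slapd_effective_config "$samples/$name")"
done
rm -rf "$samples"
```

Running it against the real /etc/sysconfig/slapd (`slapd_effective_config /etc/sysconfig/slapd`) together with `slapd_conf_shadowed /etc/openldap/slapd.d /etc/openldap/slapd.conf` tells you whether a stock sysconfig will ignore a managed slapd.conf before you restart the service.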
seanhandley avatar seanhandley commented on June 28, 2024

Ahaa, good catch.

I don't think the module will handle that at the moment, so feel free to set up a PR.

fatmcgav avatar fatmcgav commented on June 28, 2024

:) Will get a PR sorted this afto...

On a more general note, are there any plans to update this module to support the OLC config format? As it looks like OpenLDAP/Packagers are trying to encourage users that way...

seanhandley avatar seanhandley commented on June 28, 2024

To be honest @fatmcgav - we maintain this module in line with our own internal needs at DataCentred, so the active development work we do on it will be to support our needs. As it stands, on our Ubuntu-based network, there aren't any features we need to add. At the same time, there's a heck of a lot of other development work we need to focus on regarding our internal cloud platform.

We'd love to spend more time on it (and we likely will do in future) but I don't see a lot of dev time going into it from our devs any time soon.

As ever, we welcome all pull requests!

fatmcgav avatar fatmcgav commented on June 28, 2024

@seanhandley No worries, I know that pain as well :)

bilco105 avatar bilco105 commented on June 28, 2024

Closing this, as there's already a PR for OLC support in the form of #16
