Comments (12)
Hi @fatmcgav,
We're unaware of anything specific and it seems unlikely there'd be any kind of breaking changes over the course of a few patch revisions.
Have you checked the ldap server logs to see if there's any clues?
from datacentred-ldap.
@seanhandley I thought the same, so rather confused...
Have updated the gist with some slapd logs: https://gist.github.com/fatmcgav/05c5f011c10f88d17f05#file-openldap-log
Will try increasing the logging level and see if it shows anything...
Edit: Please ignore the bind domain differences, dc=test,dc=com is sanitized, it's actually dc=dt0388,dc=local on my vagrant box...
from datacentred-ldap.
Try using the ldapsearch client (ideally from a different machine to the server) and see if you can still connect that way.
from datacentred-ldap.
Also, in case you've not tried this, you can stop the slapd service and then run slapd -d -1 to see full debug output on STDOUT.
from datacentred-ldap.
OK, ldapsearch from another host is failing as well :(
puppet ~]$ ldapsearch -h 192.168.250.120 -x -D "cn=admin,dc=dt0388,dc=local" -W -b "dc=dt0388,dc=local"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Server logs:
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 fd=11 ACCEPT from IP=192.168.250.250:33537 (IP=0.0.0.0:389)
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 op=0 BIND dn="cn=admin,dc=dt0388,dc=local" method=128
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 op=0 RESULT tag=97 err=49 text=
Oct 20 10:53:59 localhost slapd[3819]: conn=1008 fd=11 closed (connection lost)
Interestingly, increasing the LogLevel config in slapd.conf doesn't appear to have any effect on the log output, which might suggest that some of the slapd.conf stuff is being ignored?
from datacentred-ldap.
Ahh, running it to STDOUT looks like a good call...
It looks like despite there being a database definition for suffix "dc=dt0388,dc=local", that's not being loaded by slapd...
Have added a log output here: https://gist.github.com/fatmcgav/05c5f011c10f88d17f05#file-slapd-debug-log
from datacentred-ldap.
@seanhandley OK, it looks like it is a behavior change in the way that OpenLDAP is packaged on CentOS 7...
CentOS 7 now uses systemv scripts, and the OpenLDAP one looks like:
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
Looking through the ExecStartPre check-config.sh script, it now loads the config dir before it loads the config file...
#!/bin/sh
# Author: Jan Vcelak <[email protected]>

. /usr/libexec/openldap/functions

# Run slaptest against the loaded configuration and report any failure.
function check_config_syntax()
{
    retcode=0
    tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
    run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
    if [ $? -ne 0 ]; then
        error "Checking configuration file failed:"
        cat $tmp_slaptest >&2
        retcode=1
    fi
    rm $tmp_slaptest
    return $retcode
}

# Verify that every TLS certificate/key referenced by the config exists and is readable by the ldap user.
function check_certs_perms()
{
    retcode=0
    for cert in `certificates`; do
        run_as_ldap "/usr/bin/test -e \"$cert\""
        if [ $? -ne 0 ]; then
            error "TLS certificate/key/DB '%s' was not found." "$cert"
            retcode=1    # the packaged script has 'retcoder=1' here, a typo that never flags the error
            continue
        fi
        run_as_ldap "/usr/bin/test -r \"$cert\""
        if [ $? -ne 0 ]; then
            error "TLS certificate/key/DB '%s' is not readable." "$cert"
            retcode=1
        fi
    done
    return $retcode
}

# Verify that the ldap user can read and write every database file in each configured directory.
function check_db_perms()
{
    retcode=0
    for dbdir in `databases`; do
        [ -d "$dbdir" ] || continue
        for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
            run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
            if [ $? -ne 0 ]; then
                error "Read/write permissions for DB file '%s' are required." "$dbfile"
                retcode=1
            fi
        done
    done
    return $retcode
}

function check_everything()
{
    retcode=0
    check_config_syntax || retcode=1
    # TODO: need support for Mozilla NSS, disabling temporarily
    #check_certs_perms || retcode=1
    check_db_perms || retcode=1
    return $retcode
}

if [ `id -u` -ne 0 ]; then
    error "You have to be root to run this script."
    exit 4
fi

load_sysconfig

# The config directory (slapd.d) is checked first; if it exists the config file is never considered.
if [ -n "$SLAPD_CONFIG_DIR" ]; then
    if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
        error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
    else
        check_everything
        exit $?
    fi
fi

if [ -n "$SLAPD_CONFIG_FILE" ]; then
    if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
        error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
    else
        error "Warning: Usage of a configuration file is obsolete!"
        check_everything
        exit $?
    fi
fi

exit 1
A work-around appears to be specifying the config file as part of the SLAPD_OPTIONS="" value in /etc/sysconfig/slapd.
$ cat /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"
# Any custom options
SLAPD_OPTIONS="-f /etc/openldap/slapd.conf"
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
I'll see if I can work up a sensible PR to add this functionality in...
Unless you've got any immediate ideas...
from datacentred-ldap.
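The precedence described in the comment above (slapd.d is loaded first and a present directory makes slapd.conf ignored unless -f is passed in SLAPD_OPTIONS), as an added example that is not part of the issue thread or the datacentred-ldap module. It takes the config paths as parameters so it can be run against constructed fixtures; the CentOS defaults it stands in for are assumed to be /etc/openldap/slapd.d and /etc/openldap/slapd.conf.

```shell
#!/bin/sh
# Added example (not from the issue thread or the datacentred-ldap module).
# Mirrors the documented slapd precedence: an explicit -F/-f in SLAPD_OPTIONS
# wins; otherwise the config directory is tried first and, if it exists, the
# config file is ignored. Paths are parameters so it runs against fixtures
# (assumed CentOS defaults: /etc/openldap/slapd.d and /etc/openldap/slapd.conf).

# opt_value FLAG "option string": print the argument that follows FLAG.
opt_value() {
    flag=$1
    set -- $2
    while [ $# -gt 1 ]; do
        [ "$1" = "$flag" ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# effective_config SYSCONFIG CONFIG_DIR CONFIG_FILE
# Prints "dir:<path>", "file:<path>" or "none" (exit 1 when nothing is found).
effective_config() {
    SLAPD_OPTIONS=""
    # Same as load_sysconfig in check-config.sh: source /etc/sysconfig/slapd.
    [ -r "$1" ] && . "$1"
    case " $SLAPD_OPTIONS " in
        *" -F "*) echo "dir:$(opt_value -F "$SLAPD_OPTIONS")"; return 0 ;;
        *" -f "*) echo "file:$(opt_value -f "$SLAPD_OPTIONS")"; return 0 ;;
    esac
    if [ -d "$2" ]; then echo "dir:$2"; return 0; fi
    if [ -f "$3" ]; then echo "file:$3"; return 0; fi
    echo "none"; return 1
}

# diagnose SYSCONFIG CONFIG_DIR CONFIG_FILE
# Exit 1 when slapd.d will be loaded while slapd.conf still carries the
# database definitions, which is the failure mode seen in this thread.
diagnose() {
    src=$(effective_config "$1" "$2" "$3") || { echo "no configuration found"; return 1; }
    case $src in
        dir:*)
            if grep -q '^[[:space:]]*suffix' "$3" 2>/dev/null; then
                echo "WARNING: $src is loaded, so the suffix in $3 is ignored;"
                echo "add -f $3 to SLAPD_OPTIONS or convert the file to OLC"
                return 1
            fi ;;
    esac
    echo "slapd will load $src"; return 0
}
```

Run `diagnose /etc/sysconfig/slapd /etc/openldap/slapd.d /etc/openldap/slapd.conf` on the affected host; a non-zero exit reproduces the situation in the debug log, where the slapd.conf suffix never appears because slapd.d was loaded instead.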
Ahaa, good catch.
I don't think the module will handle that at the moment, so feel free to set up a PR.
from datacentred-ldap.
:) Will get a PR sorted this afto...
On a more general note, are there any plans to update this module to support the OLC config format? As it looks like OpenLDAP/Packagers are trying to encourage users that way...
from datacentred-ldap.
To be honest @fatmcgav - we maintain this module in line with our own internal needs at DataCentred, so the active development work we do on it will be to support our needs. As it stands, on our Ubuntu-based network, there aren't any features we need to add. At the same time, there's a heck of a lot of other development work we need to focus on regarding our internal cloud platform.
We'd love to spend more time on it (and we likely will do in future) but I don't see a lot of dev time going into it from our devs any time soon.
As ever, we welcome all pull requests!
from datacentred-ldap.
@seanhandley No worries, I know that pain as well :)
from datacentred-ldap.
Closing this, as there's already a PR for OLC support in the form of #16
from datacentred-ldap.