In BLFS systemd version 8.0:

Until a few days ago, the commands "sudo -E" and "su root" did what I
expected: they preserved the environment of the original user. Now they
don't, so I've tried to debug what's going on.

For example, I would think that "sudo -E printenv" would return exactly the same parameters as just "printenv". Isn't that correct?

Also until a few days ago, the ldap daemon slapd was running ok, it appears.
Then I started cleaning up various configuration files, using the BLFS
book and various online resources. Now, after many changes, the slapd daemon
appears not to be working correctly. I suspect that this may be the cause
of the "sudo" and "su" problems.

At this point I've reinstalled OpenLDAP (with --enable-debug) along with
the Recommended Dependencies and their dependencies:

Cyrus SASL-2.1.26
OpenSSL-1.0.2k
Linux-PAM-1.3.0
ICU-58.2
Pth-2.0.7
unixODBC-2.3.4
PostgreSQL-9.6.2
Berkeley DB-6.2.23

MIT Kerberos V5-1.15 is not installed.

Here is some of what I've tried so far:

######
root [ ~ ]# systemctl status slapd.service
● slapd.service - OpenLDAP server daemon
   Loaded: loaded (/lib/systemd/system/slapd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-06-25 09:58:36 MDT; 3min 54s ago
  Process: 419 ExecStart=/usr/sbin/slapd -u ldap -g ldap $SLAPD_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 545 (slapd)
   CGroup: /system.slice/slapd.service
           └─545 /usr/sbin/slapd -u ldap -g ldap

Jun 25 09:58:34 komodo systemd[1]: Starting OpenLDAP server daemon...
Jun 25 09:58:35 komodo slapd[419]: @(#) $OpenLDAP: slapd 2.4.44 (Jun 25 2017 09:06:32) $
             lfs@komodo:/sources/openldap-2.4.44/servers/slapd
Jun 25 09:58:35 komodo slapd[419]: File /usr/lib/sasl2/slapd.conf could not be fopened
Jun 25 09:58:36 komodo slapd[419]: auxpropfunc error invalid parameter supplied
Jun 25 09:58:36 komodo slapd[419]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Jun 25 09:58:36 komodo slapd[419]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Jun 25 09:58:36 komodo slapd[419]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Jun 25 09:58:36 komodo systemd[1]: Started OpenLDAP server daemon.
######

# Until a short while ago, there seemed to be an ownership problem with two
# files:

/usr/lib/sasl2/slapd.conf
/etc/sasl2/slapd.conf

Most of the time, the above output from "systemctl status slapd.service"
included another line like:

Jun 25 09:58:35 komodo slapd[419]: File /etc/sasl2/slapd.conf could not be fopened

So I fiddled with the ownerships (root:root, ldap:ldap, etc.) until this
line disappeared, leaving just the one "could not be fopened" error.

Now I have these ownerships:

######
root [ /usr/lib/sasl2 ]# ll slapd.conf
-rw-r--r-- 1 ldap root 142 Jun 25 04:14 slapd.conf
######

######
root [ /etc/sasl2 ]# ll slapd.conf
-rw-r--r-- 1 ldap root 142 Jun 25 03:24 slapd.conf
######

According to the BLFS book, all you need is /etc/sasl2/slapd.conf, but much
online documentation refers to /usr/lib/sasl2/slapd.conf as well. My two
files are the same.

I've used google to look for the above errors in various combinations --
zillions of instances, but nothing useful to me.

The above problems result in no contact with slapd:

######
root [ /etc/openldap ]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
######

# I executed several slapd commands:

slaptest -d -1 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -v
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -v
######
config file testing succeeded
######

slapschema -d -1 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -v
slapschema -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -v
######
# id=00000001
######

slapauth -d -1 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -M pam root
slapauth -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -M pam lfs
######
ID: <lfs> check succeeded
authcID:     <uid=lfs,cn=pam,cn=auth>
######

# The tests seem to have succeeded, with lots of output but no errors when
# the "-d -1" (debug) flag was given.

All of the ldap commands fail with one of two errors:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
######
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
######

ldapwhoami -n -v -x -W -Y pam
ldapwhoami -n -v -x -D "cn=root,dc=example,dc=org" -W -Y pam
######
ldapwhoami: incompatible with authentication choice
######
Any suggestions to fix this are welcome.

Alan
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

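The check a reader would want to run before fiddling with ownerships is the one slapd itself performs after "-u ldap -g ldap": can the unprivileged daemon identity open the SASL config for reading at all? The script below is an added example, not code from Alan's post, from BLFS or from OpenLDAP. It parses `ls -l` style lines (the two `ll slapd.conf` lines quoted in the post, plus two constructed lines for the negative and the group-only case) and applies the classic mode-bit rule for a given user and group list. The user and group names `ldap` are taken from the unit's ExecStart line; the extra file names are made up. It deliberately treats root as able to read anything, because the slaptest/slapauth runs in the post were done from a root prompt and therefore never exercised the same permission check the daemon does.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenLDAP/BLFS.
# Question it answers: given an `ls -l` line, could the user that slapd
# drops to with "-u ldap -g ldap" open that file for reading? This is
# the check behind "File ... could not be fopened". It models only the
# classic mode bits (no ACLs, no MAC labels, no parent-directory search
# permission), and it treats root as able to read anything, which is why
# slaptest/slapauth run from a root prompt never hit this problem.

# Constructed input: the two `ll slapd.conf` lines quoted in the post,
# plus two made-up lines to show the negative and the group-only case.
LS_LINES='-rw-r--r-- 1 ldap root 142 Jun 25 04:14 /usr/lib/sasl2/slapd.conf
-rw-r--r-- 1 ldap root 142 Jun 25 03:24 /etc/sasl2/slapd.conf
-rw------- 1 root root 142 Jun 25 03:24 /etc/sasl2/rootonly.conf
-rw-r----- 1 root ldap 142 Jun 25 03:24 /etc/sasl2/grouponly.conf'

# can_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the 10-character ls mode string. The last argument lists the
# user's primary and supplementary groups. Prints yes/no; exit 0 = yes.
can_read() {
  mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
  if [ "$user" = root ]; then
    echo yes; return 0                  # root: mode bits are not consulted
  fi
  # Pick the triplet the kernel would use: owner, else group, else other.
  # It does NOT fall through to a more permissive triplet.
  if [ "$user" = "$owner" ]; then
    bit=$(printf '%s' "$mode" | cut -c2)
  elif printf ' %s ' "$ugroups" | grep -q " $group "; then
    bit=$(printf '%s' "$mode" | cut -c5)
  else
    bit=$(printf '%s' "$mode" | cut -c8)
  fi
  if [ "$bit" = r ]; then echo yes; return 0; fi
  echo no; return 1
}

# check_lines USER "GROUPS" < ls-output
# One report line per file, e.g. "/etc/sasl2/slapd.conf readable by ldap: yes"
check_lines() {
  user=$1 ugroups=$2
  while read -r mode links owner group size mon day time path; do
    [ -n "$mode" ] || continue
    res=$(can_read "$mode" "$owner" "$group" "$user" "$ugroups") || true
    printf '%s readable by %s: %s\n' "$path" "$user" "$res"
  done
}

# Stand-alone run: report for the daemon's identity, then for root, to
# show that a root prompt is not a faithful test of what slapd sees.
printf '%s\n' "$LS_LINES" | check_lines ldap ldap
printf '%s\n' "$LS_LINES" | check_lines root root
```

For the two files as shown in the post (mode 644, owner ldap) the answer for user ldap is "yes", so the mode bits on the files themselves are not what blocks the open; the directories /etc/sasl2 and /usr/lib/sasl2 also need the search (x) bit for the ldap user, and that, like ACLs, is outside what this script models.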