Bugzilla – Bug 964924
LDAP server broken after update, reconfiguration fails with str2ad(olcDbCheckpoint): attribute type undefined
Last modified: 2017-09-24 12:10:17 UTC
I've been running an authentication server in my home network for half a year now, without problems. After a zypper dup on 2016-02-02, clients could no longer authenticate their users (both other computers on the net and the server itself). Below I've quoted slapd-related error messages from the system journal during the update.

Stopped slapd and re-ran the Yast2 Authentication server module, opted for clean re-install (without reading current configuration). Selected starting of LDAP and Kerberos. Default hdb backend. On clicking "Finish", there is an error message

56b1f578 <= str2entry: str2ad(olcDbCheckpoint): attribute type undefined
slapadd: could not parse entry (line=920)

Searched for a schema file containing the database-specific attributes (a web search hinted at a confighdb.ldif file, which appears not to be present on my system).

I'd be happy to run tests or provide further data, and of course I would also welcome a workaround.

*.*

Feb 02 18:47:22 spunk slapd[2408]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb 02 18:47:23 spunk slapd[2408]: DIGEST-MD5 common mech free
Feb 02 18:47:23 spunk slapd[2408]: slapd stopped.
Feb 02 18:47:23 spunk systemd[1]: Stopped OpenLDAP Server Daemon.
Feb 02 18:47:23 spunk audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=slapd comm="systemd" exe="/
Feb 02 18:47:23 spunk audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=slapd comm="systemd" exe="/u
Feb 02 18:47:23 spunk systemd[1]: Starting OpenLDAP Server Daemon...
Feb 02 18:47:23 spunk slapd[7266]: @(#) $OpenLDAP: slapd 2.4.43 $ opensuse-buildservice@opensuse.org
Feb 02 18:47:23 spunk slapd[7266]: UNKNOWN attributeDescription "OLCDBCACHESIZE" inserted.
Feb 02 18:47:23 spunk slapd[7266]: UNKNOWN attributeDescription "OLCDBCHECKPOINT" inserted.
Feb 02 18:47:23 spunk slapd[7266]: UNKNOWN attributeDescription "OLCDBCONFIG" inserted.
Feb 02 18:47:23 spunk slapd[7266]: UNKNOWN attributeDescription "OLCDBIDLCACHESIZE" inserted.
Feb 02 18:47:23 spunk slapd[7266]: UNKNOWN attributeDescription "OLCDBINDEX" inserted.
Feb 02 18:47:23 spunk slapd[7266]: config error processing olcDatabase={1}hdb,cn=config:
Feb 02 18:47:23 spunk slapd[7266]: DIGEST-MD5 common mech free
Feb 02 18:47:23 spunk slapd[7266]: slapd stopped.
Feb 02 18:47:23 spunk slapd[7266]: connections_destroy: nothing to destroy.
Feb 02 18:47:23 spunk systemd[1]: slapd.service: Control process exited, code=exited status=1
Feb 02 18:47:23 spunk systemd[1]: Failed to start OpenLDAP Server Daemon.
Feb 02 18:47:23 spunk audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=slapd comm="systemd" exe="/
Feb 02 18:47:23 spunk systemd[1]: slapd.service: Unit entered failed state.
Feb 02 18:47:23 spunk systemd[1]: slapd.service: Failed with result 'exit-code'.
Feb 02 18:47:23 spunk start[7266]: Starting ldap-server
Feb 02 18:47:23 spunk [RPM][7214]: erase openldap2-2.4.42-18.1.x86_64: success
Feb 02 18:47:23 spunk [RPM][7214]: Transaction ID 56b0eba8 finished: 0
Feb 02 18:47:23 spunk [RPM][7290]: Transaction ID 56b0ebab started
Could you please attach y2logs as described here: https://en.opensuse.org/openSUSE:Report_a_YaST_bug#I_reported_a_YaST2_bug.2C_and_now_I_am_asked_to_.22attach_y2logs.22_.28for_package_installation_also_.22libzypp_logging.22.29._What_does_that_mean.2C_and_how_do_I_do_that.3F
This is not related to yast or zypper so those logs are not what you need, after updating openldap packages on tumbleweed (slapd 2.4.44), slapd fails to start with the errors in the first report:

UNKNOWN attributeDescription "OLCDBCACHESIZE"...

Workaround: reverting the packages from Leap on tumbleweed gets the slapd running again.
Hi Jörn. Sorry about that! Since the last update, you will have to manually load database backends. Previously the database backends were built into the executable itself, which is a waste of a tiny bit of memory.

Please take a look at the changelog file: https://build.opensuse.org/package/view_file/network:ldap/openldap2/openldap2.changes?expand=1 The version you're using is from the 8th February revision.

Please also check out this example .conf template for conversion to OLC config: https://build.opensuse.org/package/view_file/network:ldap/openldap2/slapd.conf.olctemplate?expand=1

For now, to resume normal ldap operation, please temporarily remove olcDatabases from cn=config by relocating /etc/openldap/slapd.d/cn=config/ nodes, then start LDAP server and add HDB backend module (back_hdb.la), and eventually bring the olcDatabase back in. Here's a reference to the syntax of add/delete modules: http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-modules

Also, please refrain from using Authentication Server module for now, there's a known issue in the module that prevents it from working with openldap at the moment.
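A pre-upgrade check for the condition described in the comment above, as an added example that is not part of the original thread or of the openSUSE packages: it scans a slapd.d tree for olcDatabase entries whose backend has no matching olcModuleLoad line. The function name, the sample tree, and the treatment of the frontend and config databases as compiled in are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): find database backends that a
# cn=config tree uses but never loads as a module.
# Assumption: "frontend" and "config" are compiled into slapd; every other
# backend named in an olcDatabase attribute needs a back_<name> module.

# missing_backend_modules CONFIG_DIR
# Prints one backend name per line (e.g. "hdb") for each olcDatabase value
# that has no corresponding olcModuleLoad entry anywhere under CONFIG_DIR.
missing_backend_modules() {
    dir=$1
    # "olcModuleLoad: {0}/path/back_hdb.la" -> "hdb" (overlays are dropped)
    loaded=$(grep -rhi '^olcModuleLoad:' "$dir" 2>/dev/null |
        sed -n -e 's/^[^:]*:[[:space:]]*//' -e 's/^{[0-9]*}//' \
               -e 's|.*/||' -e 's/\.[a-z]*$//' -e 's/^back_//p')
    # "olcDatabase: {1}hdb" -> "hdb"
    grep -rhi '^olcDatabase:' "$dir" 2>/dev/null |
        sed -e 's/^[^:]*:[[:space:]]*//' -e 's/^{[-0-9]*}//' |
        sort -u |
        while read -r backend; do
            case $backend in
                frontend|config) continue ;;
            esac
            printf '%s\n' "$loaded" | grep -qxF "$backend" ||
                printf '%s\n' "$backend"
        done
}

# Constructed sample tree (not real data) shaped like the reporter's setup:
# an hdb database and no module entry, then the same tree with the module.
demo=$(mktemp -d)
mkdir -p "$demo/cn=config"
printf 'dn: olcDatabase={-1}frontend\nolcDatabase: {-1}frontend\n' \
    > "$demo/cn=config/olcDatabase={-1}frontend.ldif"
printf 'dn: olcDatabase={1}hdb\nolcDatabase: {1}hdb\nolcDbCheckpoint: 1024 5\n' \
    > "$demo/cn=config/olcDatabase={1}hdb.ldif"
echo "missing before module entry: $(missing_backend_modules "$demo")"

printf 'dn: cn=module{0}\nobjectClass: olcModuleList\nolcModuleLoad: {0}back_hdb.la\n' \
    > "$demo/cn=config/cn=module{0}.ldif"
echo "missing after module entry:  $(missing_backend_modules "$demo")"
rm -rf "$demo"
```

Run it against a copy of /etc/openldap/slapd.d before updating; any name it prints is a backend that slapd will fail to recognise once backends are no longer built in.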
Wow, this took me by surprise. How is it possible to release an upgrade for openldap without having support from the yast2 module? Shouldn't there be a dependency there? I didn't see any warning during the upgrade about this change requiring some action from my side. Once the upgrade was done, I found out I couldn't log in to any host which I had not used before (thank goodness sssd still had the cached version of the credentials). Since I have a backup of LDAP I thought of just trying to re-create the setup from scratch and then re-importing the data. But no! yast couldn't do so, failing with multiple errors. I tried to fix them, but it was taking too long. I reverted the packages to the previous version and re-loaded my data. Could we set a dependency on the yast module and the openldap version? Thanks!
@Federico: sorry, I overlooked the Yast module when doing the LDAP upgrade. Fixing the auth server module is in my priority task list.
@Howard, thanks for looking into this. I'll definitely watch this bug so I don't miss the update.
Several fixes are on their way to Factory, please track the progress over here: https://build.opensuse.org/request/show/387858 Once it makes its way to Tumbleweed snapshot, please report back on whether it works for you.
I think the issue has been fixed, but feel free to reopen the bug report should you still encounter this issue.
Jun 25 19:39:24 arthur slapd[87670]: @(#) $OpenLDAP: slapd 2.4.44 $ opensuse-buildservice@opensuse.org
Jun 25 19:39:24 arthur slapd[87670]: UNKNOWN attributeDescription "OLCDBCACHESIZE" inserted.
Jun 25 19:39:24 arthur slapd[87670]: UNKNOWN attributeDescription "OLCDBCHECKPOINT" inserted.
Jun 25 19:39:24 arthur slapd[87670]: UNKNOWN attributeDescription "OLCDBCONFIG" inserted.
Jun 25 19:39:24 arthur slapd[87670]: UNKNOWN attributeDescription "OLCDBIDLCACHESIZE" inserted.
Jun 25 19:39:24 arthur slapd[87670]: UNKNOWN attributeDescription "OLCDBINDEX" inserted.
Jun 25 19:39:24 arthur slapd[87670]: config error processing olcDatabase={1}hdb,cn=config:

I know I'm late to the party here, but I'm getting a similar error after doing the Leap 42.1 to 42.2 update. I think I've only got the one database, and that's an email address book. I don't think this bug should be occurring during a leap upgrade.
Ignore my comment, bug 1011582 seems to be more generic than this bug which is auth-server specific.
I just got hit by this bug when upgrading from 13.2 to 42.3. My server is now non-functional.
Upgrade from 42.1 to 42.2 still appears to break on update. Any updates on the inclusion of the suggested fix in Factory from comment #9? https://bugzilla.opensuse.org/show_bug.cgi?id=964924#c9

Also, this bug seems identical to https://bugzilla.opensuse.org/show_bug.cgi?id=1011582 I don't see how it is more generic as suggested above?

*** This bug has been marked as a duplicate of bug 1011582 ***