Hello, I have a problem that I'm really having trouble figuring out. I run CentOS Linux 5.5. I have three servers. All have been setup and running with LDAP authentication for a couple years with absolutely no problems.
Unfortunately a couple weeks ago, we had a power outage. Ever since, I am having continuous problems with authentication to the server. I see in /var/log/messages
nss_ldap: reconnected to LDAP server ldap://127.0.0.1
I did run a yum update that installed an update to ldap, however that did not fix the issue.
I have seen a post mentioning changing 'nss_connect_policy persist' to 'nss_connect_policy oneshot'. However I don't see this setting in my server, and again, the server was working perfectly fine for years before the power outage.
I'm really thinking that some file got corrupted and I just need to clean it out. Maybe a cache file somewhere?
Following is ldap.conf file. Any suggestions?
<ldap.conf>
base dc=inside,dc=msi
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
rootbinddn cn=Manager,dc=inside,dc=msi
nss_base_passwd ou=People,dc=inside,dc=msi
nss_base_shadow ou=People,dc=inside,dc=msi
nss_base_group ou=Group,dc=inside,dc=msi
uri ldap://127.0.0.1 ldap://my.domain
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
</ldap.conf>
On 2/18/2011 9:13 AM, Tim Alberts wrote:
> Hello, I have a problem that I'm really having trouble figuring out. I run CentOS Linux 5.5. I have three servers. All have been setup and running wi..
Update, using Webmin to restart the server, I see the following:
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded [ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]
I've been reading that the recovery is supposed to be automatic. Unfortunately it seems to be in read-only mode.
Anyone know why it is in read-only mode?
Anyone have a simple tutorial on running the 'db_recover' command?
On 2/18/2011 10:11 AM, Tim Alberts wrote:
> Update, using Webmin to restart the server, I see the following:
> Stopping slapd: [ OK ]
> Stopping slurpd: [ OK ]
> Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
> bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
> config file testing succeeded [ OK ]
> Starting slapd: [ OK ]
> Starting slurpd: [ OK ]
> I've been reading that the recovery is supposed to be automatic. Unfortunately it seems to be in read-only mode.
> Anyone know why it is in read-only mode?
> Anyone have a simple tutorial on running the 'db_recover' command?
I found a helpful page: http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html approximately 2/3 down the page, section titled 'Notes: LDAP on Red Hat/Fedora distribution:' An example database recovery command as follows:
/usr/sbin/slapd_db_recover -v -h /var/lib/ldap/stooges/
I have run this (twice now with ldap stopped) on all three servers and continue to have problems. Now I'm really lost as to what to do.
On 2/18/2011 11:05 AM, Tim Alberts wrote:
> I found a helpful page: http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html approximately 2/3 down the page, section titled 'Notes: LDAP on Red Hat/Fedora distribution:' An example database recovery command as follows:
> /usr/sbin/slapd_db_recover -v -h /var/lib/ldap/stooges/
> I have run this (twice now with ldap stopped) on all three servers and continue to have problems. Now I'm really lost as to what to do.
Update, I believe this actually did fix the problem (db_recover). After I did this, I haven't seen any more:
nss_ldap: reconnected to LDAP server ldap://127.0.0.1
errors in /var/log/messages. However my Apache server was still giving Forbidden errors, and my subversion server was still giving Forbidden errors. I figured some BerkeleyDB was not shut down in Apache authentication and/or subversion as well. Fortunately, I decided to do a restart of Apache and that seems to have fixed that problem too.
So the solution appears to be: simple database recovery, followed by an Apache restart. Thank you to the folks who posted responses to help. Hopefully this thread can find its way to helping someone else who runs into this.
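The procedure Tim arrived at (stop slapd, run the BDB recovery tool, start slapd, restart the services that authenticate through it), as an added example script that is not from the thread or from the OpenLDAP project. It assumes the CentOS 5 layout: an init script named ldap, the database under /var/lib/ldap, slapd running as ldap:ldap, and slapd_db_recover from openldap-servers; the base DN is taken from the ldap.conf posted above, and httpd is assumed to be the dependent service. The recovery_needed function encodes the point behind the "Recovery skipped in read-only mode" line: the init script checks the config with slaptest, which opens the backend read-only and therefore reports the unclean shutdown without repairing it.

```shell
#!/bin/sh
# Added example: recover an OpenLDAP BDB backend after an unclean shutdown and
# restart the services that authenticate through it. Assumed paths and names
# (CentOS 5 layout); adjust for your site.
set -u

LDAP_DB_DIR="${LDAP_DB_DIR:-/var/lib/ldap}"
LDAP_OWNER="${LDAP_OWNER:-ldap:ldap}"
LDAP_BASE="${LDAP_BASE:-dc=inside,dc=msi}"        # base DN from the posted ldap.conf
DEPENDENT_SERVICES="${DEPENDENT_SERVICES:-httpd}"  # assumed: services to bounce afterwards
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Decide from slaptest/slapd start-up output whether manual recovery is needed.
# slaptest opens the backend read-only: it reports the unclean shutdown but
# cannot repair it. Returns 0 when recovery is needed, 1 when the backend
# opened cleanly or slapd already recovered it on a writable open.
recovery_needed() {
  out="$1"
  printf '%s\n' "$out" | grep -q 'unclean shutdown detected' || return 1
  printf '%s\n' "$out" | grep -q 'Recovery skipped' || return 1
  return 0
}

# Count nss_ldap reconnect messages in syslog text; a steady stream of these
# from clients on the LDAP host itself is the symptom seen in the thread.
reconnect_count() {
  printf '%s\n' "$1" | grep -c 'nss_ldap: reconnected to LDAP server' || true
}

# Recovery procedure. Every step goes through run() so it can be dry-run.
ldap_recover() {
  dir="$1"
  stamp=$(date +%Y%m%d-%H%M%S)

  # 1. slapd must not hold the BDB environment while db_recover rewrites it.
  run service ldap stop
  if [ "$DRY_RUN" != "1" ] && pgrep -x slapd >/dev/null; then
    echo "slapd still running; refusing to recover a live environment" >&2
    return 1
  fi

  # 2. Keep a copy of the current files; db_recover is not reversible.
  run tar czf "/root/ldap-db-$stamp.tgz" -C "$dir" .

  # 3. Replay the BDB transaction log and rebuild the __db.* region files.
  run slapd_db_recover -v -h "$dir"

  # 4. Tools run as root can leave root-owned region files that slapd
  #    (running as ldap) cannot open; restore ownership before starting.
  run chown -R "$LDAP_OWNER" "$dir"

  # 5. Start slapd and confirm the directory answers before touching clients.
  run service ldap start
  run ldapsearch -x -H ldap://127.0.0.1 -b "$LDAP_BASE" -s base '(objectClass=*)' dn

  # 6. Long-running clients hold on to their LDAP connections; restart them.
  for svc in $DEPENDENT_SERVICES; do
    run service "$svc" restart
  done
}

case "${1:-}" in
  --plan)  DRY_RUN=1; ldap_recover "$LDAP_DB_DIR" ;;
  --apply) ldap_recover "$LDAP_DB_DIR" ;;
esac
```

Run it with --plan first to see the exact commands, then --apply as root on each server whose init script reports the unclean shutdown; a replica that opened cleanly needs no recovery, only the client restarts.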
On 18/02/11 10:11 AM, Tim Alberts wrote:
> Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
> bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
> config file testing succeeded
The LDAP database files are *very* sensitive to unclean shutdowns. I'd keep multi-master redundant servers on separate power supplies if possible. Or at least a decent clean shutdown off UPS power.
It may be simplest to recover the databases from backup using the import scripts than attempt to recover an existing corrupted database. There is a section in the manual (can't find the link right away) that states if the servers go down hard then the databases "will" be corrupted and to restore from backup.
Good luck, -pete
Tim Alberts wrote:
> Hello, I have a problem that I'm really having trouble figuring out. I run CentOS Linux 5.5. I have three servers. All have been setup and running with LDAP authentication for a couple years with absolutely no problems.
> Unfortunately a couple weeks ago, we had a power outage. Ever since, I am having continuous problems with authentication to the server. I see in /var/log/messages
> <snip>
Have you resynched everyone's timeclock?
mark
On 2/18/2011 10:13 AM, m.roth@5-cent.us wrote:
> Tim Alberts wrote:
>> Hello, I have a problem...
>> Unfortunately a couple weeks ago, we had a power outage. Ever since, I am having continuous problems with authentication to the server. I see in /var/log/messages
>> <snip>
> Have you resynched everyone's timeclock?
> mark
Thank you for your response. If you're referring to the computer system clock, they are all in sync. I'm not sure how that is related? I am running replication servers, but even services on the local host show continuous reconnect errors (apache, dovecot, vsftpd, etc). Or do I misunderstand your meaning?
Tim Alberts wrote:
> On 2/18/2011 10:13 AM, m.roth@5-cent.us wrote:
>> Tim Alberts wrote:
>>> Hello, I have a problem...
>>> Unfortunately a couple weeks ago, we had a power outage. Ever since, I am having continuous problems with authentication to the server. I see in /var/log/messages
>>> <snip>
>> Have you resynched everyone's timeclock?
> Thank you for your response. If you're referring to the computer system clock, they are all in sync. I'm not sure how that is related? I am running replication servers, but even services on the local host show continuous reconnect errors (apache, dovecot, vsftpd, etc). Or do I misunderstand your meaning?
It does matter - if they're "too far" out of sync, too many seconds, authentication? authorization? will fail, at least for Kerberos, using LDAP or not.
mark