Here is the full LDIF file which also contains the cn=config configuration of the newly created DB (still ldapvi LDIF syntax).
On 06/02, Benjamin Dauvergne wrote:
> Hi,
>
> I'm using OpenLDAP debian package from wheezy-backports (version
> 2.4.31+really2.4.40+dfsg) which is a 2.4.40 but backported I think under
> another version number to allow the jessie package to execute its migration
> when upgrade time will come.
>
> When trying to initialize a new DB by loading an LDIF file using ldapvi,
> looking like that:
>
> add dc=coin2,dc=fr
> objectClass: organization
> objectClass: dcObject
> objectClass: eduOrg
> objectClass: supannOrg
> dc: coin2
> o: whatever
> supannEtablissement: {UAI}ccc
>
> add ou=people,dc=coin2,dc=fr
> objectClass: organizationalUnit
> ou: people
>
> add uid=admin,ou=people,dc=coin2,dc=fr
> objectClass: inetOrgPerson
> objectClass: eduPerson
> objectClass: supannPerson
> uid: admin
> cn: Administrateur annuaire
> displayName: Administrateur annuaire
> givenName: Administrateur
> sn: annuaire
> supannListeRouge: TRUE
> userPassword: xxxx
> supannEtablissement: {UAI}COIN
>
> It blocks on adding the ou=people. After setting loglevel to 255 I got my
> syslog filled with such messages, soon filling the virtual machine virtual
> disk:
>
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 1 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 2 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 3 scope not okay
> etc...
>
> The log of the query finishing like that is:
>
> Jun 2 02:34:26 ldap1-psl slapd[12159]: connection_get(15)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: connection_get(15): got connid=1001
> Jun 2 02:34:26 ldap1-psl slapd[12159]: connection_read(15): checking for input on id=1001
> Jun 2 02:34:26 ldap1-psl slapd[12159]: op tag 0x68, time 1433205266
> Jun 2 02:34:26 ldap1-psl slapd[12159]: conn=1001 op=9 do_add
> Jun 2 02:34:26 ldap1-psl slapd[12159]: conn=1001 op=9 do_add: dn (ou=people,dc=coin2,dc=fr)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: >>> dnPrettyNormal: <ou=people,dc=coin2,dc=fr>
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <<< dnPrettyNormal: <ou=people,dc=coin2,dc=fr>, <ou=people,dc=coin2,dc=fr>
> Jun 2 02:34:26 ldap1-psl slapd[12159]: ==> unique_add <ou=people,dc=coin2,dc=fr>
> Jun 2 02:34:26 ldap1-psl slapd[12159]: ==> unique_search (|(objectClass=organizationalUnit)(ou=people))
> Jun 2 02:34:26 ldap1-psl slapd[12159]: str2filter "(|(objectClass=organizationalUnit)(ou=people))"
> Jun 2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun 2 02:34:26 ldap1-psl slapd[12159]: OR
> Jun 2 02:34:26 ldap1-psl slapd[12159]: begin get_filter_list
> Jun 2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun 2 02:34:26 ldap1-psl slapd[12159]: EQUALITY
> Jun 2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun 2 02:34:26 ldap1-psl slapd[12159]: EQUALITY
> Jun 2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: end get_filter_list
> Jun 2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_search
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_dn2entry("dc=coin2,dc=fr")
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_dn2id("dc=coin2,dc=fr")
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_dn2id: got id=0x1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_entry_decode:
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_entry_decode
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => access_allowed: search access to "dc=coin2,dc=fr" "entry" requested
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= root access granted
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => access_allowed: search access granted by manage(=mwrscxd)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: search_candidates: base="dc=coin2,dc=fr" (0x00000001) scope=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun 2 02:34:26 ldap1-psl slapd[12159]: #011OR
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_list_candidates 0xa1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun 2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (objectClass)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => key_read
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_idl_fetch_key: [b49d1940]
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_index_read: failed (-30798)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: id=0, first=0, last=0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=0 first=0 last=0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun 2 02:34:26 ldap1-psl slapd[12159]: #011OR
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_list_candidates 0xa1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun 2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (objectClass)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => key_read
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_idl_fetch_key: [9bee355f]
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_index_read: failed (-30798)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: id=0, first=0, last=0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=0 first=0 last=0
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun 2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun 2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (ou)
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: (ou) not indexed
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_list_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_list_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search_candidates: id=-1 first=1 last=-1
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 1 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 2 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 3 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 4 scope not okay
> Jun 2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 5 scope not okay
> etc...
>
> I don't know why it's doing a search on an add but seeing the message "(ou)
> not indexed" I thought that maybe adding an equality index on this attribute
> would help, and effectively it did. Now the add ou=people passed, but it
> started looping again when adding the uid=admin entry.
>
> The infinite loop happens in server/slapd/back-mdb/search.c in mdb_search().
> If you have any idea I can continue investigating or add debug logs.
>
> The debian package has the following patches applied over openldap 2.4.40:
>
> add-tlscacert-option-to-ldap-conf
> autogroup-makefile
> contrib-modules-use-dpkg-buildflags
> do-not-second-guess-sonames
> evolution-ntlm
> fix-build-top-mk
> getaddrinfo-is-threadsafe
> heimdal-fix
> index-files-created-as-root
> ITS6035-olcauthzregex-needs-restart.patch
> ITS7975-fix-mdb-onelevel-search.patch
> ITS8027-deref-reject-empty-attr-list.patch
> ITS8046-fix-vrFilter_free-crash.patch
> lastbind-makefile
> ldap-conf-tls-cacertdir
> ldapi-socket-place
> libldap-symbol-versions
> man-slapd
> no-AM_INIT_AUTOMAKE
> no-bdb-ABI-second-guessing
> pw-sha2-makefile
> sasl-default-path
> slapi-errorlog-file
> smbk5pwd-makefile
> switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
> wrong-database-location
# LDAPVI syntax
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/
olcRootDN: uid=admin,ou=people,dc=coin2,dc=fr
olcRootPW: xxx
olcLastMod: TRUE
olcAddContentACL: FALSE
olcMonitoring: TRUE
olcSyncUseSubentry: FALSE
olcMaxDerefDepth: 0
olcLimits: {0}dn.exact="uid=admin,ou=people,dc=coin2,dc=fr" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcReadOnly: FALSE
# Index
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
# Superuser access
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,dc=coin2,dc=fr" manage by * break
# people branch
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,dc=coin2,dc=fr" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI by self write by * break
# Access to the other user attributes
olcAccess: {2}to dn.one="ou=people,dc=coin2,dc=fr" by users read by anonymous auth by * none
# groups branch
# The group owner
olcAccess: {3}to dn.one="ou=groups,dc=coin2,dc=fr" by set="this/owner & user" manage by * break
# Users in general, on the descriptive attributes
olcAccess: {4}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=cn,description,owner,supannRefId by users read by * break
# Admins and readers of the group members
# members can find their groups
olcAccess: {5}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=member by set="this/supannGroupeAdminDN/member* & user" write by set="this/supannGroupeAdminDN & user" write by set="this/supannGroupeLecteurDN/member* & user" read by set="this/supannGroupeLecteurDN & user" read by dnattr=member search
# structures branch
olcAccess: {6}to dn.one="ou=structures,dc=coin2,dc=fr" by * read
# Search permission for all users over the whole base
olcAccess: {7}to * by users search

# Create accesslog DIT
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: cn=accesslog,dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/accesslog/
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group=cn=admin,ou=groupes,dc=coin2,dc=fr manage by * break

add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# Log all writes to the db
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcAccesslogConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog,dc=coin2,dc=fr
olcAccessLogOps: writes
# logs are kept one year and purged every day
olcAccessLogPurge: 365+00:00 1+00:00
# Keep a copy of everything
olcAccessLogOld: objectClass=*

add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member eduPersonOrgDN eduPersonOrgUnitDN owner eduPersonPrimaryOrgUnitDN supannGroupeAdminDN supannGroupeLecteurDN supannParrainDN
olcRefintNothing: dc=coin2,dc=fr

add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: {3}constraint
# a single cn for users
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)"
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,dc=coin2,dc=fr??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///dc=coin2,dc=fr??base?(objectClass=*)"
olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
olcConstraintAttribute: mail count 1
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
# olcConstraintAttribute: mailForwardingAddress regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$"
# mail or uid
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri ldap:///ou=structures,dc=coin2,dc=fr?supannCodeEntite?sub?(objectClass=supannEntite)
olcConstraintAttribute: supannCodeINE count 1
olcConstraintAttribute: supannEmpId count 1
# FIXME: regex syntax is not right
olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
# attribute taken from a nomenclature
olcConstraintAttribute: supannEtablissement, supannEtuDiplome, supannEtuElementPedagogique, supannEtuEtape, supannEtuRegimeInscription, supannEtuSecteurDisciplinaire, supannEtuTypeDiplome, regex "^\{[^}]+\}.*$"
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"

add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {4}unique
olcUniqueURI: ldap://?supannAutreMail?sub

add dc=coin2,dc=fr
objectClass: organization
objectClass: dcObject
objectClass: eduOrg
objectClass: supannOrg
dc: coin2
o: COIN
supannEtablissement: {UAI}COIN

add ou=people,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: people

add uid=admin,ou=people,dc=coin2,dc=fr
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: supannPerson
uid: admin
cn: Administrateur annuaire
displayName: Administrateur annuaire
givenName: Administrateur
sn: annuaire
supannListeRouge: TRUE
userPassword: xxx
supannEtablissement: {UAI}COIN

add ou=structures,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: structures

add supannCodeEntite=COIN,ou=structures,dc=coin2,dc=fr
objectClass: supannOrg
objectClass: supannEntite
objectClass: organization
objectClass: eduOrg
o: COIN
supannCodeEntite: COIN
description: COIN

add ou=groups,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: groups

add cn=admin,ou=groups,dc=coin2,dc=fr
objectClass: groupOfNames
objectClass: supannGroupe
cn: admin
description: Groupe des administrateurs de l'annuaire
member: uid=admin,ou=people,dc=coin2,dc=fr
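A check added here, not code from the original post or from OpenLDAP, that reads cn=config in the ldapvi syntax used above and lists the attributes that slapo-unique, slapo-refint and slapo-constraint uri rules search on without an eq index, the same class of gap that the "(ou) not indexed" log line exposed. CONFIG is a constructed excerpt of the posted configuration; the function and attribute names in the script are the example's own.

```python
# Added example, not code from the original post.  slapo-unique, slapo-refint and
# slapo-constraint "uri" rules run internal searches on the attributes they name;
# on an unindexed attribute that search is a full scan of the database (the
# "(ou) not indexed" line in the log above), so each such attribute needs an eq index.

CONFIG = """\
# constructed excerpt of the post's cn=config, in ldapvi "add <dn>" syntax
add olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
olcRefintAttribute: member owner supannGroupeAdminDN
add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
olcConstraintAttribute: supannCodeEntiteParent uri ldap:///ou=structures,dc=coin2,dc=fr?supannCodeEntite?sub?(objectClass=supannEntite)
add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
olcUniqueURI: ldap://?supannAutreMail?sub
"""

def config_attrs(text):
    """(attr, value) pairs from ldapvi text, skipping 'add <dn>' and comment lines."""
    lines = (l for l in text.splitlines() if ":" in l and not l.startswith(("#", "add ")))
    return [tuple(s.strip() for s in l.partition(":")[::2]) for l in lines]

def eq_indexed(attrs):
    """Attributes that some olcDbIndex value gives an 'eq' index."""
    indexed = set()
    for name, value in attrs:
        names, _, kinds = value.partition(" ")        # "attr1,attr2 pres,eq,sub"
        if name == "olcDbIndex" and "eq" in kinds.split(","):
            indexed.update(n.strip() for n in names.split(","))
    return indexed

def searched_by(name, value):
    """Attributes the overlay setting (name, value) runs internal searches on, else []."""
    if name == "olcRefintAttribute":
        return value.split()
    if name == "olcUniqueURI" or (name == "olcConstraintAttribute" and " uri " in value):
        uri = value.split(" uri ", 1)[-1]              # ldap://host/base?attrs?scope?filter
        return uri.split("?")[1].split(",") if "?" in uri else []
    return []

def unindexed_overlay_attrs(text):
    """Sorted (attribute, setting) pairs searched on by an overlay but lacking an eq index."""
    attrs = config_attrs(text)
    indexed, flagged = eq_indexed(attrs), {}
    for name, value in attrs:
        for attr in filter(None, searched_by(name, value)):
            if attr not in indexed:
                flagged.setdefault(attr, name)
    return sorted(flagged.items())
```

Against the posted configuration it reports supannAutreMail (olcUniqueURI), supannCodeEntite (constraint uri) and the refint DN attributes that the two olcDbIndex lines do not cover.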