Does 5.5 break LDAP

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Does 5.5 break LDAP

Post by scottro » 2010/05/18 02:52:10

As per post 11 and some followups in https://www.centos.org/modules/newbb/viewtopic.php?topic_id=26239

It seems that the upgrade adds an /etc/sysconfig/ldap file that may (or may not) have to be modified.

I'd be interested in people's experience with this. I haven't yet (and after this, may not) upgrade any of our systems running LDAP, nor have I had a chance to try in a VM.

So, if anyone can say, I upgraded to 5.5 and didn't have to do anything with LDAP, or I upgraded and had to modify , or I upgraded and it's not working, I'd be grateful.

Thanks for any input.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Does 5.5 break LDAP

Post by jlehtone » 2010/05/18 06:07:19

To summarize my entry from the other thread:

/etc/sysconfig/ldap had:
[code]SLAPD_OPTIONS="-4"[/code]
After update:
[code]# service ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [FAILED][/code]
And in the log, using
"slapd.conf: [i]loglevel none[/i]" and
"syslog.conf: [i]local4.* -/var/log/ldap.log[/i]":
[code]May 17 07:54:59 foo slapd[842]: @(#) $OpenLDAP: slapd 2.3.43 (Mar 31 2010 03:59:04) $ \
mockbuild@builder17.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
May 17 07:54:59 foo slapd[842]: daemon_init: no urls () provided.
May 17 07:54:59 foo slapd[842]: slapd stopped.
May 17 07:54:59 foo slapd[842]: connections_destroy: nothing to destroy.[/code]
Only minor panic as this was a redundant slave. Then:
[code]# cat /etc/sysconfig/ldap.rpmnew >> /etc/sysconfig/ldap[/code]
Starts now as expected.


"[b]no urls[/b]"

Look at /etc/init.d/ldap:
[code]if test x$SLAPD_LDAP = xyes ; then
    harg="ldap:///"
fi
if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
    harg="$harg ldaps:///"
fi
if test x$SLAPD_LDAPI = xyes ; then
    harg="$harg ldapi:///"
fi
# Start daemons.
echo -n $"Starting $prog: "
ulimit $ULIMIT_SETTINGS > /dev/null 2>&1
daemon --check=$prog ${slapd} -h \"$harg\" -u ${user} $OPTIONS $SLAPD_OPTIONS
RETVAL=$?[/code]
Notice the
[code]-h \"$harg\" -u[/code]
Conclude that you have to succeed in at least one of the:
[code]x$SLAPD_LDAP = xyes
x$SLAPD_LDAPS = xyes
x$SLAPD_LDAPI = xyes[/code]
or the above snippet resolves to:
[code]-h "" -u[/code]
Further observe that none of the three variables were defined in my /etc/sysconfig/ldap, nor set to "yes".


IMO the /etc/init.d/ldap should not add the
[code]-h \"$harg\"[/code]
if none of the SLAPD_LDAP, SLAPD_LDAPS, SLAPD_LDAPI has been defined.
In that case the slapd would use its default [b]ldap:///[/b], or the user could provide
a custom url via OPTIONS or SLAPD_OPTIONS.

The last scenario is for the user to have
SLAPD_LDAP=no
SLAPD_LDAPS=no
SLAPD_LDAPI=no
but frankly I would have trouble figuring out what the user means with such denial. ;-)


(Scratch that "[i]summarize[/i]" ...)

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: Does 5.5 break LDAP

Post by r_hartman » 2010/05/18 11:21:37

The default content of the new 5.5 /etc/sysconfig/ldap file has
[code]
SLAPD_LDAP=yes
SLAPD_LDAPS=no
SLAPD_LDAPI=no[/code]

On boxes that already have a /etc/sysconfig/ldap file (it used to be optional), the new file will be installed as /etc/sysconfig/ldap.rpmnew, and the existing file will remain untouched. This causes issues.

On boxes that have no /etc/sysconfig/ldap file at all, the new file will be installed as /etc/sysconfig/ldap and cause slapd to only listen on port 389.

Configurations having slapd listen on ldap (port 389) only and currently [i]not[/i] having a /etc/sysconfig/ldap file most likely will therefore not show any issues after the update. All other setups will likely need intervention.
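
The listener selection quoted from /etc/init.d/ldap earlier in the thread, as an added example that is not part of any poster's message or of the CentOS init script: it reports which URLs a given /etc/sysconfig/ldap would produce, so the empty `-h ""` case can be caught before restarting slapd. The helper names `slapd_harg` and `check_slapd_listeners` are hypothetical, and the sample files are constructed from the values shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): helper names are hypothetical.
# slapd_harg SYSCONFIG SLAPD_CONF
#   Prints the URL list the quoted init-script logic would pass to "slapd -h".
slapd_harg() {
    (   # subshell: sourced variables do not leak into the caller
        unset SLAPD_LDAP SLAPD_LDAPS SLAPD_LDAPI
        # The init script sources this file as root, so treat it as code.
        [ -r "$1" ] && . "$1"
        harg=""
        if test "x$SLAPD_LDAP" = xyes; then
            harg="ldap:///"
        fi
        if grep -q '^TLS' "$2" 2>/dev/null || test "x$SLAPD_LDAPS" = xyes; then
            harg="$harg ldaps:///"
        fi
        if test "x$SLAPD_LDAPI" = xyes; then
            harg="$harg ldapi:///"
        fi
        printf '%s\n' "${harg# }"   # drop the leading space, if any
    )
}

# check_slapd_listeners SYSCONFIG SLAPD_CONF
#   Returns 1 when the result would be -h "" (the "no urls" failure).
check_slapd_listeners() {
    urls=$(slapd_harg "$1" "$2")
    if [ -z "$urls" ]; then
        echo "FAIL: $1 enables no listener; slapd would get -h \"\""
        if [ -e "$1.rpmnew" ]; then
            echo "NOTE: $1.rpmnew exists; review and merge its SLAPD_LDAP* lines"
        fi
        return 1
    fi
    echo "OK: slapd would listen on: $urls"
}

# Constructed sample files mirroring the pre-upgrade state described above.
demo=$(mktemp -d)
printf 'SLAPD_OPTIONS="-4"\n' > "$demo/ldap"
printf 'SLAPD_LDAP=yes\nSLAPD_LDAPS=no\nSLAPD_LDAPI=no\n' > "$demo/ldap.rpmnew"
printf 'loglevel none\n' > "$demo/slapd.conf"
check_slapd_listeners "$demo/ldap" "$demo/slapd.conf" || true
cat "$demo/ldap.rpmnew" >> "$demo/ldap"      # the fix used in the thread
check_slapd_listeners "$demo/ldap" "$demo/slapd.conf"
rm -rf "$demo"
```

Per the quoted script, any line starting with `TLS` in slapd.conf adds `ldaps:///` even when `SLAPD_LDAPS=no`, so check the reported URL list against the listeners you actually intend to expose.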

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Does 5.5 break LDAP

Post by scottro » 2010/05/18 17:02:28

Thanks to both of you for the input. As mentioned, I'll have to test this, but right now, time is scarce.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Does 5.5 break LDAP

Post by pschaff » 2010/05/18 17:15:50

Will add something to the [url=http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.5]CentOS 5.5 Release Notes[/url] with a pointer to this thread. Please post back here if I fail to capture the issue correctly.

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Does 5.5 break LDAP

Post by scottro » 2010/05/19 00:53:15

Yeah, I'm going to add a link to this thread to the LDAP page, with my usual disgust with Linux (lack of) documentation. Something like, In their effort to improve Ubuntu's, Windows, and Apple's market share, it seems that 5.5 has quietly broken LDAP. :)

Or something similar. Frankly, sometimes I wonder why MS considers Linux a threat. There was an interesting bikeshed discussion in this week's distrowatch comments, more or less in part, to that effect, that OpenSource probably does more to hurt itself than MS does.

Sigh, I really am in a bad mood tonight, so take the above with a grain of salt.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Does 5.5 break LDAP

Post by AlanBartlett » 2010/05/19 01:11:28

[quote]
Sigh, I really am in a bad mood tonight
[/quote]
Perhaps someone should cuddle a cat . . . :roll:

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Does 5.5 break LDAP

Post by scottro » 2010/05/19 02:50:50

He also seems in a bad mood. :-)

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Does 5.5 break LDAP

Post by scottro » 2010/06/11 15:00:42

Just to add that there is now mention of this in the Known Issues (section #4) of release notes.

http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.5
