Bug 55706

Summary: openldap: default slapd.conf creates a directory that is nowhere near crash-safe
Product: Gentoo Linux
Reporter: Jeremy Kitchen <jeremy>
Component: [OLD] Server
Assignee: Robin Johnson <robbat2>
Status: RESOLVED FIXED    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: patch to default slapd.conf to make the database more reliable.

Description Jeremy Kitchen 2004-06-30 12:09:06 UTC
the default slapd.conf uses bdb but defines no checkpoints, therefore, if your system crashes, all of your data in your directory (at least since the last shutdown) is gone.

Reproducible: Always
Steps to Reproduce:
1. start slapd with default slapd.conf
2. add a ton of stuff to it
3. power off your machine
4. power your machine back on
5. cry.

Actual Results:  
all of the data since the last 'clean' shutdown is gone.  This is a bad thing.

Expected Results:  
if nothing else, it should have had *SOME* of the updates you made.

I would suggest adding the following line (or at least commenting it and
describing its function) to the default slapd.conf:
checkpoint      20      30

that will make slapd have a 'checkpoint' every 20 kilobytes written to the
database, or every 30 minutes, whichever comes first.

You might also add a couple of other commented entries for larger systems that
might actually be doing 20 kilobytes all the time, or 30 minutes is too fast.

http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure_bdb.html has
some more description about some sane default settings.
http://www.openldap.org/faq/data/cache/893.html is some openldap.org
documentation about bdb
Comment 1 Jeremy Kitchen 2004-07-21 08:35:57 UTC
this was reported almost 2 months ago.. I figured it would be a "oh yea, oops" and be in.. but I see nothing :)

Shall I provide a patch to the slapd.conf file?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-07-21 08:59:05 UTC
patches greatly accepted.
I'm basically the only person handling openldap presently, and I've got a lot of other things on my plate too.

For the most part, at the moment that means unless it breaks at work (where I've got gentoo deployed to ~20 servers), or I need something new at work/home, It's minor version bumps and the such only.
Comment 3 Jeremy Kitchen 2004-07-21 13:00:36 UTC
Created attachment 35911 [details, diff]
patch to default slapd.conf to make the database more reliable.

you must not ever have power outages or unexpected shutdowns then, as it does
break then :)

unified diff enclosed. Not sure if I would revbump or whatever, but I would
think that you'd want this in the config file.

I also added that bind_v2 be allowed, since I believe that's what squirrelmail
uses with php and ldap.

Enjoy.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-07-21 13:20:00 UTC
my LDAP server has a redundant power supply, the hardware is good and solid (after my own burn-in testing), makes use of 3ware RAID1, and I've got a big friggin UPS for the server room :-).

I'll see about putting it in sometime tonight maybe.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-22 13:24:43 UTC
the checkpoint statement is now used in cvs.
I'm NOT putting the 'allow bind_v2' in place. If you have an old application that needs the backwards support of v2 binding, then you should enable it only for your configuration that needs it.
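
A check for the two settings discussed in this bug, as an added example that is not part of the original report, the attached patch or the Gentoo ebuild: it flags every bdb database section in a slapd.conf that has no checkpoint directive, and a global allow bind_v2. The sample configuration and its suffixes are constructed, and the parser is an assumption that covers only basic slapd.conf syntax ('#' comments in column one, continuation lines that start with whitespace).

```python
import shlex

# Constructed sample: the first bdb database has no checkpoint, the second
# has one split over a continuation line. Suffixes are made up.
SAMPLE_CONF = """\
# global section
allow bind_v2

database bdb
suffix "dc=example,dc=com"

database bdb
suffix "dc=example,dc=org"
checkpoint 20
    30
"""

def logical_lines(text):
    # Yield one token list per directive: skip blank and '#' lines, join
    # lines that start with whitespace onto the previous directive.
    buf = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and buf is not None:
            buf += " " + raw.strip()
            continue
        if buf is not None:
            yield shlex.split(buf)
        buf = raw.strip()
    if buf is not None:
        yield shlex.split(buf)

def audit(text):
    """Return findings: global 'allow bind_v2', bdb databases without checkpoint."""
    findings, dbs, db = [], [], None
    for tok in logical_lines(text):
        key, args = tok[0].lower(), tok[1:]
        if key == "database" and args:
            # every 'database' directive opens a new per-database section
            db = {"type": args[0].lower(), "suffix": "?", "checkpoint": None}
            dbs.append(db)
        elif db is None and key == "allow" and "bind_v2" in args:
            findings.append("global: allow bind_v2 is set for every client")
        elif db is not None and key == "suffix" and args:
            db["suffix"] = args[0]
        elif db is not None and key == "checkpoint":
            db["checkpoint"] = args
    findings += [f"{d['suffix']}: bdb database without checkpoint"
                 for d in dbs if d["type"] == "bdb" and d["checkpoint"] is None]
    return findings
```

Calling `audit(open("/etc/openldap/slapd.conf").read())` runs the same check on a live file; that path is an assumption and varies by installation.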