Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 502502

Summary: net-nds/openldap - /etc/conf.d/slapd recommends deprecated default (use slapd.conf file instead of slapd.d directory)
Product: Gentoo Linux Reporter: Sergey S. Starikoff <Ikonta>
Component: Current packagesAssignee: Gentoo LDAP project <ldap-bugs>
Status: RESOLVED INVALID    
Severity: normal CC: salikov.alexey
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
URL: http://www.openldap.org/doc/admin24/slapdconf2.html
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: slapd_args.ldif

Description Sergey S. Starikoff 2014-02-26 07:58:42 UTC
Checked against net-nds/openldap-2.4.35-r1
Since OpenLDAP-2.4 the default was changed to use dynamic configuration back-end:
«This chapter describes configuring slapd(8) via the slapd.conf(5) configuration file. slapd.conf(5) has been deprecated and should only be used if your site requires one of the backends that hasn't yet been updated to work with the newer slapd-config(5) system.»
http://www.openldap.org/doc/admin24/slapdconfig.html
But Gentoo's config (file net-nds/openldap/files/slapd-confd-2.4.28-r1) default expects usage of slapd.conf.


Reproducible: Always

Steps to Reproduce:
1. Install default version of OpenLDAP.
2. Start configure it.
3. See.
Actual Results:  
/etc/conf.d/slapd:
# If you use the classical configuration file:
OPTS_CONF="-f /etc/${INSTANCE}/slapd.conf"
# Uncomment this instead to use the new slapd.d configuration directory for openldap 2.3
#OPTS_CONF="-F /etc/${INSTANCE}/slapd.d"
# (the OPTS_CONF variable is also passed to slaptest during startup)

Expected Results:  
/etc/conf.d/slapd:
# Use dynamic config back-end slapd.d (default since OpenLDAP 2.4)
OPTS_CONF="-F /etc/${INSTANCE}/slapd.d"
# Uncomment this instead to use legacy flat configuration file (slapd.conf)
# It could be easely converted to slapd.d using numerous of utilities, starting from slaptest
#OPTS_CONF="-f /etc/${INSTANCE}/slapd.conf"
# (the OPTS_CONF variable is also passed to slaptest during startup)

$ einfo 
Portage 2.2.7 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.17, 3.10.25-aufs x86_64)
=================================================================
System uname: Linux-3.10.25-aufs-x86_64-AMD_Athlon-tm-_II_X2_250_Processor-with-gentoo-2.2
KiB Mem:     1794820 total,     29192 free
KiB Swap:    8000364 total,   7984900 free
Timestamp of tree: Tue, 25 Feb 2014 06:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.5-r3, 3.3.3
dev-util/cmake:           2.8.11.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo local_hdd
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/env.d /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--ask --verbose --autounmask=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg config-protect-if-modified distlocks downgrade-backup ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/                 ftp://mirror.yandex.ru/gentoo-distfiles/                 http://ftp.corbina.net/pub/Linux/gentoo/                 ftp://ftp.corbina.net/pub/Linux/gentoo/"
LANG="ru_RU.utf8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/gentoo"
PORTDIR_OVERLAY="/usr/portage/local"
USE="X a52 ac3 acl alsa amd64 avi berkdb bold bzip2 cdr cli consolekit cracklib crypt cups cxx dbus djvu dri dvd flac fortran gdbm gif gtk iconv inotify jpeg jpeg2k lock mmx modules mp3 multilib ncurses nls nptl ogg openmp pam pcre pdf png policykit qt3support readline session sse sse2 ssl tcpd thunar tiff udev udisks unicode utf8 vorbis xcb xulrunner zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru ru_RU" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 1 Sergey S. Starikoff 2014-02-28 08:47:11 UTC
Some ideas about follow-up improvements:

1. Rename new-style flat config-source file from /etc/openldap/slapd.ldif to /etc/openldap/slapd-config.ldif (clearly pointing on SLAPD-CONFIG(5) manual page, containing similiar example)

2. Following syslog USE add to slapd startup options (listed in /etc/conf.d/slapd) -s 256 (according slapd.conf(5) manual page, but not slapd-config(5) 256 is the recommended loglevel).

3. Completely separate old-style config files from new ones (if's looks very strange in RHEL to find deprecated flat config file only installed only in /usr/share/openldap-servers/slapd.conf.obsolete, but both old flat *schemas with new *ldif schemas in /etc/openldap/schema/).
So, to my mind it would be clear enough to install obsolete schema files in /etc/openldap/schema/ with moving new-style *ldif schema files into /etc/openldap/schema.d/ directory).
Comment 2 cronolio 2017-02-16 17:03:34 UTC
net-nds/openldap-2.4.44 and conf.d/slapd and pid

required both
OPTS_CONF="-F /etc/${INSTANCE}/slapd.d -f /etc/${INSTANCE}/slapd.conf"

slapd.conf should keep only 
pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

with new slapd.d style i do not find other way to set where pid file is stored

see also bug 21962
Comment 3 Sergey S. Starikoff 2017-02-17 07:30:12 UTC
Created attachment 464032 [details]
slapd_args.ldif

(In reply to cronolio from comment #2)
> net-nds/openldap-2.4.44 and conf.d/slapd and pid
> 
> required both
> OPTS_CONF="-F /etc/${INSTANCE}/slapd.d -f /etc/${INSTANCE}/slapd.conf"

It is the thing, config script should *NOT* allow to do.

> slapd.conf should keep only 
> pidfile     /run/openldap/slapd.pid
> argsfile    /run/openldap/slapd.args
> 
> with new slapd.d style i do not find other way to set where pid file is
> stored

It means, you use wrong config directory.
Show it's dump (maybe on my mail).
How you've got it?

Try to fix it with attached ldif.

P.S. In a few days I plan to review server's setup in wiki.
Comment 4 cronolio 2017-02-17 10:29:41 UTC
(In reply to Sergey S. Starikoff from comment #3)
> Created attachment 464032 [details]
> slapd_args.ldif

yeah i find it later
maybe you interesting in upgrading our wiki like this https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP or maybe expand other articles and write how to use some software with ldap ?
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-09 17:50:58 UTC
The comment there is pretty clear, it does not recommend anything, it just says "if you are using..."