# OpenLDAP does not start



## rainer_d (Nov 24, 2018)

Hi,

I've set up a jail on FreeBSD 11.2-RELEASE-p4 with iocage to run OpenLDAP.
The packages are directly from the FreeBSD-project, quarterly branch.

I've followed this tutorial:

https://www.freebsd.org/doc/handbook/network-ldap.html

However, I don't have a file "DB_CONFIG" in the openldap folder.

I set


```
slapd_enable="YES"
slapd_flags="-4 -h ldaps://0.0.0.0/"
slapd_sockets="/var/run/openldap/ldapi"
```


in rc.conf

It just exits on start.

Running it with debugging is pretty much just as useless:

```
(ldap <openldap>) 0 # /usr/local/libexec/slapd -4 -d 1 -h ldaps:/// -u ldap -g ldap
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: using /usr/local/etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_url_parse_ext(ldap://ldap.example.org)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
5bf9de0d @(#) $OpenLDAP: slapd 2.4.46 (Oct  3 2018 02:54:26) $
    root@112amd64-quarterly-job-16:/wrkdirs/usr/ports/net/openldap24-server/work/openldap-2.4.46/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap, r=-1
5bf9de0d daemon_init: listen on ldaps:///
5bf9de0d daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps:///)
5bf9de0d daemon: listener initialized ldaps:///
5bf9de0d daemon_init: 1 listeners opened
ldap_create
5bf9de0d slapd init: initiated server.
5bf9de0d mdb_back_initialize: initialize MDB backend
5bf9de0d mdb_back_initialize: LMDB 0.9.22: (March 21, 2018)
5bf9de0d mdb_db_init: Initializing mdb database
5bf9de0d >>> dnPrettyNormal: <dc=example,dc=org>
5bf9de0d <<< dnPrettyNormal: <dc=example,dc=org>, <dc=example,dc=org>
5bf9de0d >>> dnPrettyNormal: <cn=Manager,dc=example,dc=org>
5bf9de0d <<< dnPrettyNormal: <cn=Manager,dc=example,dc=org>, <cn=manager,dc=example,dc=org>
5bf9de0d slapd destroy: freeing system resources.
5bf9de0d slapd stopped.
5bf9de0d connections_destroy: nothing to destroy.
```

When I run ktrace on it, I get this at the end:


```
55736 slapd    RET   read 0
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  openat(AT_FDCWD,0x800738500,0x300000<O_RDONLY|O_CLOEXEC|O_VERIFY>)
 55736 slapd    NAMI  "/usr/local/libexec/openldap/back_mdb-2.4.so.2"
 55736 slapd    RET   openat 8
 55736 slapd    CALL  fstat(0x8,0x7fffffff9ad8)
 55736 slapd    STRU  struct stat {dev=30477354, ino=164808, mode=0100755, nlink=1, uid=0, gid=0, rdev=4294967295, atime=0, mtime=1538535325, ctime=1543097586.755963000, birthtime=1538535325, size=244744, blksize=131072, blocks=337, flags=0x800 }
 55736 slapd    RET   fstat 0
 55736 slapd    CALL  mmap(0,0x1000,0x1<PROT_READ>,0x40002<MAP_PRIVATE|MAP_PREFAULT_READ>,0x8,0)
 55736 slapd    RET   mmap 34367479808/0x800762000
 55736 slapd    CALL  mmap(0,0x254000,0<PROT_NONE>,0x2000<MAP_GUARD>,0xffffffff,0)
 55736 slapd    RET   mmap 34399584256/0x802600000
 55736 slapd    CALL  mmap(0x802600000,0x3a000,0x5<PROT_READ|PROT_EXEC>,0x60012<MAP_PRIVATE|MAP_FIXED|MAP_NOCORE|MAP_PREFAULT_READ>,0x8,0)
 55736 slapd    RET   mmap 34399584256/0x802600000
 55736 slapd    CALL  mmap(0x80283a000,0x2000,0x3<PROT_READ|PROT_WRITE>,0x40012<MAP_PRIVATE|MAP_FIXED|MAP_PREFAULT_READ>,0x8,0x3a000)
 55736 slapd    RET   mmap 34401918976/0x80283a000
 55736 slapd    CALL  mmap(0x80283c000,0x18000,0x3<PROT_READ|PROT_WRITE>,0x1012<MAP_PRIVATE|MAP_FIXED|MAP_ANON>,0xffffffff,0)
 55736 slapd    RET   mmap 34401927168/0x80283c000
 55736 slapd    CALL  munmap(0x800762000,0x1000)
 55736 slapd    RET   munmap 0
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  open(0x8024dc3a0,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0666<S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH>)
 55736 slapd    NAMI  "/var/db/openldap-data/DUMMY"
 55736 slapd    RET   open 8
 55736 slapd    CALL  close(0x8)
 55736 slapd    RET   close 0
 55736 slapd    CALL  unlink(0x8024dc3a0)
 55736 slapd    NAMI  "/var/db/openldap-data/DUMMY"
 55736 slapd    RET   unlink 0
 55736 slapd    CALL  read(0x7,0x80242e000,0x1000)
 55736 slapd    GIO   fd 7 read 0 bytes
       ""
 55736 slapd    RET   read 0
 55736 slapd    CALL  close(0x7)
 55736 slapd    RET   close 0
 55736 slapd    CALL  munmap(0x802600000,0x254000)
 55736 slapd    RET   munmap 0
 55736 slapd    CALL  clock_gettime(0xd,0x7fffffffdc18)
 55736 slapd    RET   clock_gettime 0
 55736 slapd    CALL  getpid
 55736 slapd    RET   getpid 55736/0xd9b8
 55736 slapd    CALL  sendto(0x3,0x7fffffffe150,0x31,0,0,0)
 55736 slapd    GIO   fd 3 wrote 49 bytes
       "<167>Nov 25 00:18:44 slapd[55736]: slapd stopped."
 55736 slapd    RET   sendto 49/0x31
 55736 slapd    CALL  close(0x3)
 55736 slapd    RET   close 0
 55736 slapd    CALL  clock_gettime(0xd,0x7fffffffdbd8)
 55736 slapd    RET   clock_gettime 0
 55736 slapd    CALL  getpid
 55736 slapd    RET   getpid 55736/0xd9b8
 55736 slapd    CALL  socket(PF_LOCAL,0x10000002<SOCK_DGRAM|SOCK_CLOEXEC>,0)
 55736 slapd    RET   socket 3
 55736 slapd    CALL  connect(0x3,0x7fffffffdb78,0x6a)
 55736 slapd    STRU  struct sockaddr { AF_LOCAL, /var/run/logpriv }
 55736 slapd    NAMI  "/var/run/logpriv"
 55736 slapd    RET   connect -1 errno 13 Permission denied
 55736 slapd    CALL  connect(0x3,0x7fffffffdb78,0x6a)
 55736 slapd    STRU  struct sockaddr { AF_LOCAL, /var/run/log }
 55736 slapd    NAMI  "/var/run/log"
 55736 slapd    RET   connect 0
 55736 slapd    CALL  sendto(0x3,0x7fffffffe110,0x4b,0,0,0)
 55736 slapd    GIO   fd 3 wrote 75 bytes
       "<167>Nov 25 00:18:44 slapd[55736]: connections_destroy: nothing to destroy."
 55736 slapd    RET   sendto 75/0x4b
 55736 slapd    CALL  shutdown(0x5,SHUT_RDWR)
 55736 slapd    RET   shutdown -1 errno 38 Socket operation on non-socket
 55736 slapd    CALL  close(0x5)
 55736 slapd    RET   close 0
 55736 slapd    CALL  shutdown(0x4,SHUT_RDWR)
 55736 slapd    RET   shutdown -1 errno 38 Socket operation on non-socket
 55736 slapd    CALL  close(0x4)
 55736 slapd    RET   close 0
 55736 slapd    CALL  exit(0x1)
```


I have the following configuration:

```
(ldap <openldap>) 0 # cat slapd.conf |grep -v ^# |grep -v ^$
include        /usr/local/etc/openldap/schema/core.schema
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
modulepath    /usr/local/libexec/openldap
moduleload    back_mdb
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
database    mdb
maxsize        1073741824
suffix        "dc=example,dc=org"
rootdn        "cn=Manager,dc=example,dc=org"
directory    /var/db/openldap-data
index    objectClass    eq
rootpw hashed_root_password_here
password-hash {sha}
allow bind_v2
```


What can I do?

Any ideas?


----------



## scottro (Nov 25, 2018)

Did you load a module for default database in slapd.conf? That is, if you're using the default mdb database, you have to uncomment the line in slapd.conf about loading the mdb module.  I do remember that, as well as other necessary things being left out of the handbook articles.


----------



## rainer_d (Nov 25, 2018)

I already tried that....
If I don't load the mdb-module, it complains about not knowing about the mdb database type a couple of lines below.


----------



## scottro (Nov 25, 2018)

I'm sorry, that's the only obvious thing that the handbook left out that I remember.  There's a ton of ldap tutorials around, but most are for Linux.  http://www.zytrax.com/books/ldap/  is good, but I don't think it starts from scratch.


----------



## rainer_d (Nov 25, 2018)

It's just a VM at this point. I'll try outside of a jail and if it doesn't work, I'll just open a PR.
I'll also try on CentOS7.


----------



## Datapanic (Nov 25, 2018)

The DB_CONFIG file is not needed, at least not with mdb.  The zytrax.com tutorials are good and should get you started with OpenLDAP.

The out-of-the box slapd.conf that is installed with the FreeBSD port of OpenLDAP is very minimal.


----------



## rainer_d (Nov 25, 2018)

OK, that was actually helpful.
For one, 

```
loglevel -1
```
created a lot of useful output.

It alerted me to the fact that

```
allow bind_v2
```

needed to come before any modules were loaded.

Now, it's at least starting!


----------



## rainer_d (Nov 25, 2018)

Adding some does not work, though:

```
(ldap <openldap>) 0 # ldapadd -H ldaps://ldap.example.org -D "cn=Manager,dc=example,dc=org" -W -y /root/.ldappass -f import1.ldif
ldap_bind: Invalid credentials (49)
```



```
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
password-hash {sha}
allow bind_v2
modulepath    /usr/local/libexec/openldap
moduleload    back_mdb
loglevel     -1
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
database    mdb
maxsize        1073741824
suffix        "dc=example,dc=org"
rootdn        "cn=Manager,dc=example,dc=org"
rootpw {SHA}hash-here
directory    /var/db/openldap-data
index    objectClass    eq
```


The log says:


```
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 do_bind
Nov 25 18:09:32 ldap slapd[66732]: >>> dnPrettyNormal: <cn=Manager,dc=example,dc=org>
Nov 25 18:09:32 ldap slapd[66732]: <<< dnPrettyNormal: <cn=Manager,dc=example,dc=org>, <cn=manager,dc=example,dc=org>
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=org" method=128
Nov 25 18:09:32 ldap slapd[66732]: do_bind: version=3 dn="cn=Manager,dc=example,dc=org" method=128
Nov 25 18:09:32 ldap slapd[66732]: ==> mdb_bind: dn: cn=Manager,dc=example,dc=org
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on 1 descriptor
Nov 25 18:09:32 ldap slapd[66732]: daemon: waked
Nov 25 18:09:32 ldap slapd[66732]: daemon: select: listen=6 active_threads=0 tvp=NULL
Nov 25 18:09:32 ldap slapd[66732]: daemon: select: listen=7 active_threads=0 tvp=NULL
Nov 25 18:09:32 ldap slapd[66732]: mdb_dn2entry("cn=manager,dc=example,dc=org")
Nov 25 18:09:32 ldap slapd[66732]: => mdb_dn2id("cn=manager,dc=example,dc=org")
Nov 25 18:09:32 ldap slapd[66732]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_result: conn=1000 op=0 p=3
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_result: err=49 matched="" text=""
Nov 25 18:09:32 ldap slapd[66732]: send_ldap_response: msgid=1 tag=97 err=49
Nov 25 18:09:32 ldap slapd[66732]: conn=1000 op=0 RESULT tag=97 err=49 text=
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on 1 descriptor
Nov 25 18:09:32 ldap slapd[66732]: daemon: activity on:
Nov 25 18:09:32 ldap slapd[66732]:  9r
```


Still digging through Google results...


----------
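The two problems hit in the posts above (global directives landing after `database`, and a rootdn bind failing with err=49 although rootpw is set) can both be checked offline against a slapd.conf. The following Python is an added example, not code from the thread or from OpenLDAP; the `GLOBAL_ONLY` list is my own reading of slapd.conf(5), and `BROKEN_CONF` is a constructed sample that mirrors the ordering of the first config in the thread.

```python
import base64
import hashlib

# slapd.conf(5) documents these as global directives; slapd refuses a config
# in which they appear after a "database" line (they then belong to that
# database's section, where they are not valid).
GLOBAL_ONLY = {"allow", "disallow", "password-hash", "loglevel",
               "modulepath", "moduleload", "pidfile", "argsfile"}

def parse_conf(text):
    """Yield (directive, args) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def misplaced_globals(text):
    """Return global-only directives that appear after the first 'database'."""
    bad, in_db = [], False
    for name, _ in parse_conf(text):
        if name == "database":
            in_db = True
        elif in_db and name in GLOBAL_ONLY:
            bad.append(name)
    return bad

def check_rootpw(stored, password):
    """True if password matches an OpenLDAP {SHA}/{SSHA} rootpw value."""
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() == "{SHA":
        return base64.b64decode(b64) == hashlib.sha1(password.encode()).digest()
    if scheme.upper() == "{SSHA":
        raw = base64.b64decode(b64)  # 20-byte digest followed by the salt
        return raw[:20] == hashlib.sha1(password.encode() + raw[20:]).digest()
    return stored == password  # no scheme prefix: cleartext rootpw

def make_ssha(password, salt):
    """Build a salted {SSHA} rootpw value (slappasswd -h '{SSHA}' picks the salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed sample: same ordering as the poster's first slapd.conf, with a
# {SHA} hash of the word "secret" standing in for the real rootpw.
BROKEN_CONF = """moduleload    back_mdb
database    mdb
suffix        "dc=example,dc=org"
rootdn        "cn=Manager,dc=example,dc=org"
rootpw {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
password-hash {sha}
allow bind_v2
"""
```

`misplaced_globals(BROKEN_CONF)` reports `password-hash` and `allow`, which are exactly the lines the poster moved above `database` in the second config; `check_rootpw` confirms whether the password handed to `ldapadd -W` really matches the stored hash before blaming the backend.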



## Datapanic (Nov 25, 2018)

I would get your setup working without TLS certs first. 

When first creating your mdb, did you run something like this:


```
echo ""|slapadd -f /usr/local/etc/openldap/slapd.conf
slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
```

Note that /usr/local/etc/openldap/slapd.d needs to be created beforehand and owned by ldap:ldap.

And, this is all assuming you want to have an OLC setup (cn=config).  I could just post my script that sets this stuff up, but that would take out all the fun for you.


----------



## rainer_d (Nov 25, 2018)

No, I didn't run anything like that. The tutorial doesn't mention it and I actually don't even want the configuration to be inside the DB, for now. 

Removing SSL does not help.


----------



## Datapanic (Nov 26, 2018)

Good luck!


----------



## simonpie (Feb 8, 2019)

Hello,

Better late than never.
Have you tried removing the SSL option and using the `-x` option:


```
root@openldap:/usr/local/etc/rc.d # ldapsearch -H ldap://localhost:389 -x -w secret -vvv -D "cn=Manager,dc=my-domain,dc=com" *
ldap_initialize( ldap://localhost:389/??base )
filter: (objectclass=*)
requesting: slapd 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: slapd 
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
root@openldap:/usr/local/etc/rc.d #
```


----------

