OPENLDAP - not able to download profile from master


# 1
Hi,
I have created a new OpenLDAP server on RHEL 7. I am trying to connect a Solaris 10 client to it. But when I am adding this client to the ldap master, it is not able to download the ldap_client file and that's why the service is not coming online. Need help in fixing this issue.
Code:
-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=`hostname`,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/foo.ia.us)=-1
file_backup: No /var/yp/binding/foo.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "foo.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/foo.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname foo.bar.baz... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error (1) while starting services during reset
-bash-3.2#
-bash-3.2# svcs -a | grep ldap
maintenance    16:41:41 svc:/network/ldap/client:default
-bash-3.2# svcadm clear svc:/network/ldap/client:default
-bash-3.2# svcs -a | grep ldap
maintenance    16:45:37 svc:/network/ldap/client:default
-bash-3.2# svcs -xv
svc:/network/ldap/client:default (LDAP client)
 State: maintenance since Wed Feb 13 16:45:37 2019
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M ldap_cachemgr
   See: /var/svc/log/network-ldap-client:default.log
Impact: This service is not running.
-bash-3.2# tail -10 /var/svc/log/network-ldap-client:default.log
[ Feb 13 16:41:41 Disabled. ]
[ Feb 13 16:41:41 Enabled. ]
[ Feb 13 16:41:41 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:41:41 Method "start" exited with status 1 ]
[ Feb 13 16:45:37 Leaving maintenance because clear requested. ]
[ Feb 13 16:45:37 Enabled. ]
[ Feb 13 16:45:37 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:45:37 Method "start" exited with status 1 ]
-bash-3.2# /lib/svc/method/ldap-client start
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
-bash-3.2#
-bash-3.2# tail -5 /var/ldap/cachemgr.log
Wed Feb 13 16:45:37.6594        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:37.6614        detachfromtty(): child failed (rc = 255).
Wed Feb 13 16:45:59.8911        Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Wed Feb 13 16:45:59.8925        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:59.8953        detachfromtty(): child failed (rc = 255).
-bash-3.2#

Thanks

Last edited by Scrutinizer; 02-15-2019 at 01:59 AM.. Reason: Removed password / hash
# 2  
It means that the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred files are empty. This is generated by ldapclient -v init, but then a profile has to be stored in LDAP. Is that the case? You seem to be looking in the ou=hosts container.

Did you create an RFC2307bis schema in LDAP?

Instead of init you can use ldapclient -v manual and simply specify the ldapclient configuration on the command line.
# 3  
I ran this on the LDAP master side, if I got your question correctly.
Code:
[root@master-wks3 ~]# ldapadd -v -x -D cn=ldapadm,dc=ng522,dc=state,dc=ia,dc=us -W -H ldapi:/// -f newhost_add.ldif

And

[root@master-wks3 ~]# cat /root/openldap/newhost_add.ldif
dn: cn=ia-client01,ou=profile,dc=ng522,dc=state,dc=ia,dc=us
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=ng522,dc=state,dc=ia,dc=us
preferredServerList: master-wks3-data.ng522.state.ia.us,master-wks3-data.ng522.state.ia.us
cn: ia-client01
searchTimeLimit: 30
bindTimeLimit: 10
defaultSearchScope: one
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=SUDOers,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
serviceSearchDescriptor: user_attr:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
authenticationMethod: tls:simple
profileTTL: 43200
credentialLevel: proxy

dn: cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
objectClass: groupOfNames
objectClass: top
objectClass: simpleSecurityObject
cn: ia-client01
member: cn=IDS-SA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NE,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NSS,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=WTA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
userPassword: {SSHA}xxxxxxxxxxxxxxxxxx
[root@master-wks3 ~]#

Quote:
Originally Posted by Scrutinizer
Instead of init you can use ldapclient -v manual and simply specify the ldapclient configuration on the command line..
I missed your suggestion in the above quote. What command should I run on the client? Please suggest. Probably this?
Code:
/usr/sbin/ldapclient -v manual -a proxyDN=cn=`hostname`,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling manual option
Manual failed: Missing required defaultSearchBase attribute.
-bash-3.2#


Last edited by Scrutinizer; 02-15-2019 at 01:53 AM.. Reason: Removed password / hash
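Scrutinizer's suggestion amounts to handing the attributes of the DUAConfigProfile to `ldapclient manual` one `-a name=value` at a time, and the `Missing required defaultSearchBase attribute` error above is what happens when one of them is left out. The following added example (not from this thread, not Solaris code) derives that argument list from a profile LDIF: the profile, DNs and hostnames are constructed placeholders, and the required-attribute pair is taken from ldapclient(1M) as I recall it.

```python
# Attributes `ldapclient manual -a name=value` accepts; a DUAConfigProfile uses the same names.
LDAPCLIENT_ATTRS = {
    "defaultSearchBase", "defaultServerList", "preferredServerList", "authenticationMethod",
    "credentialLevel", "defaultSearchScope", "searchTimeLimit", "bindTimeLimit",
    "followReferrals", "profileTTL", "serviceSearchDescriptor", "serviceAuthenticationMethod",
    "serviceCredentialLevel", "attributeMap", "objectclassMap",
}
# `ldapclient manual` aborts without these (assumed per ldapclient(1M)); the thread hit the first.
REQUIRED = ("defaultSearchBase", "defaultServerList")

# Constructed sample profile with placeholder DNs, shaped like the one posted in the thread.
SAMPLE_PROFILE = """\
dn: cn=client01,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: client01
defaultSearchBase: dc=example,dc=com
preferredServerList: ldap1.example.com,ldap2.example.com
authenticationMethod: tls:simple
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=client01,
 ou=Hosts,dc=example,dc=com
"""

def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF entry; folded lines (leading space) are joined."""
    attrs, prev = {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and prev:          # continuation of the previous value
            attrs[prev][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        attrs.setdefault(name, []).append(value.strip())
        prev = name
    return attrs

def profile_to_manual_args(ldif, server_list=None):
    """Map a profile onto the -a list; defaultServerList: caller, profile, else preferredServerList."""
    attrs = parse_ldif_entry(ldif)
    if server_list:
        attrs["defaultServerList"] = [server_list]
    elif "defaultServerList" not in attrs and "preferredServerList" in attrs:
        attrs["defaultServerList"] = attrs["preferredServerList"]
    missing = [a for a in REQUIRED if a not in attrs]
    if missing:
        raise ValueError("manual would fail: missing required " + ", ".join(missing))
    args = []
    for name, values in attrs.items():
        if name in LDAPCLIENT_ATTRS:          # dn, objectClass and cn are not client settings
            for v in values:
                args += ["-a", "%s=%s" % (name, v)]
    return args
```

Proxy credentials (-a proxyDN, -y) and domainName are not profile attributes, so they still go on the command line exactly as in the thread's init call.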
# 4  
My thoughts were that perhaps the profile information wasn't there, hence my suggestion to try manual, but that seems to be OK.

I noticed this bit:
Code:
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.

So it appears ldapclient cannot make a backup of the old configuration and then does a walk-back.

Is /var/ldap/ldap_client_cred present/accessible?


--
Note: Please remove sensitive information from your posts.

Last edited by Scrutinizer; 02-15-2019 at 05:12 AM..
# 5  
Quote:
Originally Posted by Scrutinizer
Is /var/ldap/ldap_client_cred present/accessible?

Yes, it is present.
Code:
-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2#

Per the document, it is supposed to be 600, and so it is.
==============Update=================
I ran it in manual mode and after a few tries I was able to start the ldap service, but the client still doesn't seem to be added and is failing, though it is giving a different error now. If I compare /var/ldap/ldap_client_file with other working clients, that one has much more information.
Code:
-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` 172.28.xx.xx
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: yyyyyyyyy
        defaultServerList: 172.28.xx.xx
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/ng522.state.ia.us)=-1
file_backup: No /var/yp/binding/ng522.state.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "ng522.state.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/ng522.state.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
-bash-3.2# svcs -a | grep -i ldap
online          0:49:16 svc:/network/ldap/client:default
-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2# cat /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 172.28.xx.xx
NS_LDAP_SEARCH_BASEDN= dc=ia-client01,dc=ng522,dc=state,dc=ia,dc=us
NS_LDAP_CACHETTL= 0
-bash-3.2#


Last edited by solaris_1977; 02-15-2019 at 05:05 AM..