Visit The New, Modern Unix Linux Community


OPENLDAP - not able to download profile from master


 
Thread Tools Search this Thread
Operating Systems Linux OPENLDAP - not able to download profile from master
# 1  
OPENLDAP - not able to download profile from master

Hi,
I have created a new OpenLDAP server, on RHEL 7. I am trying to connect a Solaris-10 client to it. But when I am adding this client to ldap master, it is not able to download ldap_client file and thats why service is not coming online. Need help in fixing this issue.
Code:
-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=`hostname`,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/foo.ia.us)=-1
file_backup: No /var/yp/binding/foo.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "foo.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/foo.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname foo.bar.baz... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error (1) while starting services during reset
-bash-3.2#
-bash-3.2# svcs -a | grep ldap
maintenance    16:41:41 svc:/network/ldap/client:default
-bash-3.2# svcadm clear svc:/network/ldap/client:default
-bash-3.2# svcs -a | grep ldap
maintenance    16:45:37 svc:/network/ldap/client:default
-bash-3.2# svcs -xv
svc:/network/ldap/client:default (LDAP client)
 State: maintenance since Wed Feb 13 16:45:37 2019
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M ldap_cachemgr
   See: /var/svc/log/network-ldap-client:default.log
Impact: This service is not running.
-bash-3.2# tail -10 /var/svc/log/network-ldap-client:default.log
[ Feb 13 16:41:41 Disabled. ]
[ Feb 13 16:41:41 Enabled. ]
[ Feb 13 16:41:41 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:41:41 Method "start" exited with status 1 ]
[ Feb 13 16:45:37 Leaving maintenance because clear requested. ]
[ Feb 13 16:45:37 Enabled. ]
[ Feb 13 16:45:37 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:45:37 Method "start" exited with status 1 ]
-bash-3.2# /lib/svc/method/ldap-client start
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
-bash-3.2#
-bash-3.2# tail -5 /var/ldap/cachemgr.log
Wed Feb 13 16:45:37.6594        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:37.6614        detachfromtty(): child failed (rc = 255).
Wed Feb 13 16:45:59.8911        Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Wed Feb 13 16:45:59.8925        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:59.8953        detachfromtty(): child failed (rc = 255).
-bash-3.2#

Thanks

Last edited by Scrutinizer; 02-15-2019 at 01:59 AM.. Reason: Removed password / hash
# 2  
It means that the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred file are empty. This is generated by ldapclient -v init, but then the a profile has to be stored in LDAP . Is that the case? You seem to be looking in the ou=hosts container.

Did you create an RFC2307bis schema in LDAP?

Instead of init you can use ldapclient -v manual and simply specify the ldapclient configuration on the command line..
# 3  
I ran this on LDAP Master side, if I got your question correctly
Code:
[root@master-wks3 ~]# ldapadd -v -x -D cn=ldapadm,dc=ng522,dc=state,dc=ia,dc=us -W -H ldapi:/// -f newhost_add.ldif

And

[root@master-wks3 ~]# cat /root/openldap/newhost_add.ldif
dn: cn=ia-client01,ou=profile,dc=ng522,dc=state,dc=ia,dc=us
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=ng522,dc=state,dc=ia,dc=us
preferredServerList: master-wks3-data.ng522.state.ia.us,master-wks3-data.ng522.state.ia.us
cn: ia-client01
searchTimeLimit: 30
bindTimeLimit: 10
defaultSearchScope: one
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=SUDOers,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
serviceSearchDescriptor: user_attr:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
authenticationMethod: tls:simple
profileTTL: 43200
credentialLevel: proxy

dn: cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
objectClass: groupOfNames
objectClass: top
objectClass: simpleSecurityObject
cn: ia-client01
member: cn=IDS-SA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NE,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NSS,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=WTA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
userPassword: {SSHA}xxxxxxxxxxxxxxxxxx
[root@master-wks3 ~]#

Quote:
Originally Posted by Scrutinizer
Instead of init you can use ldapclient -v manual and simply specify the ldapclient configuration on the command line..
I missed your suggestion in above quote ? What command I should on client? Please suggest. Probably this ?
Code:
/usr/sbin/ldapclient -v manual -a proxyDN=cn=`hostname`,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling manual option
Manual failed: Missing required defaultSearchBase attribute.
-bash-3.2#


Last edited by Scrutinizer; 02-15-2019 at 01:53 AM.. Reason: Removed password / hash
# 4  
My thoughts were that perhaps the profile information wasn't there, hence my suggestion to try manual but that seems to be OK.

I noticed this bit:
Code:
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.

So it appears ldapclient cannot make a backup of the old configuration and then does a walk-back..

Is /var/ldap/ldap_client_cred present/accessible?


--
Note: Please remove sensitive information from your posts..

Last edited by Scrutinizer; 02-15-2019 at 05:12 AM..
# 5  
Is /var/ldap/ldap_client_cred present/accessible?

Yes, it is present.
Code:
-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2#

Per document, it is supposed to be 600, so it is.
==============Update=================
I ran it manual and after few tries, I was able to start ldap service, but client still doesn't seems to be added and failing, though giving different error now. If I compare /var/ldap/ldap_client_file with other working clients, that one is having much more information.
Code:
-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` 172.28.xx.xx
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: yyyyyyyyy
        defaultServerList: 172.28.xx.xx
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/ng522.state.ia.us)=-1
file_backup: No /var/yp/binding/ng522.state.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "ng522.state.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/ng522.state.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
-bash-3.2# svcs -a | grep -i ldap
online          0:49:16 svc:/network/ldap/client:default
-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2# cat /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 172.28.xx.xx
NS_LDAP_SEARCH_BASEDN= dc=ia-client01,dc=ng522,dc=state,dc=ia,dc=us
NS_LDAP_CACHETTL= 0
-bash-3.2#


Last edited by solaris_1977; 02-15-2019 at 05:05 AM..

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #587
Difficulty: Medium
All programming languages support recursion.
True or False?

9 More Discussions You Might Find Interesting

1. UNIX Desktop Questions & Answers

How can I replicate master master and master master MySQL databse replication and HA?

I have an application desigend in PHP and MySQl running on apache web server that I is running on a Amazon EC2 server Centos. I want to implement the master-master and master slave replication and high availability disaster recovery on this application database. For this I have created two... (0 Replies)
Discussion started by: Palak Sharma
0 Replies

2. Solaris

Openldap configuration

I m using Intel solaris 10 version . I m trying to install openldap and used several documents and package versions . But every time I got CC PATH error and while I solved the CC issue , I got Barkley DB error . :wall: Is there any perticular site from where I can install and configure... (1 Reply)
Discussion started by: sanjee
1 Replies

3. Solaris

OpenLDAP setup

At work I'm been givin the task to move are backend servers from NIS to LDAP. We have mostly Solaris 10 servers, as well as a few Redhat servers. I am going to use openLDAP as the LDAP server. I'm looking for a good how to guide on setting up the openLDAP server. Most of the docs I have found seem... (0 Replies)
Discussion started by: bitlord
0 Replies

4. Infrastructure Monitoring

trap in etc/profile and user .profile

Hello I really wonder what's trap in etc/profile and in each user .profile. I try to google for it but I think I have no luck. Mostly hit is SNMP traps which I think it is not the same thing. I want to know ... 1. What's a "trap 2 3" means and are there any other value I can set... (4 Replies)
Discussion started by: Smith
4 Replies

5. Red Hat

Need OpenLDAP Help

Hi, all: I'm studying for the RHCE and have hit the section on configuring an OpenLDAP client. I'd like to practice this, but I can't get an OpenLDAP server set up. I followed the directions in RedHat's Deployment Guide, and it looks like the server is up and running, but I can't get the... (0 Replies)
Discussion started by: rjlohman
0 Replies

6. UNIX for Dummies Questions & Answers

difference between /etc/profile and .profile?

What is the difference between /etc/profile and .profile? (5 Replies)
Discussion started by: gehlnar
5 Replies

7. AIX

openLDAP with Aix

hello I have a P570 with 3 partitions. These partitions are available, since 1 year. So there are a lot of users, files, etc, on these partition I must now install an openldap with Debian to manage all these users. But several pb: on LDAP, we are 1 iud for user and one home directory, 1 gid... (0 Replies)
Discussion started by: pascalbout
0 Replies

8. SCO

Difference between .profile and .~/.profile

what is the difference between these two lines, if we use it in korn shell script: .profile .~/.profile (3 Replies)
Discussion started by: maneesh mehta
3 Replies

9. UNIX for Dummies Questions & Answers

changed .profile but didnt ./.profile, yet reflected changes

hi , i added ls -F to .profile. and i need to do ./.profile for the effect to take effect BUT i didnt and YET the next day when i came to work and log in, the changes took effect. i am on aix. please explain.. thanks (4 Replies)
Discussion started by: yls177
4 Replies

Featured Tech Videos