OPENLDAP - not able to download profile from master

Hi,
I have created a new OpenLDAP server on RHEL 7. I am trying to connect a Solaris 10 client to it. But when I add this client to the LDAP master, it is not able to download the ldap_client_file, and that's why the service is not coming online. Need help in fixing this issue.

-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=`hostname`,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/foo.ia.us)=-1
file_backup: No /var/yp/binding/foo.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "foo.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/foo.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname foo.bar.baz... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error (1) while starting services during reset
-bash-3.2#
-bash-3.2# svcs -a | grep ldap
maintenance    16:41:41 svc:/network/ldap/client:default
-bash-3.2# svcadm clear svc:/network/ldap/client:default
-bash-3.2# svcs -a | grep ldap
maintenance    16:45:37 svc:/network/ldap/client:default
-bash-3.2# svcs -xv
svc:/network/ldap/client:default (LDAP client)
 State: maintenance since Wed Feb 13 16:45:37 2019
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M ldap_cachemgr
   See: /var/svc/log/network-ldap-client:default.log
Impact: This service is not running.
-bash-3.2# tail -10 /var/svc/log/network-ldap-client:default.log
[ Feb 13 16:41:41 Disabled. ]
[ Feb 13 16:41:41 Enabled. ]
[ Feb 13 16:41:41 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:41:41 Method "start" exited with status 1 ]
[ Feb 13 16:45:37 Leaving maintenance because clear requested. ]
[ Feb 13 16:45:37 Enabled. ]
[ Feb 13 16:45:37 Executing start method ("/lib/svc/method/ldap-client start") ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Feb 13 16:45:37 Method "start" exited with status 1 ]
-bash-3.2# /lib/svc/method/ldap-client start
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
-bash-3.2#
-bash-3.2# tail -5 /var/ldap/cachemgr.log
Wed Feb 13 16:45:37.6594        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:37.6614        detachfromtty(): child failed (rc = 255).
Wed Feb 13 16:45:59.8911        Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Wed Feb 13 16:45:59.8925        Error: Unable to read '/var/ldap/ldap_client_file': Empty config file: '/var/ldap/ldap_client_file'
Wed Feb 13 16:45:59.8953        detachfromtty(): child failed (rc = 255).
-bash-3.2#

Thanks

It means that the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred files are empty. They are generated by ldapclient -v init, but then a profile has to be stored in LDAP. Is that the case? You seem to be looking in the ou=hosts container.

Did you create an RFC2307bis schema in LDAP?

Instead of init you can use ldapclient -v manual and simply specify the ldapclient configuration on the command line.

I ran this on the LDAP master side, if I understood your question correctly:

[root@master-wks3 ~]# ldapadd -v -x -D cn=ldapadm,dc=ng522,dc=state,dc=ia,dc=us -W -H ldapi:/// -f newhost_add.ldif

And

[root@master-wks3 ~]# cat /root/openldap/newhost_add.ldif
dn: cn=ia-client01,ou=profile,dc=ng522,dc=state,dc=ia,dc=us
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=ng522,dc=state,dc=ia,dc=us
preferredServerList: master-wks3-data.ng522.state.ia.us,master-wks3-data.ng522.state.ia.us
cn: ia-client01
searchTimeLimit: 30
bindTimeLimit: 10
defaultSearchScope: one
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=SUDOers,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
serviceSearchDescriptor: user_attr:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
authenticationMethod: tls:simple
profileTTL: 43200
credentialLevel: proxy

dn: cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
objectClass: groupOfNames
objectClass: top
objectClass: simpleSecurityObject
cn: ia-client01
member: cn=IDS-SA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NE,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=NSS,ou=access,dc=ng522,dc=state,dc=ia,dc=us
member: cn=WTA,ou=access,dc=ng522,dc=state,dc=ia,dc=us
userPassword: {SSHA}xxxxxxxxxxxxxxxxxx
[root@master-wks3 ~]#

I missed your suggestion in the above quote? What command should I run on the client? Please suggest. Probably this?

/usr/sbin/ldapclient -v manual -a proxyDN=cn=`hostname`,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` master-wks3-data
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: xxxxxxxxxxxxxxxxxx
        defaultServerList: master-wks3-data
Handling manual option
Manual failed: Missing required defaultSearchBase attribute.
-bash-3.2#
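As an added example (not code from the thread or from Solaris), the script below takes the DUAConfigProfile entry posted above, embedded as a constructed sample, checks it for the attributes ldapclient(1M) needs, parses each serviceSearchDescriptor into service/base/scope/filter, and builds the argument list that a "ldapclient manual" run would need. The manual attempt above stopped on "Missing required defaultSearchBase attribute" because, unlike init, manual does not fetch the profile: every profile attribute, including defaultSearchBase and the server list, has to be passed with -a. The script also flags a proxy credential level combined with a plain "simple" bind (the proxy password would cross the network in the clear) and a server list that repeats the same host. The rule that a base ending in "," is relative to defaultSearchBase, and the fallback to defaultSearchScope when a descriptor omits its scope, are stated as I understand the Solaris SSD syntax; LDIF base64 (::) values are not handled.

```python
"""Check a Solaris DUAConfigProfile entry and derive ldapclient(1M) manual arguments.

Added example, not code from the thread. The LDIF below is the profile entry
posted above, embedded as a constructed sample so the script runs offline.
"""

# Constructed sample: the profile entry from the post, verbatim.
SAMPLE_LDIF = """\
dn: cn=ia-client01,ou=profile,dc=ng522,dc=state,dc=ia,dc=us
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=ng522,dc=state,dc=ia,dc=us
preferredServerList: master-wks3-data.ng522.state.ia.us,master-wks3-data.ng522.state.ia.us
cn: ia-client01
searchTimeLimit: 30
bindTimeLimit: 10
defaultSearchScope: one
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=SUDOers,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
serviceSearchDescriptor: user_attr:ou=People,?one?isMemberOf=cn=ia-client01,ou=Hosts,dc=ng522,dc=state,dc=ia,dc=us
authenticationMethod: tls:simple
profileTTL: 43200
credentialLevel: proxy
"""

# Profile attributes that can be handed to "ldapclient manual" unchanged via -a.
MANUAL_ATTRS = ("defaultSearchBase", "defaultSearchScope", "authenticationMethod",
                "credentialLevel", "searchTimeLimit", "bindTimeLimit",
                "followReferrals", "profileTTL", "preferredServerList", "defaultServerList")


def parse_ldif_entry(text):
    """Return (dn, {attr: [values]}) for one LDIF entry; joins folded lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs


def parse_ssd(ssd, default_base, default_scope):
    """Split 'service:base?scope?filter'. Assumption: a base ending in ',' is relative
    to defaultSearchBase, and an empty scope falls back to defaultSearchScope."""
    service, _, rest = ssd.partition(":")
    base, scope, flt = (rest.split("?", 2) + ["", ""])[:3]
    if base.endswith(","):
        base += default_base
    return {"service": service, "base": base, "scope": scope or default_scope, "filter": flt}


def check_profile(text):
    """Return (findings, ssds, manual_args) for one DUAConfigProfile entry."""
    _dn, a = parse_ldif_entry(text)
    findings = []
    if "DUAConfigProfile" not in a.get("objectClass", []):
        findings.append("entry is not a DUAConfigProfile")
    # "ldapclient manual" refuses to run without this attribute (the error seen above).
    if "defaultSearchBase" not in a:
        findings.append("missing defaultSearchBase")
    if not (a.get("preferredServerList") or a.get("defaultServerList")):
        findings.append("no preferredServerList or defaultServerList")
    seen = set()
    for lst in a.get("preferredServerList", []) + a.get("defaultServerList", []):
        for srv in lst.split(","):
            if srv in seen:
                findings.append("duplicate server " + srv)
            seen.add(srv)
    # A plain simple bind sends the proxy password in cleartext; tls:simple does not.
    if a.get("credentialLevel", [""])[0] == "proxy" and \
            a.get("authenticationMethod", [""])[0] == "simple":
        findings.append("proxy password would be sent in cleartext; use tls:simple")
    base = a.get("defaultSearchBase", [""])[0]
    scope = a.get("defaultSearchScope", ["one"])[0]
    ssds = [parse_ssd(s, base, scope) for s in a.get("serviceSearchDescriptor", [])]
    args = ["ldapclient", "-v", "manual"]
    for attr in MANUAL_ATTRS:
        for v in a.get(attr, []):
            args += ["-a", f"{attr}={v}"]
    for v in a.get("serviceSearchDescriptor", []):
        args += ["-a", f"serviceSearchDescriptor={v}"]
    # domainName and proxyDN/proxyPassword (or -y file) are per-client; the caller adds them.
    return findings, ssds, args


def gated_services(ssds):
    """Map service -> extra filter, i.e. the per-host access gate on lookups (isMemberOf above)."""
    return {d["service"]: d["filter"] for d in ssds if d["filter"]}


if __name__ == "__main__":
    findings, ssds, args = check_profile(SAMPLE_LDIF)
    print("findings:", findings or "none")
    print("gated:", gated_services(ssds))
    print(" ".join(args))
```

On the posted profile the only finding is the repeated host in preferredServerList; the generated argument list is what the manual attempt above was missing, and gated_services shows that only passwd and user_attr lookups are restricted to members of the host's entry under ou=Hosts, while group, shadow, netgroup and sudoers are not.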

My thought was that perhaps the profile information wasn't there, hence my suggestion to try manual, but that seems to be OK.

I noticed this bit:

file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
mv: cannot access /var/ldap/ldap_client_cred
file_backup: file_move(/var/ldap/ldap_client_cred, /var/ldap/restore/ldap_client_cred) failed with 512
Save of system configuration failed.  Attempting recovery.

So it appears ldapclient cannot make a backup of the old configuration and then does a walk-back.

Is /var/ldap/ldap_client_cred present/accessible?

--
Note: Please remove sensitive information from your posts..

Is /var/ldap/ldap_client_cred present/accessible?

Yes, it is present.

-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2#

Per the document, it is supposed to be 600, so it is.
==============Update=================
I ran it manually, and after a few tries I was able to start the ldap service, but the client still doesn't seem to be added and is failing, though it gives a different error now. If I compare /var/ldap/ldap_client_file with other working clients, those have much more information.

-bash-3.2# /usr/sbin/ldapclient -v init -a proxyDN=cn=ia-client01,ou=hosts,dc=foo,dc=bar,dc=baz,dc=us -y /etc/ldap.secret -a domainName=ng522.state.ia.us -a profileName=`hostname` 172.28.xx.xx
Parsing proxyDN=cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Parsing domainName=ng522.state.ia.us
Parsing profileName=ia-client01
Arguments parsed:
        domainName: ng522.state.ia.us
        proxyDN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
        profileName: ia-client01
        proxyPassword: yyyyyyyyy
        defaultServerList: 172.28.xx.xx
Handling init option
About to configure machine by downloading a profile
Proxy DN: cn=ia-client01,ou=hosts,dc=ng522,dc=state,dc=ia,dc=us
Proxy password: {NS1}xxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "ng522.state.ia.us"
file_backup: stat(/var/yp/binding/ng522.state.ia.us)=-1
file_backup: No /var/yp/binding/ng522.state.ia.us directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "ng522.state.ia.us"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/ng522.state.ia.us)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ng522.state.ia.us... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
-bash-3.2# svcs -a | grep -i ldap
online          0:49:16 svc:/network/ldap/client:default
-bash-3.2# ls -l /var/ldap/ldap_client_file /var/ldap/ldap_client_cred
-r--------   1 root     root         152 Feb 14 14:32 /var/ldap/ldap_client_cred
-r--------   1 root     root         245 Feb 14 14:32 /var/ldap/ldap_client_file
-bash-3.2# cat /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 172.28.xx.xx
NS_LDAP_SEARCH_BASEDN= dc=ia-client01,dc=ng522,dc=state,dc=ia,dc=us
NS_LDAP_CACHETTL= 0
-bash-3.2#
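Two things stand out in the file printed above: NS_LDAP_SEARCH_BASEDN carries an extra dc=ia-client01 component in front of the profile's defaultSearchBase (every NSS lookup would then search below an entry that the profile never defined), and there is no authentication-method, credential-level or serviceSearchDescriptor line at all. As an added example (not code from the thread), the script below parses the file, embedded as a constructed sample, compares it with the values the posted profile should have produced, and checks the credential file mode the way the "600" remark above implies. The NS_LDAP_AUTH, NS_LDAP_CREDENTIAL_LEVEL and NS_LDAP_SEARCH_SCOPE key names, and the reading of NS_LDAP_CACHETTL=0 as "profile never refreshed", are my assumptions from working Solaris client files; the page only shows the four keys in the sample.

```python
"""Compare a Solaris /var/ldap/ldap_client_file against the values a profile should produce.

Added example, not code from the thread. The file contents are the ones shown
above, embedded as a constructed sample so the script runs offline.
"""
import stat

# Constructed sample: the ldap_client_file printed above, verbatim.
SAMPLE_CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 172.28.xx.xx
NS_LDAP_SEARCH_BASEDN= dc=ia-client01,dc=ng522,dc=state,dc=ia,dc=us
NS_LDAP_CACHETTL= 0
"""

# What the profile LDIF posted earlier should have produced. Key names are an
# assumption taken from working Solaris client files; the page shows only four keys.
EXPECTED = {
    "NS_LDAP_SEARCH_BASEDN": "dc=ng522,dc=state,dc=ia,dc=us",
    "NS_LDAP_SEARCH_SCOPE": "one",
    "NS_LDAP_AUTH": "tls:simple",
    "NS_LDAP_CREDENTIAL_LEVEL": "proxy",
}


def parse_client_file(text):
    """Return {KEY: value} from 'KEY= value' lines; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDNs so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def compare(cfg, expected):
    """Return a list of findings: missing keys, value mismatches, and a base DN that
    sits below (or away from) the expected defaultSearchBase."""
    findings = []
    for key, want in expected.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key} missing: profile values were not written")
        elif key == "NS_LDAP_SEARCH_BASEDN":
            h, w = normalize_dn(have), normalize_dn(want)
            if h == w:
                continue
            if h.endswith("," + w):
                findings.append(f"{key} is a child of the expected base: {have}")
            else:
                findings.append(f"{key} mismatch: {have} != {want}")
        elif have != want:
            findings.append(f"{key} mismatch: {have} != {want}")
    # Assumption: a TTL of 0 means ldap_cachemgr never re-fetches the profile,
    # which is what a manual configuration looks like.
    if cfg.get("NS_LDAP_CACHETTL") == "0":
        findings.append("NS_LDAP_CACHETTL=0: profile is never refreshed (manual config)")
    return findings


def cred_mode_ok(mode):
    """True when no group/other permission bits are set on the credential file.
    Accepts the raw st_mode or a bare permission value such as 0o400 or 0o600."""
    return (stat.S_IMODE(mode) & 0o077) == 0


if __name__ == "__main__":
    cfg = parse_client_file(SAMPLE_CLIENT_FILE)
    for f in compare(cfg, EXPECTED):
        print("-", f)
```

Run against the sample, the output lists the base DN as a child of the expected base, the three missing keys, and the zero TTL; the same comparison against a file copied from one of the working clients should come back with only the TTL line, if anything.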