
#1 2022-08-10 10:37:25

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,975

OpenLDAP: slapadd: could not add entry dn="cn=config"

I tried to set up OpenLDAP as per the Wiki.
However, I stumbled over several issues.
First of all, the two directories /var/lib/openldap/openldap-data and /etc/openldap/slapd.d/ needed to be created manually, since after the installation of openldap only their parent directories were created.
Is this a bug in the package or is the Wiki out of date?

After having created the two directories and made the ldap user their owner, I tried to run

sudo -u ldap slapadd -vvvn 0 -F /etc/openldap/slapd.d/ -l /tmp/config.ldif

again, which resulted in

slapadd: could not add entry dn="cn=config" (line=1): 
Closing DB...

using the following config.ldif

# The root config entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

# Schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# TODO: Include further schemas as necessary
include: file:///etc/openldap/schema/core.ldif

# The config database
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,dc=homeinfo,dc=de

# The database for our entries
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=homeinfo,dc=de
olcRootDN: cn=Manager,dc=homeinfo,dc=de
olcRootPW: {SSHA}PmWW2jjClyO68nxbTI3mVboOp1Bx6+N4
olcDbDirectory: /var/lib/openldap/openldap-data
# TODO: Create further indexes
olcDbIndex: objectClass eq

# Additional schemas
# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/openldap/schema/cosine.ldif
# RFC2798: Internet Organizational Person
include: file:///etc/openldap/schema/inetorgperson.ldif
# RFC2307: An Approach for Using LDAP as a Network Information Service
include: file:///etc/openldap/schema/nis.ldif

# Additional indexes
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq

What am I doing wrong here?

PS: Yes, I'm gonna replace the hash now that I accidentally posted it, just to be on the safe side.
PPS:

$ ls -laR /etc/openldap
/etc/openldap:
insgesamt 28
drwxr-xr-x  4 root root 4096 10. Aug 12:29 .
drwxr-xr-x 54 root root 4096 10. Aug 12:18 ..
-rw-r--r--  1 root root  247 15. Jul 08:27 ldap.conf
drwxr-xr-x  2 root root 4096 10. Aug 12:18 schema
-rw-r-----  1 root ldap 2695 15. Jul 08:27 slapd.conf
drwxr-xr-x  3 ldap ldap 4096 10. Aug 12:29 slapd.d
-rw-r-----  1 root ldap 2714 15. Jul 08:27 slapd.ldif

/etc/openldap/schema:
insgesamt 544
drwxr-xr-x 2 root root   4096 10. Aug 12:18 .
drwxr-xr-x 4 root root   4096 10. Aug 12:29 ..
-r--r--r-- 1 root root   2036 15. Jul 08:27 collective.ldif
-r--r--r-- 1 root root   6191 15. Jul 08:27 collective.schema
-r--r--r-- 1 root root   1845 15. Jul 08:27 corba.ldif
-r--r--r-- 1 root root   8063 15. Jul 08:27 corba.schema
-r--r--r-- 1 root root  20619 15. Jul 08:27 core.ldif
-r--r--r-- 1 root root  20506 15. Jul 08:27 core.schema
-r--r--r-- 1 root root  12006 15. Jul 08:27 cosine.ldif
-r--r--r-- 1 root root  73995 15. Jul 08:27 cosine.schema
-r--r--r-- 1 root root   3594 15. Jul 08:27 dsee.ldif
-r--r--r-- 1 root root   3374 15. Jul 08:27 dsee.schema
-r--r--r-- 1 root root   4842 15. Jul 08:27 duaconf.ldif
-r--r--r-- 1 root root  10389 15. Jul 08:27 duaconf.schema
-r--r--r-- 1 root root   3500 15. Jul 08:27 dyngroup.ldif
-r--r--r-- 1 root root   3523 15. Jul 08:27 dyngroup.schema
-r--r--r-- 1 root root   3481 15. Jul 08:27 inetorgperson.ldif
-r--r--r-- 1 root root   6267 15. Jul 08:27 inetorgperson.schema
-r--r--r-- 1 root root   2979 15. Jul 08:27 java.ldif
-r--r--r-- 1 root root  13901 15. Jul 08:27 java.schema
-rw-r--r-- 1 root root   1312 15. Jul 08:27 ldapns.schema
-r--r--r-- 1 root root   2082 15. Jul 08:27 misc.ldif
-r--r--r-- 1 root root   2387 15. Jul 08:27 misc.schema
-r--r--r-- 1 root root 121865 15. Jul 08:27 msuser.ldif
-r--r--r-- 1 root root 113752 15. Jul 08:27 msuser.schema
-r--r--r-- 1 root root   1218 15. Jul 08:27 namedobject.ldif
-r--r--r-- 1 root root   1574 15. Jul 08:27 namedobject.schema
-r--r--r-- 1 root root   6809 15. Jul 08:27 nis.ldif
-r--r--r-- 1 root root   7640 15. Jul 08:27 nis.schema
-r--r--r-- 1 root root   3308 15. Jul 08:27 openldap.ldif
-r--r--r-- 1 root root   1514 15. Jul 08:27 openldap.schema
-r--r--r-- 1 root root   6904 15. Jul 08:27 pmi.ldif
-r--r--r-- 1 root root  20467 15. Jul 08:27 pmi.schema
-r--r--r-- 1 root root   3655 15. Jul 08:27 README

/etc/openldap/slapd.d:
insgesamt 16
drwxr-xr-x 3 ldap ldap 4096 10. Aug 12:29  .
drwxr-xr-x 4 root root 4096 10. Aug 12:29  ..
drwxr-x--- 3 ldap ldap 4096 10. Aug 12:29 'cn=config'
-rw------- 1 ldap ldap  440 10. Aug 12:29 'cn=config.ldif'

'/etc/openldap/slapd.d/cn=config':
insgesamt 24
drwxr-x--- 3 ldap ldap 4096 10. Aug 12:29  .
drwxr-xr-x 3 ldap ldap 4096 10. Aug 12:29  ..
drwxr-x--- 2 ldap ldap 4096 10. Aug 12:29 'cn=schema'
-rw------- 1 ldap ldap  378 10. Aug 12:29 'cn=schema.ldif'
-rw------- 1 ldap ldap  446 10. Aug 12:29 'olcDatabase={0}config.ldif'
-rw------- 1 ldap ldap  639 10. Aug 12:29 'olcDatabase={-1}frontend.ldif'

'/etc/openldap/slapd.d/cn=config/cn=schema':
insgesamt 24
drwxr-x--- 2 ldap ldap  4096 10. Aug 12:29  .
drwxr-x--- 3 ldap ldap  4096 10. Aug 12:29  ..
-rw------- 1 ldap ldap 15575 10. Aug 12:29 'cn={0}core.ldif'
$ ls -laR /var/lib/openldap
/var/lib/openldap:
insgesamt 16
drwxr-xr-x  3 root root 4096 10. Aug 12:30 .
drwxr-xr-x 20 root root 4096 10. Aug 12:18 ..
drwxr-xr-x  2 ldap ldap 4096 10. Aug 12:30 openldap-data
-rw-r--r--  1 ldap ldap   55 10. Aug 12:18 .placeholder

/var/lib/openldap/openldap-data:
insgesamt 8
drwxr-xr-x 2 ldap ldap 4096 10. Aug 12:30 .
drwxr-xr-x 3 root root 4096 10. Aug 12:30 ..

Update:
After removing openldap entirely, including all config directories under /etc/ and /var/, I re-ran the setup with the following result:

$ sudo -u ldap slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/config.ldif
str2entry: entry -1 has no dn
slapadd: could not parse entry (line=1021)
Closing DB...

Last edited by schard (2022-08-10 11:05:54)


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }


#2 2022-08-13 11:19:47

gallatin
Member
Registered: 2017-03-11
Posts: 2

Re: OpenLDAP: slapadd: could not add entry dn="cn=config"

I had exactly the same problem. IIRC the problem was with empty lines I added to the beginning of the additional schemas and indexes. After removing those lines and appending directly to the relevant sections I could provision the database.


#3 2022-09-05 15:39:28

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: OpenLDAP: slapadd: could not add entry dn="cn=config"

Ok, so what is the correct form of this ldif? If someone will help me get it correct I will fix it in the wiki.

root@eskimo ~ # export BASEDN="dc=example,dc=com"
root@eskimo ~ # export PASSWD="$(slappasswd -s TEST123)"
root@eskimo ~ # envsubst < ldap-config.ldif.tpl > /tmp/config.ldif
root@eskimo ~ # cat /tmp/config.ldif
# The root config entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

# Schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# TODO: Include further schemas as necessary
include: file:///etc/openldap/schema/core.ldif

# The config database
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,dc=example,dc=com

# The database for our entries
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}Q1sba+Q1+5DnxaQH3JYQcU8zYOFI5C++
olcDbDirectory: /var/lib/openldap/openldap-data
# TODO: Create further indexes
olcDbIndex: objectClass eq

# Additional schemas
# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/openldap/schema/cosine.ldif
# RFC2798: Internet Organizational Person
include: file:///etc/openldap/schema/inetorgperson.ldif
# RFC2307: An Approach for Using LDAP as a Network Information Service
include: file:///etc/openldap/schema/nis.ldif

# Additional indexes
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq
root@eskimo ~ # sudo -u ldap slapadd -n 0 -F /etc/openldap/slapd.d/ -l /tmp/config.ldif
slapadd: could not add entry dn="cn=config" (line=1): 
Closing DB...

Last edited by thoth (2022-09-05 15:39:47)


#4 2022-09-05 15:49:27

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: OpenLDAP: slapadd: could not add entry dn="cn=config"

Some additional thoughts given this Dockerfile.openldap

FROM archlinux:latest

RUN pacman -Syu --noconfirm --color always openldap bash sudo \
&& pacman -Scc --noconfirm
COPY config.ldif /config.ldif

RUN mkdir /etc/openldap/slapd.d \
&& chown -R ldap: /etc/openldap/slapd.d \
&& mkdir /etc/openldap/ssl \
&& chown -R ldap: /etc/openldap/ssl \
&& mkdir /var/lib/openldap/openldap-data \
&& chown ldap: /var/lib/openldap/openldap-data \
&& chown ldap: /config.ldif

and this ldap-config.ldif.tpl

# The root config entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

# Schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# TODO: Include further schemas as necessary
include: file:///etc/openldap/schema/core.ldif

# The config database
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,$BASEDN

# The database for our entries
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: $BASEDN
olcRootDN: cn=Manager,$BASEDN
olcRootPW: $PASSWD
olcDbDirectory: /var/lib/openldap/openldap-data
# TODO: Create further indexes
olcDbIndex: objectClass eq

# Additional schemas
# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/openldap/schema/cosine.ldif
# RFC2798: Internet Organizational Person
include: file:///etc/openldap/schema/inetorgperson.ldif
# RFC2307: An Approach for Using LDAP as a Network Information Service
include: file:///etc/openldap/schema/nis.ldif

# Additional indexes
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq

I can reproduce the issue pretty regularly:

root@eskimo ~ # export BASEDN="dc=example,dc=com"       
root@eskimo ~ # export PASSWD="$(slappasswd -s TEST123)"
root@eskimo ~ # envsubst < ldap-config.ldif.tpl > config.ldif
root@eskimo ~ # docker build -t test -f Dockerfile.openldap .
Sending build context to Docker daemon  896.5MB
Step 1/4 : FROM archlinux:latest
 ---> ec4c97123c01
Step 2/4 : RUN pacman -Syu --noconfirm --color always openldap bash sudo && pacman -Scc --noconfirm
 ---> Using cache
 ---> 3641fd787f46
Step 3/4 : COPY config.ldif /config.ldif
 ---> d5ce6b7881f3
Step 4/4 : RUN mkdir /etc/openldap/slapd.d && chown -R ldap: /etc/openldap/slapd.d && mkdir /etc/openldap/ssl && chown -R ldap: /etc/openldap/ssl && mkdir /var/lib/openldap/openldap-data && chown ldap: /var/lib/openldap/openldap-data && chown ldap: /config.ldif
 ---> Running in f7546e6127cd
Removing intermediate container f7546e6127cd
 ---> 81e73eaff693
Successfully built 81e73eaff693
Successfully tagged test:latest

running like this:

root@eskimo ~ # docker run -it --rm test
[root@47741a72d51a /]# sudo -u ldap slapadd -n 0 -F /etc/openldap/slapd.d/ -l ./config.ldif
str2entry: entry -1 has no dn
slapadd: could not parse entry (line=1021)
Closing DB...
[root@47741a72d51a /]# sudo -u ldap slapadd -n 0 -F /etc/openldap/slapd.d/ -l ./config.ldif
slapadd: could not add entry dn="cn=config" (line=1): 
Closing DB...

What is the difference between the first and second run of the slapadd?


#5 2022-09-05 17:48:15

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: OpenLDAP: slapadd: could not add entry dn="cn=config"

things that do not work

1. removing blank lines
2. removing comments

EDIT: it is the last entry that fails

# Additional indexes
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq

str2entry: entry -1 has no dn
slapadd: could not parse entry (line=1021)

Removing that block and the slapadd runs without error.  So what is the dn there?

Last edited by thoth (2022-09-05 18:10:55)


#6 2022-09-06 00:39:23

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: OpenLDAP: slapadd: could not add entry dn="cn=config"

I think those olcDbIndex entries need to be added to the `dn: olcDatabase=mdb,cn=config` block. Like so:

# The root config entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

# Schemas
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# TODO: Include further schemas as necessary
include: file:///etc/openldap/schema/core.ldif

# The config database
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,$BASEDN

# The database for our entries
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: $BASEDN
olcRootDN: cn=Manager,$BASEDN
olcRootPW: $PASSWD
olcDbDirectory: /var/lib/openldap/openldap-data
# TODO: Create further indexes
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: cn,sn pres,sub,eq
olcDbIndex: dc eq

# Additional schemas
# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/openldap/schema/cosine.ldif
# RFC2798: Internet Organizational Person
include: file:///etc/openldap/schema/inetorgperson.ldif
# RFC2307: An Approach for Using LDAP as a Network Information Service
include: file:///etc/openldap/schema/nis.ldif

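An added example, not code from the thread or from OpenLDAP: a small Python checker for the failure mode diagnosed in #5 and fixed in #6. It assumes slapd.ldif's rule that standalone include: lines are directives rather than entries, and walks a constructed, shortened copy of the broken config to report the first attribute line of every block that has no dn:.

```python
# LDIF separates entries with blank lines, so attribute lines placed after a
# blank line (the "Additional indexes" block in this thread) form a new entry
# with no dn, and slapadd stops with "str2entry: entry -1 has no dn".

# Constructed sample in the shape of the thread's broken config (shortened).
BROKEN_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
# TODO: Create further indexes
olcDbIndex: objectClass eq

# Additional indexes
olcDbIndex: uid pres,eq
olcDbIndex: dc eq
"""


def entries_without_dn(ldif_text):
    """Return [(line_no, first_line)] for every entry block lacking a leading dn:."""
    problems, block = [], []  # block: (line_no, logical line) of the current entry
    # A trailing "" flushes the last block even when the file has no final blank line.
    for line_no, raw in enumerate(ldif_text.splitlines() + [""], start=1):
        if raw.startswith("#"):
            continue  # LDIF comment line, not part of the entry
        if raw.startswith(" ") and block:
            n, prev = block[-1]  # LDIF folding: join continuation onto previous line
            block[-1] = (n, prev + raw[1:])
            continue
        if raw.strip():
            block.append((line_no, raw))
            continue
        # Blank line ends the entry; include: directives are not entry attributes.
        attrs = [a for a in block if not a[1].startswith("include:")]
        if attrs and not attrs[0][1].startswith("dn:"):
            problems.append(attrs[0])
        block = []
    return problems


if __name__ == "__main__":
    for line_no, first in entries_without_dn(BROKEN_LDIF):
        print(f"line {line_no}: entry starting with {first!r} has no dn")
```

Run it against /tmp/config.ldif before slapadd; deleting the blank line in front of the index block (as in #6) makes the report empty.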
