Problem:
Start of OpenLDAP fails with "undefined slapschema"
As a consequence of this error, the notifier and listener services are out of sync.
Environment
An attempt to start the OpenLDAP server fails, and journalctl -xe shows the following:
root@ucs:/var/log/univention# service slapd status
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2019-03-21 10:34:53 CET; 6min ago
Docs: man:systemd-sysv-generator(8)
Process: 791 ExecStart=/etc/init.d/slapd start (code=exited, status=1/FAILURE)
CPU: 156ms
Mär 21 10:34:48 ucs systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Mär 21 10:34:51 ucs slapd[1090]: @(#) $OpenLDAP: slapd (Aug 6 2018 15:28:57) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mär 21 10:34:53 ucs slapd[791]: Starting ldap server(s): slapd...
/etc/ldap/slapd.conf: line 77: index attribute "memberOf" undefined
[...]
Mär 21 10:34:53 ucs systemd[1]: slapd.service: Control process exited, code=exited status=1
Mär 21 10:34:53 ucs systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Mär 21 10:34:53 ucs systemd[1]: slapd.service: Unit entered failed state.
Mär 21 10:34:53 ucs systemd[1]: slapd.service: Failed with result 'exit-code'.
Solution
The main error message in the log snippet above is “index attribute "memberOf" undefined”. The attributes to be indexed are defined through UCR variables.
Step 1
First, check that the “memberOf” overlay package is properly installed. The output should look like this:
root@ucs:~# dpkg -l | grep member
ii univention-ldap-overlay-memberof 10.0.0-4A~4.3.0.201802051318 all configuration for OpenLDAP memberOf overlay module
Step 2
Verify that memberOf is activated; the following UCR variables should be shown:
root@ucs:~# ucr dump | grep memberof
ldap/overlay/memberof/dangling: ignore
ldap/overlay/memberof/member: uniqueMember
ldap/overlay/memberof/memberof: memberOf
ldap/overlay/memberof/modifiersname: cn=admin,dc=univention,dc=unconfigured
ldap/overlay/memberof/refint: false
ldap/overlay/memberof: true
Step 3
Rewrite the OpenLDAP configuration file so that it matches the UCS settings:
root@ucs:~# ucr commit /etc/ldap/slapd.conf
root@ucs:~# systemctl start slapd
If it still fails with the same error, continue with the following troubleshooting steps.
Step 4
Check for manual changes to the Univention templates. The command should report no modifications:
root@ucs:~# univention-check-template
Step 5
As slapd complains about an index issue with memberOf, determine the current UCR variables for the index settings:
root@ucs:~# ucr dump | grep index
ldap/index/eq: aRecord,automountInformation,cNAMERecord,cn,memberof,description,dhcpHWAddress,displayName,entryUUID,gidNumber,givenName,homeDirectory,krb5PrincipalName,macAddress,mail,mailAlternativeAddress,mailPrimaryAddress,memberUid,objectClass,ou,pTRRecord,relativeDomainName,sambaAcctFlags,sambaDomainName [...]
The output above lists “memberof” in the “eq” index. This is not a standard setting: memberOf is generated by the overlay rather than being a regular schema attribute, so listing it as an index attribute in slapd.conf makes slapd refuse to start with the error shown above.
Step 6
Set the UCR variable to a value without the “memberof” attribute, copying the remaining values from the previous output:
root@ucs:~# ucr set ldap/index/eq=aRecord,automountInformation,cNAMERecord,cn,description,dhcpHWAddress,displayName,entryUUID,gidNumber,givenName,homeDirectory,krb5PrincipalName,macAddress,mail,mailAlternativeAddress,mailPrimaryAddress,memberUid,objectClass,ou,pTRRecord,relativeDomainName,sambaAcctFlags,sambaDomainName [...]
Step 7
Commit changes and restart slapd:
root@ucs:~# ucr commit /etc/ldap/slapd.conf
root@ucs:~# systemctl start slapd
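A small shell helper for steps 5 to 7, added here as an example and not part of the Univention article: it removes “memberof” from the comma-separated ldap/index/eq value programmatically instead of by cut-and-paste, so none of the remaining index attributes can be dropped or mistyped. It assumes the ucr get/set/commit commands behave as on a UCS host; the part that touches the live system only runs where ucr is available.

```shell
#!/bin/sh
# Added example (not from the UCS knowledge base): strip "memberof" from the
# ldap/index/eq value while keeping every other indexed attribute intact.

# Print the list without "memberof" (matched case-insensitively as a whole
# item). Exit status 0 if the value changed, 1 if memberof was not present.
strip_memberof_index() {
    list="$1"
    cleaned=$(printf '%s\n' "$list" | tr ',' '\n' \
        | grep -v -i -x 'memberof' | paste -s -d ',' -)
    printf '%s\n' "$cleaned"
    [ "$cleaned" != "$list" ]
}

# Apply the fix on the running system only where the ucr tool exists
# (assumed UCS host); otherwise the function above is just defined.
if command -v ucr >/dev/null 2>&1; then
    current=$(ucr get ldap/index/eq)
    if new=$(strip_memberof_index "$current"); then
        ucr set "ldap/index/eq=$new"
        ucr commit /etc/ldap/slapd.conf
        systemctl start slapd
    else
        echo "memberof is not listed in ldap/index/eq; nothing to change"
    fi
fi
```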