stevengharms.com

Sententiae viri ex temporibus duobus

OpenLDAP Ate My Week…

This week started off well, with my best friend getting married and Lauren and me spending a day in Houston with my dad. Upon returning to the work week on Tuesday I learned that an LDAP database on one of our systems was no longer updating.

The database updates by checking some source files for modification. If modification is found, the old entry is deleted, and the source file is parsed and uploaded to replace the old entry.

That is, until recently, when this process stopped working. I started debugging through the logs and found this transaction:

  Enter LDAP Password:
  Delete Result: Unknown error (80)
  Additional info: DN index delete failed

I spent the majority of this week fighting through this error. Here's how I solved it; perhaps I can save another admin out there some pain.

  1. Do a text export of the whole database (slapcat > a_huge_text_file). Check that the file is not empty and note how many entries it holds before going any further; it is the only copy of the data you will be loading from.
  2. Turn off the LDAP service. Never slapadd into a database that slapd has open.
  3. Move your old database directory to a backup space (move it, don't delete it, so you can put it back if the load fails).
  4. Do a slapadd -v -l a_huge_text_file. You may want to add the -c flag so that slapadd continues past bad entries instead of aborting; be aware that any entry it skips is then silently missing from the new database, so compare the entry count against the export when you are done.
  5. Wait a while for this to complete.
  6. Do a slapindex on the loaded database; this will also take a while.
  7. Make sure the new database files are owned by the user slapd runs as (slapadd and slapindex run as root leave root-owned files), then start up LDAP.
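The seven steps above as one script, with the two checks the bare list leaves out: refusing to touch the old database if the export is empty, and comparing entry counts after the load so that anything -c skipped is noticed. This is an added example, not the original post's procedure or OpenLDAP's own code; the paths, the service name and the use of GNU chown --reference are assumptions for a typical Linux install.

```shell
#!/bin/sh
# Added example: dump-and-reload rebuild of an OpenLDAP database with sanity
# checks. Paths, SERVICE and GNU coreutils (chown --reference) are assumptions.
set -eu

LDIF=${LDIF:-/var/tmp/a_huge_text_file.ldif}
DBDIR=${DBDIR:-/var/lib/ldap}
BACKUP=${BACKUP:-/var/tmp/ldap-db.$(date +%Y%m%d%H%M%S)}
SERVICE=${SERVICE:-slapd}

# Count entries in an LDIF file. Every entry starts with a "dn:" line;
# folded continuation lines start with a space, so they do not match ^dn:.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true   # grep -c exits 1 on zero matches but still prints 0
}

rebuild_ldap_db() {
    # 1. Export, then refuse to continue if the export is empty.
    slapcat -l "$LDIF"
    exported=$(ldif_entry_count "$LDIF")
    if [ "$exported" -eq 0 ]; then
        echo "export $LDIF is empty, refusing to continue" >&2
        return 1
    fi
    echo "exported $exported entries to $LDIF"

    # 2. Stop slapd; slapadd must not run against a live database.
    service "$SERVICE" stop

    # 3. Move the old database aside (keep it until the new one is verified).
    mv "$DBDIR" "$BACKUP"
    mkdir -p "$DBDIR"
    chown --reference="$BACKUP" "$DBDIR"
    chmod --reference="$BACKUP" "$DBDIR"

    # 4./5. Load. -c continues past bad entries; the count check below is what
    # tells you whether any were skipped.
    slapadd -v -c -l "$LDIF"

    # 6. Rebuild the indexes (slow on a large database).
    slapindex

    # Files created by root must be readable by the slapd user.
    chown -R --reference="$BACKUP" "$DBDIR"

    # 7. Start slapd, then re-export and compare the entry count.
    service "$SERVICE" start
    loaded=$(slapcat | grep -c '^dn:' || true)
    echo "loaded $loaded of $exported entries"
    if [ "$loaded" -ne "$exported" ]; then
        echo "entry count mismatch: check slapadd output for skipped entries" >&2
        return 1
    fi
}

# Demonstrate the counter on a constructed three-entry LDIF (one DN folded
# across two lines) without touching any real database.
demo_count() {
    tmp=$(mktemp)
    printf '%s\n' \
        'dn: dc=example,dc=com' 'objectClass: dcObject' 'dc: example' '' \
        'dn: ou=people,dc=example,dc=com' 'objectClass: organizationalUnit' 'ou: people' '' \
        'dn: uid=alice,ou=people,' ' dc=example,dc=com' 'objectClass: inetOrgPerson' 'uid: alice' \
        > "$tmp"
    ldif_entry_count "$tmp"
    rm -f "$tmp"
}

# The destructive procedure only runs when explicitly requested.
if [ "${RUN_REBUILD:-0}" = 1 ]; then
    rebuild_ldap_db
else
    echo "constructed sample LDIF holds $(demo_count) entries (set RUN_REBUILD=1 to rebuild)"
fi
```

Run it once with no arguments to see the counter work on the constructed sample, then with RUN_REBUILD=1 (and LDIF, DBDIR, SERVICE set for your system) to perform the rebuild. If the final count check fails, the old database is still intact in $BACKUP and can be moved back.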

While all this looks very simple, the indexing and the debugging took about 25 hours to sort out. It's pretty tedious going.

It's not really OpenLDAP's fault; this is an ancient install that was hastily put together and not properly maintained. It's just my bad luck to inherit it.

I'm planning on migrating all this data to a MySQL back end with LDAP in front and a replica (or two!) running. I'm then going to put these replicas behind a Cisco CSM for fast redundancy.
