Initialization script bails mid-way through first launch

[BlueRaccoonTech]

Summary

When launching the container for the first time, the 10-openldap initialization script appears to fail at the "converting schemas to LDIF" part and stop running at that point. The server still seems to launch and function (which actually seems to contradict the message it says where "all services are now halted"?), but looking into the server shows there are things missing that would otherwise be there.

This issue disappears when using the 7.1.22 image.

Steps to reproduce

1. Launch a brand-new container on the 7.2.0 (or latest) tag.
2. Watch logs and notice that slaptest fails, causing 10-openldap to exit uncleanly.

What is the expected correct behavior?

The openldap initialization script completes its tasks and exits normally.

Relevant logs and/or screenshots

+ print_notice 'Converting schemas to LDIF'
+ output_off
+ '[' TRUE = TRUE ']'
+ set +x
2021-11-12-23:26:28 [NOTICE] /etc/cont-init.d/10-openldap ** [openldap] Converting schemas to LDIF
+ schemas=
++ find /assets/slapd/config/bootstrap/schema -not -path '/assets/slapd/config/bootstrap/schema/rfc2307bis/*' -name '*.schema' -type f
+ schema2ldif ''
+ schemas=
+ '[' nis = rfc2307bis ']'
+ '[' nis = RFC2307BIS ']'
+ SCHEMA_TYPE=nis
++ mktemp -d
+ tmpd=/tmp/tmp.BhUKtNHFTB
+ pushd /tmp/tmp.BhUKtNHFTB
+ echo 'include /etc/openldap/schema/core.schema'
+ echo 'include /etc/openldap/schema/cosine.schema'
+ echo 'include /etc/openldap/schema/nis.schema'
+ echo 'include /etc/openldap/schema/inetorgperson.schema'
+ silent slaptest -f convert.dat -F .
+ '[' TRUE = TRUE ']'
+ slaptest -f convert.dat -F .
config_setup_ldif: expected directory . to be empty!
slaptest: bad configuration directory!
[cont-init.d] 10-openldap: exited 1.
[cont-init.d] 99-container: executing... 
+ PROCESS_NAME=container
+ var_false FALSE
+ '[' FALSE = FALSE ']'
+ output_off
+ '[' TRUE = TRUE ']'
+ set +x
**********************************************************************************************************************
**********************************************************************************************************************
****                                                                                                              ****
****       ERROR - Some initialization scripts haven't completed - All services are now halted                    ****
****             - The following scripts in '/etc/cont-init.d' did not pass their completion check                ****
****                                                                                                              ****
**********************************************************************************************************************
**********************************************************************************************************************

10-openldap

**********************************************************************************************************************
**********************************************************************************************************************
****                                                                                                              ****
****       This could have happened for a variety of reasons. Please make sure you have followed the README       ****
****       relating to this image and have proper configuration such as environment variables and volumes set     ****
****                                                                                                              ****
****       If you feel that you have encountered a bug, please submit an issue on the revision control system     ****
****       and provide full debug logs by setting the environment variable 'DEBUG_MODE=TRUE'                      ****
****                                                                                                              ****
**********************************************************************************************************************
**********************************************************************************************************************
[cont-init.d] 99-container: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Environment

• Image version / tag: latest
• Host OS: Ubuntu 20.04 LTS

Any logs | docker-compose.yml

Possible fixes

It seems like there was a change to slaptest where it requires the destination config directory to be empty, but that directory is also where the file with the schemas to be converted are located. I haven't tested it myself, but I wonder if making a new directory within the temp directory and using that for the destination config directory would resolve the issue.

[tiredofit]

Thanks for this report. This is the first image with OpenLDAP 2.6 - I held off on moving out of the 2.4.x branch until this was released. Would you mind if we try a couple tests together?

I've made a new version of tiredofit/openldap:develop that uses your suggestion of creating an additional empty directory. Are you able to try this and see if you get better results?

I may end up pulling 7.2.0 and latest is this persists.

[BlueRaccoonTech]

That makes it no longer crash on that converting schemas step anymore, and goes further in initialization, but it does still fail unfortunately:

2021-11-13-01:21:35 [DEBUG] /etc/cont-init.d/10-openldap ** [openldap] Adding ppolicy Schema
+ /usr/bin/schema2ldif /etc/openldap/schema/ppolicy.schema
Error: /etc/openldap/schema/ppolicy.schema is not a file
[cont-init.d] 10-openldap: exited 2.

The ppolicy.schema file doesn't appear to exist at all, looking in the directory.

[tiredofit]

Looks like here they moved the schema into the module itself. https://github.com/openldap/openldap/commit/44191183be6a1e323eec6708fc8acfb9160d8188#diff-5b7ab737465d821532527e6e4cad597e98039d005012934cb900256562481d5d

I've pushed a new tiredofit/openldap:develop to support this.

[BlueRaccoonTech]

Seems like the initialization completed just fine after that last change.

[tiredofit]

are you getting this by chance?

2021-11-13-01:38:24 [NOTICE] ** [openldap] Using NIS schema type
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)

[BlueRaccoonTech]

That's not happening to me during that part of the script, no. The only time I see the "Can't contact LDAP server" error is while it's waiting for OpenLDAP to be ready, which is of course expected.

[tiredofit]

Many thanks for your patience. Pushing 7.2.1 with these changes in it, and will also rebuild tiredofit/openldap-fusiondirectory for those who are dependent on this image for that one to work :)

[BlueRaccoonTech]

...Oh, something happened and I need to correct myself - I wasn't getting that error in debug mode. I just switched off debug mode and re-initialized my server and now I am getting that error. It doesn't seem to have caused the initialization to fail, however.

And of course! Thank you for your prompt response to my bug report!

[jrevillard]

are you getting this by chance?

2021-11-13-01:38:24 [NOTICE] ** [openldap] Using NIS schema type
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)

Hello, I'm getting this error on the latest image.... ldap does not start anymore.

Best, Jerome

[tiredofit]

HI Jerome, Tell me a bit about your install. Using NIS or RFC2307. Can you share me any other logs as to what happens?

You can also privately send logs to me dave@ (mygithubname).ca

[jrevillard]

Indeed, perhaps not the same .... I just sent you the logs by email.

Best, Jerome

[jurkov]

What's the status? I get the same error for the master and 2.4 branches. Also tiredofit/openldap:develop. Building the image gets also stuck at https://github.com/tiredofit/docker-openldap/blob/0e7d3ef7f1043e1d610998f952abe83e3635e977/Dockerfile#L147