i'll try and be concise:
i'm running a Ubuntu server 20.04 VM, i've installed OpenLDAP and Samba (this is an assignment, so i'm not worrying very much that those both are hosted on same server for the time being). I set Samba up and create my shares; then i set LDAP on, and by looking at my LDAP structure, it seems that it's working fine, i installed SSSD to bind the two and allow me to authenticate with my samba credentials, but i'm hitting my head against a brick wall.
I'll explain the passages here:
installed packages:
slapd ldap-utils samba smbldap-tools locate net-tools fusiondirectory-plugin-samba-schema sssd-ldap phpldapadmin
I followed the procedure at these 2 links:
https://ubuntu.com/server/docs/service-ldap
https://ubuntu.com/server/docs/samba-openldap-backend
and yet, whenever i try to log from my guest to the server, using my LDAP credentials, it just yeets me off. It works if i try and log in as a guest tho, so i'm really wondering what's the problem. I've been dealing with it within the past 4 days :(.
I'll post my config files, with all of the sensitive info masked:
smb.conf:
[global]
workgroup = SHELLERATI
netbios name = ldamba
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
#ldap idmap suffix = ou=Idmap
idmap config * : range = 10000-199999
#idmap config * : backend = ldapsam:ldapi://server-ip/
logging = syslog#1 /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
#map to guest = bad password
security = domain
realm = ws-samba.it
# LDAP Settings
passdb backend = ldapsam:ldap://server-hostname
ldap suffix = dc=ws-samba,dc=it
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=ws-samba,dc=it
ldap ssl = no
ldap passwd sync = yes
[docs]
comment = Comment
browseable = yes
path = /mnt/docs
guest ok = yes
read only = yes
create mask = 0700
[hr]
comment = Comment
path = /mnt/hr
browseable = no
read only = no
guest ok = no
create mask = 0755
[devel]
comment = Comment
browseable = yes
path = /mnt/devel
guest ok = no
read only = no
create mask = 0755
[tech]
comment = Comment
browseable = yes
path = /mnt/tech
guest ok = no
read only = no
create mask = 0755
sssd.conf:
[sssd]
config_file_version = 2
domains = ws-samba.it
services = nss, pam, autofs
[nss]
homedir_substring = /home
[pam]
[domain/ws-samba.it]
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = automountInformation
id_provider = ldap
#autofs_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server-ip/
#cache credentials= True
ldap_search_base = dc=ws-samba,dc=it
smbldap.conf:
SID="{correct-sid}"
sambaDomain="SHELLERATI"
slaveLDAP="server-hostname"
slavePort="389"
masterLDAP="server-hostname"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=ws-samba,dc=it"
usersdn="ou=People,${suffix}"
computersdn="ou=,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=SHELLERATI,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format=""
userLoginShell="/bin/false"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\ldamba\%U"
userProfile="\\ldamba\profiles\%U"
userHomeDrive=""
userScript=""
mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
last, and i don't know if i'm making it any easier for you, my ldap structure:
dn: ou=People,dc=ws-samba,dc=it
objectClass: organizationalUnit
ou: hr
dn: ou=Groups,dc=ws-samba,dc=it
objectClass: organizationalUnit
ou: hr
dn: cn=employees,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: employees
gidNumber: 5000
dn: cn=hr,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: hr
gidNumber: 5001
dn: cn=tech,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: tech
gidNumber: 5002
dn: cn=devel,ou=Groups,dc=ws-samba,dc=it
objectClass: posixGroup
cn: devel
gidNumber: 5003
dn: uid=panna,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: panna
sn: surname
givenName: name
cn: name-surname
displayName: name-surname
uidNumber: 10001
gidNumber: 5002
userPassword: password
loginShell: /bin/false
homeDirectory: /home/panna
dn: uid=marcoz,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marcoz
sn: surname
givenName: name
cn: name surname
displayName: name surname
uidNumber: 10002
gidNumber: 5003
userPassword: password
loginShell: /bin/false
homeDirectory: /home/marcoz
dn: uid=pmarco,ou=People,dc=ws-samba,dc=it
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pmarco
sn: surname
givenName: name
cn: name surname
displayName: name surname
uidNumber: 10003
gidNumber: 5001
userPassword: password
loginShell: /bin/false
homeDirectory: /home/pmarco
I manually created the home directories for my 3 users, and checking the password, it matches with the one in my possession. If i launch smbldap-useradd -a panna it tells me that it already exists, but when i run a search on my local machine, it doesn't exist.
as of now, if i try and run an ldapsearch, it finds any parameter i look for, but by running pdbedit -L it returns blanks, and I really don't know where to look for anymore, Needless to say, whenever I try and reach for my shares, i find them as guest, but when I try to log to any one share which is not the [docs] one, it gives me:
$ smbclient //server-ip/tech -U panna
Password for [SHELLERATI\panna]:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
I'm sorry for the long post, and i'm grateful in advance for your attention.
Cheers!
i tried editing manually all of these 3 conf files, following many guides online, studying ldap structure, clearly rebooting and/or restarting services, changing user, changing password, adding a user locally to the machine, nothing worked.
Related
I set a centos 8 server as openldap server and kerberos auth. and I'm not able to get userldap remotely
#server:
[15:04 root#server ~] > ldapsearch -x -b "dc=bravo,dc=lab" -H ldap:/// -D "cn=admin,dc=bravo,dc=lab" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=bravo,dc=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# bravo.lab
dn: dc=bravo,dc=lab
objectClass: dcObject
objectClass: organization
objectClass: top
o: bravo
dc: bravo
# groups, bravo.lab
dn: ou=groups,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: groups
# people, bravo.lab
dn: ou=people,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: people
# kb_user01, people, bravo.lab
dn: uid=kb_user01,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user01
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/kb_user01
userPassword:: e1NTSEF9S3hGUnozUnUzTVMxZXQvNDVLdFFYSHVWVU4vajV1MVI=
# kb_user01, groups, bravo.lab
dn: cn=kb_user01,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user01
gidNumber: 10000
memberUid: kb_user01
# kb_user02, people, bravo.lab
dn: uid=kb_user02,ou=people,dc=bravo,dc=lab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kb_user02
cn: Adam
sn: blanc
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/kb_user02
userPassword:: e1NTSEF9SUFrSkUvQmZObHdlSmpUblFaMWxjMWRMR1k3MFh5Nlg=
# kb_user02, groups, bravo.lab
dn: cn=kb_user02,ou=groups,dc=bravo,dc=lab
objectClass: posixGroup
cn: kb_user02
gidNumber: 10001
memberUid: kb_user02
# system, bravo.lab
dn: ou=system,dc=bravo,dc=lab
objectClass: organizationalUnit
objectClass: top
ou: system
# readonly, system, bravo.lab
dn: cn=readonly,ou=system,dc=bravo,dc=lab
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: e1NTSEF9M3lSV2wzdkhpc0UzR2w3d3JqMDR4dTF6R3NDajB3Rm4g
description: Bind DN user for LDAP Operations
# search result
search: 2
result: 0 Success
# numResponses: 10
enter code here`# numEntries: 9
I created user readonly to query ldapDatabase with those Access
[15:16 root#server ~] > ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People
,dc=bravo,dc=lab" write by dn="cn=readonly,ou=People,dc=bravo,dc=lab" read by
self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=bravo,dc=lab" write by dn="cn=
readonly,ou=People,dc=bravo,dc=lab" read by self write by anonymous auth by *
none
client nslcd configuration
uri ldap://server.bravo.lab/
base dc=bravo,dc=lab
binddn cn=readonly,ou=People,dc=bravo,dc=lab
When i launch this it does not work
id kb_user01
I get on the server
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 ACCEPT from IP=10.0.0.111:48728 (IP=0.0.0.0:389)
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 BIND dn="cn=readonly,ou=People,dc=bravo,dc=lab" method=128
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Oct 7 15:26:28 server slapd[114988]: conn=1312 op=1 UNBIND
Oct 7 15:26:28 server slapd[114988]: conn=1312 fd=17 closed
Do you have any Idea because from my point of view I would like to grant read access without password but still i get the error.
Please help thanks and best regards
Finally I got it,
I did three mistakes:
1 : On the client side (nslcd configuration) the right Binddn was
binddn cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab
2 : On the client side (nslcd configuration) in BindPW I put the Hashed password instant of clair on
3 : the same mistake as #1 but this time on ACL of the ldap
by dn="cn=readonly,ou=***SYSTEM***,dc=bravo,dc=lab" read by self write
On current setup I have OpenLDAP server on which I had manually added eduPerson schema and from it I can retrieve without any problem attributes like eduPersonPrincipalName, eduPersonPrimaryAffiliation etc.
Now I want to test with 389 Directory Server which from what I have understood it has pre-added eduPerson schema. The problem is that even after I create a user with eduPerson attributes like eduPersonPrincipalName etc, I can not retrieve any attribute value of eduPerson schema. I need it because of SimpleSAMLphp SSO we use. Below is an search example of a user with multiple eduPerson attributes and none of them gets shown:
ldapsearch -x -b "cn=John Doe,ou=people,dc=domain,dc=com" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, domain.com
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationcomPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/user#domain.com
uid: user#domain.com
uidNumber: 10055
description: Authenticated at 2020-04-28 12:27:08.657033
loginShell: /bin/bash
mail: user#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Thank you,
EDIT:
Another example which might help more. Below is a ldif file of a user:
version: 1
dn: cn=John Doe,ou=people,dc=domain,dc=com
objectClass: eduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: John Doe
gidNumber: 10000
homeDirectory: /home/jdoe#domain.com
sn: Doe
uid: jdoe#domain.com
uidNumber: 10057
carLicense: AA123BB
departmentNumber: IT
eduPersonPrimaryAffiliation: employee
eduPersonPrincipalName: jdoe#domain.com
eduPersonScopedAffiliation: employee#domain.com
employeeNumber: 1234567890
givenName: John
initials: JD
loginShell: /bin/bash
mail: jdoe#domain.com
title: Software Developer
userPassword:: e0NSWVBUfSQ2JG1LcDlHUmRUcENBRVZ1ZkUkc0djRkNsalcyWEVoby9FRlNGS
jhLRXRYR1dmTGFUNXNYUk9BbHFRSHhoWXN4TWlZWEl6SEFCa0U1UzN3cm5uSktMSVAyTlg1d0V5
YXN1U1laNXJocDA=
When I try to search for this user I get only the attributes below:
ldapsearch -x -b "cn=John Doe,ou=people,dc=rash,dc=al" -H ldap://127.0.0.1:389
# extended LDIF
#
# LDAPv3
# base <cn=John Doe,ou=people,dc=rash,dc=al> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# John Doe, people, rash.al
dn: cn=John Doe,ou=people,dc=rash,dc=al
objectClass: eduPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jdoe#domain.com
uid: jdoe#domain.com
cn: John Doe
uidNumber: 10057
gidNumber: 10000
mail: jdoe#domain.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.
I'm trying to get the dynamic memberOf attribute to work in my in-memory-ldap-server. I'm using the standard edition of UnboundID.
I tried with the following .ldif-files if it is activated by default:
base.ldif:
dn: dc=example,dc=com
objectclass: domain
dc: example
dn: ou=Group,dc=example,dc=com
objectclass: organizationalUnit
ou: Group
dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
dn: uid=test1,ou=People,dc=example,dc=com
objectclass: account
uid: test1
#Group 1.1
dn: cn=testUndergroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testUndergroup
#Group 1
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testgroup
modify.ldif:
dn: cn=testgroup,ou=Group,dc=example,dc=com
changetype: modify
add: member
member: uid=test1,ou=People,dc=example,dc=com
when i do this ldap-search:
seach:
ldapsearch --hostname localhost --port 3268 --baseDN dc=example,dc=com "(uid=test1)" memberOf
i dont get the memberof in the answer:
# Connected to localhost:3268
dn: uid=test1,ou=People,dc=example,dc=com
# The search operation was processed successfully.
# Entries returned: 1
# References returned: 0
# Disconnected from the server
So it isn't activated by default.
How can i activate the memberOf attribute in UnboundID?
BTW: i can not use dynamic groups like they are mentioned here
The in-memory directory server shipped with the LDAP SDK does not support groups. The document that you are referencing on our community portal refers to the UnboundID Directory Server - which is a commercial product and distinct from the in-memory directory server. You can request a free trial download to the UnboundID Directory Server through the main website (https://www.unboundid.com or https://www.pingidentity.com). I hope this helps.
I just Installed OpenLDAP on Ubuntu Server 12.10, and I added an ldif file using slapadd -c -l init.ldif as the following :
dn:dc=tpw,dc=uca,dc=ma
dc: tpw
objectClass: dcObject
objectClass: top
objectClass: domain
dn: ou=people,dc=tpw,dc=uca,dc=ma
ou: people
objectClass: organizationalUnit
objectClass: top
dn: ou=groupes,dc=tpw,dc=uca,dc=ma
ou: groupes
objectClass: organizationalUnit
objectClass: top
dn: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
uid: admin
sn: Admin
cn: Admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9
mail: admin#uca.ma
givenName: admin
dn: cn=GI,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GI
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GP,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GP
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GT,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GT
objectClass: groupOfUniqueNames
objectClass: top
Now my ldap tree looks like this :
Then I tried to add a new inetOrgPerson using Apache Directory Studio, but I got this error :
[LDAP: error code 80 - index generation failed]
Then I tried the same thing using phpLDAPadmin, but I got this error :
Impossible d'ajouter l'objet au serveur LDAP.
LDAP dit :: Other (e.g., implementation specific) error
Erreur numéro :: 0x50 (LDAP_OTHER)
Then I created a file which I named xx.ldif :
dn: uid=xx,ou=people,dc=tpw,dc=uca,dc=ma
cn: XX
givenname: xx
mail: xx#edu.uca.ma
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: XX
uid: xx
userpassword: toor
And I tried to add this entry using this command via terminal :
sudo ldapadd -x -D cn=Manager,dc=tpw,dc=uca,dc=ma -W -f xx.ldif
But I got this error :
ldap_add: Other (e.g., implementation specific) error (80)
additional info: index generation failed
How can I solve this problem ?
PS : In another scenario I deleted my database and I modified the file init.ldif wich contains all the entries I want to add, and I added the entry xx, then I imported my file using the slapadd command, but In this way I have to delete the database every time I want to add a new entry, which is not practical.
Edit1 :
This is the output of the command slapindex :
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!
5370d6f9 /etc/ldap/slapd.conf: line 95: rootdn is always granted unlimited privileges.
5370d6f9 /etc/ldap/slapd.conf: line 112: rootdn is always granted unlimited privileges.
5370d6f9 hdb_db_open: database "dc=tpw,dc=uca,dc=ma": database already in use.
5370d6f9 backend_startup_one (type=hdb, suffix="dc=tpw,dc=uca,dc=ma"): bi_db_open failed! (-1)
slap_startup failed
The first thing is that init.ldif file seems to be misconfigured :
domainComponent "uca" (dc=uca) is missing, there should be an entry (dcObject or domain objectClass) to define this attribute that holds a component of the domain name.
dcObject is intended to be used in entries for which there is an appropriate structural object class. For example, if the domain represents a particular organization, the entry would have as its structural object class 'organization', and the 'dcObject' class would be an auxiliary class.
domain is a structural object class used for entries in which no other information is being stored. The domain object class is typically used for entries that are placeholders or whose domains do not correspond to real-world entities.
In your .ldif file you can replace the first entry "dn: dc=tpw,dc=uca,dc=ma" with these 2 (then delete your database again and redo the slapadd command) :
dn: dc=uca,dc=ma
objectClass: top
objectClass: organization
objectClass: dcObject
dc: uca
o: an organization name (mandatory with 'organization' objectClass)
dn: dc=tpw,dc=uca,dc=ma
objectClass: top
objectClass: domain
dc: tpw
Second thing : obviously you have landed into an index issue. I think you do want to use indexes but if not, find and remove any line beginning with index from slapd.conf, e.g. :
index objectClass eq.
Remember to stop slapd and run slapindex after every change comitted to the index definitions in slapd.conf, and ensure all ldap clients have been disconnected before running slap commands to prevent database already in use messages.
So take the hints given you by slapindex. Don't run slapd as root, fix lines 95 and 112, and don't run slapd twice, or fix whatever is causing it to think the database is already in use.
While this isn't relevant to the OP's question, I ran into a similar error of:
bdb_db_open: database already in use
or
hdb_db_open: database "dc=XXX,dc=XXX,dc=XXX": database already in use.
One of our Openshift nodes went down and the PVC's (mount) /var/lib/ldap/ __db.001, __db.002 and __db.003 had become locked. After googling for hours, the only solution I found was to perform the following (and note, since it was OpenShift, I had to use a debug pod to get a shell).
mkdir /var/lib/ldap/backup
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Try and restart slapD, if it still fails as it did with one of OpenLDap instances, then move the alock file
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Restart slapD or in our instance delete the OpenShift pod and let it be recreated. Everything may now be working as it did for us - hope this might help anyone else running into the same issue.