
Re: /etc/ldap/slapd.conf: line 158: invalid path: Permission denied



On Mon, Aug 25, 2008 at 10:04:07AM +0800, zhangweiwu@realss.com wrote:
> zhangweiwu@realss.com wrote:
> > root@emerson # slapd -d 256 -h 'ldap://0.0.0.0:636/'  -f /etc/ldap/slapd.conf
> > @(#) $OpenLDAP: slapd 2.4.9 (Aug  5 2008 20:18:55) $
> > 	buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> > /etc/ldap/slapd.conf: line 126: rootdn is always granted unlimited privileges.
> > /etc/ldap/slapd.conf: line 143: rootdn is always granted unlimited privileges.
> > /etc/ldap/slapd.conf: line 158: invalid path: Permission denied
> > slapd stopped.
> > connections_destroy: nothing to destroy.
> >
> > Where:
> > root@emerson # sed -n 158p /etc/ldap/slapd.conf 
> > directory       "/var/lib/ldap_jxpado"
> >
> >   
> After a lot of experiments it seems anything other than '/var/lib/ldap',
> when used for the directory directive, would generate "invalid path:
> Permission denied". I also tested /var/lib/ldap/jxpado in case slapd
> runs in chroot by mistake (~openldap=/var/lib/ldap).
> 
> This is rather strange to me; could it be the Ubuntu server edition of
> slapd was modified? I configured a dozen more slapd servers where I
> altered the directory, on Gentoo Linux; this is the first time I do it on
> Ubuntu server.

Starting from Ubuntu 8.04, slapd is protected by an apparmor profile.
Since you're using a non-standard directory for your database, you'll get
a permission error. You should see audit messages in /var/log/kern.log
related to slapd.

You should adjust your slapd profile to include your directory. See [1]
for more information on how to update an apparmor profile.

[1]: https://wiki.ubuntu.com/DebuggingApparmor

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
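
As an added example that is not part of the original message or of Ubuntu's tooling: a small Python script that pulls slapd AppArmor denials out of kern.log text and prints candidate file rules for the profile. The sample log lines are constructed, and their field layout (key="value" pairs including `profile`, `name` and `denied_mask`) is an assumption about the audit format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). The field layout is an
# assumption: one older-style and one newer-style AppArmor audit record.
SAMPLE_KERN_LOG = """\
Aug 25 10:01:12 emerson kernel: [812.100] audit(1219629672.100:31): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/ldap_jxpado/" pid=5121 profile="/usr/sbin/slapd" namespace="default"
Aug 25 10:01:13 emerson kernel: [813.200] audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/lib/ldap_jxpado/id2entry.bdb" pid=5121 comm="slapd" requested_mask="rwc" denied_mask="rwc"
Aug 25 10:01:14 emerson kernel: [814.300] audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=700 comm="cupsd" requested_mask="r" denied_mask="r"
Aug 25 10:01:15 emerson kernel: [815.400] eth0: link up
"""

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Turn one log line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in PAIR.findall(line)}


def denied_paths(log_text, profile="/usr/sbin/slapd"):
    """Map each path denied to `profile` onto the set of permissions it lacked."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("profile") != profile or "denied_mask" not in f or "name" not in f:
            continue
        if f.get("apparmor", "DENIED") != "DENIED":  # skip ALLOWED/AUDIT records
            continue
        # Logged 'c' (create) and 'd' (delete) are both covered by 'w' in a rule.
        mask = f["denied_mask"].replace("c", "w").replace("d", "w")
        denied[f["name"]].update(ch for ch in mask if ch.isalpha())
    return dict(denied)


def suggest_rules(denied):
    """Format the denials as profile file rules, permissions in a stable order."""
    order = "rwaklmx"
    return [
        "  {} {},".format(path, "".join(p for p in order if p in denied[path]))
        for path in sorted(denied)
    ]


if __name__ == "__main__":
    print("\n".join(suggest_rules(denied_paths(SAMPLE_KERN_LOG))))
```

The output lists one rule per denied path; review each one before adding it to the slapd profile rather than pasting the list in wholesale.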