Re: still segmentation faults with SSL

Hi Tony,

>> Do you have 'localhost' anywhere in your configuration files?
> ahm, well I do - why, is that bad??
It is.  When I saw the "address family not supported" I was reminded of
previous notes involving configuration files with directives containing
"localhost" and not the FQDN or IP address.  From the location of your
segfault, I wouldn't expect a "localhost" entry, in say ldap.conf, to be
the root of your problem though.  Keep this in mind for the future.

>> Is the slapd daemon really owned by ldap/root (user/group)?  I don't
>> to run slapd with -u/-g.
> No, the slapd executable is not owned by user ldap, but by user root. I
> just thought it is good security practice to not have all services run
> by root.
Sure, it's a great practice, but user ldap has to exist and needs
permission to execute the server, read databases, certificates, keytabs,
etc.  I think this is your main problem.

>> The "address family not supported by protocol" error for both ldap://
>> ldaps:// means that it isn't only a TLS/SSL issue.  I haven't run into
>> one (yet), so hopefully someone who has can help you out with it.
> That's what I hope too ;-)
Anyone? Anyone?

>> I would try to start out with a barebones server (no SSL/TLS, etc) and
>> from there.  If you are already doing this ... I'll light a candle for
> Thank you very much. I really appreciate your help. I will start from the
> beginning again.
You're welcome, good luck!

Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com