Re: still segmentation faults with SSL

Hi Tony,

>> Do you have 'localhost' anywhere in your configuration files?
> ahm, well I do - why, is that bad??
It is.  When I saw the "address family not supported"  I was reminded of
previous notes involving configuration files with directives containing
"localhost" and not the FQDN or IP address.  From the location of your
segfault, I wouldn't expect a "localhost" entry, in say ldap.conf, to be
the root of your problem though.  Keep this in mind for the future.

>> Is the slapd daemon really owned by ldap/root (user/group)?  I don't have
>> to run slapd with -u/-g.
> No, the slapd executable is not owned by user ldap, but by user root. I
> just thought it is good security practice to not have all services run
> by root.
Sure, it's a great practice, but user ldap has to exist and needs
permission to execute the server, read databases, certificates, keytabs,
etc.  I think this is your main problem.

>> The "address family not supported by protocol" error for both ldap:// and
>> ldaps:// means that it isn't only a TLS/SSL issue.  I haven't run into that
>> one (yet), so hopefully someone who has can help you out with it.
> That's what I hope too ;-)
Anyone? Anyone?

>> I would try to start out with a barebones server (no SSL/TLS, etc) and go
>> from there.  If you are already doing this ... I'll light a candle for you.
> Thank you very much. I really appreciate your help. I will start from the
> beginning again.
You're welcome, good luck!

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
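
The permission point in the reply above (the account slapd runs as must be able to read the databases, certificates and keytabs it opens), as an added example that is not part of the original message: a Python check that walks every parent directory of a file and reports which mode bits block a given account. It evaluates classic owner/group/other bits only (ACLs are ignored), and the account name and paths are supplied by the caller.

```python
import grp, os, pwd, stat, sys

def allowed(st, uid, gids, want):
    """Classic owner/group/other mode-bit check; ACLs are not consulted."""
    if uid == 0:
        return True  # root bypasses read and search checks
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def blockers(path, uid, gids):
    """List (path, reason) pairs that stop uid/gids from reading `path`."""
    path = os.path.realpath(path)
    chain = [path]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    problems = []
    for p in reversed(chain):  # from / down to the target
        try:
            st = os.stat(p)
        except FileNotFoundError:
            return problems + [(p, "does not exist")]
        if p != path:
            want, label = 1, "search (x)"         # must traverse each parent
        elif stat.S_ISDIR(st.st_mode):
            want, label = 5, "read+search (r-x)"  # e.g. a database directory
        else:
            want, label = 4, "read (r)"           # e.g. a key, cert or keytab
        if not allowed(st, uid, gids, want):
            problems.append((p, "no " + label + " permission"))
    return problems

def account_ids(user):
    """uid and all gids of `user`; raises KeyError if the account is missing."""
    pw = pwd.getpwnam(user)
    extra = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra

if __name__ == "__main__":
    # Usage: script.py ACCOUNT PATH...  (account and paths are the caller's own)
    uid, gids = account_ids(sys.argv[1])
    for target in sys.argv[2:]:
        for where, why in blockers(target, uid, gids):
            print(f"{target}: {where}: {why}")
```

Run it as root so that every directory on the path can be examined; an empty result for a path means the mode bits alone do not block the account.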