Re: -u and -g not working with slapd



Jim C. wrote:
| Figured it out.
|
| OK, so:
| [root@enigma openldap]# /usr/sbin/slapd -d 16 -u ldap -g ldap -l LOCAL0
| -s 0 -h "ldap:/// ldaps:/// "
|
| returns this:
|
| bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (March 25, 2004)
| TLS: could not load verify locations
| (file:`/etc/ssl/openldap/ldap.pem',dir:`').
| TLS: error:02001002:system library:fopen:No such file or directory
| bss_file.c:104
| TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107
| TLS: error:0B084002:x509 certificate
| routines:X509_load_cert_crl_file:system lib by_file.c:274
| main: TLS init def ctx failed: -1
| slapd stopped.
| connections_destroy: nothing to destroy.
| [root@enigma openldap]#
|
| ldap.pem, huh? Bad perms/ownership?
|
| It is showing root.root as owner.  I've changed it to root.ldap and now
| it works fine.... except when /etc/ssl/openldap/ldap.pem does not exist.
| Then we have the same error because the new script does not generate
| /etc/ssl/openldap/ldap.pem dynamically when the file is found to be
| non-existent.  This was the case in previous versions of the
| /etc/init.d/ldap initscript on Mandrake.

I don't think so:
http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/SPECS/openldap/ldap.init?rev=1.8&content-type=text/x-cvsweb-markup

Certs are currently (and have been for a long time) generated in %post
of openldap-servers:

$ rpm -q --scripts openldap-servers |grep -C5 "\.pem"
                chmod 0600 $i
                chown ldap:ldap $i
        fi
done

# generate the ldap.pem cert here instead of the initscript
if [ ! -e /etc/ssl/openldap/ldap.pem ] ; then
  if [ -x /usr/share/openldap/gencert.sh ] ; then
    echo "Generating self-signed certificate..."
    pushd /etc/ssl/openldap/ > /dev/null
    yes ""|/usr/share/openldap/gencert.sh >/dev/null 2>&1
    chmod 640 ldap.pem
    chown root:ldap ldap.pem
    popd > /dev/null
  fi
  echo "To generate a self-signed certificate, you can use the utility"
  echo "/usr/share/openldap/gencert.sh..."
fi

We can't do *everything* for the user ... (but a better solution is
required for managing certificates, don't know if we'll have time to
implement for 10.1 though ...).

Either you lost your cert in the upgrade, or a combination of your
slapd.conf and the bad regex that was in the older init script was
saving you from this problem before?

Regards,
Buchan

-- 
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
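As an added example (not from this thread or from Mandrake's packaging), a POSIX shell pre-flight check that applies the same reasoning as the %post above: it reads owner, group and mode of the cert file and reports whether slapd started with "-u ldap -g ldap" could open it, flagging the root:root 0600 case from Jim's report and the opposite mistake of making the key world-readable. The function name and its message wording are assumptions; it assumes a stat that accepts -c %U/%G/%A (GNU or busybox).

```shell
#!/bin/sh
# check_slapd_cert FILE RUN_USER RUN_GROUP
# Decides from owner, group and mode bits alone whether slapd running as
# RUN_USER:RUN_GROUP (after "-u/-g" privilege drop) could read FILE, the
# TLS cert/key it loads at startup, and prints what to fix when it could not.
# Added example, not the thread's or the package's code; assumes stat -c.
check_slapd_cert() {
    file=$1 run_user=$2 run_group=$3
    if [ ! -e "$file" ]; then
        echo "missing: $file (the package %post only generates it when absent; run gencert.sh)"
        return 1
    fi
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    perm=$(stat -c %A "$file")          # symbolic mode, e.g. -rw-r-----
    u_r=$(printf %s "$perm" | cut -c2)  # owner read bit
    g_r=$(printf %s "$perm" | cut -c5)  # group read bit
    o_r=$(printf %s "$perm" | cut -c8)  # other read bit
    if [ "$o_r" = r ]; then
        # slapd could read it, but the file also holds the private key
        echo "world-readable: $file is $perm; use 'chmod 640 $file' and 'chown root:$run_group $file'"
        return 1
    fi
    if [ "$owner" = "$run_user" ] && [ "$u_r" = r ]; then
        echo "ok: $file readable by $run_user via owner bit ($owner:$group $perm)"
        return 0
    fi
    if [ "$group" = "$run_group" ] && [ "$g_r" = r ]; then
        echo "ok: $file readable by $run_user via group $run_group ($owner:$group $perm)"
        return 0
    fi
    # the case from the thread: root:root 0600 while slapd runs as ldap:ldap
    echo "unreadable by $run_user:$run_group: $file is $owner:$group $perm;" \
         "use 'chown root:$run_group $file' and 'chmod 640 $file'"
    return 1
}

# stand-alone use: ./check.sh /etc/ssl/openldap/ldap.pem ldap ldap
[ $# -gt 0 ] && check_slapd_cert "$@"
```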