Problem with /etc/init.d/ldap?

Daniel B. Thurman dant at cdkkt.com
Sat Nov 19 20:58:11 UTC 2005 

>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Tony Nelson
>Sent: Friday, November 18, 2005 2:34 PM
>To: fedora-list at redhat.com
>Subject: RE: Problem with /etc/init.d/ldap?
>
>
>At 1:24 PM -0800 11/18/05, Daniel B. Thurman wrote:
>>>>"Daniel B. Thurman" <dant at cdkkt.com> wrote:
>>
>>>>
>>>>Did you say "export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"?
>>>>                                ^^^^^
>>>
>>>I was told to add the following environment variable
>>>to the /etc/sysconfig/ldap file:
>>>
>>>KRB5_KTNAME=/etc/openldap/ldap.keytab
>>>
>>>The file: /etc/openldap/ldap.keytab
>>>is chmod 640 and chown root:ldap
>>>
>>
>>I read your information carefully and tried
>>the following in the /etc/sysconfig/ldap:
>>
>>1) KRB5_KTNAME=/etc/openldap/ldap.keytab
>>2) KRB5_KTNAME="/etc/openldap/ldap.keytab"
>>3) export KRB5_KTNAME=/etc/openldap/ldap.keytab
>>4) export KRB5_KTNAME="/etc/openldap/ldap.keytab"
>>5) export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab
>>6 export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
>>
>>None of these worked.
>
>Not too carefully.  Note your use of " in 6, and compare with 
>what he wrote.
>____________________________________________________________________
>TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
>      '                              <http://www.georgeanelson.com/>
>

Tony, I have no idea what you are talking about...

I have tried everything within the /etc/init.d/ldap
script from trying to directly add the environment
variable: KRB5_KTNAME within the temporary wrapper
file, and even did this:

cat >> $wrapper <<- EOF
#!/bin/bash -x
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
echo 'KRB5_KTNAME='$KRB5_KTNAME
exec ${slapd} -h ${harg} -d ${user} $OPTIONS $SLAPD_OPTIONS
EOF

And I find it odd that the exporting of KRB5_KTNAME variable
does NOT work within the cat construct but placing the export
of KRB5_KTNAME outside of this wrapper does work. Hmmm....
well - at least I do know now that /etc/sysconfig/ldap is
working within the /etc/init.d/ldap script, however I still
do not know for certain that the KRB5_KTNAME is being
accepted by the slapd invocation within the wrapper script.

I tried Craig's suggestion to add logging information
so that I can see if slapd is accepting the KRB5_KTNAME
environment variable:

=====================================================
local4.*<tab>/var/log/slapd.log ==> /etc/syslog.conf
loglevel 256 ==> /etc/openldap/slapd.conf
=====================================================

I was able to get the logging information to work,
however, I still was not able to tell if slapd
sees the KRB5_KTNAME variable!  Does anyone have
any suggestions on how to obtain this or can one
get it?

Also, there was one other thing...  I also added:
=====================================================
svrtab /etc/openldap/ldap.keytab ==> /etc/openldap/slapd.conf
=====================================================

and this did not work either.

Again, as root, I can get slapd working on the
command-line and kerberos/LDAPS works well:
=====================================================
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
slapd -u ldap -h "ldap:/// ldaps:///"
=====================================================

And even this works:
=====================================================
export KRB5_KTNAME="/etc/openldap/ldap.keytab"
slapd -u ldap -h "ldap:/// ldaps:///"

(I don't see at this point why FILE: is even needed)
=====================================================

At this point I am running LDAP manually until
a solution can  be found.  One thing that nags
me however it is *possible* that I may have
accidentally hosed my chown/chgrp settings on
my /bin, /sbin and may not have gotten all the
file permissions correctly set.  If anyone can
tell me how to ensure the proper ownership/mode
settings by running a rpm or some sort of a
checking program, please let me know!

I noticed this because the slapd log told me
that it could not access /etc/sasldb2 so I chgrp
ldap this database and the slapd does no longer
complains. I hope this is the right thing to do...

Man... is something hosed or is it me.  It's been a
helluva week.

Dan

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.13.4/175 - Release Date: 11/18/2005

More information about the fedora-list mailing list