Problem with /etc/init.d/ldap? [temp script provided]
Craig White
craigwhite at azapple.com
Sun Nov 20 02:11:41 UTC 2005
On Sat, 2005-11-19 at 16:48 -0800, Daniel B. Thurman wrote:
> >>From: fedora-list-bounces at redhat.com
> >>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Tony Nelson
> >>Sent: Friday, November 18, 2005 2:34 PM
> >>To: fedora-list at redhat.com
> >>Subject: RE: Problem with /etc/init.d/ldap?
> >>
> >>
> >>At 1:24 PM -0800 11/18/05, Daniel B. Thurman wrote:
> >>>>>"Daniel B. Thurman" <dant at cdkkt.com> wrote:
> >>>
> >>>>>
> >>>>>Did you say "export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"?
> >>>>> ^^^^^
> >>>>
> >>>>I was told to add the following environment variable
> >>>>to the /etc/sysconfig/ldap file:
> >>>>
> >>>>KRB5_KTNAME=/etc/openldap/ldap.keytab
> >>>>
> >>>>The file: /etc/openldap/ldap.keytab
> >>>>is chmod 640 and chown root:ldap
> >>>>
> >>>
> >>>I read your information carefully and tried
> >>>the following in the /etc/sysconfig/ldap:
> >>>
> >>>1) KRB5_KTNAME=/etc/openldap/ldap.keytab
> >>>2) KRB5_KTNAME="/etc/openldap/ldap.keytab"
> >>>3) export KRB5_KTNAME=/etc/openldap/ldap.keytab
> >>>4) export KRB5_KTNAME="/etc/openldap/ldap.keytab"
> >>>5) export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab
> >>>6 export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
> >>>
> >>>None of these worked.
> >>
> >>Not too carefully. Note your use of " in 6, and compare with
> >>what he wrote.
> >>____________________________________________________________________
> >>TonyN.:' <mailto:tonynelson at georgeanelson.com>
> >> ' <http://www.georgeanelson.com/>
> >>
> >
> >Tony, I have no idea what you are talking about...
> >
> >I have tried everything within the /etc/init.d/ldap
> >script from trying to directly add the environment
> >variable: KRB5_KTNAME within the temporary wrapper
> >file, and even did this:
> >
> >cat >> $wrapper <<- EOF
> >#!/bin/bash -x
> >export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
> >echo 'KRB5_KTNAME='$KRB5_KTNAME
> >exec ${slapd} -h ${harg} -d ${user} $OPTIONS $SLAPD_OPTIONS
> >EOF
> >
> >And I find it odd that the exporting of KRB5_KTNAME variable
> >does NOT work within the cat construct but placing the export
> >of KRB5_KTNAME outside of this wrapper does work. Hmmm....
> >well - at least I do know now that /etc/sysconfig/ldap is
> >working within the /etc/init.d/ldap script, however I still
> >do not know for certain that the KRB5_KTNAME is being
> >accepted by the slapd invocation within the wrapper script.
> >
> >I tried Craig's suggestion to add logging information
> >so that I can see if slapd is accepting the KRB5_KTNAME
> >environment variable:
> >
> >=====================================================
> >local4.*<tab>/var/log/slapd.log ==> /etc/syslog.conf
> >loglevel 256 ==> /etc/openldap/slapd.conf
> >=====================================================
> >
> >I was able to get the logging information to work,
> >however, I still was not able to tell if slapd
> >sees the KRB5_KTNAME variable! Does anyone have
> >any suggestions on how to obtain this or can one
> >get it?
> >
> >Also, there was one other thing... I also added:
> >=====================================================
> >svrtab /etc/openldap/ldap.keytab ==> /etc/openldap/slapd.conf
> >=====================================================
> >
> >and this did not work either.
> >
> >Again, as root, I can get slapd working on the
> >command-line and kerberos/LDAPS works well:
> >=====================================================
> >export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
> >slapd -u ldap -h "ldap:/// ldaps:///"
> >=====================================================
> >
> >And even this works:
> >=====================================================
> >export KRB5_KTNAME="/etc/openldap/ldap.keytab"
> >slapd -u ldap -h "ldap:/// ldaps:///"
> >
> >(I don't see at this point why FILE: is even needed)
> >=====================================================
> >
> >At this point I am running LDAP manually until
> >a solution can be found. One thing that nags
> >me however it is *possible* that I may have
> >accidentally hosed my chown/chgrp settings on
> >my /bin, /sbin and may not have gotten all the
> >file permissions correctly set. If anyone can
> >tell me how to ensure the proper ownership/mode
> >settings by running a rpm or some sort of a
> >checking program, please let me know!
> >
> >I noticed this because the slapd log told me
> >that it could not access /etc/sasldb2 so I chgrp
> >ldap this database and the slapd does no longer
> >complains. I hope this is the right thing to do...
> >
> >Man... is something hosed or is it me. It's been a
> >helluva week.
> >
> >Dan
> >
>
> Ok, additional information:
>
> I rewrote the ldap script and I discovered that
> the daemon function is somehow responsible for
> preventing SASL to work.
>
> I am now able to get the following:
>
> 1) PASS: Simple authorization, no encryption
> 2) PASS: Simple authorization, SSL via LDAPS
> 3) PASS: Simple authorization, SSL via StartTLS
> 4) PASS: SASL authorization, no encryption
> 5) PASS: SASL authorization, SSL via LDAPS
> 6) PASS: SASL authorization, SSL via StartTLS
>
> Here is the code rewrite but note!!!!! This is
> a REDUCED code to illustrate the point that the
> original script is not working if you are using
> SASL (kerberos) and a different keytab other than
> the kerberos default locations! This code is a
> stripped down version!
>
> #!/bin/bash
>
> # =================================================
> # TEMPORARY FIX BY DBT: ORIGINAL IS BROKEN!
> # =================================================
>
> # Source function library.
> . /etc/init.d/functions
>
> # Source an auxiliary options file if we have one, and pick up OPTIONS,
> # SLAPD_OPTIONS, SLURPD_OPTIONS, SLAPD_LDAPS, SLAPD_LDAPI, and maybe
> # KRB5_KTNAME.
> if [ -r /etc/sysconfig/ldap ] ; then
> . /etc/sysconfig/ldap
> fi
>
> slapd=/usr/sbin/slapd
> [ -x ${slapd} ] || exit 0
>
> user=ldap
> url="ldap:/// ldaps:///"
> prog=`basename ${slapd}`
>
> RETVAL=0
>
> function start() {
>
> # Start daemons.
> echo -n "Starting ${prog} "
> slapd -u ldap -h "ldap:/// ldaps:///"
> [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
> RETVAL=$?
> echo
>
> }
>
> function stop() {
>
> killproc ${slapd}
> RETVAL=$?
> echo 'Stopped '${prog}
>
> }
>
> case "$1" in
> start)
> start
> ;;
> stop)
> stop
> ;;
> restart)
> stop
> start
> ;;
> status)
> status ${slapd}
> ;;
> *)
> echo "Usage: $0 {start|stop|restart|status}"
> esac
>
> exit $RETVAL
----
It's not a bug until it's in bugzilla.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the fedora-list
mailing list