> Okay, hm.  Can you try this, preferably with daemontools:
> 
> /usr/bin/setuidgid openldap /bin/cat </path/to/certs/certfiles>
> 
> for every cert you believe the server should be able to read.  It really
> seems like the "openldap" user/group doesn't have permission to
> something that it should.

I don't have daemontools on this system, but I temporarily changed the
shell for the openldap user from /bin/false to /bin/bash and then su'd to
openldap.

$ id
uid=100(openldap) gid=121(openldap) groups=121(openldap)

Certificate Authority public cert was successful:
        $ /bin/cat /etc/ssl/certs/misumasu.dyndns.org_CA.pem
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

LDAP server public cert was successful:
        $ /bin/cat /etc/ssl/certs/ldap.misumasu.dyndns.org.pem
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

LDAP server private key cert was successful:
        $ /bin/cat /etc/ldap/private/ldap.misumasu.dyndns.org.pem
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----


The PID file and args files used by Debian were accessible:
        /var/run/slapd/slapd.pid
        /var/run/slapd/slapd.args

And all the database files were accessible:
$ ls -l /var/lib/ldap/
total 1852
-rw-r--r-- 1 openldap openldap      96 Aug  5 21:30 DB_CONFIG
-rw------- 1 openldap openldap    8192 Aug  5 21:30 __db.001
-rw------- 1 openldap openldap 2629632 Aug  5 21:30 __db.002
-rw------- 1 openldap openldap   98304 Aug  5 21:30 __db.003
-rw------- 1 openldap openldap  868352 Aug  5 21:30 __db.004
-rw------- 1 openldap openldap   24576 Aug  5 21:30 __db.005
-rw-r--r-- 1 openldap openldap    2048 Aug  8 22:40 alock
-rw------- 1 openldap openldap   16384 Aug  8 22:15 cn.bdb
-rw------- 1 openldap openldap   16384 Aug  5 23:55 displayName.bdb
-rw------- 1 openldap openldap   16384 Aug  8 22:40 dn2id.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 gidNumber.bdb
-rw------- 1 openldap openldap   65536 Aug  8 22:40 id2entry.bdb
-rw------- 1 openldap openldap  817172 Aug  8 22:40 log.0000000001
-rw------- 1 openldap openldap    8192 Aug  8 22:39 memberUid.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 objectClass.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 sambaDomainName.bdb
-rw------- 1 openldap openldap    8192 Aug  5 23:55 sambaPrimaryGroupSID.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 sambaSID.bdb
-rw------- 1 openldap openldap    8192 Aug  5 23:55 sn.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 uid.bdb
-rw------- 1 openldap openldap    8192 Aug  8 22:39 uidNumber.bdb

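The manual `cat` checks above test the file's read bit and, implicitly, search permission on every directory leading to it. Here is an added Python example (not from the thread) that emulates the kernel's owner/group/other mode-bit check for an arbitrary uid and group set, walks the whole path, and reports the first blocking component; it builds a constructed tree under a temp dir that mirrors the thread's layout (`etc/ssl/certs` world-readable, `etc/ldap/private` mode 0750), and ignores POSIX ACLs, capabilities and AppArmor/SELinux by assumption.

```python
import os
import tempfile

def can_access(path, uid, gids, want):
    """Mode-bit emulation of access(2) for uid/gids wanting `want`
    (os.R_OK/W_OK/X_OK). ACLs, capabilities and AppArmor/SELinux are
    ignored by assumption; uid 0 is treated as unrestricted."""
    if uid == 0:
        return True
    st = os.stat(path)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    # R_OK/W_OK/X_OK are 4/2/1: the same layout as one rwx triplet.
    return (((st.st_mode >> shift) & 0o7) & want) == want

def readable_by(path, uid, gids):
    """None if readable, else the first blocking component. Every directory
    on the way needs search (x) before the file's own read bit matters."""
    path = os.path.abspath(path)
    cur = os.sep
    for part in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, part)
        if not can_access(cur, uid, gids, os.X_OK):
            return f"{cur}: no search (x) permission"
    if not can_access(path, uid, gids, os.R_OK):
        return f"{path}: no read permission"
    return None

def demo():
    """Constructed tree mirroring the thread's layout, checked as the owner
    and as an unrelated non-root uid with no groups (a service account)."""
    root = tempfile.mkdtemp()
    certs = os.path.join(root, "etc", "ssl", "certs")
    private = os.path.join(root, "etc", "ldap", "private")
    ca, key = os.path.join(certs, "CA.pem"), os.path.join(private, "ldap.pem")
    for f, mode in ((ca, 0o644), (key, 0o600)):
        os.makedirs(os.path.dirname(f))
        with open(f, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n")  # placeholder body
        os.chmod(f, mode)
    for d, _, _ in os.walk(root):
        os.chmod(d, 0o755)        # umask-independent, world-searchable dirs
    os.chmod(private, 0o750)      # like /etc/ldap/private: no 'other' bits
    me, other = os.getuid(), os.getuid() + 1
    return {
        "owner_ca": readable_by(ca, me, {os.getgid()}),
        "owner_key": readable_by(key, me, {os.getgid()}),
        "other_ca": readable_by(ca, other, set()),
        "other_key": readable_by(key, other, set()),
    }
```

For the unrelated uid the private key is reported as blocked at the `private` directory, not at the key file: that is the case a bare `ls -l` on the file alone would miss.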