RE: TLS w/LDAP - SOLVED

2009-05-30 Thread John Kane
After painstakingly commenting everything out of all startup files, then
adding them back in, I found the cause of the

"-bash: [: =: unary operator expected"

error that has been occurring on all Linux servers since turning on LDAP
TLS on INT.

In the file:

/etc/profile.d/krb5-workstation.sh

The following is causing the issue:

if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
        if [ `/usr/bin/id -u` = 0 ] ; then
                PATH=/usr/kerberos/sbin:${PATH}
        fi
fi


If I add " " around the backticked command, the bash error goes away.
Not sure who I need to open a ticket against :-)

Thanks,
John



> -Original Message-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Kyle Hamilton
> Sent: Saturday, May 30, 2009 5:04 PM
> To: openssl-users@openssl.org
> Subject: Re: TLS w/LDAP
> 
> Try looking in /etc/profile, ~/.profile, ~/.bashrc, or other startup
> files.  You can always look at the man page for bash to figure out
> what files it automatically reads, and the '-' at the beginning means
> that it's a login shell.
> 
> -Kyle H
> 
> On May 29, 2009, at 9:52 PM, John Kane wrote:
> 
> > Thanks for the response, Kyle.
> >
> > I've pretty much deduced what the error is, but just cannot figure
> > out where it is coming from.  It only happens when I turn on TLS for
> > LDAP.  There are really no 'variables' defined in the LDAP configs;
> > nothing using the '[ "$blah" = blahblah ] syntax... that is why I
> > turned to this list hoping to find what other file (non-ldap) might
> > be read ONLY when I had the 'ssl start_tls' set in my ldap config.
> >
> > John
> >
> >
> >> -Original Message-
> >> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> >> us...@openssl.org] On Behalf Of Kyle Hamilton
> >> Sent: Friday, May 29, 2009 10:19 PM
> >> To: openssl-users@openssl.org
> >> Subject: Re: TLS w/LDAP
> >>
> >> That's an error in the script you're launching at startup.  I don't
> >> know what it is, but I'd bet there's an unquoted '[' character
> >> somewhere that is only evaluated when TLS LDAP is enabled.  (see the
> >> '-bash: ' at the beginning of the line?  That tells you that bash is
> >> generating the error message.)
> >>
> >> -Kyle H
> >>
> >> On Fri, May 29, 2009 at 1:34 PM, John Kane
> >>  wrote:
> >>> I just turned on TLS on my LDAP (per instructions on
> >>> http://www.openldap.org/faq/data/cache/185.html).  Now all of my
> >> Linux
> >>> servers give the following error on login:
> >>>
> >>> -bash: [: =: unary operator expected
> >>>
> >>> The error goes away when I turn TLS back off.  I cannot determine what
> >>> is causing this error, or even which file contains the error.  I've gone
> >>> through my LDAP config file, cannot find an issue in any of these.
> >>>
> >>> Other than my cacert.pem, and the LDAP config files, are there other
> >>> files that are read only when TLS is turned on?
> >>>
> >>> Thanks,
> >>> John
> >>>
> >>> Here are my configs:
> >>>
> >>> I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
> >>> file):
> >>>
> >>>ssl start_tls
> >>>tls_checkpeer yes
> >>>tls_cacertfile /etc/openldap/cacerts/cacert.pem
> >>>tls_cacertdir /etc/openldap/cacerts/
> >>>
> >>>
> >>> and have the following in my /etc/openldap/ldap.conf (openldap
> >>> file):
> >>>
> >>>HOST 172.25.3.97
> >>>BASE dc=example,dc=net
> >>>TLS_CACERTDIR /etc/openldap/cacerts/
> >>>TLS_REQCERT allow
> >>>
> >>> and my (self-signed) cacert:
> >>>
> >>> [r...@serverx cacerts]# openssl x509 -text -in
> >>> /etc/openldap/cacerts/cacert.pem
> >>> Certificate:
> >>>Data:
> >>>Version: 3 (0x2)
> >>>Serial Number: 0 (0x0)
> >>>Signature Algorithm: sha1WithRSAEncryption
> >>>        Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
> >>>Validity
> >>>Not Before: May 28 04:37:13 2009 GMT
> >>>Not After : May 27 04:37:13 2012 GMT
> >>>        Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
> >>>Subject Public Key Info:
> >>>Public Key Algorithm: rsaEncryption
> >>>RSA Public Key: (1024 bit)

Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Michael S. Zick
On Sun May 31 2009, John Kane wrote:
> After painstakingly commenting everything out of all startup files, then
> adding them back in, I found the cause of the
> 
> "-bash: [: =: unary operator expected"
> 
> error that has been occurring on all Linux servers since turning on LDAP
> TLS on INT.
> 
> In the file:
> 
> /etc/profile.d/krb5-workstation.sh
> 
> The following is causing the issue:
> 
> if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
> if [ `/usr/bin/id -u` = 0 ] ; then
> PATH=/usr/kerberos/sbin:${PATH}
> fi
> fi
> 
> 
> If I add " " around the backticked command, the bash error goes away.
> Not sure who I need to open a ticket against :-)
>

A more general solution would be:

# Am I running as user 0 (root)?
uid=$(/usr/bin/id -u) 2>/dev/null
if [ $uid == 0 ] ; then

Note the use of white space and the change from
an assignment to a test for equality.

Usually, such problems get reported to the
distribution producer - they know who wrote
the script.

Mike
> Thanks,
> John
> 
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Kyle Hamilton
They could also use $EUID == $UID == 0 to check the user ID, rather
than relying on an external utility.

($EUID is the effective user ID, $UID is the real uid.  Please see the
bash man page for more info.)

-Kyle H

On Sun, May 31, 2009 at 6:05 AM, Michael S. Zick  wrote:
> A more general solution would be:
>
>    # Am I running as user 0 (root)?
>    uid=$(/usr/bin/id -u) 2>/dev/null
>    if [ $uid == 0 ] ; then
>
> Note the use of white space and the change from
> an assignment to a test for equality.
>
> Usually, such problems get reported to the
> distribution producer - they know who wrote
> the script.
>
> Mike


Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Michael S. Zick
On Sun May 31 2009, Kyle Hamilton wrote:
> They could also use $EUID == $UID == 0 to check the user ID, rather
> than relying on an external utility.
> 
> ($EUID is the effective user ID, $UID is the real uid.  Please see the
> bash man page for more info.)
> 

I didn't want to re-design it. Just point out the
difference between an assignment and an equality
test.

Mike
> -Kyle H
> 


Re: TLS w/LDAP - SOLVED

2009-06-02 Thread Steffen DETTMER
(OT)

* Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> A more general solution would be:
> 
> # Am I running as user 0 (root)?
> uid=$(/usr/bin/id -u) 2>/dev/null
> if [ $uid == 0 ] ; then

BTW, shouldn't it be just one "=" (to be compliant with POSIX and
/usr/bin/test)?

oki,

Steffen


Re: TLS w/LDAP - SOLVED

2009-06-02 Thread Victor Duchovni
On Tue, Jun 02, 2009 at 03:49:13PM +0200, Steffen DETTMER wrote:

> (OT)
> 
> * Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> > A more general solution would be:
> > 
> > # Am I running as user 0 (root)?
> > uid=$(/usr/bin/id -u) 2>/dev/null
> > if [ $uid == 0 ] ; then
> 
> BTW, shouldn't it be just one "=" (to be compliant with POSIX and
> /usr/bin/test)?

Yes, and quotes are required, just in case "id -u" fails, and
the "uid" value is empty:

if [ "$uid" = 0 ]

Michael must have had [[ ]] in mind, but forgot the outer "[]".

[[ $uid == 0 ]]

note, the "==" is actually a pattern match when the second operand is
not quoted.

$ [[ foo == f* ]] && echo match || echo no match
match
$ [[ foo == "f*" ]] && echo match || echo no match
no match

For numeric equality:

[[ $uid -eq 0 ]]

but, when comparing with 0, this returns true also when $uid is not
a number.

-- 
Viktor.
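Drawing the thread's points together, here is an added example (my own code, not from the thread or from the krb5-workstation package): the test as shipped beside a POSIX-safe root check and PATH update. `fake_id_u` and `FAKE_UID` are hypothetical stand-ins for `/usr/bin/id -u`, so that empty output can be forced on demand:

```shell
# Added example, not code from the thread or from the krb5-workstation package.
# fake_id_u and FAKE_UID are hypothetical stand-ins for `/usr/bin/id -u`, so
# that empty output (what the broken login effectively produced) can be forced.
fake_id_u() {
    printf '%s\n' "$FAKE_UID"
}

# The test as shipped in krb5-workstation.sh: the substitution is unquoted, so
# empty output leaves `[ = 0 ]`, and test(1) reports
# "[: =: unary operator expected" with exit status 2 instead of 0 or 1.
original_check() {
    [ `fake_id_u` = 0 ] 2>/dev/null
}

# Replacement: quoted operand, single "=" (POSIX; "==" is a bashism), and an
# all-digits check so a failed or garbled `id` counts as "not root" instead of
# raising an error or, with bash's [[ $uid -eq 0 ]], comparing equal to 0.
is_root() {
    uid=$(fake_id_u) || return 1
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: fail closed
    esac
    [ "$uid" = 0 ]
}

# The PATH update from the same script, matching a whole PATH component rather
# than the `echo ${PATH} | grep` substring test. Takes a PATH value and prints
# the (possibly) updated one.
kerberos_path() {
    case ":$1:" in
        *:/usr/kerberos/sbin:*) printf '%s\n' "$1" ;;      # already present
        *) if is_root; then printf '%s\n' "/usr/kerberos/sbin:$1"
           else printf '%s\n' "$1"; fi ;;
    esac
}

# Demo of the cases discussed in the thread.
FAKE_UID=0;    is_root && echo "uid 0: root, PATH -> $(kerberos_path /usr/bin:/bin)"
FAKE_UID=1000; is_root || echo "uid 1000: not root, PATH unchanged"
FAKE_UID='';   original_check || echo "original test with empty id output: exit status $?"
FAKE_UID='';   is_root || echo "empty id output: treated as not root"
```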