>From: fedora-list-bounces@xxxxxxxxxx >[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Tony Nelson >Sent: Friday, November 18, 2005 2:34 PM >To: fedora-list@xxxxxxxxxx >Subject: RE: Problem with /etc/init.d/ldap? > > >At 1:24 PM -0800 11/18/05, Daniel B. Thurman wrote: >>>>"Daniel B. Thurman" <dant@xxxxxxxxx> wrote: >> >>>> >>>>Did you say "export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"? >>>> ^^^^^ >>> >>>I was told to add the following environment variable >>>to the /etc/sysconfig/ldap file: >>> >>>KRB5_KTNAME=/etc/openldap/ldap.keytab >>> >>>The file: /etc/openldap/ldap.keytab >>>is chmod 640 and chown root:ldap >>> >> >>I read your information carefully and tried >>the following in the /etc/sysconfig/ldap: >> >>1) KRB5_KTNAME=/etc/openldap/ldap.keytab >>2) KRB5_KTNAME="/etc/openldap/ldap.keytab" >>3) export KRB5_KTNAME=/etc/openldap/ldap.keytab >>4) export KRB5_KTNAME="/etc/openldap/ldap.keytab" >>5) export KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab >>6 export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" >> >>None of these worked. > >Not too carefully. Note your use of " in 6, and compare with >what he wrote. >____________________________________________________________________ >TonyN.:' <mailto:tonynelson@xxxxxxxxxxxxxxxxx> > ' <http://www.georgeanelson.com/> > Tony, I have no idea what you are talking about... I have tried everything within the /etc/init.d/ldap script from trying to directly add the environment variable: KRB5_KTNAME within the temporary wrapper file, and even did this: cat >> $wrapper <<- EOF #!/bin/bash -x export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" echo 'KRB5_KTNAME='$KRB5_KTNAME exec ${slapd} -h ${harg} -d ${user} $OPTIONS $SLAPD_OPTIONS EOF And I find it odd that the exporting of KRB5_KTNAME variable does NOT work within the cat construct but placing the export of KRB5_KTNAME outside of this wrapper does work. Hmmm.... well - at least I do know now that /etc/sysconfig/ldap is working within the /etc/init.d/ldap script, however I still do not know for certain that the KRB5_KTNAME is being accepted by the slapd invocation within the wrapper script. I tried Craig's suggestion to add logging information so that I can see if slapd is accepting the KRB5_KTNAME environment variable: ===================================================== local4.*<tab>/var/log/slapd.log ==> /etc/syslog.conf loglevel 256 ==> /etc/openldap/slapd.conf ===================================================== I was able to get the logging information to work, however, I still was not able to tell if slapd sees the KRB5_KTNAME variable! Does anyone have any suggestions on how to obtain this or can one get it? Also, there was one other thing... I also added: ===================================================== svrtab /etc/openldap/ldap.keytab ==> /etc/openldap/slapd.conf ===================================================== and this did not work either. Again, as root, I can get slapd working on the command-line and kerberos/LDAPS works well: ===================================================== export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" slapd -u ldap -h "ldap:/// ldaps:///" ===================================================== And even this works: ===================================================== export KRB5_KTNAME="/etc/openldap/ldap.keytab" slapd -u ldap -h "ldap:/// ldaps:///" (I don't see at this point why FILE: is even needed) ===================================================== At this point I am running LDAP manually until a solution can be found. One thing that nags me however it is *possible* that I may have accidentally hosed my chown/chgrp settings on my /bin, /sbin and may not have gotten all the file permissions correctly set. If anyone can tell me how to ensure the proper ownership/mode settings by running a rpm or some sort of a checking program, please let me know! I noticed this because the slapd log told me that it could not access /etc/sasldb2 so I chgrp ldap this database and the slapd does no longer complains. I hope this is the right thing to do... Man... is something hosed or is it me. It's been a helluva week. Dan -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.4/175 - Release Date: 11/18/2005
