Bug 175051

Summary: ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files
Product: [Retired] 389
Reporter: Bob Kong <rkong>
Component: Security - SSL
Assignee: Rich Megginson <rmeggins>
Status: CLOSED WORKSFORME
QA Contact: Orla Hegarty <ohegarty>
Severity: medium
Priority: medium
Version: 1.0
CC: ohegarty
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-03-13 21:31:08 UTC
Attachments:
ls directory listing of /opt/fedora-ds/alias (flags: none)

Description Bob Kong 2005-12-06 00:43:32 UTC
Description of problem:
ns-slapd: Fails to start with the following after attempting to install a
self-signed SSL certificate and key.

SSL alert: Security Initialization: NSS initialization failed (Netscape Portable
Runtime error -8192 - An I/O error occurred during security authorization.):
path: /opt/fedora-ds/alias/, certdb prefix: slapd-ldap-, keydb prefix: slapd-ldap-.


Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Installed fedora-ds-1.0.2... using default values. Server starts
2. Follow the directions HowTo:SSL
   2a. Follow directions for self-signed certificate
3. restart ns-slapd
  
Actual results:
See error message above

Expected results:
Server to start.

Additional info:

Comment 1 Rich Megginson 2005-12-06 00:58:20 UTC
What are the contents of your /opt/fedora-ds/alias directory?
e.g. do an
ls -l /opt/fedora-ds/alias
and attach the output to this bug.

Comment 2 Bob Kong 2005-12-06 01:42:02 UTC
Created attachment 121883
ls directory listing of /opt/fedora-ds/alias

I've attempted to change the permissions on all the files so that they were
readable, thinking that it may have been a permission problem.

Some additional information:
This system is running FC3 completely up-to-date with the latest updates
via 'yum'

Comment 3 Rich Megginson 2005-12-06 02:16:58 UTC
Is your directory server running as uid ldap?  If so, try changing all of your
files to be owned by ldap e.g.
chown ldap:ldap *.db

Comment 4 Bob Kong 2005-12-06 02:35:04 UTC
That corrected the problem. So FDS 1.0 now checks for file ownership and not
whether the file is readable?

Thanks again


Comment 5 Rich Megginson 2005-12-06 04:02:34 UTC
No, it has to open the key/cert db in read-write mode.  However, it's safer to
change the owner rather than leave the files with wide open read-write permissions.

Was this a fresh FDS 1.0 installation?  The server is supposed to chmod/chown
those files appropriately, so this step should have been unnecessary.  Did you
change the server uid after running setup?

Comment 6 Kevin Unthank 2006-03-13 21:31:08 UTC
No further response from customer.
Appears to have been a configuration problem
Closing bug

Comment 7 Chandrasekar Kannan 2008-08-11 23:42:58 UTC
Bug already CLOSED. setting screened+ flag
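
The ownership and mode conditions discussed in comments 3 and 5, as an added shell example that is not part of the original bug thread: it audits an NSS database directory for files not owned by the server account, not read-write for their owner, or opened up to other users. It assumes the databases are the *.db files directly inside the directory; audit_nss_db and the finding labels are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the NSS databases are the
# *.db files directly inside DIR and that USER is the account ns-slapd runs as.

# audit_nss_db DIR USER
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_nss_db() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Accept a numeric uid as-is; a name must resolve, or find(1) would error
    # out and the audit would wrongly look clean.
    case $user in
        ''|*[!0-9]*) id "$user" >/dev/null 2>&1 ||
            { echo "unknown user: $user" >&2; return 2; } ;;
    esac

    findings=$(
        # 1. Not owned by the server account (the cause found in this bug).
        find "$dir" -maxdepth 1 -type f -name '*.db' ! -user "$user" |
            sed 's/^/WRONG_OWNER /'
        # 2. Owner lacks read+write: NSS opens the key/cert db read-write.
        find "$dir" -maxdepth 1 -type f -name '*.db' ! -perm -600 |
            sed 's/^/NOT_RW_BY_OWNER /'
        # 3. Readable or writable by "other": the wide-open workaround.
        find "$dir" -maxdepth 1 -type f -name '*.db' \
            \( -perm -004 -o -perm -002 \) | sed 's/^/LOOSE_MODE /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit_nss_db.sh /opt/fedora-ds/alias ldap
if [ $# -eq 2 ]; then
    audit_nss_db "$1" "$2"
fi
```

A clean result is owner-only read-write (mode 600) on every database file, owned by the account the server runs as.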