Bug 680201

Summary: IPA server installation fails with: Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea
Target Milestone: rc
Fixed In Version: ipa-2.0.0-13.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:44:29 UTC

Description Rob Crittenden 2011-02-24 16:30:48 UTC
Description of problem:

ipa-server-install fails with the following error in the 389-ds log:

[23/Feb/2011:16:13:02 -0500] - Unable to access nsslapd-rundir: Permission denied
[23/Feb/2011:16:13:02 -0500] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
[23/Feb/2011:16:13:02 -0500] - Shutting down.
[23/Feb/2011:16:23:02 -0500] - Unable to access nsslapd-rundir: Permission denied
[23/Feb/2011:16:23:02 -0500] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
[23/Feb/2011:16:23:02 -0500] - Shutting down. 

Version-Release number of selected component (if applicable):

ipa-server-2.0.0-11.20110223T0630zgite5cda47.el6.i686
389-ds-base-1.2.8-2011022302.el6dsrv.i386

Comment 1 Rob Crittenden 2011-02-24 16:31:25 UTC
Nathan Kinder commented:

One thing I notice is that SuiteSpotGroup is not set in the General section of the inf file used to create the instance.  If a previous instance was created for Dogtag and this new instance is created as a different user, you must specify the same group in the SuiteSpotGroup parameter when creating the second instance.  This is required now that we have secure permissions on /var/run, which was just fixed for the 8.2 errata and is in the 9.0 builds now as well.

Comment 2 Rob Crittenden 2011-02-24 16:51:16 UTC
If I remove /var/run/dirsrv before starting the IPA installer then it succeeds whether I have SuiteSpotGroup defined or not.

The resulting difference is:

SuiteSpotGroup set: /var/run/dirsrv mode 0770
no group: /var/run/dirsrv mode 0700

It looks like the 389-ds-base postinstall script creates /var/run/dirsrv if it doesn't already exist.

Comment 3 Rob Crittenden 2011-02-24 19:25:41 UTC
https://fedorahosted.org/freeipa/ticket/1010

Comment 4 Rob Crittenden 2011-02-24 20:44:19 UTC
commit 99d6e0883af6759f80ddba01cbb1d90431929bfd

Comment 6 Jenny Severance 2011-03-23 19:38:17 UTC
verified.

version: 

ipa-server-2.0.0-16.el6.x86_64

# ls -al /var/run/dirsrv/
total 24
drwxrwx---.  2 root   dirsrv 4096 Mar 23 15:29 .
drwxr-xr-x. 24 root   root   4096 Mar 23 15:30 ..
-rw-r--r--.  1 pkisrv dirsrv    6 Mar 23 15:29 slapd-PKI-IPA.pid
-rw-r--r--.  1 pkisrv dirsrv 2072 Mar 23 15:37 slapd-PKI-IPA.stats
-rw-r--r--.  1 dirsrv dirsrv    6 Mar 23 15:29 slapd-TESTRELM.pid
-rw-r--r--.  1 dirsrv dirsrv 2072 Mar 23 15:37 slapd-TESTRELM.stats
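
Added example, not part of the bug report or of the IPA/389-ds code: a shell check of the rule discussed in comments 1, 2 and 6, that every instance account needs rwx on the shared run directory through its owner or group bits. The function names are hypothetical, and GNU stat and id are assumed for the live check.

```sh
#!/bin/sh
# Added example: which permission class the kernel applies to an account on
# a shared run directory, and whether that class grants rwx.
# uid 0 bypasses these bits and is not modelled here.

# can_use_rundir MODE OWNER GROUP USER "USER_GROUPS"
# MODE is octal (770 or 0770); USER_GROUPS is a space-separated group list.
# Returns 0 when USER gets read, write and search on the directory.
can_use_rundir() {
    local mode owner group user member_of bits
    mode=$((0${1#0})); owner=$2; group=$3; user=$4; member_of=" $5 "
    # Exactly one class applies: owner first, then group, then other.
    # An owner with weak owner bits is NOT rescued by generous group bits.
    if [ "$user" = "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        case $member_of in
            *" $group "*) bits=$(( (mode >> 3) & 7 )) ;;
            *)            bits=$(( mode & 7 )) ;;
        esac
    fi
    [ "$bits" -eq 7 ]
}

# check_rundir DIR USER...: apply the check to the live system.
# Returns 1 if any account lacks access, 2 if DIR cannot be examined.
check_rundir() {
    local dir info mode owner group user rc
    dir=$1; shift; rc=0
    info=$(stat -c '%a %U %G' "$dir") || return 2
    mode=${info%% *}; info=${info#* }; owner=${info%% *}; group=${info#* }
    for user in "$@"; do
        if can_use_rundir "$mode" "$owner" "$group" "$user" "$(id -nG "$user")"; then
            echo "ok:   $user can use $dir ($mode $owner:$group)"
        else
            echo "FAIL: $user lacks rwx on $dir ($mode $owner:$group)"; rc=1
        fi
    done
    return "$rc"
}

# Usage on an IPA server with both instances installed:
#   check_rundir /var/run/dirsrv dirsrv pkisrv
```

With the verified layout above (mode 770, root:dirsrv) an account passes only if it is a member of group dirsrv; with mode 0700, only the directory's owner passes.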

Comment 7 errata-xmlrpc 2011-05-19 13:44:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html