Bug 175051 – ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files

Bug 175051 - ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files

Summary:	ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files

Status:	CLOSED WORKSFORME

Aliases:	None

Product:	389
Classification:	Community
Component:	Security - SSL (Show other bugs)
Sub Component:
Version:	1.0
Hardware:	i686 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Rich Megginson
QA Contact:	Orla Hegarty
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-12-05 19:43 EST by Bob Kong
Modified:	2008-08-11 19:42 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-03-13 16:31:08 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
ls directory listing of /opt/fedora-ds/alias (678 bytes, text/plain) 2005-12-05 20:42 EST, Bob Kong	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Bob Kong 2005-12-05 19:43:32 EST

Description of problem:
ns-slapd: Fails to start with the following after attempting to install a
self-signed SSL certificate and key.

SSL alert: Security Initialization: NSS initialization failed (Netscape Portable
Runtime error -8192 - An I/O error occurred during security authorization.):
path: /opt/fedora-ds/alias/, certdb prefix: slapd-ldap-, keydb prefix: slapd-ldap-.


Version-Release number of selected component (if applicable):


How reproducible:
Everytime

Steps to Reproduce:
1. Installed fedora-ds-1.0.2... using default values. Server starts
2. Follow the directions HowTo:SSL
   2a. Follow directions for self-signed certificate
3. restart ns-slapd
  
Actual results:
See error message above

Expected results:
Server to start.

Additional info:

Comment 1 Rich Megginson 2005-12-05 19:58:20 EST

What are the contents of your /opt/fedora-ds/alias directory?
e.g. do an
ls -l /opt/fedora-ds/alias
and attach the output to this bug.

Comment 2 Bob Kong 2005-12-05 20:42:02 EST

Created attachment 121883 [details]
ls directory listing of /opt/fedora-ds/alias

I've attempted to change the permissions on the all the files so that they were
readable, thinking that it may have been a permssision problem.

Some additional information:
This system is running FC3 completely update-to-date with the latest updates
via 'yum'

Comment 3 Rich Megginson 2005-12-05 21:16:58 EST

Is your directory server running as uid ldap?  If so, try changing all of your
files to be owned by ldap e.g.
chown ldap:ldap *.db

Comment 4 Bob Kong 2005-12-05 21:35:04 EST

That corrected the problem. So FDS 1.0 now checks for file ownership and not
whether the file is readable?

Thanks again

Comment 5 Rich Megginson 2005-12-05 23:02:34 EST

No, it has to open the key/cert db in read-write mode.  However, it's safer to
change the owner rather than leave the files with wide open read-write permissions.

Was this a fresh FDS 1.0 installation?  The server is supposed to chmod/chown
those files appropriately, so this step should have been unnecessary.  Did you
change the server uid after running setup?

Comment 6 Kevin Unthank 2006-03-13 16:31:08 EST

No further response from customer.
Appears to have be a configuration problem
Closing bug

Comment 7 Chandrasekar Kannan 2008-08-11 19:42:58 EDT

Bug already CLOSED. setting screened+ flag

Note You need to log in before you can comment on or make changes to this bug.