Bug 175051 - ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files
Product: 389
Classification: Community
Component: Security - SSL
i686 Linux
Priority: medium, Severity: medium
Assigned To: Rich Megginson
Orla Hegarty
Reported: 2005-12-05 19:43 EST by Bob Kong
Modified: 2008-08-11 19:42 EDT
Doc Type: Bug Fix
Last Closed: 2006-03-13 16:31:08 EST

Attachments:
ls directory listing of /opt/fedora-ds/alias (678 bytes, text/plain)
2005-12-05 20:42 EST, Bob Kong

Description Bob Kong 2005-12-05 19:43:32 EST
Description of problem:
ns-slapd: Fails to start with the following after attempting to install a
self-signed SSL certificate and key.

SSL alert: Security Initialization: NSS initialization failed (Netscape Portable
Runtime error -8192 - An I/O error occurred during security authorization.):
path: /opt/fedora-ds/alias/, certdb prefix: slapd-ldap-, keydb prefix: slapd-ldap-.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Installed fedora-ds-1.0.2... using default values. Server starts
2. Follow the directions HowTo:SSL
   2a. Follow directions for self-signed certificate
3. restart ns-slapd
Actual results:
See error message above

Expected results:
Server to start.

Additional info:
Comment 1 Rich Megginson 2005-12-05 19:58:20 EST
What are the contents of your /opt/fedora-ds/alias directory?
e.g. do an
ls -l /opt/fedora-ds/alias
and attach the output to this bug.
Comment 2 Bob Kong 2005-12-05 20:42:02 EST
Created attachment 121883
ls directory listing of /opt/fedora-ds/alias

I've attempted to change the permissions on all the files so that they were
readable, thinking that it may have been a permission problem.

Some additional information:
This system is running FC3 completely up-to-date with the latest updates
via 'yum'
Comment 3 Rich Megginson 2005-12-05 21:16:58 EST
Is your directory server running as uid ldap?  If so, try changing all of your
files to be owned by ldap e.g.
chown ldap:ldap *.db
Comment 4 Bob Kong 2005-12-05 21:35:04 EST
That corrected the problem. So FDS 1.0 now checks for file ownership and not
whether the file is readable?

Thanks again
Comment 5 Rich Megginson 2005-12-05 23:02:34 EST
No, it has to open the key/cert db in read-write mode.  However, it's safer to
change the owner rather than leave the files with wide open read-write permissions.

Was this a fresh FDS 1.0 installation?  The server is supposed to chmod/chown
those files appropriately, so this step should have been unnecessary.  Did you
change the server uid after running setup?
Comment 6 Kevin Unthank 2006-03-13 16:31:08 EST
No further response from customer.
Appears to have been a configuration problem.
Closing bug.
Comment 7 Chandrasekar Kannan 2008-08-11 19:42:58 EDT
Bug already CLOSED. setting screened+ flag
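
Added example (not part of the original bug report and not 389/Fedora DS code): a shell check for the condition worked out in comments 3 to 5, namely that every *.db file in the alias directory is owned by the server uid, is read-write for that owner, and is not opened up to other accounts. The function name audit_nss_dbs and the finding labels are hypothetical, and treating any group/other read or write bit as exposure is an assumption that is stricter than what the thread states.

```shell
#!/bin/sh
# Usage: audit_nss_dbs DIR USER     e.g. audit_nss_dbs /opt/fedora-ds/alias ldap
# Prints one finding per line. Returns 0 if clean, 1 if findings, 2 on bad DIR.
# USER may be a user name or a numeric uid.
audit_nss_dbs() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir"; return 2; }

    findings=$(
        # The server opens the key/cert db read-write, so a db owned by a
        # different account fails NSS initialization unless its permissions
        # are loosened (the situation in this bug).
        find "$dir" -maxdepth 1 -type f -name '*.db' ! -user "$user" \
            -exec printf 'NOT_OWNER %s\n' {} \;

        # The owner itself must hold both read and write on the file.
        find "$dir" -maxdepth 1 -type f -name '*.db' ! -perm -0600 \
            -exec printf 'OWNER_NOT_RW %s\n' {} \;

        # Assumption: any group/other read or write bit counts as exposure,
        # i.e. the "wide open" workaround chosen instead of fixing ownership.
        find "$dir" -maxdepth 1 -type f -name '*.db' \
            \( -perm -0040 -o -perm -0020 -o -perm -0004 -o -perm -0002 \) \
            -exec printf 'EXPOSED %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A NOT_OWNER finding is resolved with the chown from comment 3; an EXPOSED finding is resolved by tightening the mode back to owner-only after ownership is correct.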
