Bug 175051 - ns-slapd: Fails to start, seems to be unable to find key3.db and cert3.db files
Alias: None
Product: 389
Classification: Retired
Component: Security - SSL
Version: 1.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Orla Hegarty
Reported: 2005-12-06 00:43 UTC by Bob Kong
Modified: 2008-08-11 23:42 UTC
Last Closed: 2006-03-13 21:31:08 UTC

Attachments
ls directory listing of /opt/fedora-ds/alias (678 bytes, text/plain)
2005-12-06 01:42 UTC, Bob Kong

Description Bob Kong 2005-12-06 00:43:32 UTC
Description of problem:
ns-slapd: Fails to start with the following after attempting to install a
self-signed SSL certificate and key.

SSL alert: Security Initialization: NSS initialization failed (Netscape Portable
Runtime error -8192 - An I/O error occurred during security authorization.):
path: /opt/fedora-ds/alias/, certdb prefix: slapd-ldap-, keydb prefix: slapd-ldap-.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Installed fedora-ds-1.0.2... using default values. Server starts
2. Follow the directions HowTo:SSL
   2a. Follow directions for self-signed certificate
3. restart ns-slapd
Actual results:
See error message above

Expected results:
Server to start.

Additional info:

Comment 1 Rich Megginson 2005-12-06 00:58:20 UTC
What are the contents of your /opt/fedora-ds/alias directory?
e.g. do an
ls -l /opt/fedora-ds/alias
and attach the output to this bug.

Comment 2 Bob Kong 2005-12-06 01:42:02 UTC
Created attachment 121883
ls directory listing of /opt/fedora-ds/alias

I've attempted to change the permissions on all the files so that they were
readable, thinking that it may have been a permission problem.

Some additional information:
This system is running FC3, completely up to date with the latest updates
via 'yum'.

Comment 3 Rich Megginson 2005-12-06 02:16:58 UTC
Is your directory server running as uid ldap?  If so, try changing all of your
files to be owned by ldap e.g.
chown ldap:ldap *.db

Comment 4 Bob Kong 2005-12-06 02:35:04 UTC
That corrected the problem. So FDS 1.0 now checks for file ownership and not
whether the file is readable?

Thanks again

Comment 5 Rich Megginson 2005-12-06 04:02:34 UTC
No, it has to open the key/cert db in read-write mode.  However, it's safer to
change the owner rather than leave the files with wide open read-write permissions.

Was this a fresh FDS 1.0 installation?  The server is supposed to chmod/chown
those files appropriately, so this step should have been unnecessary.  Did you
change the server uid after running setup?
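
The ownership and mode requirements from comments 3 and 5, as an added example that is not part of the original bug thread: a shell function that checks both database files for the expected owner, owner read-write access, and no group/other write access. It assumes GNU `stat`; the name `check_nss_dbs` is hypothetical, and the file names follow the bug title.

```shell
#!/usr/bin/env bash
# Added example, not from the bug thread. Assumes GNU stat (stat -c).
# check_nss_dbs DIR PREFIX OWNER   (hypothetical helper name)
#   DIR    alias directory, e.g. /opt/fedora-ds/alias
#   PREFIX certdb/keydb prefix from the error message, e.g. slapd-ldap-
#   OWNER  user name or numeric uid the server runs as, e.g. ldap
# Prints one line per finding; returns 0 if both files pass, else 1.
check_nss_dbs() (
    dir=$1 prefix=$2 owner=$3 rc=0
    case $owner in
        ''|*[!0-9]*)  # not purely numeric: resolve the user name
            want_uid=$(id -u "$owner" 2>/dev/null) || {
                echo "FAIL unknown user: $owner"; return 1; } ;;
        *) want_uid=$owner ;;
    esac
    # File names as given in the bug title.
    for f in "$dir/${prefix}cert3.db" "$dir/${prefix}key3.db"; do
        if [ ! -f "$f" ]; then
            echo "FAIL missing: $f"; rc=1; continue
        fi
        uid=$(stat -c %u "$f")    # numeric owner
        mode=$(stat -c %a "$f")   # octal permission bits, e.g. 600
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL owner uid $uid, expected $want_uid: $f"; rc=1
        fi
        # The server opens the databases read-write (comment 5).
        if [ $(( 0$mode & 0600 )) -ne $(( 0600 )) ]; then
            echo "FAIL owner lacks read-write (mode $mode): $f"; rc=1
        fi
        # Group/other write is the wide-open setup comment 5 advises against.
        if [ $(( 0$mode & 0022 )) -ne 0 ]; then
            echo "FAIL writable by group or other (mode $mode): $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: databases owned by uid $want_uid"
    return "$rc"
)
```

For the setup in this bug the call would be `check_nss_dbs /opt/fedora-ds/alias slapd-ldap- ldap`.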

Comment 6 Kevin Unthank 2006-03-13 21:31:08 UTC
No further response from customer.
Appears to have been a configuration problem
Closing bug

Comment 7 Chandrasekar Kannan 2008-08-11 23:42:58 UTC
Bug already CLOSED. setting screened+ flag
