
Re: slapd chroot jail problem

Hi again
I'm still trying to put the ldap server in a chroot jail.

I've created all files on the jail

$ ls
bin  dev  etc  home  lib  tmp  usr  var

and copied there all libraries, all binaries, all config files, all schemas 
(there is a list of the files at the end of this mail). But when I try to 
start slapd with "-r /home/slapd" it still gives "error loading ucdata (error 
-127)" (full log at the end of the mail)

My config file (I'm sure it's reading /home/slapd/etc/ldap/slapd.conf) is a 
default debian config file, with
modulepath      /usr/lib/ldap
moduleload      back_bdb

and the main database

database        bdb
suffix          "dc=mydomain,dc=com"
directory       "/var/lib/ldap"

Does anyone know what I'm doing wrong, or where I should look to find the 
solution? I've found nothing about jailing slapd :(

Thanks in advance

FILES ON /home/slapd
$ find

Starting OpenLDAP: slapd - failed:
@(#) $OpenLDAP: slapd 2.1.25 (Feb 23 2004 10:42:10)
daemon_init: ldap:/// ldaps:///
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not 
supported by protocol)
daemon: initialized ldap:/// ldap_url_parse_ext(ldaps:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not 
supported by protocol)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
ldap_pvt_gethostbyname_a: host=orc, r=0
ldap_pvt_gethostbyname_a: host=orc, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
reading config file /etc/ldap/slapd.conf line 11 
(include /etc/ldap/schema/core.schema)
reading config file /etc/ldap/schema/core.schema line 37 (attributetype 
( NAME 'knowledgeInformation' DESC 'RFC2256
line 46 (attributetype ( NAME ( 'sn' 'surname' ) DESC 'RFC2256: last 
(family) name(s) for which the entity is known
line 52 (attributetype ( NAME 'serialNumber' DESC 'RFC2256: serial 
number of the entity' EQUALITY caseIgnoreMatch S
line 56 (attributetype ( NAME ( 'c' 'countryName' ) DESC 'RFC2256: 
ISO-3166 country 2-letter code' SUP name SINGLE-
line 60 (attributetype ( NAME ( 'l' 'localityName' ) DESC 'RFC2256: 
locality which this object resides in' SUP name
line 64 (attributetype ( NAME ( 'st' 'stateOrProvinceName' ) DESC 
'RFC2256: state or province which this object res
line 509 (attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 
'domainComponent' ) DESC 'RFC1274/2247: domain component'
line 514 (objectclass ( NAME 'dcObject' DESC 'RFC2247: 
domain component object' SUP top AUXILIARY MUST
line 519 (objectclass ( NAME 'uidObject' DESC 'RFC2377: uid 
object' SUP top AUXILIARY MUST uid ))
line 527 (attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' 
DESC 'RFC1274: domain associated with object'
line 535 (attributetype ( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' 
'pkcs9email' ) DESC 'RFC2459: legacy attribute
>>> dnNormalize: <cn=Subschema> => ldap_bv2dn(cn=Subschema,0) <= 
ldap_bv2dn(cn=Subschema,0)=0 => ldap_dn2bv(272) <= ldap_dn
<<< dnNormalize: <cn=subschema>
error loading ucdata (error -127)
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

On Tuesday, 23 March 2004 19:11, Tomàs Núñez Lirola wrote:
> Hi
> I've installed an ldap server (just apt-get install slapd). I did some
> changes to default installation, like
>   adduser slapd
>   chown -R slapd.slapd /etc/ldap
>   chmod 770 /etc/ldap
>   find /etc/ldap -type f -exec chmod 440 {} \;
>   find /etc/ldap -type d -exec chmod 770 {} \;
>   chown -R slapd.slapd /var/lib/ldap
>   chmod 750 /var/lib/ldap
>   rm /var/lib/ldap/*
>   chown -R slapd.slapd /var/spool/slurpd
>   rm /var/spool/slurpd/*
> then I added to "/etc/default/slapd"
> SLAPD_USER=slapd
> And then I read about "-r" parameter. I thought "-r" would be a better
> approach than the one I was trying. So I added to /etc/default/slapd"
> SLAPD_OPTIONS="-r /home/slapd"
> I added this to have slapd chrooted to /home/slapd. But when I did this and
> tried to restart slapd, I get the error:
> "No passwd entry for user slapd"
> "Of course", I thought, "man says 'slapd will chroot to this directory
> after opening listeners but before reading any configuration files or
> initializing any backends', so slapd has no access to /etc/passwd, and
> can't see slapd entry.". Then I copied /etc/passwd and /etc/shadow (just in
> case)
> to /home/slapd/etc/passwd, and I got the same error. Then I copied them
> to /home/slapd/passwd, and got the same error.
> So I thought "I will make slapd start chrooted and after I will search how
> to change user". Then I removed SLAPD_USER and SLAPD_GROUP
> from /etc/default/slapd, and tried to start slapd.
> Now the error is different:
> "error loading ucdata (error -127)"
> So I'm sure the chroot makes slapd unable to find these files, but I copied
> them just as if "/home/slapd" were "/" and I see no difference :(
> So does someone have some info about this parameter of slapd? Where is it
> looking for these files with this config?
> I've looked at the admin's guide, and the FAQs, and the man pages and I've
> found nothing. Can any of you help me, please?
> PS: I'm writing down everything I'm doing to get slapd running securely. When
> I'm done, I'll send it to you. Help will be appreciated ;)
