
Re: slapd chroot jail problem



Hi again
I'm still trying to put the ldap server in a chroot jail.

I've created all the files in the jail

$ ls
bin  dev  etc  home  lib  tmp  usr  var

and copied all the libraries, binaries, config files and schemas there 
(there is a list of the files at the end of this mail). But when I try to 
start slapd with "-r /home/slapd" it still gives "error loading ucdata (error 
-127)" (full log at the end of the mail).

My config file (I'm sure it's reading /home/slapd/etc/ldap/slapd.conf) is a 
default debian config file, with
modulepath      /usr/lib/ldap
moduleload      back_bdb

and the main database

database        bdb
suffix          "dc=mydomain,dc=com"
directory       "/var/lib/ldap"

Does anyone know what I'm doing wrong, or where I should look to find the 
solution? I've found nothing about jailing slapd :(

Thanks in advance

FILES ON /home/slapd
$ find
.
./.bashrc
./.bash_profile
./.bash_history
./dev
./dev/null
./dev/urandom
./lib
./lib/i686
./lib/libm.so.6
./lib/libnsl.so.1
./lib/libcrypt.so.1
./lib/libresolv.so.2
./lib/libpthread.so.0
./lib/libdl.so.2
./lib/libwrap.so.0
./lib/libc.so.6
./lib/ld-linux.so.2
./lib/libnss_compat-2.3.2.so
./lib/libnss_compat.so.2
./lib/libnss_dns-2.3.2.so
./lib/libnss_dns.so.2
./lib/libnss_files-2.3.2.so
./lib/libnss_files.so.2
./etc
./etc/ldap
./etc/ldap/ldap.conf
./etc/ldap/ldapfilter.conf
./etc/ldap/ldapsearchprefs.conf
./etc/ldap/ldaptemplates.conf
./etc/ldap/schema
./etc/ldap/schema/corba.schema
./etc/ldap/schema/amavis.schema
./etc/ldap/schema/core.schema
./etc/ldap/schema/cosine.schema
./etc/ldap/schema/inetorgperson.schema
./etc/ldap/schema/java.schema
./etc/ldap/schema/misc.schema
./etc/ldap/schema/nis.schema
./etc/ldap/schema/openldap.schema
./etc/ldap/schema/README
./etc/ldap/slapd.conf
./etc/ldap/slapd.conf~
./etc/ssl
./etc/ssl/certs
./etc/ssl/certs/slapd.pem
./etc/passwd
./etc/group
./etc/resolv.conf
./etc/nsswitch.conf
./etc/localtime
./etc/hosts
./home
./home/slapd
./tmp
./bin
./bin/bash
./usr
./usr/sbin
./usr/sbin/slapd
./usr/share
./usr/share/slapd
./usr/share/slapd/fix_ldif
./usr/share/slapd/ldiftopasswd
./usr/share/slapd/slapd.conf
./usr/lib
./usr/lib/libtermcap.so
./usr/lib/libldap_r.so.2
./usr/lib/liblber.so.2
./usr/lib/libdb-4.2.so
./usr/lib/libiodbc.so.2
./usr/lib/libiodbcinst.so.2
./usr/lib/libslp.so.1
./usr/lib/libsasl2.so.2
./usr/lib/libgnutls.so.10
./usr/lib/libtasn1.so.2
./usr/lib/libgcrypt.so.7
./usr/lib/libgpg-error.so.0
./usr/lib/libz.so.1
./usr/lib/libltdl.so.3
./usr/lib/ldap
./usr/lib/ldap/back_bdb.so
./usr/lib/ldap/back_bdb.so.2
./usr/lib/ldap/back_bdb.so.2.0.125
./usr/lib/ldap/back_dnssrv.so
./usr/lib/ldap/back_dnssrv.so.2
./usr/lib/ldap/back_dnssrv.so.2.0.125
./usr/lib/ldap/back_ldap.so
./usr/lib/ldap/back_ldap.so.2
./usr/lib/ldap/back_ldap.so.2.0.125
./usr/lib/ldap/back_ldbm.so
./usr/lib/ldap/back_ldbm.so.2
./usr/lib/ldap/back_ldbm.so.2.0.125
./usr/lib/ldap/back_meta.so
./usr/lib/ldap/back_meta.so.2
./usr/lib/ldap/back_meta.so.2.0.125
./usr/lib/ldap/back_monitor.so
./usr/lib/ldap/back_monitor.so.2
./usr/lib/ldap/back_monitor.so.2.0.125
./usr/lib/ldap/back_null.so
./usr/lib/ldap/back_null.so.2
./usr/lib/ldap/back_null.so.2.0.125
./usr/lib/ldap/back_passwd.so
./usr/lib/ldap/back_passwd.so.2
./usr/lib/ldap/back_passwd.so.2.0.125
./usr/lib/ldap/back_shell.so
./usr/lib/ldap/back_shell.so.2
./usr/lib/ldap/back_shell.so.2.0.125
./usr/lib/ldap/back_sql.so
./usr/lib/ldap/back_sql.so.2
./usr/lib/ldap/back_sql.so.2.0.125
./var
./var/run
./var/log
./var/lib
./var/lib/ldap
./var/lib/ldap/__db.001
./var/lib/ldap/__db.002
./var/lib/ldap/__db.003
./var/lib/ldap/__db.004
./var/lib/ldap/__db.005
./var/lib/ldap/log.0000000001
./var/lib/ldap/id2entry.bdb
./var/lib/ldap/dn2id.bdb
./var/lib/ldap/objectClass.bdb



FULL ERROR LOG
Starting OpenLDAP: slapd - failed:
@(#) $OpenLDAP: slapd 2.1.25 (Feb 23 2004 10:42:10)
$ 
@pulsar:/home/torsten/packages/openldap/release-2.1.26-1/openldap2-2.1.26/debian/build/servers/slapd
daemon_init: ldap:/// ldaps:///
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not 
supported by protocol)
daemon: initialized ldap:/// ldap_url_parse_ext(ldaps:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not 
supported by protocol)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
ldap_pvt_gethostbyname_a: host=orc, r=0
ldap_pvt_gethostbyname_a: host=orc, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
reading config file /etc/ldap/slapd.conf line 11 
(include /etc/ldap/schema/core.schema)
reading config file /etc/ldap/schema/core.schema line 37 (attributetype 
( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256
line 46 (attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last 
(family) name(s) for which the entity is known
line 52 (attributetype ( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial 
number of the entity' EQUALITY caseIgnoreMatch S
line 56 (attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC2256: 
ISO-3166 country 2-letter code' SUP name SINGLE-
line 60 (attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) DESC 'RFC2256: 
locality which this object resides in' SUP name
line 64 (attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) DESC 
'RFC2256: state or province which this object res
.
.
.
line 509 (attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 
'domainComponent' ) DESC 'RFC1274/2247: domain component'
line 514 (objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: 
domain component object' SUP top AUXILIARY MUST
line 519 (objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid 
object' SUP top AUXILIARY MUST uid ))
line 527 (attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' 
DESC 'RFC1274: domain associated with object'
line 535 (attributetype ( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' 
'pkcs9email' ) DESC 'RFC2459: legacy attribute
>>> dnNormalize: <cn=Subschema> => ldap_bv2dn(cn=Subschema,0) <= 
ldap_bv2dn(cn=Subschema,0)=0 => ldap_dn2bv(272) <= ldap_dn
<<< dnNormalize: <cn=subschema>
error loading ucdata (error -127)
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.


On Tuesday, 23 March 2004 19:11, Tomàs Núñez Lirola wrote:
> Hi
> I've installed an ldap server (just apt-get install slapd). I did some
> changes to default installation, like
>
>   adduser slapd
>   chown -R slapd.slapd /etc/ldap
>   chmod 770 /etc/ldap
>   find /etc/ldap -type f -exec chmod 440 {} \;
>   find /etc/ldap -type d -exec chmod 770 {} \;
>   chown -R slapd.slapd /var/lib/ldap
>   chmod 750 /var/lib/ldap
>   rm /var/lib/ldap/*
>   chown -R slapd.slapd /var/spool/slurpd
>   rm /var/spool/slurpd/*
>
> then I added to "/etc/default/slapd"
> SLAPD_USER=slapd
> SLAPD_GROUP=slapd
>
> And then I read about the "-r" parameter. I thought "-r" would be a better
> approach than the one I was trying. So I added to "/etc/default/slapd"
> SLAPD_OPTIONS="-r /home/slapd"
>
> I added this to have slapd chrooted to /home/slapd. But when I did this and
> tried to restart slapd, I get the error:
>
> "No passwd entry for user slapd"
>
> "Of course", I thought, "man says 'slapd will chroot to this directory
> after opening listeners but before reading any configuration files or
> initializing any backends', so slapd has no access to /etc/passwd, and
> can't see the slapd entry." Then I copied /etc/passwd and /etc/shadow (just in
> case)
> to /home/slapd/etc/passwd, and I got the same error. Then I copied them
> to /home/slapd/passwd, and got the same error.
>
> So I thought "I will make slapd start chrooted and afterwards I will search how
> to change user". Then I removed SLAPD_USER and SLAPD_GROUP
> from /etc/default/slapd, and tried to start slapd.
> Now the error is different:
> "error loading ucdata (error -127)"
>
> So I'm sure the chroot makes slapd unable to find these files, but I copied them
> just as if "/home/slapd" were "/" and I get no difference :(
>
> So, has anyone got some info about this parameter of slapd? Where is it
> looking for these files with this config?
>
> I've looked at the admin's guide, and the FAQs, and the man pages and I've
> found nothing. Can any of you help me, please?
>
> PS: I'm writing down everything I'm doing to get slapd running securely. When
> I'm done, I'll send it to you. Help will be appreciated ;)
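Two checks that are useful when a chrooted daemon refuses to start, added here as an example and not part of the original mail or of OpenLDAP. The first feeds the output of ldd through a function that reports every shared library that is absent from the jail, or present but different from the host copy. The second reads the copy of slapd.conf inside the jail and verifies that every "include" line resolves inside the jail, since the man page quoted above says slapd chroots before reading its configuration, so "/etc/ldap/schema/core.schema" means "/home/slapd/etc/ldap/schema/core.schema". The jail path /home/slapd, the binary /usr/sbin/slapd and the config path are taken from the mail; the ldd output and slapd.conf in the comments are constructed. One caveat the mail's own log illustrates: ldd only lists ELF dependencies, so a data file that the program opens at run time (the ucdata load that fails in the log is one) is invisible to it and needs a separate check of the kind the second function performs for includes.

```shell
#!/bin/sh
# Added example, not from the original mail or from OpenLDAP.
#   check_jail_libs JAIL < ldd-output     every shared library exists in JAIL
#   check_jail_includes JAIL CONF         every "include" in JAIL/CONF resolves in JAIL
# Usage on a real system (assumed paths from the mail):
#   ldd /usr/sbin/slapd | check_jail_libs /home/slapd
#   check_jail_includes /home/slapd /etc/ldap/slapd.conf

# Parse ldd output line by line (read strips the leading tab). Forms handled:
#   libX.so => /path/libX.so (0x...)     libX.so => not found
#   /lib/ld-linux.so.2 (0x...)           linux-gate.so.1 =>  (0x...)  (vdso, skipped)
# Prints one line per problem and returns 1 if there was any.
check_jail_libs() {
    jail=$1
    bad=0
    while read -r line; do
        case $line in
            *'=> not found'*)
                # the host itself cannot resolve this one; copying is not the fix
                echo "NOT FOUND ON HOST ${line%% =>*}"
                bad=$((bad + 1))
                continue ;;
            *'=>'*) path=${line#*=>}; path=${path%%\(*} ;;
            /*)     path=${line%%\(*} ;;
            *)      continue ;;
        esac
        # trim surrounding whitespace left by the pattern edits
        path=$(printf '%s' "$path" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $path in
            /*) ;;          # a real file system path
            *)  continue ;; # vdso entry or empty
        esac
        if [ ! -e "$jail$path" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
        elif [ -e "$path" ] && ! cmp -s "$path" "$jail$path"; then
            # a copy that differs from the host file is usually stale (library upgrade)
            echo "DIFFERS $path"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Read JAIL/CONF and check that each "include <path>" exists as JAIL<path>.
# Comment lines and other directives are ignored.
check_jail_includes() {
    jail=$1
    conf=$2
    bad=0
    if [ ! -r "$jail$conf" ]; then
        echo "MISSING $conf"
        return 1
    fi
    while read -r key value; do
        [ "$key" = include ] || continue
        if [ ! -e "$jail$value" ]; then
            echo "MISSING $value"
            bad=$((bad + 1))
        fi
    done < "$jail$conf"
    [ "$bad" -eq 0 ]
}

# Run both checks when invoked as: sh jailcheck.sh JAIL BINARY CONF
if [ "$#" -eq 3 ]; then
    ldd "$2" | check_jail_libs "$1"
    check_jail_includes "$1" "$3"
fi
```

Both functions print paths relative to the jail root, so each reported line is a file to copy (or, for a DIFFERS line, to re-copy) under the jail. A NOT FOUND ON HOST line means the binary cannot be resolved even outside the chroot, which is a packaging problem rather than a jail problem.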


