All,
Trying to switch to slapd.conf instead of dynamic configuration in order to test the back-sql backend, I ran into a problem with SELinux that I do not understand.
The startup fails with the error:
/etc/openldap/slapd.conf: line 27: invalid path: Permission denied
Disabling SELinux fixes the problem, however I'm not sure what is going on. The line in question is naturally the "directory" that points in this case to /var/lib/ldap. That directory is a hand-made clone of the original one that was there which was moved (renamed) out of the way. Here is what I did:
mv /etc/openldap/slapd.d /etc/openldap/slapd.d.BAK
mv /var/lib/ldap /var/lib/ldap.BAK
mkdir /var/lib/ldap
chown ldap:ldap /var/lib/ldap
chmod 700 /var/lib/ldap
create a simple /etc/openldap/slapd.conf
The ownership and permissions on ldap and ldap.BAK directories are identical. OpenLDAP works fine if I disable SELinux.
What is SELinux doing here?
On 01/17/2013 07:11 AM, Ori Bani wrote:
> All,
> Trying to switch to slapd.conf instead of dynamic configuration in order to test the back-sql backend, I ran into a problem with SELinux that I do not understand.
> The startup fails with the error:
> /etc/openldap/slapd.conf: line 27: invalid path: Permission denied
They probably have the wrong labels since you created new directories. So SELinux does what it then should do: block. Did you do a restorecon on the new directories?
# restorecon -v -F -R /etc/openldap
# restorecon -v -F -R /var/lib/ldap
The reason that SELinux blocks something should show up as an AVC in /var/log/audit/auditd.log.
Regards, Patrick
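The diagnosis Patrick describes (a hand-made directory inherits the wrong label, SELinux denies access, the AVC lands in the audit log, restorecon relabels it) worked through as an added shell example. This is not code from the thread or from the OpenLDAP project. The AVC line is constructed for illustration, and the contexts in it (slapd_t for the daemon, var_lib_t as the inherited label of a freshly created /var/lib/ldap, slapd_db_t as the label the policy expects) are assumptions about a typical targeted policy, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decode an AVC denial and check/fix labels.

# Constructed sample AVC line (assumption: what a mislabelled /var/lib/ldap
# typically produces; the real line would come from /var/log/audit/audit.log
# or from `ausearch -m avc -c slapd`).
SAMPLE_AVC='type=AVC msg=audit(1358400000.123:456): avc:  denied  { read } for  pid=1234 comm="slapd" name="ldap" dev="dm-0" ino=131 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'

# avc_field NAME LINE: print the value of "NAME=value" from an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type (third field) of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc LINE: one-line reading of a denial, e.g.
# "slapd_t denied read on var_lib_t (dir)". The target type is the thing to
# compare against what the policy expects for the path (see check_and_relabel).
summarize_avc() {
    line=$1
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p')
    printf '%s denied %s on %s (%s)\n' "$src" "$perms" "$tgt" "$cls"
}

# check_and_relabel PATH: compare the label a path actually carries (stat %C)
# with the label the loaded policy assigns to it (matchpathcon -n); if they
# differ, run the restorecon from the thread. Only meaningful on a SELinux host
# with policycoreutils installed; returns 2 when the tools are missing.
check_and_relabel() {
    path=$1
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not found" >&2; return 2; }
    expected=$(matchpathcon -n "$path")
    actual=$(stat -c %C "$path")
    if [ "$expected" != "$actual" ]; then
        echo "$path: has $actual, policy expects $expected; relabelling"
        restorecon -v -F -R "$path"
    else
        echo "$path: label OK ($actual)"
    fi
}

# Usage on the box from the thread (commented out so the script runs anywhere):
# summarize_avc "$(ausearch -m avc -c slapd -ts recent | grep '^type=AVC' | tail -1)"
# check_and_relabel /var/lib/ldap
# check_and_relabel /etc/openldap
summarize_avc "$SAMPLE_AVC"
```

Reading the summary line first tells you whether the fix is a relabel (target type is a generic label such as var_lib_t or etc_t on a path the policy has a specific type for) or a genuine policy gap; only the former is solved by restorecon, and `matchpathcon` gives you the expected label without guessing.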
On Wed, Jan 16, 2013 at 10:40 PM, Patrick Lists openldap-list@puzzled.xs4all.nl wrote:
> On 01/17/2013 07:11 AM, Ori Bani wrote:
>> All,
>> Trying to switch to slapd.conf instead of dynamic configuration in order to test the back-sql backend, I ran into a problem with SELinux that I do not understand.
>> The startup fails with the error:
>> /etc/openldap/slapd.conf: line 27: invalid path: Permission denied
> They probably have the wrong labels since you created new directories. So SELinux does what it then should do: block. Did you do a restorecon on the new directories?
> # restorecon -v -F -R /etc/openldap
> # restorecon -v -F -R /var/lib/ldap
> The reason that SELinux blocks something should show up as an AVC in /var/log/audit/auditd.log.
Thank you, this of course did the trick.
As of version 2.4.27, I believe back-sql supports dynamic configuration, so there's no need to switch to slapd.conf.
See http://www.openldap.org/software/release/changes.html :
OpenLDAP 2.4.27 Release (2011/11/24)
Added slapd-sql dynamic config support
On 17/01/2013 07:11, Ori Bani wrote:
> All,
> Trying to switch to slapd.conf instead of dynamic configuration in order to test the back-sql backend, I ran into a problem with SELinux that I do not understand.
> The startup fails with the error:
> /etc/openldap/slapd.conf: line 27: invalid path: Permission denied
> Disabling SELinux fixes the problem, however I'm not sure what is going on. The line in question is naturally the "directory" that points in this case to /var/lib/ldap. That directory is a hand-made clone of the original one that was there which was moved (renamed) out of the way. Here is what I did:
> mv /etc/openldap/slapd.d /etc/openldap/slapd.d.BAK
> mv /var/lib/ldap /var/lib/ldap.BAK
> mkdir /var/lib/ldap
> chown ldap:ldap /var/lib/ldap
> chmod 700 /var/lib/ldap
> create a simple /etc/openldap/slapd.conf
> The ownership and permissions on ldap and ldap.BAK directories are identical. OpenLDAP works fine if I disable SELinux.
> What is SELinux doing here?
openldap-technical@openldap.org