From 38d9e22b00cbf28648da453a610d23e534e1055b Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 23 Dec 2010 22:03:49 +0000 Subject: [PATCH] ITS#6681 fix examples. Hopefully admins are smart enough to insert the correct uid themselves. --- doc/guide/admin/appendix-common-errors.sdf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/guide/admin/appendix-common-errors.sdf b/doc/guide/admin/appendix-common-errors.sdf index 124853b5c0..9872917bce 100644 --- a/doc/guide/admin/appendix-common-errors.sdf +++ b/doc/guide/admin/appendix-common-errors.sdf @@ -532,7 +532,8 @@ beyond reach of intruders. That's why the default keytab file is owned by root and protected from being read by others. Do not mess with these permissions, build a different keytab -file for slapd instead. +file for slapd instead, and make sure it is owned by the user that slapd +runs as. To do this, start kadmin, and enter the following commands: @@ -541,7 +542,7 @@ To do this, start kadmin, and enter the following commands: Then, on the shell, do: -> chown ldap.ldap /etc/openldap/ldap.keytab +> chown ldap:ldap /etc/openldap/ldap.keytab > chmod 600 /etc/openldap/ldap.keytab Now you have to tell slapd (well, actually tell the gssapi library in Kerberos 5 @@ -636,9 +637,9 @@ values of . H3: ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed This seems to be related with wrong ownership of the BDB's dir (/var/lib/ldap) -and files. +and files. The files must be owned by the user that slapd runs as. -> chmod -R openldap:openldap /var/lib/ldap +> chown -R ldap:ldap /var/lib/ldap fixes it in Debian -- 2.39.5
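Review bot: In the first hunk (-532,7), the added ownership requirement lands directly before "To do this, start kadmin", so "this" now reads as if the kadmin commands also set the file owner. Ownership is only set by the chown step in the shell further down. Consider moving the new sentence to just before "Then, on the shell, do:", or rewording the lead-in so it says the kadmin commands create the keytab.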
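Review bot: In the second hunk (-541,7), the corrected line "chown ldap:ldap /etc/openldap/ldap.keytab" still hardcodes the account, while the text added in the first hunk says the keytab must be owned by "the user that slapd runs as". Combined with the "chmod 600" line that follows, a reader who copies this on a host where slapd runs under a different account ends up with a keytab that slapd cannot read. Suggest one sentence after the commands stating that ldap:ldap is an example and must be replaced with the actual slapd user and group, rather than relying on the reader to infer it.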
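Review bot: In the last hunk (-636,9), the account changes from openldap:openldap to ldap:ldap while the trailing context line still reads "fixes it in Debian", so the example may no longer match the distribution it names. Switching chmod to chown is correct, since chmod does not take an owner:group argument, but the account rename is a separate change. Either keep openldap:openldap for the Debian case, or drop the distribution reference and say the owner shown is an example, in line with the new sentence "The files must be owned by the user that slapd runs as."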