directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom Rutchik (Jira)" <j...@apache.org>
Subject [jira] [Created] (DIRSERVER-2286) Apacheds service will not start if kerberos is enable
Date Fri, 25 Oct 2019 20:27:00 GMT
Tom Rutchik created DIRSERVER-2286:
--------------------------------------

             Summary: Apacheds service will not start if kerberos is enable
                 Key: DIRSERVER-2286
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2286
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 2.0.0.AM25
         Environment: Linux Mint 19.2
apacheds-2.0.0.AM25
            Reporter: Tom Rutchik
         Attachments: apacheds.log, apacheds.service, config.ldif, wrapper.log

Apacheds service will not startup if kerberos is enabled.  I've configured the service to
run under the linux user account "apacheds".  Since it's not running under root, the LAPD
service is configured to use port 10389 and the LDAPS service is configured to use port 10636;
similarly the Kerberos server is configured to use port 60088 and the Change Password Kerberos
server is configured to use port 60464.

I've attached the /lib/systemd/system/apacheds.service description file, but here's what it
contains:

[Service]
Type=forking
User=apacheds
Group=apacheds
EnvironmentFile=/etc/default/apacheds
ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
PrivateTmp=true

 

If you look at either the apacheds.log or wrapper.log you'll see the error says:

java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied

So that should be pretty obvious as to what's wrong.  It says that I trying to bind to port
88 instead port 60088 which is the port that using for the Kerberos Server.

If I check the status of the Kerberos sever, here's what it says:

tom@Phinney:~$ systemctl status krb5-kdc
● krb5-kdc.service - Kerberos 5 Key Distribution Center
 Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
 Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
 Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited,
status=0/SUCCESS)
 Main PID: 1154 (krb5kdc)
 Tasks: 1 (limit: 4915)
 CGroup: /system.slice/krb5-kdc.service
 └─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.10750
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.10750
Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution Center.

It seems to me, that the Kerberos started up and is using the ports that I told it to use.
I'm not sure what port 10750 is being used for, but I believe that Kerberos uses that port
internally.  This only other thing I'm not sure or is what the setsockopt message with IPV6_ONLY
is trying to tell me.  (Does that mean I don't have an IPV4 connection to Kerberos?  If
that's the case, it certainly might explain what's going on; but I don't see any configuration
parameter related to Kerberos that restricts me to IPV6 only)

So how I interpret what I'm seeing is that the apacheds service is failing to start since
it doesn't have the permission to bind to port 88.  That is correct since my user account
"apacheds" is not a sudo user. By why is the LAPD server trying to use port 88 instead of
port 60088 as it's configured. I've looked all around to see if I can find a reference to
port 88, and all I find is 60088.

If I disable the Kerberos server from the ApacheDS service , the LAPD service starts up fine.

My suspicion is the the LADP service is  hard wired to on try to bind to port 88, regardless
of configuration.

Here's one more interesting thing.  The documentation you see now is the service starting
up as a system daemon.  So what errors do I get if I now manually try to start the apacheds
service.  This time, kerberos service is already running, will that make a difference? 
From a shell, I execute:

 /opt/apacheds-2.0.0.AM25/bin/apacheds start default
Password: 
Starting ApacheDS - default...

The result is that I still connect to the ladp service, and both apache.log and wrapper.log
shows the same result:

java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied

If I then do:

netstat -tulpn

I see that there is a LISTENer for all my configured kerberos ports, but no listener for the
ldap service port.

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


Mime
View raw message