ITS#6681

35aebadf · Quanah Gibson-Mount · 9fd0ad6f · 35aebadf · 35aebadf
Commit 35aebadf authored Jan 04, 2011 by Quanah Gibson-Mount
--- a/CHANGES
+++ b/CHANGES
@@ -87,6 +87,7 @@ OpenLDAP 2.4.24 Engineering
 		Fixed slapd-tester filter initialization (ITS#6735)
 		Removed antiquated SunOS LWP support (ITS#6669)
 	Documentation
+		admin24 guide fix examples (ITS#6681)
 		admin24 guide typo fixes (ITS#6609)
 		admin24 guide refint rootdn requirement (ITS#6364)
 		ldap_open(3) document ldap_set_urllist_proc (ITS#6601)

--- a/doc/guide/admin/appendix-common-errors.sdf
+++ b/doc/guide/admin/appendix-common-errors.sdf
@@ -532,7 +532,8 @@ beyond reach of intruders.

 That's why the default keytab file is owned by root and protected from being 
 read by others. Do not mess with these permissions, build a different keytab 
-file for slapd instead.
+file for slapd instead, and make sure it is owned by the user that slapd
+runs as.

 To do this, start kadmin, and enter the following commands:

@@ -541,7 +542,7 @@ To do this, start kadmin, and enter the following commands:

 Then, on the shell, do:

->     chown ldap.ldap /etc/openldap/ldap.keytab
+>     chown ldap:ldap /etc/openldap/ldap.keytab
 >     chmod 600 /etc/openldap/ldap.keytab 

 Now you have to tell slapd (well, actually tell the gssapi library in Kerberos 5 
@@ -636,9 +637,9 @@ values of <n>.
 H3: ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed

 This seems to be related with wrong ownership of the BDB's dir (/var/lib/ldap) 
-and files.
+and files. The files must be owned by the user that slapd runs as.

->    chmod -R openldap:openldap /var/lib/ldap 
+>    chown -R ldap:ldap /var/lib/ldap 

 fixes it in Debian