Directory ApacheDS
DIRSERVER-2286

Apacheds service will not start if kerberos is enable


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.0.AM25
    • Fix Version/s: 2.0.0.AM27
    • Component/s: kerberos
    • Labels: None
    • Environment: Linux Mint 19.2, apacheds-2.0.0.AM25

    Description

      Apacheds service will not start up if kerberos is enabled.  I've configured the service to run under the linux user account "apacheds".  Since it's not running under root, the LDAP service is configured to use port 10389 and the LDAPS service is configured to use port 10636; similarly the Kerberos server is configured to use port 60088 and the Change Password Kerberos server is configured to use port 60464.

      I've attached the /lib/systemd/system/apacheds.service description file, but here's what it contains:

      [Service]
      Type=forking
      User=apacheds
      Group=apacheds
      EnvironmentFile=/etc/default/apacheds
      ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
      PrivateTmp=true


      If you look at either the apacheds.log or wrapper.log you'll see the error says:

      java.io.IOException: Error while binding on /0.0.0.0:88
      original message : Permission denied

      So that should be pretty obvious as to what's wrong.  It says that I'm trying to bind to port 88 instead of port 60088, which is the port that I'm using for the Kerberos server.

      If I check the status of the Kerberos server, here's what it says:

      tom@Phinney:~$ systemctl status krb5-kdc
      ● krb5-kdc.service - Kerberos 5 Key Distribution Center
      Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
      Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
      Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
      Main PID: 1154 (krb5kdc)
      Tasks: 1 (limit: 4915)
      CGroup: /system.slice/krb5-kdc.service
      └─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

      Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
      Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.10750
      Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.10750
      Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
      Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.60088
      Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.60088
      Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
      Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
      Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
      Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution Center.

      It seems to me that the Kerberos started up and is using the ports that I told it to use. I'm not sure what port 10750 is being used for, but I believe that Kerberos uses that port internally.  The only other thing I'm not sure of is what the setsockopt message with IPV6_ONLY is trying to tell me.  (Does that mean I don't have an IPV4 connection to Kerberos?  If that's the case, it certainly might explain what's going on; but I don't see any configuration parameter related to Kerberos that restricts me to IPV6 only.)

      So how I interpret what I'm seeing is that the apacheds service is failing to start since it doesn't have the permission to bind to port 88.  That is correct since my user account "apacheds" is not a sudo user. But why is the LDAP server trying to use port 88 instead of port 60088 as it's configured? I've looked all around to see if I can find a reference to port 88, and all I find is 60088.

      If I disable the Kerberos server from the ApacheDS service, the LDAP service starts up fine.

      My suspicion is that the LDAP service is hard-wired to try to bind to port 88, regardless of configuration.

      Here's one more interesting thing.  The documentation you see above is the service starting up as a system daemon.  So what errors do I get if I now manually try to start the apacheds service?  This time the kerberos service is already running; will that make a difference?  From a shell, I execute:

       /opt/apacheds-2.0.0.AM25/bin/apacheds start default
      Password:
      Starting ApacheDS - default...

      The result is that I still connect to the ldap service, and both apache.log and wrapper.log show the same result:

      java.io.IOException: Error while binding on /0.0.0.0:88
      original message : Permission denied

      If I then do:

      netstat -tulpn

      I see that there is a listener for all my configured kerberos ports, but no listener for the ldap service port.
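A small pre-flight check that makes the reporter's reading of the error concrete, added here as an example and not part of the report or of the ApacheDS project: it reads the unit's User= line, pulls the port out of the "Error while binding on" line, and flags any bind below 1024 by a non-root user, which Linux refuses unless the process holds CAP_NET_BIND_SERVICE (systemd can grant that with AmbientCapabilities=CAP_NET_BIND_SERVICE, the alternative to running as root or keeping every port above 1024). The unit text and log line are constructed from the snippets in the description; the function names are my own and not an ApacheDS interface.

```shell
#!/bin/sh
# Added example (not from ApacheDS or the bug reporter): check whether a
# systemd service user is allowed to bind the port the server actually tried.

# Unit file content, constructed from the snippet in the report.
UNIT='[Service]
Type=forking
User=apacheds
Group=apacheds
EnvironmentFile=/etc/default/apacheds
ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
PrivateTmp=true'

# Log line, constructed from the apacheds.log excerpt in the report.
LOGLINE='java.io.IOException: Error while binding on /0.0.0.0:88'

# Print the User= value of a unit file read from stdin; systemd defaults to root.
unit_user() {
    u=$(sed -n 's/^User=//p' | head -n 1)
    printf '%s\n' "${u:-root}"
}

# Extract the port from an "Error while binding on host:port" line.
bind_port_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Error while binding on [^:]*:\([0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when USER would need CAP_NET_BIND_SERVICE to bind PORT:
# any non-root user and any port below 1024. Non-numeric ports are rejected.
needs_capability() {
    user=$1; port=$2
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$user" != root ] && [ "$port" -lt 1024 ]
}

# Classify one bind attempt as "ok" or "privileged-port".
classify_bind() {
    if needs_capability "$1" "$2"; then echo privileged-port; else echo ok; fi
}

main() {
    user=$(printf '%s\n' "$UNIT" | unit_user)
    port=$(bind_port_from_log "$LOGLINE")
    echo "unit runs as: $user"
    echo "failed bind port from log: $port -> $(classify_bind "$user" "$port")"
    # The ports the reporter configured are all unprivileged and would be fine:
    for p in 10389 10636 60088 60464; do
        echo "configured port $p -> $(classify_bind "$user" "$p")"
    done
}
main
```

Running it reports port 88 as privileged for the apacheds user while every configured port (10389, 10636, 60088, 60464) is fine, which is exactly the mismatch the description points at: the unit and the configuration agree, but the bind attempt does not match either. The same two-line check (who the unit runs as, what port the log names) is worth keeping in a start-up smoke test for any daemon moved off root.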


      Attachments

        1. apacheds.service (0.9 kB, Tom Rutchik)
        2. config.ldif (28 kB, Tom Rutchik)
        3. wrapper.log (6 kB, Tom Rutchik)
        4. apacheds.log (3 kB, Tom Rutchik)

      People

        Assignee: Unassigned
        Reporter: Tom Rutchik (tom@phinneyridge.com)