Posted to users@directory.apache.org by Alex Karasulu <ak...@apache.org> on 2007/10/05 17:44:24 UTC

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Hi Markus,

Yes you're right about this being a permission issue.  Good catch!  I don't
know what it would take to enable a non-root user to bind to a port below
1024 but we have to figure this one out to modify the installer.

Could you push a JIRA issue about this and we'll make sure we nip this in
the bud on the next release.

This is a high priority issue since it prevents using the server on 389 and
probably on 636 with LDAPS.

Alex

On 10/5/07, Markus Pohle <ap...@webunity.de> wrote:
>
>
> Hi List Member,
>
> I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun
> JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.
>
> Right after installation I configured the server.xml for the default
> partition, that can be found under the following path:
> /var/lib/apacheds/default/conf/
>
> I configured my own partition and switched the ldap port from 10389 to
> 389 and then tried to start ApacheDS with this command:
> [root@apacheds2 conf]# /etc/init.d/apacheds start default
> Starting Apache Directory Server - default...
>
> What I get is this in the logfiles under /var/log/apacheds/default
> [17:02:23] ERROR [org.apache.directory.server.jndi.ServerContextFactory] - Failed to bind an LDAP service (389) to the service registry.
> java.net.SocketException: Permission denied
>         at sun.nio.ch.Net.bind(Native Method)
>         at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:119)
>         at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:59)
>         at org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(SocketAcceptor.java:365)
>         at org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(SocketAcceptor.java:55)
>         at org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(SocketAcceptor.java:224)
>         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>         at java.lang.Thread.run(Thread.java:595)
> [17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed on null.init(InstallationLayout, String[])
> org.apache.directory.shared.ldap.exception.LdapConfigurationException: Failed to bind an LDAP service (389) to the service registry. [Root exception is java.net.SocketException: Permission denied]
>         at org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(ServerContextFactory.java:577)
>         at org.apache.directory.server.jndi.ServerContextFactory.startLDAP(ServerContextFactory.java:511)
>         at org.apache.directory.server.jndi.ServerContextFactory.afterStartup(ServerContextFactory.java:306)
>         at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:266)
>         at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:124)
>
>
> I think (or better I am sure) this is because all ports lower than
> 1024 belong to the root user and the script from /etc/init.d/apacheds
> tries to start the default partition as the apacheds user - and this user
> is not allowed to bind port 389.
>
> Can anybody please help me with that?
> TIA
> Markus Pohle
>
>
>
>
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Chris Custine <cc...@apache.org>.
The problem with Java is that we can't change effective userid after the
startup phase where we allocate the privileged ports as root.  For the time
being, the startup wrapper seems to be making it difficult to change this on
a per instance basis but it can be done for the entire server installation
as I outlined in my other response.  I will look at a way to make this easier
to run as root on a per instance basis, but I also happen to think running
as root is a universally bad idea and I will document how to make this work
on Linux installs with iptables.

Chris

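The iptables approach Chris mentions, as an added example that is not from the ApacheDS project or this thread: the server keeps binding its unprivileged ports as the apacheds user, and the kernel redirects the privileged ones to them. It assumes iptables with the nat table and that server.xml keeps the listeners on 10389 (the default) and 10636 (an assumed LDAPS port).

```shell
#!/bin/sh
# Added example, not from the ApacheDS project or this thread: send the
# privileged LDAP/LDAPS ports to the unprivileged ports ApacheDS binds to, so
# the server can keep running as the 'apacheds' user instead of root.
# Assumptions: iptables with the nat table, and server.xml keeping the
# unprivileged listeners on 10389 (the default) and 10636.

# Print (DRY_RUN=1) or apply one REDIRECT rule.
# Usage: redirect_rule CHAIN PRIVILEGED_PORT TARGET_PORT
redirect_rule() {
    chain="$1"; from="$2"; to="$3"
    case "$chain" in
        PREROUTING) iface="" ;;          # connections from remote clients
        OUTPUT)     iface="-o lo " ;;    # connections made on the server itself
        *) echo "unknown nat chain: $chain" >&2; return 1 ;;
    esac
    rule="-t nat -A $chain ${iface}-p tcp --dport $from -j REDIRECT --to-ports $to"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $rule"
        return 0
    fi
    # Idempotent: iptables -C reports whether an identical rule already exists.
    if iptables -t nat -C "$chain" $iface -p tcp --dport "$from" -j REDIRECT --to-ports "$to" 2>/dev/null; then
        return 0
    fi
    iptables $rule
}

# Redirect LDAP (389 -> 10389) and LDAPS (636 -> 10636) for remote and local clients.
ldap_redirects() {
    for spec in "389 10389" "636 10636"; do
        set -- $spec
        redirect_rule PREROUTING "$1" "$2" || return 1
        redirect_rule OUTPUT "$1" "$2" || return 1
    done
}
```

Run `ldap_redirects` once as root at boot (for instance from /etc/init.d/apacheds before the instance starts); with DRY_RUN=1 it only prints the rules. The 10389 and 10636 listeners remain directly reachable as well, so restrict them in the filter table if clients must use 389 and 636 only.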

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Alex Karasulu <ak...@apache.org>.
Oh and forget about Kerberos and changepasswd which at this point can only
run on default ports.
These will not run at all so I would say this is a very critical issue which
must be fixed asap.

Alex
