Posted to users@directory.apache.org by Markus Pohle <ap...@webunity.de> on 2007/10/05 17:09:24 UTC

[ApacheDS 1.5.1] try to start default partition on Linux with port 389

Hi List Member,

I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun  
JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.

Right after installation I configured the server.xml for the default  
partition, that can be found under the following path:
/var/lib/apacheds/default/conf/

I configured my own partition and switched the ldap port from 10389 to  
389 and then tried to start ApacheDS with this command:
[root@apacheds2 conf]# /etc/init.d/apacheds start default
Starting Apache Directory Server - default...

What I get is this in the logfiles under /var/log/apacheds/default
[17:02:23] ERROR [org.apache.directory.server.jndi.ServerContextFactory] - Failed to bind an LDAP service (389) to the service registry.
java.net.SocketException: Permission denied
         at sun.nio.ch.Net.bind(Native Method)
         at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:119)
         at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:59)
         at org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(SocketAcceptor.java:365)
         at org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(SocketAcceptor.java:55)
         at org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(SocketAcceptor.java:224)
         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)
         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
         at java.lang.Thread.run(Thread.java:595)
[17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed on null.init(InstallationLayout, String[])
org.apache.directory.shared.ldap.exception.LdapConfigurationException: Failed to bind an LDAP service (389) to the service registry. [Root exception is java.net.SocketException: Permission denied]
         at org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(ServerContextFactory.java:577)
         at org.apache.directory.server.jndi.ServerContextFactory.startLDAP(ServerContextFactory.java:511)
         at org.apache.directory.server.jndi.ServerContextFactory.afterStartup(ServerContextFactory.java:306)
         at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:266)
         at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:124)


I think (or better I am sure) this is because all ports lower than
1024 belong to the root user and the script from /etc/init.d/apacheds
tries to start the default partition as the apacheds user - and this user
is not allowed to bind port 389.

Can anybody please help me with that?
TIA
Markus Pohle





Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Chris Custine <cc...@apache.org>.
The problem with Java is that we can't change effective userid after the
startup phase where we allocate the privileged ports as root.  For the time
being, the startup wrapper seems to be making it difficult to change this on
a per instance basis but it can be done for the entire server installation
as I outlined in my other response.  I will look at a way to make this easier
to run as root on a per instance basis, but I also happen to think running
as root is a universally bad idea and I will document how to make this work
on Linux installs with iptables.

Chris

On 10/5/07, Alex Karasulu <ak...@apache.org> wrote:
>
> Oh and forget about Kerberos and changepasswd which at this point can only
> run on default ports.
> These will not run at all so I would say this is a very critical issue
> which
> must be fixed asap.
>
> Alex
>
> On 10/5/07, Alex Karasulu <ak...@apache.org> wrote:
> >
> > Hi Markus,
> >
> > Yes you're right about this being a permission issue.  Good catch!  I
> > don't know what it would take to enable a non-root user to bind to a
> > port below 1024 but we have to figure this one out to modify the
> > installer.
> >
> > Could you push a JIRA issue about this and we'll make sure we nip this
> > in the bud on the next release.
> >
> > This is a high priority issue since it prevents using the server on 389
> > and probably on 636 with LDAPS.
> >
> > Alex
> >
> > On 10/5/07, Markus Pohle <ap...@webunity.de> wrote:
> > >
> > >
> > > Hi List Member,
> > >
> > > I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun
> > > JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.
> > >
> > > Right after installation I configured the server.xml for the default
> > > partition, that can be found under the following path:
> > > /var/lib/apacheds/default/conf/
> > >
> > > I configured my own partition and switched the ldap port from 10389 to
> > > 389 and then tried to start ApacheDS with this command:
> > > [root@apacheds2 conf]# /etc/init.d/apacheds start default
> > > Starting Apache Directory Server - default...
> > >
> > > What I get is this in the logfiles under /var/log/apacheds/default
> > > [17:02:23] ERROR
> > > [org.apache.directory.server.jndi.ServerContextFactory ] - Failed to
> > > bind an LDAP service (389) to the service registry.
> > > java.net.SocketException: Permission denied
> > >          at sun.nio.ch.Net.bind(Native Method)
> > >          at
> > > sun.nio.ch.ServerSocketChannelImpl.bind (ServerSocketChannelImpl.java
> > > :119)
> > >          at sun.nio.ch.ServerSocketAdaptor.bind(
> ServerSocketAdaptor.java
> > > :59)
> > >          at
> > > org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(
> > > SocketAcceptor.java:365)
> > >          at
> > > org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(
> > > SocketAcceptor.java:55)
> > >          at
> > > org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(
> > > SocketAcceptor.java:224)
> > >          at
> > > org.apache.mina.util.NamePreservingRunnable.run(
> > > NamePreservingRunnable.java:39)
> > >          at
> > > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
> > > ThreadPoolExecutor.java:650)
> > >          at
> > > java.util.concurrent.ThreadPoolExecutor$Worker.run (
> > > ThreadPoolExecutor.java:675)
> > >          at java.lang.Thread.run(Thread.java:595)
> > > [17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed
> > > on null.init(InstallationLayout, String[])
> > > org.apache.directory.shared.ldap.exception.LdapConfigurationException:
> > > Failed to bind an LDAP service (389) to the service registry. [Root
> > > exception is java.n
> > > et.SocketException: Permission denied]
> > >          at
> > > org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(
> > > ServerContextFactory.java:577)
> > >          at
> > > org.apache.directory.server.jndi.ServerContextFactory.startLDAP(
> > > ServerContextFactory.java:511)
> > >          at
> > > org.apache.directory.server.jndi.ServerContextFactory.afterStartup (
> > > ServerContextFactory.java:306)
> > >          at
> > > org.apache.directory.server.core.DefaultDirectoryService.startup(
> > > DefaultDirectoryService.java:266)
> > >          at
> > >
> > >
> org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext
> (
> > > AbstractContextFactory.java:124)
> > >
> > >
> > > I think (or better I am sure) this is because all ports lower than
> > > 1024 belong to the root user and the script from /etc/init.d/apacheds
> > > tries to start the default partition as the apacheds user - and this user
> > > is not allowed to bind port 389.
> > >
> > > Can anybody please help me with that?
> > > TIA
> > > Markus Pohle
> > >
> > >
> > >
> > >
> > >
> >
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Alex Karasulu <ak...@apache.org>.
Oh and forget about Kerberos and changepasswd which at this point can only
run on default ports.
These will not run at all so I would say this is a very critical issue which
must be fixed asap.

Alex

On 10/5/07, Alex Karasulu <ak...@apache.org> wrote:
>
> Hi Markus,
>
> Yes you're right about this being a permission issue.  Good catch!  I
> don't know what it would take to enable a non-root user to bind to a
> port below 1024 but we have to figure this one out to modify the
> installer.
>
> Could you push a JIRA issue about this and we'll make sure we nip this
> in the bud on the next release.
>
> This is a high priority issue since it prevents using the server on 389
> and probably on 636 with LDAPS.
>
> Alex
>
> On 10/5/07, Markus Pohle <ap...@webunity.de> wrote:
> >
> >
> > Hi List Member,
> >
> > I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun
> > JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.
> >
> > Right after installation I configured the server.xml for the default
> > partition, that can be found under the following path:
> > /var/lib/apacheds/default/conf/
> >
> > I configured my own partition and switched the ldap port from 10389 to
> > 389 and then tried to start ApacheDS with this command:
> > [root@apacheds2 conf]# /etc/init.d/apacheds start default
> > Starting Apache Directory Server - default...
> >
> > What I get is this in the logfiles under /var/log/apacheds/default
> > [17:02:23] ERROR
> > [org.apache.directory.server.jndi.ServerContextFactory ] - Failed to
> > bind an LDAP service (389) to the service registry.
> > java.net.SocketException: Permission denied
> >          at sun.nio.ch.Net.bind(Native Method)
> >          at
> > sun.nio.ch.ServerSocketChannelImpl.bind (ServerSocketChannelImpl.java
> > :119)
> >          at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java
> > :59)
> >          at
> > org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(
> > SocketAcceptor.java:365)
> >          at
> > org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(
> > SocketAcceptor.java:55)
> >          at
> > org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(
> > SocketAcceptor.java:224)
> >          at
> > org.apache.mina.util.NamePreservingRunnable.run(
> > NamePreservingRunnable.java:39)
> >          at
> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
> > ThreadPoolExecutor.java:650)
> >          at
> > java.util.concurrent.ThreadPoolExecutor$Worker.run (
> > ThreadPoolExecutor.java:675)
> >          at java.lang.Thread.run(Thread.java:595)
> > [17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed
> > on null.init(InstallationLayout, String[])
> > org.apache.directory.shared.ldap.exception.LdapConfigurationException :
> > Failed to bind an LDAP service (389) to the service registry. [Root
> > exception is java.n
> > et.SocketException: Permission denied]
> >          at
> > org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(
> > ServerContextFactory.java:577)
> >          at
> > org.apache.directory.server.jndi.ServerContextFactory.startLDAP(
> > ServerContextFactory.java:511)
> >          at
> > org.apache.directory.server.jndi.ServerContextFactory.afterStartup (
> > ServerContextFactory.java:306)
> >          at
> > org.apache.directory.server.core.DefaultDirectoryService.startup(
> > DefaultDirectoryService.java:266)
> >          at
> >
> > org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(
> > AbstractContextFactory.java:124)
> >
> >
> > I think (or better I am sure) this is because all ports lower than
> > 1024 belong to the root user and the script from /etc/init.d/apacheds
> > tries to start the default partition as the apacheds user - and this user
> > is not allowed to bind port 389.
> >
> > Can anybody please help me with that?
> > TIA
> > Markus Pohle
> >
> >
> >
> >
> >
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Alex Karasulu <ak...@apache.org>.
Hi Markus,

Yes you're right about this being a permission issue.  Good catch!  I don't
know what it would take to enable a non-root user to bind to a port below
1024 but we have to figure this one out to modify the installer.

Could you push a JIRA issue about this and we'll make sure we nip this in
the bud on the next release.

This is a high priority issue since it prevents using the server on 389 and
probably on 636 with LDAPS.

Alex

On 10/5/07, Markus Pohle <ap...@webunity.de> wrote:
>
>
> Hi List Member,
>
> I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun
> JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.
>
> Right after installation I configured the server.xml for the default
> partition, that can be found under the following path:
> /var/lib/apacheds/default/conf/
>
> I configured my own partition and switched the ldap port from 10389 to
> 389 and then tried to start ApacheDS with this command:
> [root@apacheds2 conf]# /etc/init.d/apacheds start default
> Starting Apache Directory Server - default...
>
> What I get is this in the logfiles under /var/log/apacheds/default
> [17:02:23] ERROR
> [org.apache.directory.server.jndi.ServerContextFactory] - Failed to
> bind an LDAP service (389) to the service registry.
> java.net.SocketException: Permission denied
>          at sun.nio.ch.Net.bind(Native Method)
>          at
> sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:119)
>          at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java
> :59)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(
> SocketAcceptor.java:365)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(
> SocketAcceptor.java:55)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(
> SocketAcceptor.java:224)
>          at
> org.apache.mina.util.NamePreservingRunnable.run(
> NamePreservingRunnable.java:39)
>          at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
> ThreadPoolExecutor.java:650)
>          at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java
> :675)
>          at java.lang.Thread.run(Thread.java:595)
> [17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed
> on null.init(InstallationLayout, String[])
> org.apache.directory.shared.ldap.exception.LdapConfigurationException:
> Failed to bind an LDAP service (389) to the service registry. [Root
> exception is java.n
> et.SocketException: Permission denied]
>          at
> org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(
> ServerContextFactory.java:577)
>          at
> org.apache.directory.server.jndi.ServerContextFactory.startLDAP(
> ServerContextFactory.java:511)
>          at
> org.apache.directory.server.jndi.ServerContextFactory.afterStartup(
> ServerContextFactory.java:306)
>          at
> org.apache.directory.server.core.DefaultDirectoryService.startup(
> DefaultDirectoryService.java:266)
>          at
>
> org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext
> (AbstractContextFactory.java:124)
>
>
> I think (or better I am sure) this is because all ports lower than
> 1024 belong to the root user and the script from /etc/init.d/apacheds
> tries to start the default partition as the apacheds user - and this user
> is not allowed to bind port 389.
>
> Can anybody please help me with that?
> TIA
> Markus Pohle
>
>
>
>
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Alex Karasulu <ak...@apache.org>.
Thanks Chris for the feedback.

Alex

On 10/5/07, Chris Custine <cc...@apache.org> wrote:
>
> On 10/5/07, Alex Karasulu <ak...@apache.org> wrote:
> >
> > I like this tactic here. Is there some way to give a non-root user the
> > ability to bind to ports below 1024 on UNIX?  I looked for this once
> > before but never found a way.
>
>
> Sorry, we keep crossing posts!  The only way is via a setuid call after
> opening the ports as root, and we can't do that in Java so this comes from
> my bag of security tricks for Java apps on Linux.
>
> Chris
>
> Alex
> >
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Chris Custine <cc...@apache.org>.
On 10/5/07, Alex Karasulu <ak...@apache.org> wrote:
>
> I like this tactic here. Is there some way to give a non-root user the
> ability to bind to ports below 1024 on UNIX?  I looked for this once
> before but never found a way.


Sorry, we keep crossing posts!  The only way is via a setuid call after
opening the ports as root, and we can't do that in Java so this comes from
my bag of security tricks for Java apps on Linux.

Chris

Alex
>

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Alex Karasulu <ak...@apache.org>.
On 10/5/07, Chris Custine <cc...@apache.org> wrote:
>
> Hi Markus,
> You have a couple of options and which one to use depends on what level of
> security you want.  If you are OK with running the server as root, then
> you
> simply change the RUN_AS_USER variable in the /etc/init.d/apacheds
> script.  After looking at your question I realized that this is not easily
> changed on a per instance basis so I have added an issue to Jira to make
> this more flexible in a future release.  If you change it here, all
> instances will run as the same userid.
>
> https://issues.apache.org/jira/browse/DIRSERVER-1084
>
> The second option is to use iptables to route the ports.  This is by far
> more secure since you can still run the server on any port as an
> unprivileged user and receive requests on port 389.  Here are the full
> iptables commands to test from the command line (you may have to change
> the
> eth0 interface name).  The second command is only necessary if you have
> clients running locally that you want to redirect on localhost, the first
> one handles the public interface.
>
> iptables -t nat -A PREROUTING -p tcp --dport 389 -i eth0 -j REDIRECT --to-port 10389
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-port 10389
>
> I hope this helps, and let us know if you have any issues with this.  This
> would make a good FAQ item so I will try to add this to some docs.
>

I like this tactic here. Is there some way to give a non-root user the
ability to bind to ports below 1024 on UNIX?  I looked for this once before
but never found a way.

Alex

Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389

Posted by Chris Custine <cc...@apache.org>.
Hi Markus,
You have a couple of options and which one to use depends on what level of
security you want.  If you are OK with running the server as root, then you
simply change the RUN_AS_USER variable in the /etc/init.d/apacheds
script.  After looking at your question I realized that this is not easily
changed on a per instance basis so I have added an issue to Jira to make
this more flexible in a future release.  If you change it here, all
instances will run as the same userid.

https://issues.apache.org/jira/browse/DIRSERVER-1084

The second option is to use iptables to route the ports.  This is by far
more secure since you can still run the server on any port as an
unprivileged user and receive requests on port 389.  Here are the full
iptables commands to test from the command line (you may have to change the
eth0 interface name).  The second command is only necessary if you have
clients running locally that you want to redirect on localhost, the first
one handles the public interface.

iptables -t nat -A PREROUTING -p tcp --dport 389 -i eth0 -j REDIRECT --to-port 10389
iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-port 10389

I hope this helps, and let us know if you have any issues with this.  This
would make a good FAQ item so I will try to add this to some docs.

Thanks,
Chris

On 10/5/07, Markus Pohle <ap...@webunity.de> wrote:
>
>
> Hi List Member,
>
> I installed ApacheDS in Version 1.5.1 on Linux (CentOS 4.3) with Sun
> JDK in Version 1.5.0_10. I used the rpm package to install ApacheDS.
>
> Right after installation I configured the server.xml for the default
> partition, that can be found under the following path:
> /var/lib/apacheds/default/conf/
>
> I configured my own partition and switched the ldap port from 10389 to
> 389 and then tried to start ApacheDS with this command:
> [root@apacheds2 conf]# /etc/init.d/apacheds start default
> Starting Apache Directory Server - default...
>
> What I get is this in the logfiles under /var/log/apacheds/default
> [17:02:23] ERROR
> [org.apache.directory.server.jndi.ServerContextFactory] - Failed to
> bind an LDAP service (389) to the service registry.
> java.net.SocketException: Permission denied
>          at sun.nio.ch.Net.bind(Native Method)
>          at
> sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:119)
>          at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java
> :59)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(
> SocketAcceptor.java:365)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor.access$900(
> SocketAcceptor.java:55)
>          at
> org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(
> SocketAcceptor.java:224)
>          at
> org.apache.mina.util.NamePreservingRunnable.run(
> NamePreservingRunnable.java:39)
>          at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
> ThreadPoolExecutor.java:650)
>          at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java
> :675)
>          at java.lang.Thread.run(Thread.java:595)
> [17:02:23] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed
> on null.init(InstallationLayout, String[])
> org.apache.directory.shared.ldap.exception.LdapConfigurationException:
> Failed to bind an LDAP service (389) to the service registry. [Root
> exception is java.n
> et.SocketException: Permission denied]
>          at
> org.apache.directory.server.jndi.ServerContextFactory.startLDAP0(
> ServerContextFactory.java:577)
>          at
> org.apache.directory.server.jndi.ServerContextFactory.startLDAP(
> ServerContextFactory.java:511)
>          at
> org.apache.directory.server.jndi.ServerContextFactory.afterStartup(
> ServerContextFactory.java:306)
>          at
> org.apache.directory.server.core.DefaultDirectoryService.startup(
> DefaultDirectoryService.java:266)
>          at
>
> org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext
> (AbstractContextFactory.java:124)
>
>
> I think (or better I am sure) this is because all ports lower than
> 1024 belong to the root user and the script from /etc/init.d/apacheds
> tries to start the default partition as the apacheds user - and this user
> is not allowed to bind port 389.
>
> Can anybody please help me with that?
> TIA
> Markus Pohle
>
>
>
>
>
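The two iptables REDIRECT rules Chris gives above (in his reply and as quoted in Alex's), wrapped in an idempotent helper that refuses to redirect onto a privileged port; this is an added example, not code from the thread or from ApacheDS, and the interface name eth0, the port numbers and the availability of `iptables -C` for rule checks are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep ApacheDS listening on an
# unprivileged port as the apacheds user and let the nat table deliver
# port 389 traffic to it. Interface, ports and `iptables -C` are assumptions.

# Print the two nat-table rule specs (without -A/-C) for redirecting
# PUBLIC_PORT to INTERNAL_PORT: one for packets arriving on IFACE, one for
# locally generated connections to 127.0.0.1 (Chris's second command).
redirect_rule_specs() {
    iface=$1; public_port=$2; internal_port=$3
    printf '%s\n' \
        "PREROUTING -p tcp --dport $public_port -i $iface -j REDIRECT --to-port $internal_port" \
        "OUTPUT -p tcp -d 127.0.0.1 --dport $public_port -j REDIRECT --to-port $internal_port"
}

# The point of the redirect is that the daemon never needs a port below
# 1024, so reject an internal port that would itself require root, and a
# redirect onto the same port, which would loop.
check_ports() {
    public_port=$1; internal_port=$2
    [ "$internal_port" -ge 1024 ] || return 1
    [ "$public_port" -ne "$internal_port" ] || return 1
    return 0
}

# Add each rule only if it is not already present (-C checks, -A appends),
# so re-running after a redeploy does not stack duplicate rules. Must run
# as root, since only root may modify the nat table.
ensure_redirect() {
    iface=$1; public_port=$2; internal_port=$3
    check_ports "$public_port" "$internal_port" || {
        echo "refusing: internal port must be >= 1024 and differ from $public_port" >&2
        return 1
    }
    redirect_rule_specs "$iface" "$public_port" "$internal_port" |
    while IFS= read -r spec; do
        # shellcheck disable=SC2086  # word splitting of $spec is intended
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

# Usage (as root): ensure_redirect eth0 389 10389
# Verify with: iptables -t nat -S PREROUTING; iptables -t nat -S OUTPUT
```

After applying, confirm the listener is still bound to 10389 by the unprivileged user and that an LDAP client reaching port 389 on eth0 gets an answer; the rules are not persistent across reboots unless saved with the distribution's iptables service.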