At work, we’re developing an application that uses LDAP for authentication. Specifically, we’re using OpenLDAP. We use a VM for development, which allows each developer to have a copy of the ‘standard’ environment, to ensure we’re on the same version of libraries, compilers, databases, etc. As part of managing the VMs, we write maintenance scripts to keep everyone's VM in line with each other. I wrote a script to install a baseline installation of OpenLDAP. I thought I’d covered my bases with permissions, but upon startup OpenLDAP created a new file which was owned by root and had 0600 permissions, which meant no one but root could read or write that file. I had configured OpenLDAP to run as ‘openldap’, so of course it couldn’t read the file. Unfortunately, the error message is less than helpful:
'0x50 (Other (e.g., implementation specific) error): updating: <my DN, etc etc>'
So, checking the file permissions under /var/lib/ldap, I saw a file objectClass.bdb owned by root. I changed its ownership to openldap:openldap, and all was well.
Moral of the story: Always check file permissions. Especially after starting up the server.
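The check described above, as an added example that is not part of the original post: a small POSIX shell script that walks an OpenLDAP data directory and reports every path not owned by the account slapd runs as, with an optional fix step. The data directory (/var/lib/ldap) and the service account name (openldap) are assumed defaults taken from the post; adjust them for your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): report and optionally repair
# files under an OpenLDAP data directory that are not owned by the service
# account. Assumed defaults: data dir /var/lib/ldap, service user "openldap".

# Print "<owner>\t<path>" for every path under $1 whose owner is not $2.
# The directory itself is included, since it must be writable by slapd too.
# ls/awk is used instead of `find -user` so that a user name that does not
# exist on the box yields a report rather than a find(1) error.
list_wrong_owner() {
    dir=$1
    want=$2
    find "$dir" -print | while IFS= read -r path; do
        owner=$(ls -ld "$path" | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            printf '%s\t%s\n' "$owner" "$path"
        fi
    done
}

# Number of mismatched paths under $1; 0 means ownership is consistent.
count_wrong_owner() {
    list_wrong_owner "$1" "$2" | wc -l | tr -d ' '
}

# Repair ownership in place. Run as root after slapd has been started once,
# because that first start is when the root-owned index file appeared.
fix_owner() {
    dir=$1
    want=$2
    list_wrong_owner "$dir" "$want" | cut -f2 | while IFS= read -r path; do
        chown "$want:$want" "$path"
    done
}

# Usage: ./ldap-owner-check.sh --check [dir] [user]
#        ./ldap-owner-check.sh --fix   [dir] [user]
case "${1:-}" in
    --check) list_wrong_owner "${2:-/var/lib/ldap}" "${3:-openldap}" ;;
    --fix)   fix_owner         "${2:-/var/lib/ldap}" "${3:-openldap}" ;;
esac
```

Running the `--check` form from a maintenance script right after the first `slapd` start would have surfaced the root-owned objectClass.bdb immediately, instead of leaving it to be discovered through the 0x50 error.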