I need to do 'zmcontrol start' twice to get zimbra up

[djzort]

I tried forcing the umask via sudoers as such:

02_zimbra-ldap:
Defaults!/opt/zimbra/libexec/zmslapd umask_override,umask=XXXX
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd

But it wouldnt play ball

Messing with chmod g+w /opt/zimbra/data/ldap/state/run/ldapi
in /opt/zimbra/bin/ldap fails as the zimbra user doesnt have permission

[djzort]

messing with checkListening() just confirms that the zimbra user doesnt have permission on the socket

[djzort]

the /opt/zimbra/bin/ldap sudo'ing to zimbra seems somewhat pointless, as /etc/init.d/zimbra is using sudo to call zmcontrol, which itself insists on being zimbra

/opt/zimbra/libexec/zmslapd is a shell script. messing with umask in there doesnt impact either

[djzort]

Ive spent enough time on it this evening. A combination of the above also doesnt work, but perhaps there is enough information there for someone else to nail it.

Something has to force slapd to g+w the ldapi socket

[djzort]

Upgrading ubuntu didnt help at all

[djzort]

A fresh install of u16 works correctly.

A strack trace of both openldaps shows they are actually doing the same thing:

umask(0) = 022
bind(7, {sa_family=AF_LOCAL, sun_path="/opt/zimbra/data/ldap/state/run/ldapi"}, 110) = 0
umask(022)

umask(0) = 022
bind(7, {sa_family=AF_LOCAL, sun_path="/opt/zimbra/data/ldap/state/run/ldapi"}, 110) = 0
umask(022)

It must be something in ubuntu

[djzort]

Found it, it seems the upgraded ubuntu is full of acls.

Code: Select all

# getfacl /opt/zimbra/data/ldap
getfacl: Removing leading '/' from absolute path names
# file: opt/zimbra/data/ldap
# owner: zimbra
# group: zimbra
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

fix with: setfacl -b /opt/zimbra/data/ldap/state/run

Code: Select all

# getfacl /opt/zimbra/data/ldap/state/run
getfacl: Removing leading '/' from absolute path names
# file: opt/zimbra/data/ldap/state/run
# owner: zimbra
# group: zimbra
user::rwx
group::r-x
other::r-x