openldap-2.2.28 has no {CLEARTEXT} option for password-hash. This option is necessary for some openldap/kerberos5 interactions. This is an acknowledged bug, and was fixed in openldap-2.3.8, but the fix has not been backported officially to 2.2.28. A patch providing the fix against 2.2.28 was posted to the openldap mailing list.

Reproducible: Always

Steps to Reproduce:
1. emerge =net-nds/openldap-2.2.28
2. configure "/etc/openldap/slapd.conf" with "password-hash {CLEARTEXT}"
3. /etc/init.d/slapd start

Actual Results:
The logger outputs something similar to this:

Nov 14 14:09:24 hermes slapd[25115]: @(#) $OpenLDAP: slapd 2.2.28 (Nov 14 2005 11:45:52) $ root@hermes:/root
Nov 14 14:09:24 hermes slapd[25115]: bdb_db_init: Initializing BDB database
Nov 14 14:09:24 hermes slapd[25115]: /etc/openldap/db.conf: line 28: password scheme "{CLEARTEXT}" not available
Nov 14 14:09:24 hermes slapd[25115]: /etc/openldap/db.conf: line 28: no valid hashes found
Nov 14 14:09:24 hermes slapd[25115]: slapd stopped.
Nov 14 14:09:24 hermes slapd[25115]: connections_destroy: nothing to destroy.

Expected Results:
slapd should have successfully started.

Portage 2.0.53_rc7 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.6-r0, 2.6.13-hardened i686)
=================================================================
System uname: 2.6.13-hardened i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.12.0_pre10
dev-lang/python: 2.3.4-r1, 2.4.2
sys-apps/sandbox: 1.2.13
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.20-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O3 -fomit-frame-pointer -ftracer -fforce-addr -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O3 -fomit-frame-pointer -ftracer -fforce-addr -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distcc distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com/"
MAKEOPTS=""
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi apache2 berkdb crypt dlloader fam ftp gd gdbm gif hardened jpeg kerberos ldap mx mysql ncurses nptl nptlonly pam perl pic png python readline sqlite sse sse2 ssl tcpd truetype unicode usb utf8 vhosts x86 xml xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Including kerberos CC as requested by Seemant.
Created attachment 72903
Patch posted to openldap mailing list.

This patch was posted as a backport of the fix in 2.3.8; I have edited it to more cleanly be applied as with other patches for this package. I have tested this and can verify that it compiles correctly, and runs correctly.
Created attachment 72904
Updated ebuild to apply patch.

This is an ebuild to apply the given patch.
fixed in cvs
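
A pre-start check for the failure described in this report, as an added example that is not part of the original bug or of any OpenLDAP or Gentoo code: it follows include directives from slapd.conf and reports each password-hash {CLEARTEXT} directive that an unpatched slapd older than 2.3.8 would refuse. The function names, the plain dotted version string, the case-insensitive scheme match and the constructed sample config are assumptions of this example.

```python
import tempfile
from pathlib import Path

CLEARTEXT_SINCE = (2, 3, 8)  # from the report: the {CLEARTEXT} fix landed in openldap-2.3.8

def logical_lines(text):
    """Return [(line_no, fields)]; '#' lines are comments, indented lines continue the previous one."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        if raw[:1].isspace() and entries:
            entries[-1][1].extend(raw.split())
        else:
            entries.append((no, raw.split()))
    return entries

def password_hash_schemes(conf, seen=None):
    """Yield (path, line_no, scheme) for every password-hash scheme, following include directives."""
    seen = set() if seen is None else seen
    conf = Path(conf)
    if conf in seen or not conf.is_file():
        return
    seen.add(conf)
    for no, fields in logical_lines(conf.read_text()):
        if len(fields) < 2:
            continue
        key, args = fields[0].lower(), [a.strip('"') for a in fields[1:]]
        if key == "include":
            yield from password_hash_schemes(args[0], seen)
        elif key == "password-hash":
            for scheme in args:
                yield conf, no, scheme.upper()  # assumption: match scheme names case-insensitively

def rejected_cleartext(conf, slapd_version):
    """Return (file name, line_no) of {CLEARTEXT} directives an unpatched slapd of this version refuses."""
    if tuple(int(p) for p in slapd_version.split(".")) >= CLEARTEXT_SINCE:
        return []
    return [(path.name, no) for path, no, scheme in password_hash_schemes(conf)
            if scheme == "{CLEARTEXT}"]

def demo(slapd_version):
    """Build a constructed two-file config mirroring the report (slapd.conf including db.conf)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp, "db.conf")
        db.write_text("# constructed sample\ndatabase bdb\npassword-hash {CLEARTEXT}\n")
        main = Path(tmp, "slapd.conf")
        main.write_text(f"# constructed sample\ninclude {db}\n")
        return rejected_cleartext(main, slapd_version)
```

Calling rejected_cleartext("/etc/openldap/slapd.conf", "2.2.28") before starting slapd points at the included file and line, which is where the log above reported the error (db.conf, not slapd.conf).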