RE: 'unary operator expected' error when TLS turned on - SOLVED
Adding the 'set -x' option to the top of /etc/profile, I was able to determine
the culprit of the

    "-bash: [: =: unary operator expected"

error that has been occurring on all Linux servers since turning on LDAP
TLS on INT.

In the file:

    /etc/profile.d/krb5-workstation.sh

The following is causing the issue:

    if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
        if [ `/usr/bin/id -u` = 0 ] ; then
            PATH=/usr/kerberos/sbin:${PATH}
        fi
    fi

If I add " " around the backticked command, the bash error goes away.
Not sure who I need to open a ticket against :-)
Thanks,
John
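
The failure mode described above, as an added example that is not part of John's message or of the krb5-workstation package: "unary operator expected" is what `[` reports when the unquoted substitution expands to nothing, leaving only `= 0`. `fake_id_u`, `unquoted_status`, `quoted_status` and `fixed_path` are hypothetical helpers, and the UID values are constructed; `$( )` is used in place of backticks and behaves the same here.

```shell
#!/bin/bash
# Stand-in for `/usr/bin/id -u` (hypothetical helper): prints the constructed
# value passed in $1. An empty value models the command printing nothing.
fake_id_u() { printf '%s' "$1"; }

# Form used in krb5-workstation.sh: unquoted substitution. With empty output
# the word disappears and `[` is handed only `= 0`, which is a syntax error
# (exit status 2), not a clean "false".
unquoted_status() {
    rc=0
    [ $(fake_id_u "$1") = 0 ] 2>/dev/null || rc=$?
    echo "$rc"
}

# Quoted form: empty output is kept as one empty argument, so the comparison
# is well-formed and simply false (exit status 1).
quoted_status() {
    rc=0
    [ "$(fake_id_u "$1")" = 0 ] 2>/dev/null || rc=$?
    echo "$rc"
}

# The profile.d snippet with the quoting applied.
# $1 = current PATH, $2 = output of id -u (constructed in this example).
fixed_path() {
    p=$1
    if ! echo "$p" | grep -q /usr/kerberos/sbin; then
        if [ "$2" = 0 ]; then
            p=/usr/kerberos/sbin:$p
        fi
    fi
    printf '%s\n' "$p"
}

# Exit status of each form for root, a normal user, and empty output.
for v in 0 500 ""; do
    printf 'id -u output=[%s] unquoted=%s quoted=%s\n' \
        "$v" "$(unquoted_status "$v")" "$(quoted_status "$v")"
done
```

Status 2 from `[` means the test itself was malformed; an `if` treats it the same as false, which is why the login only showed a message instead of failing outright.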
> -----Original Message-----
> From: openldap-technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org
> [mailto:openldap-technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org]
> On Behalf Of John Kane
> Sent: Friday, May 29, 2009 4:12 PM
> To: openldap-technical@openldap.org
> Subject: 'unary operator expected' error when TLS turned on
>
> I've also posted this message on the OpenSSL forum:
>
>
> I just turned on TLS on my LDAP (per instructions on
> http://www.openldap.org/faq/data/cache/185.html). Now all of my Linux
> servers (RH EL5) give the following error on login:
>
> -bash: [: =: unary operator expected
>
> The error goes away when I turn TLS off. I cannot determine what is
> causing this error, or even which file contains the error. I've gone
> through my LDAP config files, cannot find an issue in any of these.
>
> Other than my cacert.pem, and the LDAP config files, are there other
> files that are read only when TLS is turned on?
>
> Thanks,
> John
>
>
> I am running Openldap 2.3.43-2.el5 & OpenSSL 0.9.8b-10.el5 (RPMs from
> Red Hat, which I am required to use unless I put up a BIG fight).
>
> ++++ Here's my configs ++++
>
> I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
> file):
>
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.pem
> tls_cacertdir /etc/openldap/cacerts/
>
>
> and have the following in my /etc/openldap/ldap.conf (openldap file):
>
> HOST 172.25.3.97
> BASE dc=example,dc=net
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
>
> and my (self-signed) cacert:
>
> [root@serverx cacerts]# openssl x509 -text -in /etc/openldap/cacerts/cacert.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 0 (0x0)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailAddress=john.smith@myco.com
> Validity
> Not Before: May 28 04:37:13 2009 GMT
> Not After : May 27 04:37:13 2012 GMT
> Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailAddress=john.smith@myco.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
> X509v3 Authority Key Identifier:
> keyid:0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
>
> Signature Algorithm: sha1WithRSAEncryption
>
>
>
> This message is confidential to Prodea Systems, Inc unless otherwise
> indicated or apparent from its nature. This message is directed to the
> intended recipient only, who may be readily determined by the sender of
> this message and its contents. If the reader of this message is not the
> intended recipient, or an employee or agent responsible for delivering
> this message to the intended recipient: (a) any dissemination or copying
> of this message is strictly prohibited; and (b) immediately notify the
> sender by return message and destroy any copies of this message in any
> form (electronic, paper or otherwise) that you have. The delivery of this
> message and its information is neither intended to be nor constitutes a
> disclosure or waiver of any trade secrets, intellectual property,
> attorney work product, or attorney-client communications. The authority
> of the individual sending this message to legally bind Prodea Systems is
> neither apparent nor implied, and must be independently verified.