Getting BIND working on OpenSuSE 10.2 with Zimbra

[enew]

I can't start BIND on my server as it gives this error:

Code:

hxnews:/etc/init.d # ./named start
Starting name server BIND /usr/sbin/named: error while loading shared libraries:
libldap-2.3.so.0: failed to map segment from shared object: Operation not
permitted
startproc:  exit status of parent of /usr/sbin/named: 127

OpenSuSE comes with version 2.3.27-25 of OpenLDAP which BIND must have been linked against.
Can anyone suggest how I get BIND running? I need a split DNS setup.

Thanks,

Edwin.

[enterprisetoday]

I guess you could try and

ldd /usr/sbin/named

to trace file locations... 'operation not permitted' sounds weird.
Mangle things by having two copies of libldap, the suse one and the zimbra one and get each program to look for a symbolic link of whichever one suits.

Otherwise installing a different rpm, src rpm or compiling bind from source. You are then able to determine if bind even needs an ldap library and configure accordingly.

Dallas

[Crexis]

I'm also having this prob but it is on SUSE 10.1. Everything was hunky dory until I installed SUSE updates. The ver of BIND is 9.3.2 and I think it doesn't like the Zimbra libldap-2.3.so.0. I'm not a Linux guru but I wonder if it's possible to have an application specific symlink?

Code:

mail:/usr/sbin # ldd /usr/sbin/named
        linux-gate.so.1 =>  (0xffffe000)
        liblwres.so.9 => /usr/lib/liblwres.so.9 (0xb7f34000)
        libdns.so.21 => /usr/lib/libdns.so.21 (0xb7e2c000)
        libbind9.so.0 => /usr/lib/libbind9.so.0 (0xb7e24000)
        libisccfg.so.1 => /usr/lib/libisccfg.so.1 (0xb7e14000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7ceb000)
        libisccc.so.0 => /usr/lib/libisccc.so.0 (0xb7ce4000)
        libisc.so.11 => /usr/lib/libisc.so.11 (0xb7ca9000)
        libldap-2.3.so.0 => /opt/zimbra/lib/libldap-2.3.so.0 (0xb7c7a000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7c65000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7c51000)
        libc.so.6 => /lib/libc.so.6 (0xb7b30000)
        liblber-2.3.so.0 => /opt/zimbra/lib/liblber-2.3.so.0 (0xb7b25000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7b21000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7b0e000)
        libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7ade000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb79e4000)
        /lib/ld-linux.so.2 (0xb7f59000)
mail:/usr/sbin #

Question now is, how on earth do you get /usr/sbin/named to look somewhere else for it's ldap library? Guess I'll just keep hunting...

[enterprisetoday]

It's quite possible that your bind installation isn't even using ldap, so I would try to compile a source rpm, disabling it's ldap abilities.

Otherwise, there's possibly some libldap's in /usr/lib, but you probably uninstalled the suse ldap in order to install zimbr (without issue).

I don't think there's any way to convince named to use anything else without recompiling.


Dallas

[Crexis]

Thanks for the response Dallas. I understand what you're saying but I can't help wondering, if it is not possible to change BIND's dependencies without recompiling, how did the zimbra install manage to do it? I'm pretty sure that Zimbra itself doesn't come with a BIND install but it has managed to include it's libldap into BIND's dependencies?

[fajarpri]

I have exactly the same problem with Opensuse10.2.
At first everything was OK, installation of zimbra went smoothly, all is good. I manage a local DNS on the same machine. Then, when I rebooted, bind failed to load with the same error:

Code:

# service named restart
..dead
Shutting down name server BIND - Warning: named not running!          done
Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted
startproc:  exit status of parent of /usr/sbin/named: 127
                                                                      failed

So, the suggestion is to reinstall bind?

[fajarpri]

Ah, finally!
Apparmor is really interesting. I think it's similar to SELinux? But, with a
much easier to manage.
Ok, looks like by looking the audit.log, it says about bind is not allowed
to "map" to zimbra's library. The solution is to allow it.
To do it in apparmor, Yast > Apparmor> Edit profile > named > Add Entry > File > /opt/zimbra/lib/* > Save. Done!

Suse is cool!

[Crexis]

SWEET!

Thanks Fajarpri! I found Novell AppArmor in YaST. Didn't seem to work when I tried editing the profile so I just disabled it altogether. BIND works! I wonder if this is not also fixable by adding the "named" user to the "zimbra" group or something like that.

[jholder]

Nice fajarpri,
Thanks for that!

[enew]

The AppArmour fix worked a treat. To make it easier, after trying to start BIND (and obviously failing) go to yast and select "Novell AppArmour => Update Profile Wizard" It should detect the error from its logs and ask if you want to change the profile to allow it in future. Select yes, exit yast and start bind again. There should be no problem. Cheers, Edwin.