
Bug#432662: slapd.conf group not openldap

 
Trent W. Buck




(Msg. 1) Posted: Wed Jul 11, 2007 6:10 am
Post subject: Bug#432662: slapd.conf group not openldap

Package: slapd
Version: 2.3.30-5
Severity: normal

Note: I've never used LDAP before, this may be a non-bug.

Following http://wiki.debian.org/OpenLDAPSetup, I tried the following
command (with slapd stopped):

$ sudo slapindex

WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

slapd runs as the user openldap, so naturally I tried

$ sudo -u openldap slapindex
could not open config file "/etc/ldap/slapd.conf": Permission denied (13)
slapindex: bad configuration file!

I check the config file:

$ ls -l /etc/ldap/slapd.conf
-rw------- 1 root root 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

In #ldap on irc.freenode.net, _ranger_ told me that this file should
be

-rw-r----- 1 root openldap 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

This wouldn't be a problem if slapd ran as root, but apparently it
runs as the user openldap by default.

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)

Versions of packages slapd depends on:
ii adduser 3.102 Add and remove users and groups
ii coreutils 5.97-5.3 The GNU core utilities
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-2 Berkeley v4.2 Database Libraries [
ii libiodbc2 3.52.4-5 iODBC Driver Manager
ii libldap-2.3-0 2.3.30-5 OpenLDAP libraries
ii libltdl3 1.5.22-4 A system independent dlopen wrappe
ii libperl5.8 5.8.8-7 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-8 Authentication abstraction library
ii libslp1 1.2.1-6.2 OpenSLP libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-perl 5.8.8-7 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy

Versions of packages slapd recommends:
ii libsasl2-modules 2.1.22.dfsg1-8 Pluggable Authentication Modules f

-- debconf information:
slapd/password_mismatch:
slapd/fix_directory: true
slapd/invalid_config: true
shared/organization: twb.ath.cx
slapd/upgrade_slapcat_failure:
slapd/upgrade_slapadd_failure:
slapd/backend: BDB
slapd/dump_database: when needed
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/migrate_ldbm_to_bdb: true
slapd/move_old_database: true
slapd/suffix_change: false
slapd/slave_databases_require_updateref:
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/autoconf_modules: true
slapd/purge_database: false
slapd/domain: twb.ath.cx


--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Steve Langasek




(Msg. 2) Posted: Fri Aug 17, 2007 9:47 pm
Post subject: Bug#432662: [Pkg-openldap-devel] Bug#432662: slapd.conf group not openldap

On Wed, Jul 11, 2007 at 06:56:15PM +1000, Trent W. Buck wrote:
> Note: I've never used LDAP before, this may be a non-bug.

> Following http://wiki.debian.org/OpenLDAPSetup, I tried the following
> command (with slapd stopped):

> $ sudo slapindex

> WARNING!
> Runnig as root!
> There's a fair chance slapd will fail to start.
> Check file permissions!

> slapd runs as the user openldap, so naturally I tried

> $ sudo -u openldap slapindex
> could not open config file "/etc/ldap/slapd.conf": Permission denied (13)
> slapindex: bad configuration file!

> I check the config file:

> $ ls -l /etc/ldap/slapd.conf
> -rw------- 1 root root 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

> In #ldap on irc.freenode.net, _ranger_ told me that this file should
> be

> -rw-r----- 1 root openldap 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

> This wouldn't be a problem if slapd ran as root, but apparently it
> runs as the user openldap by default.

Right, this is a bug; openldap needs to take care that the slapd.conf file
is created with permissions that allow reading by the openldap user.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/


Russ Allbery




(Msg. 3) Posted: Sun Nov 11, 2007 8:40 pm
Post subject: Bug#432662: [Pkg-openldap-devel] Bug#432662: Bug#432662: slapd.conf group not openldap

Steve Langasek <vorlon@debian.org> writes:
> On Wed, Jul 11, 2007 at 06:56:15PM +1000, Trent W. Buck wrote:

>> slapd runs as the user openldap, so naturally I tried

>> $ sudo -u openldap slapindex
>> could not open config file "/etc/ldap/slapd.conf": Permission denied (13)
>> slapindex: bad configuration file!

>> I check the config file:

>> $ ls -l /etc/ldap/slapd.conf
>> -rw------- 1 root root 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

>> In #ldap on irc.freenode.net, _ranger_ told me that this file should be

>> -rw-r----- 1 root openldap 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

>> This wouldn't be a problem if slapd ran as root, but apparently it
>> runs as the user openldap by default.

> Right, this is a bug; openldap needs to take care that the slapd.conf
> file is created with permissions that allow reading by the openldap
> user.

We actually patch slapd to read the configuration file before dropping
privileges. If we change the permissions on slapd.conf so that it's
group-readable by openldap, we could also drop that patch, correct? I'd
like to do that, to reduce divergence from upstream.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>



Steve Langasek




(Msg. 4) Posted: Wed Nov 14, 2007 6:00 pm
Post subject: Bug#432662: [Pkg-openldap-devel] Bug#432662: Bug#432662: slapd.conf group not openldap

On Sun, Nov 11, 2007 at 05:19:48PM -0800, Russ Allbery wrote:
> Steve Langasek <vorlon@debian.org> writes:
> > On Wed, Jul 11, 2007 at 06:56:15PM +1000, Trent W. Buck wrote:

> >> slapd runs as the user openldap, so naturally I tried

> >> $ sudo -u openldap slapindex
> >> could not open config file "/etc/ldap/slapd.conf": Permission denied (13)
> >> slapindex: bad configuration file!

> >> I check the config file:

> >> $ ls -l /etc/ldap/slapd.conf
> >> -rw------- 1 root root 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

> >> In #ldap on irc.freenode.net, _ranger_ told me that this file should be

> >> -rw-r----- 1 root openldap 4366 2007-07-11 18:37 /etc/ldap/slapd.conf

> >> This wouldn't be a problem if slapd ran as root, but apparently it
> >> runs as the user openldap by default.

> > Right, this is a bug; openldap needs to take care that the slapd.conf
> > file is created with permissions that allow reading by the openldap
> > user.

> We actually patch slapd to read the configuration file before dropping
> privileges. If we change the permissions on slapd.conf so that it's
> group-readable by openldap, we could also drop that patch, correct? I'd
> like to do that, to reduce divergence from upstream.

Sounds right to me.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
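
The permission state this thread settles on (root:openldap with mode -rw-r----- instead of root:root with -rw-------) can be checked mechanically. The following is an added example, not part of the original posts or of the Debian package; the function name `audit_conf` and its messages are illustrative, and it assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example: audit a daemon config file's owner, group and mode.
# Usage: audit_conf FILE OWNER GROUP
# Prints one finding per line.
# Returns 0 when clean, 1 when there are findings, 2 when stat fails.
audit_conf() {
    file=$1; want_owner=$2; want_group=$3
    # %a = octal mode, %U = owner name, %G = group name (GNU stat)
    info=$(stat -c '%a %U %G' -- "$file") || return 2
    set -- $info
    mode=$1; owner=$2; group=$3
    perm=$((0$mode))    # the leading 0 makes the shell read the mode as octal
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; rc=1
    fi
    # The unprivileged service user reaches the file through its group,
    # so the group read bit (0040) must be set.
    if [ $((perm & 0040)) -eq 0 ]; then
        echo "group $group cannot read (mode $mode)"; rc=1
    fi
    # The -rw-r----- listing in the thread grants nothing to "other" (0007).
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "accessible to other users (mode $mode)"; rc=1
    fi
    # The daemon's group only needs to read the file, never to modify it.
    if [ $((perm & 0020)) -ne 0 ]; then
        echo "writable by group $group (mode $mode)"; rc=1
    fi
    return $rc
}

# For the file in this report:
#   audit_conf /etc/ldap/slapd.conf root openldap
```

Run against the file as originally reported (root:root, mode 600), the function reports both the group mismatch and the missing group read bit.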


