
Re: (ITS#4719) Support for running slapadd/slapindex as a user




--On Tuesday, October 24, 2006 7:16 PM +0000 ahasenack@terra.com.br wrote:

> On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah@stanford.edu wrote:
>>
>>
>> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt@OpenLDAP.org wrote:
>>
>> > At 11:48 AM 10/24/2006, ando@sys-net.it wrote:
>> >> quanah@stanford.edu wrote:
>> >>> It would be nice if you could pass -u and -g options to run as
>> >>> another user/group so that on systems where OpenLDAP is running as
>> >>> another user or group, the files created by slapadd & slapindex have
>> >>> the correct ownerships (rather than root, for example).
>> >>>
>> >> OK for slapadd; for slapindex and other tools, what about using
>> >> user/group info from the file(s) itself?
>> >
>> > Why not just use su(1)? The only reason slapd(8) has -u/-g options
>> > is because it changes root after some initialization.
>>
>> Because some people are brain dead, and because other people set up
>> application accounts that don't actually have a shell. It also makes
>> things more consistent behavior-wise. I personally don't have this
>> issue because I run openldap as root anyway, but I've seen list traffic
>> about this on more than one occasion, and am seeing people hit it on
>> the Debian openldap list as well.
>
> The slapd initscript should/could chown the files whenever slapd is
> (re)started.

And how would the init script know the locations of X number of databases, 
particularly if back-config is used?

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
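
Added example, not part of the thread and not OpenLDAP code: a sketch of how a script can find the database directories from the configuration itself and report files left with the wrong owner after slapadd or slapindex was run as root. It assumes the `directory` directive in slapd.conf and the `olcDbDirectory` attribute in a cn=config (slapd.d) tree, with unquoted-space-free paths; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reports database files that are
# not owned by the account slapd runs as, e.g. after slapadd was run as root.

# Print one database directory per line.
# $1: path to slapd.conf (a file) or to a slapd.d tree (a directory).
list_db_dirs() {
    if [ -d "$1" ]; then
        # cn=config: each database entry carries an olcDbDirectory attribute.
        grep -rh '^olcDbDirectory: ' "$1" | sed 's/^olcDbDirectory: //'
    else
        # slapd.conf: "directory <path>"; keywords are matched case-insensitively.
        awk 'tolower($1) == "directory" { gsub(/"/, "", $2); print $2 }' "$1"
    fi | sort -u
}

# Print everything under directory $1 that is not owned by user $2
# (user name or numeric uid).
check_owner() {
    find "$1" ! -user "$2" -print
}

# report_misowned CONFIG USER
# Prints mis-owned paths and returns 1 if any exist, 0 otherwise.
report_misowned() {
    bad=$(list_db_dirs "$1" | while IFS= read -r d; do
        if [ -d "$d" ]; then
            check_owner "$d" "$2"
        fi
    done)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Stand-alone use: sh script.sh <slapd.conf | slapd.d> <user>
if [ "$#" -eq 2 ]; then
    report_misowned "$1" "$2"
fi
```

A non-zero exit status means slapd, running as the given user, would find files it does not own in at least one database directory.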