[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cn=config example

To: openldap-software@openldap.org
Subject: Re: cn=config example
From: Adam Tauno Williams <adamtaunowilliams@gmail.com>
Date: Fri, 21 Sep 2007 10:19:46 -0400
In-reply-to: <200709211020.09168.bgmilne@staff.telkomsa.net>
References: <1i4rzbh.1dts9tb19n0ywsM%manu@netbsd.org> <200709210914.23949.bgmilne@staff.telkomsa.net> <46F37823.2010900@symas.com> <200709211020.09168.bgmilne@staff.telkomsa.net>

> > > On Friday 21 September 2007 06:07:47 Howard Chu wrote:
> > >> Use slaptest instead.
> > > except that slaptest doesn't have a "run as another user" flag, and -u is
> > > already taken :-(.

I was just working with converting a conf file to a config backend and
swear I saw a specific note somewhere to use slaptest (and I knew to use
slaptest).  Now poking around a bit I can't find it.

> > Nor do the tools need such an option; you can just use su. The reason slapd
> > can't be started with just "su ldap" is because it may need root privs to
> > open the listener sockets. That's the only reason it has -u/-g options.
> Sure, and I use su in our init script when testing the configuration. But, 
> some other distros don't, and don't use -u, and end up creating transaction 
> log files as root, preventing startup later.

I don't perceive this as an OpenLDAP problem;  it is more of a "bad
distribution! bad!" kind of issue.

>  I am not aware of any 
> recommendation of using su for slaptest (though it is quite obvious to many, 
> it may be worth mentioning explicitly). And, it should certainly be mentioned 
> in any documentation covering converting to back-config.

Nah,  it is simply obvious/standard practice.  Configuring services as a
user or root and then setting permissions as the last step is just how
things are done. 

> > > At present, it seems that if you want to do the conversion while slapd is
> > > running, and for a slapd that runs as non-root, something like this is
> > > the best option:
> > > # slapd -u ldap -g ldap -d none -h
> > > ldap://localhost:391/ -f /etc/openldap/slapd.conf -F
> > > /etc/openldap/slapd.d
> > > As then
> > > -The configuration will be converted
> > > -slapd won't start up
> > What makes you say that?
> It will fail to open the database already opened by the running slapd.

I'm confused by all of this;  who is going to be converting their
configuration (which one assumes would also include testing the
resulting configuration) while slapd is hot?

> > > -you will see any relevant errors
> > > -all the files will be owned by the ldap user/group
> > > -if it succeeds, a restart of slapd is all that is necessary to continue
> > That seems like far more trouble than just using su...
> It's aobut the same amount of typing:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d

-- 
          Consonance: an Open Source .NET OpenGroupware client.
  http://code.google.com/p/consonance/ - Searching for a bored Cairo# hacker.
   Contact:awilliam@whitemiceconsulting.com   http://www.opengroupware.org

References:
- Re: cn=config example
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: cn=config example
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: cn=config example
  - From: Howard Chu <hyc@symas.com>
- Re: cn=config example
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: extended / extensible search / in 2.3.38 ends with error code 34 invalid DN syntax [Virus checked]
Next by Date: Re: cn=config example
Index(es):
- Chronological
- Thread