[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Running slapd as a non-root user



I've tried using the -u option by itself, and I've tried the -u and -g together, but it still does not work. Also, I'm specifying 10636 as the port, so the non-root user should be able to listen on it without any problems. The problem seems to be that when OpenLDAP is installed as root, the configuration and database files are owned by root and are not viewable if you're not root. For example, here's the permissions on slapd.conf after the installation:
 
-rw-------   1 root     other       3442 Jan 14 19:08 /usr/local/etc/openldap/slapd.conf
 
When OpenLDAP is told to use a non-root account, it tries to open slapd.conf as that user and fails.
 
Here's what I get, trying different parameters:
 
1. Start OpenLDAP without -u or -g; comes up fine:
 
# /usr/local/libexec/slapd -d 256 -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting
 
 
2. Start OpenLDAP with -u; dies with an error:
 
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
 
 
3. Start OpenLDAP with -u and -g; also dies with an error:
 
# /usr/local/libexec/slapd -d 256 -u openldap -g openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.  
 
Is this how OpenLDAP is supposed to work, or might this be a bug?
 
Thanks,
 
-Bill

> Date: Wed, 30 Jan 2008 16:02:13 -0800
> From: quanah@zimbra.com
> To: daveh@coreng.com.au; openldap-software@openldap.org; mrbill321@hotmail.com
> Subject: Re: Running slapd as a non-root user
>
> --On Thursday, January 31, 2008 8:50 AM +1100 Dave Horsfall
> <daveh@coreng.com.au> wrote:
>
> > On Wed, 30 Jan 2008, Bill Sterns wrote:
> >
> >> I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b
> >> and Berkeley DB 4.6.21, which I built and installed from source as root.
> >> I'd like to be able to run slapd as a non-root user, as I've seen other
> >> packaged OpenLDAP distributions do in the past. However, when I try to
> >> run it as a non-root user, OpenLDAP does not have permission to access
> >> various things, such as slapd.conf, the back-end database files, and the
> >> directory to create its pid file when it starts up. I've tinkered with
> >> the file/group ownership and permissions for these files, and I've
> >> managed to get it running as a non-root user, but I'm not sure if this
> >> is the ideal way to do it. Is there a recommended way to do this?
> >
> > Start it as root, and use the "-u" and "-g" flags; this is the
> > recommended (if not the only) way to do it.
>
> His example clearly shows he's already using -u, so I'm guessing this was
> already figured out.
>
> But yes, the "user/group" slapd will run as must have the correct
> permissions to read what it needs to read, so setting those bits readable
> would be the correct thing to do.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration



Helping your favorite cause is as easy as instant messaging. You IM, we give. Learn more.