On 10/04/2014 11:53 PM, Fernando de Oliveira wrote:
> On 04-10-2014 18:28, Bruce Dubbs wrote:
>> Pierre Labastie wrote:
>>> In the book, /var/lib/openldap is created with mode 700 and owner
>>> root:ldap.
>>>
>>> This implies that the ldap user cannot access it. But it is the place
>>> where slapd writes user databases, and slapd runs as user ldap.
>>>
>>> Actually, I have always observed that openldap fails at boot, but
>>> since until today I did not want to use it, I didn't care.
>
> It starts fine here.
>
>>> Changing the mode of /var/lib/openldap to 770 allows starting the
>>> daemon at boot.
>>
>> In the patch we apply:
>>
>> # The database directory MUST exist prior to
>> # running slapd AND should only be accessible
>> # by the slapd/tools. Mode 0700 recommended.
>> -directory LOCALSTATEDIR/openldap\-data
>> +directory LOCALSTATEDIR/lib/openldap
>>
>> So perhaps our chown -v -R root:ldap /var/lib/openldap command should be
>> changed to ldap:ldap.
>
> I think this can be done without problem.
>
> I don't have any of the problems:
>
> $ ls -ld /var/lib/openldap/
> drwx------ 2 ldap ldap 4096 Out 4 14:22 /var/lib/openldap/
> $ pgrep -l slapd
> 4605 slapd
> $ sudo /etc/rc.d/init.d/slapd restart
> * Stopping OpenLDAP [ OK ]
> * Starting OpenLDAP [ OK ]
>
> Funny that in my script, I do install as root:ldap, so, no idea, if
> during the configuration it might have changed it? Don't know
>
> $ grep chown openldap-2.4.40.sh
> chown -v -R ldap:ldap /var/lib/openldap &&
It works because of this. Instructions have chown root:ldap instead of
chown ldap:ldap.
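Review bot: in the slapd.conf hunk quoted above, the `directory` line is moved to LOCALSTATEDIR/lib/openldap while the retained comment still requires that the directory exist before slapd runs and be accessible only by slapd and its tools, with mode 0700. With mode 0700 only the owning user has access, so whatever creates the new directory has to make its owner the account slapd runs as; I would add a short comment next to the new `directory` line naming that expected owner so the path and the ownership requirement stay together.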
> chown -v root:ldap /etc/openldap/{slapd.{conf,ldif},DB_CONFIG.example} &&
>
> $ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: namingContexts
> #
>
> #
> dn:
> namingContexts: dc=my-domain,dc=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
--
Note: My last name is not Krejzi.
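
The three mode/owner combinations discussed in this thread, evaluated with the Unix owner/group/other rule. This is an added example, not part of the original messages or the BLFS book; the function names are hypothetical, and `audit_db_dir` assumes GNU `stat` and an existing user.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the BLFS book.

# dir_usable MODE OWNER GROUP USER "USER_GROUPS"
# Returns 0 if USER gets rwx on a directory with that mode and ownership.
# Exactly one class applies: owner if USER owns it, else group if USER is
# a member, else other. An owner is never rescued by wider group bits.
# (root's permission bypass is not modelled; slapd runs as ldap.)
dir_usable() {
    perms=$((0$1)); owner=$2; group=$3; user=$4; user_groups=$5
    if [ "$user" = "$owner" ]; then
        bits=$(( (perms >> 6) & 7 ))
    else
        case " $user_groups " in
            *" $group "*) bits=$(( (perms >> 3) & 7 )) ;;
            *)            bits=$(( perms & 7 )) ;;
        esac
    fi
    [ "$bits" -eq 7 ]
}

# dir_private MODE: returns 0 if group and other have no access at all,
# as the slapd.conf comment ("Mode 0700 recommended") asks.
dir_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_db_dir DIR USER: run both checks against a real directory.
# Assumes GNU stat (-c) and that USER exists on the system.
audit_db_dir() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    member_of=$(id -Gn "$2") || return 2
    set -- "$2" $info                      # now: USER MODE OWNER GROUP
    dir_usable "$2" "$3" "$4" "$1" "$member_of" && dir_private "$2"
}

# Constructed cases: the three mode/owner combinations from the thread,
# checked for a daemon user "ldap" whose only group is "ldap".
for c in "700 root ldap" "770 root ldap" "700 ldap ldap"; do
    set -- $c
    if dir_usable "$1" "$2" "$3" ldap "ldap"; then u=yes; else u=no; fi
    if dir_private "$1"; then p=yes; else p=no; fi
    echo "mode=$1 owner=$2:$3 usable_by_ldap=$u private=$p"
done
```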
