Package: slapd
Version: 2.4.9-1
Severity: wishlist

We run a daily backup script to dump the contents of our LDAP database to a version controlled repository, using slapcat. We don't want to run the backup script as root, so we tried adding the user which does run the script to the openldap group. Unfortunately we still couldn't run slapcat because /etc/ldap/slapd.conf is only readable by root, and /var/lib/ldap is only readable by the openldap user. To get slapcat working for members of the openldap group, I eventually arrived at the following permissions:
amos% ls -l /etc/ldap
total 24
-rw-r--r-- 1 root     root      245 2008-02-14 12:14 ldap.conf
drwxr-xr-x 2 root     root     4096 2007-07-25 19:43 RCS
drwxr-xr-x 2 root     root     4096 2006-12-13 07:57 sasl2
drwxr-xr-x 2 root     root     4096 2008-03-12 17:20 schema
-rw-r----- 1 openldap openldap 4376 2007-07-25 19:50 slapd.conf
amos% sudo ls -la /var/lib/ldap
total 676
drwxrwx---  2 openldap openldap    4096 2008-04-16 09:14 .
drwxr-xr-x 60 root     root        4096 2008-05-20 07:45 ..
-rw-rw-r--  1 openldap openldap    4096 2008-06-09 11:34 alock
-rw-rw----  1 openldap openldap    8192 2008-04-16 09:14 __db.001
-rw-rw----  1 openldap openldap 2629632 2008-04-16 09:14 __db.002
-rw-rw----  1 openldap openldap   98304 2008-04-16 09:14 __db.003
-rw-rw----  1 openldap openldap  565248 2008-04-16 09:14 __db.004
-rw-rw----  1 openldap openldap   24576 2008-04-16 09:14 __db.005
-rw-rw-r--  1 openldap openldap      96 2007-07-25 19:40 DB_CONFIG
-rw-rw----  1 openldap openldap    8192 2008-04-25 16:45 dn2id.bdb
-rw-rw----  1 openldap openldap   32768 2008-04-25 16:45 id2entry.bdb
-rw-rw----  1 openldap openldap  107031 2008-06-07 13:42 log.0000000001
-rw-rw----  1 openldap openldap    8192 2008-04-25 16:45 objectClass.bdb
amos%

My wish is for these to be the default permissions set by the Debian slapd package, unless there's a risk to letting members of the openldap group run slapcat? It seems safer than running our daily backup script as root...
Thanks and best wishes,
Jack

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages slapd depends on:
ii  adduser                   3.108            add and remove users and groups
ii  coreutils                 6.10-6           The GNU core utilities
ii  debconf [debconf-2.0]     1.5.22           Debian configuration management sy
ii  libc6                     2.7-12           GNU C Library: Shared libraries
ii  libdb4.2                  4.2.52+dfsg-4    Berkeley v4.2 Database Libraries [
ii  libgnutls26               2.2.5-1          the GNU TLS library - runtime libr
ii  libldap-2.4-2             2.4.9-1          OpenLDAP libraries
ii  libltdl3                  1.5.26-4         A system independent dlopen wrappe
ii  libperl5.10               5.10.0-10        Shared Perl library
ii  libsasl2-2                2.1.22.dfsg1-20  Cyrus SASL - authentication abstra
ii  libslp1                   1.2.1-7.3        OpenSLP libraries
ii  libwrap0                  7.6.q-15         Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-per  5.10.0-10        Larry Wall's Practical Extraction
ii  psmisc                    22.6-1           Utilities that use the proc filesy
ii  unixodbc                  2.2.11-16        ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.22.dfsg1-20  Cyrus SASL - pluggable authenticat

-- debconf information:
  slapd/tlsciphersuite:
  slapd/fix_directory: true
  shared/organization: lat
  slapd/upgrade_slapcat_failure:
  slapd/backend: BDB
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/slave_databases_require_updateref:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/autoconf_modules: true
  slapd/domain: lat
  slapd/password_mismatch:
  slapd/invalid_config: true
  slapd/slurpd_obsolete:
  slapd/upgrade_slapadd_failure:
  slapd/dump_database: when needed
  slapd/migrate_ldbm_to_bdb: false
  slapd/purge_database: false
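As an added example (not part of Jack's report or of the Debian slapd package), a small POSIX shell audit that checks a tree against the permission layout shown in the report, so the group-based setup can be verified after each package upgrade. The config and data paths are parameters and the demo tree is constructed with empty placeholder files, so it runs without root or a real slapd.

```shell
#!/bin/sh
# Added audit of the group-based slapcat permission layout from the report.
# Expected modes mirror the ls output there: slapd.conf 0640, /var/lib/ldap
# 0770, database files 0660 (alock and DB_CONFIG are 0664 there and accepted).
# Ownership is deliberately not checked so this runs unprivileged against a
# constructed tree; CONF and DATADIR are parameters for the same reason.

# ldap_perm_findings CONF DATADIR
# Reports each deviation on stderr and prints the number of deviations.
ldap_perm_findings() {
    conf=$1; datadir=$2; n=0
    # slapd.conf commonly carries rootpw, so nothing for "other" is acceptable.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        640|600|440|400) ;;
        *) echo "$conf: mode $mode, expected 0640" >&2; n=$((n + 1)) ;;
    esac
    # The data directory gates everything below it: no bits for "other".
    mode=$(stat -c '%a' "$datadir")
    case "$mode" in
        *[1-7]) echo "$datadir: mode $mode grants access to others" >&2; n=$((n + 1)) ;;
    esac
    # Database, region and log files: owner and group only.
    for f in "$datadir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in alock|DB_CONFIG) continue ;; esac
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *[1-7]) echo "$f: mode $mode is world-accessible" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# make_demo_tree ROOT: constructed stand-in for /etc/ldap and /var/lib/ldap
# (empty placeholder files, not real LDAP data) laid out as in the report.
make_demo_tree() {
    root=$1
    mkdir -p "$root/etc/ldap" "$root/var/lib/ldap"
    : > "$root/etc/ldap/slapd.conf"; chmod 640 "$root/etc/ldap/slapd.conf"
    chmod 770 "$root/var/lib/ldap"
    for f in __db.001 dn2id.bdb id2entry.bdb log.0000000001 objectClass.bdb; do
        : > "$root/var/lib/ldap/$f"; chmod 660 "$root/var/lib/ldap/$f"
    done
    for f in alock DB_CONFIG; do
        : > "$root/var/lib/ldap/$f"; chmod 664 "$root/var/lib/ldap/$f"
    done
}
```

On a real host run `ldap_perm_findings /etc/ldap/slapd.conf /var/lib/ldap`; a non-zero count means some file has drifted from the layout in the report, most importantly a slapd.conf that has become world-readable.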