For the most part IPA runs its services using whatever the default unix user is for that service, e.g. Apache as httpd, ntpd as ntp, etc.

389-ds doesn't have a system user. We create one named dirsrv in ipa-server-install and use that. We also remove this user when uninstalling.

This can leave orphaned files, particularly log files.

We've seen a few problems when upgrading to 2.2 due to this. 2.2 adds a memcached and a new unix user, memcache. If you've installed IPA, uninstalled IPA, then installed a new package that adds a user (like memcache), it will get the dirsrv uid and things go downhill from there. Your slapd logs, lock, and run dirs will be owned by memcache and installation will fail very early.

Short-term fix for this is to not delete the dirsrv user when uninstalling IPA.

Mid-term fix for this is to make dirsrv a known unix service user.

Long-term fix is, well, up for discussion. Should we create an ipa user and run everything as this? This might require relocating a bunch of configuration so we can have custom SELinux policy. It also means we can/could lock down SELinux differently than the default system (read tighter).



Freeipa-devel mailing list
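As an added illustration of the uid-reuse failure mode described in the post (this is example code, not part of the FreeIPA project), the audit below classifies leftover service files by what their owning uid resolves to now: still the expected user, nobody (orphaned), or an unrelated account that inherited the uid. The passwd entries, uid 990 and the slapd-EXAMPLE paths are constructed; `scan_dirs` and `live_uid_map` are helpers for running the same check against a real host.

```python
"""Pre-install audit for files left behind by a deleted service user.
Added example; the passwd text and file list below are constructed."""
import os
import pwd
from typing import Dict, Iterable, List, Tuple


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> account name from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            users[int(fields[2])] = fields[0]
    return users


def audit_owners(file_owners: Iterable[Tuple[str, int]],
                 uid_to_name: Dict[int, str],
                 expected_user: str) -> Dict[str, List[str]]:
    """Classify each (path, owner uid):
    ok       - owned by the expected service user
    orphaned - uid maps to no account (user deleted, uid not yet reused)
    hijacked - uid now belongs to another account (the memcache case)"""
    result: Dict[str, List[str]] = {"ok": [], "orphaned": [], "hijacked": []}
    for path, uid in file_owners:
        name = uid_to_name.get(uid)
        if name is None:
            result["orphaned"].append(path)
        elif name != expected_user:
            result["hijacked"].append(f"{path} (uid {uid} is now {name})")
        else:
            result["ok"].append(path)
    return result


def scan_dirs(dirs: Iterable[str]) -> List[Tuple[str, int]]:
    """Collect (path, owner uid) for every entry under the given trees,
    using lstat so symlinks are reported by their own owner."""
    found = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for entry in [root] + [os.path.join(root, f) for f in files]:
                found.append((entry, os.lstat(entry).st_uid))
    return found


def live_uid_map() -> Dict[int, str]:
    """uid -> name from the running system's account database."""
    return {p.pw_uid: p.pw_name for p in pwd.getpwall()}


# Constructed scenario: dirsrv (uid 990) was removed on uninstall, then the
# memcache account was created and received the same uid.
PASSWD_AFTER_REINSTALL = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "memcache:x:990:990:Memcached:/run/memcached:/sbin/nologin\n"
)
LEFTOVERS = [
    ("/var/log/dirsrv/slapd-EXAMPLE/access", 990),
    ("/var/lock/dirsrv/slapd-EXAMPLE", 990),
    ("/var/run/dirsrv", 990),
    ("/var/log/dirsrv/slapd-EXAMPLE/errors", 991),
]

if __name__ == "__main__":
    report = audit_owners(LEFTOVERS, parse_passwd(PASSWD_AFTER_REINSTALL), "dirsrv")
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Run with real directories via `audit_owners(scan_dirs(["/var/log/dirsrv"]), live_uid_map(), "dirsrv")`; any "hijacked" entry before installation is the situation the post describes.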
