I've tried using the -u option by itself, and I've tried the -u and -g 
together, but it still does not work. Also, I'm specifying 10636 as the port, 
so the non-root user should be able to listen on it without any problems. The 
problem seems to be that when OpenLDAP is installed as root, the configuration 
and database files are owned by root and are not viewable if you're not root. 
For example, here are the permissions on slapd.conf after the installation:
 
-rw-------   1 root     other       3442 Jan 14 19:08 /usr/local/etc/openldap/slapd.conf
 
When OpenLDAP is told to use a non-root account, it tries to open slapd.conf as 
that user and fails.
 
Here's what I get, trying different parameters:
 
1. Start OpenLDAP without -u or -g; comes up fine:
 
# /usr/local/libexec/slapd -d 256 -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        [EMAIL PROTECTED]:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting
 
 
2. Start OpenLDAP with -u; dies with an error:
 
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        [EMAIL PROTECTED]:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
 
 
3. Start OpenLDAP with -u and -g; also dies with an error:
 
# /usr/local/libexec/slapd -d 256 -u openldap -g openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        [EMAIL PROTECTED]:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
 
 
Is this how OpenLDAP is supposed to work, or might this be a bug?
 
Thanks,
 
-Bill

> Date: Wed, 30 Jan 2008 16:02:13 -0800
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [email protected]; [EMAIL PROTECTED]
> Subject: Re: Running slapd as a non-root user
>
> --On Thursday, January 31, 2008 8:50 AM +1100 Dave Horsfall
> <[EMAIL PROTECTED]> wrote:
>
> > On Wed, 30 Jan 2008, Bill Sterns wrote:
> >
> >> I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b
> >> and Berkeley DB 4.6.21, which I built and installed from source as root.
> >> I'd like to be able to run slapd as a non-root user, as I've seen other
> >> packaged OpenLDAP distributions do in the past. However, when I try to
> >> run it as a non-root user, OpenLDAP does not have permission to access
> >> various things, such as slapd.conf, the back-end database files, and the
> >> directory to create its pid file when it starts up. I've tinkered with
> >> the file/group ownership and permissions for these files, and I've
> >> managed to get it running as a non-root user, but I'm not sure if this
> >> is the ideal way to do it. Is there a recommended way to do this?
> >
> > Start it as root, and use the "-u" and "-g" flags; this is the
> > recommended (if not the only) way to do it.
>
> His example clearly shows he's already using -u, so I'm guessing this was
> already figured out.
>
> But yes, the "user/group" slapd will run as must have the correct
> permissions to read what it needs to read, so setting those bits readable
> would be the correct thing to do.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
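A preflight check in the spirit of the advice above, added here as an illustration and not part of the thread or of OpenLDAP itself: it mirrors the Unix owner/group/other mode check that slapd runs into after -u/-g drop privileges, so the "Permission denied (13)" on slapd.conf, the BDB directory and the pid-file directory is reported before slapd is started. The uid for the "openldap" account and the temporary file layout are assumed/constructed.

```python
import os
import stat
import tempfile

R, W, X = 4, 2, 1  # permission bits, same order as the rwx triplets in ls -l

def dac_allows(st, uid, gids, want):
    """Classic Unix owner/group/other check on one os.stat() result.
    uid 0 bypasses the mode bits, which is why slapd works until -u takes effect."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def slapd_preflight(uid, gids, config, db_dir, pid_dir):
    """Return (path, reason) for each path the unprivileged slapd would fail on."""
    wanted = [(config, R, "config must be readable"),
              (db_dir, R | W | X, "database directory must be rwx"),
              (pid_dir, W | X, "pid-file directory must be writable/searchable")]
    problems = []
    for path, want, why in wanted:
        st = os.stat(path)
        if not dac_allows(st, uid, gids, want):
            problems.append((path, f"{why}; mode {stat.filemode(st.st_mode)} uid {st.st_uid}"))
    return problems

def demo():
    """Constructed layout: files left root-style (0600/0700), then group bits opened."""
    top = tempfile.mkdtemp()
    conf, db, run = (os.path.join(top, p) for p in ("slapd.conf", "openldap-data", "run"))
    open(conf, "w").close()
    for d in (db, run): os.mkdir(d)
    for path, mode in ((conf, 0o600), (db, 0o700), (run, 0o755)):
        os.chmod(path, mode)                 # what a root install leaves behind
    other_uid = os.getuid() + 1              # assumed: the "openldap" service account
    gids = {os.stat(conf).st_gid}            # assumed: its group is the files' group
    before = slapd_preflight(other_uid, gids, conf, db, run)
    for path, mode in ((conf, 0o640), (db, 0o770), (run, 0o770)):
        os.chmod(path, mode)                 # make the bits readable for that group
    after = slapd_preflight(other_uid, gids, conf, db, run)
    return before, after

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it on the real paths (/usr/local/etc/openldap/slapd.conf, the BDB directory and the pid directory) with the uid/gid you pass to -u/-g; an empty list means the dropped-privilege slapd can open everything it needs.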