openldap-bugs October 2006

openldap-bugs@openldap.org

31 participants
137 discussions

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by bgmilne＠staff.telkomsa.net 24 Oct '06

24 Oct '06

--nextPart6645744.gz20WZ6vTg Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 24 October 2006 21:00, quanah(a)stanford.edu wrote: > --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: > > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: > >> quanah(a)stanford.edu wrote: > >>> It would be nice if you could pass -u and -g options to run as another > >>> user/group so that on systems where OpenLDAP is running as another us= er > >>> or group, the files created by slapadd & slapindex have the correct > >>> ownerships (rather than root, for example). > >> > >> OK for slapadd; for slapindex and other tools, what about using > >> user/group info from the file(s) itself? > > > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > > is because it changes root after some initialization. > > Because some people are brain dead, and because other people set up > application accounts that don't actually have a shell. And some brain-dead OS's have an su without a -s flag ? > It also makes=20 > things more consistent behavior wise. I personally don't have this issue > because I run openldap as root anyway, but I've seen list traffic about > this on more than one occasion, and am seeing people hit it on the debian > openldap list as well. Debian doesn't have a brain-dead su, so 'su -s /bin/bash -c "slapadd ...."'= =20 etc. is feasible. One of my colleagues has a sticker on his monitor which says: Social Engineering Specialist: because there is no patch for stupidity. I haven't seen the need for this myself (but then I don't use back-config, = and=20 my initscript parses slapd.conf to find all database directories, and check= s=20 ownership on all of them). Regards, Buchan =2D-=20 Buchan Milne ISP Systems Specialist - Monitoring/Authentication Team Leader B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592) --nextPart6645744.gz20WZ6vTg Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBFPwhOrJK6UGDSBKcRApYPAKCecAu2I8CXqMin3Uz9a1MQv8cUEgCfZFPm TLqaOhPzhqr0KV8Y0W7fNR4= =93Bl -----END PGP SIGNATURE----- --nextPart6645744.gz20WZ6vTg--

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ahasenack＠terra.com.br 24 Oct '06

24 Oct '06

On Tue, Oct 24, 2006 at 12:46:30PM -0700, Quanah Gibson-Mount wrote: > >>Because some people are brain dead, and because other people set up > >>application accounts that don't actually have a shell. It also makes > >>things more consistent behavior wise. I personally don't have this > >>issue because I run openldap as root anyway, but I've seen list traffic > >>about this on more than one occasion, and am seeing people hit it on > >>the debian openldap list as well. > > > >The slapd initscript should/could chown the files whenever slapd is > >(re)started. > > And how would the init script know the locations of X number of databases, > particularly if back-config is used? With back-config things get more complicated, but with slapd.conf it's just a bunch of greps. What about storing this info inside the config file itself (i.e., "slapd_user ldap", "slapd_group ldap")? Chicken and egg problem?

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 7:16 PM +0000 ahasenack(a)terra.com.br wrote: > On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote: >> >> >> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: >> >> > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> >> quanah(a)stanford.edu wrote: >> >>> It would be nice if you could pass -u and -g options to run as >> >>> another user/group so that on systems where OpenLDAP is running as >> >>> another user or group, the files created by slapadd & slapindex have >> >>> the correct ownerships (rather than root, for example). >> >>> >> >> OK for slapadd; for slapindex and other tools, what about using >> >> user/group info from the file(s) itself? >> > >> > Why not just use su(1)? the only reason slapd(8) has -u/-g options >> > is because it changes root after some initialization. >> >> Because some people are brain dead, and because other people set up >> application accounts that don't actually have a shell. It also makes >> things more consistent behavior wise. I personally don't have this >> issue because I run openldap as root anyway, but I've seen list traffic >> about this on more than one occasion, and am seeing people hit it on >> the debian openldap list as well. > > The slapd initscript should/could chown the files whenever slapd is > (re)started. And how would the init script know the locations of X number of databases, particularly if back-config is used? --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ahasenack＠terra.com.br 24 Oct '06

24 Oct '06

On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote: > > > --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: > > > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: > >> quanah(a)stanford.edu wrote: > >>> It would be nice if you could pass -u and -g options to run as another > >>> user/group so that on systems where OpenLDAP is running as another user > >>> or group, the files created by slapadd & slapindex have the correct > >>> ownerships (rather than root, for example). > >>> > >> OK for slapadd; for slapindex and other tools, what about using > >> user/group info from the file(s) itself? > > > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > > is because it changes root after some initialization. > > Because some people are brain dead, and because other people set up > application accounts that don't actually have a shell. It also makes > things more consistent behavior wise. I personally don't have this issue > because I run openldap as root anyway, but I've seen list traffic about > this on more than one occasion, and am seeing people hit it on the debian > openldap list as well. The slapd initscript should/could chown the files whenever slapd is (re)started.

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by hyc＠symas.com 24 Oct '06

24 Oct '06

Kurt(a)OpenLDAP.org wrote: > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> quanah(a)stanford.edu wrote: >>> It would be nice if you could pass -u and -g options to run as another >>> user/group so that on systems where OpenLDAP is running as another user or >>> group, the files created by slapadd & slapindex have the correct ownerships >>> (rather than root, for example). >>> >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > is because it changes root after some initialization. Agreed. As for using info from the files themselves - that requires per-backend functions to return the user/group info. Seems like unnecessary effort. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> quanah(a)stanford.edu wrote: >>> It would be nice if you could pass -u and -g options to run as another >>> user/group so that on systems where OpenLDAP is running as another user >>> or group, the files created by slapadd & slapindex have the correct >>> ownerships (rather than root, for example). >>> >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > is because it changes root after some initialization. Because some people are brain dead, and because other people set up application accounts that don't actually have a shell. It also makes things more consistent behavior wise. I personally don't have this issue because I run openldap as root anyway, but I've seen list traffic about this on more than one occasion, and am seeing people hit it on the debian openldap list as well. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando＠sys-net.it 24 Oct '06

24 Oct '06

quanah(a)stanford.edu wrote: >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? >> > > What file(s)? Assuming this is a new (and only) index? I guess the __db.* > files? or the id2entry file? Just trying to see specifically where you are > going on this. :) > I mean: if slapadding a brand new db, -u/-g (but -g is already in use by glue stuff) is fine. If slapadding/slapindexing an existing db, get the info from the existing file, if any, or from id2entry.bdb. I'd use a specific option, though, and bail out if no definite answer can be gathered (e.g. -H means use ownership from file, -HH use ownership from file, or from id2entry.bdb if file does not exist). Note that it would make sense to have the -HH behavior as the default... p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by Kurt＠OpenLDAP.org 24 Oct '06

24 Oct '06

At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >quanah(a)stanford.edu wrote: >> It would be nice if you could pass -u and -g options to run as another >> user/group so that on systems where OpenLDAP is running as another user or >> group, the files created by slapadd & slapindex have the correct ownerships >> (rather than root, for example). >> >OK for slapadd; for slapindex and other tools, what about using >user/group info from the file(s) itself? Why not just use su(1)? the only reason slapd(8) has -u/-g options is because it changes root after some initialization.

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 8:49 PM +0200 Pierangelo Masarati <ando(a)sys-net.it> wrote: > quanah(a)stanford.edu wrote: >> It would be nice if you could pass -u and -g options to run as another >> user/group so that on systems where OpenLDAP is running as another user >> or group, the files created by slapadd & slapindex have the correct >> ownerships (rather than root, for example). >> > OK for slapadd; for slapindex and other tools, what about using > user/group info from the file(s) itself? What file(s)? Assuming this is a new (and only) index? I guess the __db.* files? or the id2entry file? Just trying to see specifically where you are going on this. :) --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando＠sys-net.it 24 Oct '06

24 Oct '06

quanah(a)stanford.edu wrote: > It would be nice if you could pass -u and -g options to run as another > user/group so that on systems where OpenLDAP is running as another user or > group, the files created by slapadd & slapindex have the correct ownerships > (rather than root, for example). > OK for slapadd; for slapindex and other tools, what about using user/group info from the file(s) itself? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2006