openldap-bugs

openldap-bugs@openldap.org

1 participants
20895 discussions

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 7:16 PM +0000 ahasenack(a)terra.com.br wrote: > On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote: >> >> >> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: >> >> > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> >> quanah(a)stanford.edu wrote: >> >>> It would be nice if you could pass -u and -g options to run as >> >>> another user/group so that on systems where OpenLDAP is running as >> >>> another user or group, the files created by slapadd & slapindex have >> >>> the correct ownerships (rather than root, for example). >> >>> >> >> OK for slapadd; for slapindex and other tools, what about using >> >> user/group info from the file(s) itself? >> > >> > Why not just use su(1)? the only reason slapd(8) has -u/-g options >> > is because it changes root after some initialization. >> >> Because some people are brain dead, and because other people set up >> application accounts that don't actually have a shell. It also makes >> things more consistent behavior wise. I personally don't have this >> issue because I run openldap as root anyway, but I've seen list traffic >> about this on more than one occasion, and am seeing people hit it on >> the debian openldap list as well. > > The slapd initscript should/could chown the files whenever slapd is > (re)started. And how would the init script know the locations of X number of databases, particularly if back-config is used? --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ahasenack＠terra.com.br 24 Oct '06

24 Oct '06

On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote: > > > --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: > > > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: > >> quanah(a)stanford.edu wrote: > >>> It would be nice if you could pass -u and -g options to run as another > >>> user/group so that on systems where OpenLDAP is running as another user > >>> or group, the files created by slapadd & slapindex have the correct > >>> ownerships (rather than root, for example). > >>> > >> OK for slapadd; for slapindex and other tools, what about using > >> user/group info from the file(s) itself? > > > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > > is because it changes root after some initialization. > > Because some people are brain dead, and because other people set up > application accounts that don't actually have a shell. It also makes > things more consistent behavior wise. I personally don't have this issue > because I run openldap as root anyway, but I've seen list traffic about > this on more than one occasion, and am seeing people hit it on the debian > openldap list as well. The slapd initscript should/could chown the files whenever slapd is (re)started.

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by hyc＠symas.com 24 Oct '06

24 Oct '06

Kurt(a)OpenLDAP.org wrote: > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> quanah(a)stanford.edu wrote: >>> It would be nice if you could pass -u and -g options to run as another >>> user/group so that on systems where OpenLDAP is running as another user or >>> group, the files created by slapadd & slapindex have the correct ownerships >>> (rather than root, for example). >>> >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > is because it changes root after some initialization. Agreed. As for using info from the files themselves - that requires per-backend functions to return the user/group info. Seems like unnecessary effort. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote: > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >> quanah(a)stanford.edu wrote: >>> It would be nice if you could pass -u and -g options to run as another >>> user/group so that on systems where OpenLDAP is running as another user >>> or group, the files created by slapadd & slapindex have the correct >>> ownerships (rather than root, for example). >>> >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? > > Why not just use su(1)? the only reason slapd(8) has -u/-g options > is because it changes root after some initialization. Because some people are brain dead, and because other people set up application accounts that don't actually have a shell. It also makes things more consistent behavior wise. I personally don't have this issue because I run openldap as root anyway, but I've seen list traffic about this on more than one occasion, and am seeing people hit it on the debian openldap list as well. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando＠sys-net.it 24 Oct '06

24 Oct '06

quanah(a)stanford.edu wrote: >> OK for slapadd; for slapindex and other tools, what about using >> user/group info from the file(s) itself? >> > > What file(s)? Assuming this is a new (and only) index? I guess the __db.* > files? or the id2entry file? Just trying to see specifically where you are > going on this. :) > I mean: if slapadding a brand new db, -u/-g (but -g is already in use by glue stuff) is fine. If slapadding/slapindexing an existing db, get the info from the existing file, if any, or from id2entry.bdb. I'd use a specific option, though, and bail out if no definite answer can be gathered (e.g. -H means use ownership from file, -HH use ownership from file, or from id2entry.bdb if file does not exist). Note that it would make sense to have the -HH behavior as the default... p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by Kurt＠OpenLDAP.org 24 Oct '06

24 Oct '06

At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote: >quanah(a)stanford.edu wrote: >> It would be nice if you could pass -u and -g options to run as another >> user/group so that on systems where OpenLDAP is running as another user or >> group, the files created by slapadd & slapindex have the correct ownerships >> (rather than root, for example). >> >OK for slapadd; for slapindex and other tools, what about using >user/group info from the file(s) itself? Why not just use su(1)? the only reason slapd(8) has -u/-g options is because it changes root after some initialization.

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

--On Tuesday, October 24, 2006 8:49 PM +0200 Pierangelo Masarati <ando(a)sys-net.it> wrote: > quanah(a)stanford.edu wrote: >> It would be nice if you could pass -u and -g options to run as another >> user/group so that on systems where OpenLDAP is running as another user >> or group, the files created by slapadd & slapindex have the correct >> ownerships (rather than root, for example). >> > OK for slapadd; for slapindex and other tools, what about using > user/group info from the file(s) itself? What file(s)? Assuming this is a new (and only) index? I guess the __db.* files? or the id2entry file? Just trying to see specifically where you are going on this. :) --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando＠sys-net.it 24 Oct '06

24 Oct '06

quanah(a)stanford.edu wrote: > It would be nice if you could pass -u and -g options to run as another > user/group so that on systems where OpenLDAP is running as another user or > group, the files created by slapadd & slapindex have the correct ownerships > (rather than root, for example). > OK for slapadd; for slapindex and other tools, what about using user/group info from the file(s) itself? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4719) Support for running slapadd/slapindex as a user
by quanah＠stanford.edu 24 Oct '06

24 Oct '06

Full_Name: Quanah Gibson-Mount Version: All OS: NA URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (171.66.155.86) It would be nice if you could pass -u and -g options to run as another user/group so that on systems where OpenLDAP is running as another user or group, the files created by slapadd & slapindex have the correct ownerships (rather than root, for example).

1 0

Re: (ITS#4718) Option 'network-timeout' missing from slapd-meta man pages
by ando＠sys-net.it 24 Oct '06

24 Oct '06

damonmo(a)gmail.com wrote: > The option 'network-timeout' used to stablish a socket-level timeout on meta > backend is missing on slapd-meta man pages. > Fixed in HEAD/re23. Thanks, p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs