Full_Name: Ryan Steele
Version: 2.4.34
OS: Ubuntu, RedHat
URL:
Submission from: (NULL) (12.150.6.65)
According to https://github.com/gcp/openldap/blob/master/contrib/slapd-modules/nssov/nsso..., nssov tries to create the socket/PID directory /var/run/nslcd if it does not exist. However, that mkdir attempt will always fail because slapd runs as a non-privileged user and the permissions on /var/run are, appropriately, root:root and 755. As a result, when a system using slapd+nssov is rebooted, slapd fails to start, and user lookups therefore fail until /var/run/nslcd is manually created so that slapd can be started.
Traditionally, things in /var/run are created via init scripts, since they run as root. Once that is done, privileges can be dropped and the daemon started. Given that nssov is a contrib overlay, we could make a separate init script for nssov that runs before slapd's and creates the appropriate directory in /var/run. Alternatively, we could make --with-nslcd-pidfile and --with-nslcd-socket configurable post-install options instead of being set in stone at compile time, making it possible to set the PID/socket directory to something we know will exist and have the right perms, like /var/run/slapd (i.e., /var/run/slapd/nslcd.socket).
It would probably make sense to remove the mkdir-related lines from nssov.c entirely, since non-privileged users do not have write perms on /var/run. I consider this a pretty serious issue, as it prevents the software from working.