I was reviewing the discussion of ITS#4719 and thinking about some of
the options. We could add a setuser/setgroup config directive for the
tools to use. It might be confusing since these directives would not
replace the need for slapd's -u and -g commandline options.
Along those lines, how does anyone use slapd with the -r option? Since
no corresponding option exists for the tools, and presumably the
pathnames in slapd.conf are absolute paths, I guess you would need an
alternate config for running the tools outside the chroot jail, with the
full paths to the jailed directories. Seems rather messy.
I would expect the more common scenario is to just run slapd using a
userID that doesn't have write privileges outside its database
directories, and not worry about a chroot jail.
We've talked about this in the past - why don't we restructure things so
that the user and group are read from the config, along with the
listeners? I.e., defer dropping root privs until after the config has
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
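The last point of the message (read the user/group from the config and only then drop root) turns on the order in which a daemon must do things. The following is an added example, not OpenLDAP code and not part of the thread: a minimal config parser plus a privilege-drop routine in the order that is safe, with chroot (which itself needs root) done before the uid change and a check afterwards that root cannot be regained. The directive names `runuser`, `rungroup` and `chroot`, numeric IDs instead of names, and all function names are assumptions made for the illustration.

```c
/* Added example (hypothetical, not slapd code): read the runtime user, group
 * and optional jail from a config *before* dropping root, then drop in the
 * safe order and verify. Root-only steps are guarded so it also runs unprivileged. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct run_config {
    uid_t uid;       /* hypothetical "runuser <uid>" directive  */
    gid_t gid;       /* hypothetical "rungroup <gid>" directive */
    char  jail[256]; /* hypothetical "chroot <dir>" directive, optional */
};

/* Parse "key value" lines; '#' starts a comment. Returns 0 if both ids were set. */
int parse_run_config(const char *text, struct run_config *cfg)
{
    const char *p = text;
    int have_uid = 0, have_gid = 0;
    memset(cfg, 0, sizeof *cfg);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        unsigned long v;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] == '\0' || line[0] == '#') { /* blank or comment */ }
        else if (sscanf(line, "runuser %lu", &v) == 1)  { cfg->uid = (uid_t)v; have_uid = 1; }
        else if (sscanf(line, "rungroup %lu", &v) == 1) { cfg->gid = (gid_t)v; have_gid = 1; }
        else if (sscanf(line, "chroot %255s", cfg->jail) == 1) { /* jail dir recorded */ }
        else return -1; /* unknown directive */
        p = nl ? nl + 1 : p + len;
    }
    return (have_uid && have_gid) ? 0 : -1;
}

/* Drop to the configured ids. Order matters: chroot and setgroups need root,
 * and the group must change before the user because an unprivileged uid can
 * no longer call setgid/setgroups. Returns 0 on success, -1 on any failure. */
int drop_privileges(const struct run_config *cfg)
{
    if (geteuid() == 0) {
        /* chroot first, then chdir("/") so the cwd is not left outside the jail.
         * After this point every path in the config is relative to the jail. */
        if (cfg->jail[0] != '\0' && (chroot(cfg->jail) != 0 || chdir("/") != 0))
            return -1;
        /* Supplementary groups inherited from root would survive setuid(). */
        if (setgroups(1, &cfg->gid) != 0) return -1;
    }
    if (setgid(cfg->gid) != 0) return -1;
    if (setuid(cfg->uid) != 0) return -1;   /* as root this sets real, effective and saved uid */

    /* Verify: unless the config asked for root, regaining uid 0 must fail. */
    if (cfg->uid != 0 && setuid(0) == 0) return -1;
    if (getuid() != cfg->uid || geteuid() != cfg->uid) return -1;
    if (getgid() != cfg->gid || getegid() != cfg->gid) return -1;
    return 0;
}

/* Constructed demo: build a config naming the current ids and run the sequence.
 * Returns 0 on success so the flow can be checked without real privilege. */
int demo_drop_to_current_user(void)
{
    struct run_config cfg;
    char text[128];
    snprintf(text, sizeof text, "# constructed config\nrunuser %lu\nrungroup %lu\n",
             (unsigned long)getuid(), (unsigned long)getgid());
    if (parse_run_config(text, &cfg) != 0) return -1;
    if (cfg.uid != getuid() || cfg.gid != getgid()) return -1;
    return drop_privileges(&cfg);
}

int main(void)
{
    int rc = demo_drop_to_current_user();
    printf("privilege drop %s (uid=%lu gid=%lu)\n", rc == 0 ? "ok" : "FAILED",
           (unsigned long)geteuid(), (unsigned long)getegid());
    return rc == 0 ? 0 : 1;
}
```

The ordering also shows why the -r jail interacts badly with the tools the message mentions: once chroot() has run, the absolute paths in the config resolve inside the jail, so a tool started outside it cannot use the same file unchanged.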