--On Thursday, October 26, 2006 2:24 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
Kurt D. Zeilenga wrote:
>> We've talked about this in the past - why don't we restructure things
>> so that the user and group are read from the config, along with the
>> listeners? I.e., defer dropping root privs until after the config has
>> been read.
> Personally, I prefer our current approach. Everything on the
> command line is done from the user/group/root of the parent,
> everything in the config file is done from the command line
> specified user/group/root.
> Placing user/group/root in the config file makes it confused
> as to what is processed under which user/group/root. For
> instance, in a custom backend with custom directives, would
> these be processed before or after the change?
I was only talking about user and group and listeners, I would leave root
on the command line. As for when they take effect, we'd require that they
get issued before any backend or database directives. With back-config
they would be in the global section and naturally execute before anything

So with Howard's clarification, is there still objection?

In the meantime, in the 2.3 release, it may be worthwhile to note something
in the man pages, like:

--- openldap-old/doc/man/man8/slapindex.8 2006-01-03 23:16:06.000000000
+++ openldap2.3-2.3.27/doc/man/man8/slapindex.8 2006-10-24
@@ -90,6 +90,10 @@
should not be running (at least, not in read-write
mode) when you do this to ensure consistency of the database.
+slapindex ought to be run as the same user that
+.BR slapd (8)
+uses to ensure correct database permissions.
This command provides ample opportunity for the user to obtain
and drink their favorite beverage.
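
Review bot: the added sentence ("slapindex ought to be run as the same user that slapd(8) uses to ensure correct database permissions") is ambiguous, since it can be read as slapd using that user to ensure permissions, and "ought to" understates the requirement. Suggest stating the consequence directly, for example: "slapindex should be run as the same user that slapd(8) runs as, so that the index files it writes keep ownership and permissions slapd can use." The leading "slapindex" is plain text while the next line uses .BR for slapd (8); .B slapindex would be consistent. The hunk header (-90,6 +90,10) announces four added lines but only three + lines are visible here, so confirm the patch applies as posted.
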
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html