On Friday 21 September 2007 06:07:47 Howard Chu wrote:
Use slaptest instead.
except that slaptest doesn't have a "run as another user" flag, and -u is already taken :-(.
I was just working with converting a conf file to a config backend and swear I saw a specific note somewhere to use slaptest (and I knew to use slaptest). Now poking around a bit I can't find it.
Nor do the tools need such an option; you can just use su. The reason slapd can't be started with just "su ldap" is because it may need root privs to open the listener sockets. That's the only reason it has -u/-g options.
Sure, and I use su in our init script when testing the configuration. But, some other distros don't, and don't use -u, and end up creating transaction log files as root, preventing startup later.
I don't perceive this as an OpenLDAP problem; it is more of a "bad distribution! bad!" kind of issue.
I am not aware of any recommendation of using su for slaptest (though it is quite obvious to many, it may be worth mentioning explicitly). And, it should certainly be mentioned in any documentation covering converting to back-config.
Nah, it is simply obvious/standard practice. Configuring services as a user or root and then setting permissions as the last step is just how things are done.
At present, it seems that if you want to do the conversion while slapd is running, and for a slapd that runs as non-root, something like this is the best option:

    # slapd -u ldap -g ldap -d none -h ldap://localhost:391/ -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

As then:
- The configuration will be converted
- slapd won't start up
What makes you say that?
It will fail to open the database already opened by the running slapd.
I'm confused by all of this; who is going to be converting their configuration (which one assumes would also include testing the resulting configuration) while slapd is hot?
- you will see any relevant errors
- all the files will be owned by the ldap user/group
- if it succeeds, a restart of slapd is all that is necessary to continue
That seems like far more trouble than just using su...
It's about the same amount of typing:

    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap.ldap /etc/openldap/slapd.d
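One way to script the slaptest-then-chown sequence from the message above and then confirm that no file in slapd.d is left owned by someone other than the ldap user (the failure mode raised earlier in the thread), as an added shell example that is not from the thread or the OpenLDAP project. The /etc/openldap paths and the ldap user/group come from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): convert slapd.conf to slapd.d with
# slaptest, hand the tree to the ldap user, then verify no entry is owned
# by another uid/gid. Paths and the ldap user are the thread's; adjust as needed.

# Print every path under $1 whose owner is not uid $2 or whose group is not gid $3.
# Returns 0 when the tree is clean, 1 when at least one foreign-owned entry exists.
find_foreign_owned() {
    dir=$1; uid=$2; gid=$3
    found=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# The conversion as described above: slaptest as root, then chown -R, then check.
convert_to_backconfig() {
    conf=${1:-/etc/openldap/slapd.conf}
    confdir=${2:-/etc/openldap/slapd.d}
    owner=${3:-ldap}
    slaptest -f "$conf" -F "$confdir" || return 1
    chown -R "$owner:$owner" "$confdir" || return 1
    # A stray root-owned file here is exactly what breaks the next non-root
    # slapd start, so fail loudly if the chown did not cover everything.
    find_foreign_owned "$confdir" "$(id -u "$owner")" "$(id -g "$owner")"
}
```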