I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
 
This is what I get when I initially try to run slapd as a non-root user:
 
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
 
Here's what I've done to run slapd as a non-root user:
 
1. Created user/group of openldap/openldap, put the openldap user in the openldap group
2. Ran: chgrp openldap slapd.conf   # This was originally owned by the group "other"
3. Ran: chmod 640 slapd.conf         # This was originally 600
4. Ran: chgrp -R openldap /usr/local/etc/openldap/certs      # Certs for SSL/TLS; originally owned by the group "other"
5. Ran: chmod 440 /usr/local/etc/openldap/certs/host.key   # Private key for SSL/TLS; originally 400
6. Ran: chgrp -R openldap /usr/local/var/openldap-data # Back-end bdb; originally owned by the group "other"
7. Ran: chmod 775 /usr/local/var/openldap-data   # Originally 755
8. Ran: chmod g+s /usr/local/var/openldap-data
9. Ran: chgrp openldap /usr/local/var/run    # Originally owned by the group "other"
10. Ran: chmod 775 /usr/local/var/run   # Originally 755
11. Ran: chmod 660 /usr/local/var/openldap-data/*   # Originally 600, except for alock
12. Ran: chmod 664 /usr/local/var/openldap-data/alock   # Originally 644
 
After these steps, I can bring up OpenLDAP as my "openldap" user:
 
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting

Am I going about this the right way? Is running OpenLDAP as a non-root user a non-recommended thing to do when using an installation built from source? And are there any other gotchas that might cause problems later? One possible problem I can think of is if the database needs to be wiped and recreated from a backed-up LDIF file using slapadd; if slapadd is run as root, the permissions would have to be reset on the database files before slapd could start up.
 
Any help would be greatly appreciated.
 
Thanks,
 
-Bill
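The following is an added example and not part of Bill's post or of OpenLDAP itself. It shows the same idea (let slapd run under -u openldap) with a tighter layout than the step list above: slapd.conf stays root-owned and is only group-readable, the private key is 0400 and owned by the slapd user instead of group-readable, the BDB directory is owned outright by the slapd user with no group write and no setgid bit, and the pid file goes into a dedicated subdirectory instead of making the shared var/run group-writable. It also includes an audit function for the case raised at the end of the post (slapadd run as root leaving root-owned files behind). Paths follow the post's /usr/local prefix; the prefix, user and group are parameters so the script can be exercised in a scratch directory. The subdirectory /usr/local/var/run/openldap and the matching pidfile directive are my choices, not something the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): least-privilege ownership and
# permission layout for a from-source OpenLDAP install so that slapd can be
# started with "-u USER -g GROUP". Assumes the post's /usr/local layout and a
# POSIX find/chmod/chown; the pid subdirectory is an assumption.
set -e

# fix_perms PREFIX USER GROUP
# Apply the layout. Safe to re-run, e.g. after a root-run slapadd.
fix_perms() {
    prefix=$1; user=$2; group=$3
    conf="$prefix/etc/openldap"
    data="$prefix/var/openldap-data"
    run="$prefix/var/run/openldap"   # assumption: dedicated pid dir

    # slapd.conf: keep the existing (root) owner, grant the slapd group read only.
    # slapd needs to read it, never to write it.
    chgrp "$group" "$conf/slapd.conf"
    chmod 0640 "$conf/slapd.conf"

    # TLS material: directory traversable by the group, private key readable
    # by the slapd user alone (0400 owned by that user, not 440 via group).
    chgrp -R "$group" "$conf/certs"
    chmod 0750 "$conf/certs"
    chown "$user:$group" "$conf/certs/host.key"
    chmod 0400 "$conf/certs/host.key"

    # Back-end database: owned outright by the slapd user. BDB creates its
    # __db.* and log.* files at runtime as that user, so no group write or
    # setgid bit is needed; alock is created the same way.
    chown -R "$user:$group" "$data"
    chmod 0700 "$data"
    find "$data" -type f -exec chmod 0600 {} +

    # Pid/args files: a subdirectory owned by the slapd user, so the shared
    # var/run itself stays 0755 root-owned. Point slapd.conf at it with
    #   pidfile  PREFIX/var/run/openldap/slapd.pid
    #   argsfile PREFIX/var/run/openldap/slapd.args
    mkdir -p "$run"
    chown "$user:$group" "$run"
    chmod 0755 "$run"
}

# audit_perms PREFIX USER
# Pre-start check for the slapadd-as-root problem: list any database file or
# directory not owned by USER, or any file not mode 0600. Returns 1 if
# anything needs fixing, 0 if the layout is clean.
audit_perms() {
    prefix=$1; user=$2
    data="$prefix/var/openldap-data"
    bad=$( { find "$data" ! -user "$user"; find "$data" -type f ! -perm 0600; } )
    if [ -n "$bad" ]; then
        printf 'database files needing ownership/mode fix:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Usage on the real system (as root): fix_perms /usr/local openldap openldap, then start slapd with -u openldap -g openldap. To avoid the slapadd problem in the first place, run slapadd as the openldap user rather than as root; if it has already been run as root, audit_perms /usr/local openldap shows what is wrong and fix_perms puts it right.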
