I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
This is what I get when I initially try to run slapd as a non-root user:
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
Here's what I've done to run slapd as a non-root user:
1. Created user/group of openldap/openldap, put the openldap user in the openldap group
2. Ran: chgrp openldap slapd.conf # This was originally owned by the group "other"
3. Ran: chmod 640 slapd.conf # This was originally 600
4. Ran: chgrp -R openldap /usr/local/etc/openldap/certs # Certs for SSL/TLS; originally owned by the group "other"
5. Ran: chmod 440 /usr/local/etc/openldap/certs/host.key # Private key for SSL/TLS; originally 400
6. Ran: chgrp -R openldap /usr/local/var/openldap-data # Back-end bdb; originally owned by the group "other"
7. Ran: chmod 775 /usr/local/var/openldap-data # Originally 755
8. Ran: chmod g+s /usr/local/var/openldap-data
9. Ran: chgrp openldap /usr/local/var/run # Originally owned by the group "other"
10. Ran: chmod 775 /usr/local/var/run # Originally 755
11. Ran: chmod 660 /usr/local/var/openldap-data/* # Originally 600, except for alock
12. Ran: chmod 664 /usr/local/var/openldap-data/alock # Originally 644
After these steps, I can bring up OpenLDAP as my "openldap" user:
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting
Am I going about this the right way? Is running OpenLDAP as a non-root user a non-recommended thing to do when using an installation built from source? And are there any other gotchas that might cause problems later? One possible problem I can think of is if the database needs to be wiped and recreated from a backed-up LDIF file using slapadd; if slapadd is run as root, the permissions would have to be reset on the database files before slapd could start up.
Any help would be greatly appreciated.
Thanks,
-Bill
On Wed, 30 Jan 2008, Bill Sterns wrote:
I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
Start it as root, and use the "-u" and "-g" flags; this is the recommended (if not the only) way to do it.
[...]
Am I going about this the right way? Is running OpenLDAP as a non-root user a non-recommended thing to do when using an installation built from source? And are there any other gotchas that might cause problems later? One possible problem I can think of is if the database needs to be wiped and recreated from a backed-up LDIF file using slapadd; if slapadd is run as root, the permissions would have to be reset on the database files before slapd could start up.
You won't be able to bind to port 389 as a non-root user. There's also the matter of resource limits.
--On Thursday, January 31, 2008 8:50 AM +1100 Dave Horsfall daveh@coreng.com.au wrote:
On Wed, 30 Jan 2008, Bill Sterns wrote:
I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
Start it as root, and use the "-u" and "-g" flags; this is the recommended (if not the only) way to do it.
His example clearly shows he's already using -u, so I'm guessing this was already figured out.
But yes, the "user/group" slapd will run as must have the correct permissions to read what it needs to read, so setting those bits readable would be the correct thing to do.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wed, 30 Jan 2008, Quanah Gibson-Mount wrote:
Is there a recommended way to do this?
Start it as root, and use the "-u" and "-g" flags; this is the recommended (if not the only) way to do it.
His example clearly shows he's already using -u, so I'm guessing this was already figured out.
Sure, but I was responding to the general question.
I guess I should point out that FreeBSD comes with a start-up script as part of the package/port, which makes all the resources accessible by "ldap".
I've tried using the -u option by itself, and I've tried the -u and -g together, but it still does not work. Also, I'm specifying 10636 as the port, so the non-root user should be able to listen on it without any problems. The problem seems to be that when OpenLDAP is installed as root, the configuration and database files are owned by root and are not viewable if you're not root. For example, here's the permissions on slapd.conf after the installation:
-rw------- 1 root other 3442 Jan 14 19:08 /usr/local/etc/openldap/slapd.conf
When OpenLDAP is told to use a non-root account, it tries to open slapd.conf as that user and fails.
Here's what I get, trying different parameters:
1. Start OpenLDAP without -u or -g; comes up fine:
# /usr/local/libexec/slapd -d 256 -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting
2. Start OpenLDAP with -u; dies with an error:
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
3. Start OpenLDAP with -u and -g; also dies with an error:
# /usr/local/libexec/slapd -d 256 -u openldap -g openldap -h ldaps://:10636
@(#) $OpenLDAP: slapd 2.4.6 (Jan 10 2008 00:28:06) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
Is this how OpenLDAP is supposed to work, or might this be a bug?
Thanks,
-Bill
--On Wednesday, January 30, 2008 6:48 PM -0600 Bill Sterns mrbill321@hotmail.com wrote:
I've tried using the -u option by itself, and I've tried the -u and -g together, but it still does not work. Also, I'm specifying 10636 as the port, so the non-root user should be able to listen on it without any problems. The problem seems to be that when OpenLDAP is installed as root, the configuration and database files are owned by root and are not viewable if you're not root. For example, here's the permissions on slapd.conf after the installation:
All of this applies to what I wrote below. The user *must* be able to read the database, conf files, etc. Period. If you've set it root only, then you haven't configured things right.
But yes, the "user/group" slapd will run as must have the correct permissions to read what it needs to read, so setting those bits readable would be the correct thing to do.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wednesday 30 January 2008 23:01:07 Bill Sterns wrote:
I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
This is what I get when I initially try to run slapd as a non-root user:
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
could not open config file "/usr/local/etc/openldap/slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
Note, when starting as root with the -u flag, slapd opens ports before dropping privileges, so you can still run on the standard ports.
Here's what I've done to run slapd as a non-root user:
1. Created user/group of openldap/openldap, put the openldap user in the openldap group
2. Ran: chgrp openldap slapd.conf # This was originally owned by the group "other"
3. Ran: chmod 640 slapd.conf # This was originally 600
4. Ran: chgrp -R openldap /usr/local/etc/openldap/certs # Certs for SSL/TLS; originally owned by the group "other"
5. Ran: chmod 440 /usr/local/etc/openldap/certs/host.key # Private key for SSL/TLS; originally 400
You don't indicate whether you ensured that the openldap user/group has rights to "enter" /usr/local/etc/openldap; most likely you need to do (at minimum):
chmod a+x /usr/local/etc/openldap
Note that you can very easily test component by component, by doing something like:
# su - openldap -s /bin/bash
$ cd /usr/local/etc/openldap
$ head slapd.conf
(or similar)
(BTW, I consider this to really be basic Unix skills, not OpenLDAP-specific, or terribly advanced).
6. Ran: chgrp -R openldap /usr/local/var/openldap-data # Back-end bdb; originally owned by the group "other"
7. Ran: chmod 775 /usr/local/var/openldap-data # Originally 755
8. Ran: chmod g+s /usr/local/var/openldap-data
9. Ran: chgrp openldap /usr/local/var/run # Originally owned by the group "other"
10. Ran: chmod 775 /usr/local/var/run # Originally 755
11. Ran: chmod 660 /usr/local/var/openldap-data/* # Originally 600, except for alock
12. Ran: chmod 664 /usr/local/var/openldap-data/alock # Originally 644
After these steps, I can bring up OpenLDAP as my "openldap" user:
# /usr/local/libexec/slapd -d 256 -u openldap -h ldaps:///
@(#) $OpenLDAP: slapd 2.4.6 (Jan 29 2008 18:42:36) $
        bill@bill1:/home/bill/openldap-2.4.6/servers/slapd
bdb_monitor_open: monitoring disabled; configure monitor database to enable
slapd starting
Am I going about this the right way? Is running OpenLDAP as a non-root user a non-recommended thing to do when using an installation built from source?
There's no reason this should differ vs when installed from a package - I note that virtually all packages I have seen of OpenLDAP cater specifically to run as non-root (e.g., by default, run as non-root).
And are there any other gotchas that might cause problems later?
No, just watch permissions, as always ...
One possible problem I can think of is if the database needs to be wiped and recreated from a backed-up LDIF file using slapadd; if slapadd is run as root, the permissions would have to be reset on the database files before slapd could start up.
which a single chown will fix.
Any help would be greatly appreciated.
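The "test component by component" advice above can be made mechanical. The script below is an added example, not code from the thread or from the OpenLDAP project: it walks every directory on the way to a file and reports which ones the group (or others) cannot traverse, and whether the file itself is readable, by reading the mode bits rather than running an access test, so the answer is the same whether root or the service user runs it. The directory tree it builds under a temp dir is a constructed stand-in for the slapd.conf layout in the thread.

```sh
#!/bin/sh
# check_path_access FILE group|other
# Reports every directory on the way to FILE that the given permission class
# cannot enter (no x bit), then whether FILE itself is readable by that class.
# The verdict comes from the mode bits shown by 'ls -ld', not from an access
# test, so it is right even when run as root (for whom '[ -r ]' always passes).
# Returns 0 when the whole chain is accessible, 1 otherwise.
check_path_access() {
    file=$1
    case $2 in
        group) xpos=7; rpos=5 ;;   # group x is column 7, group r column 5
        *)     xpos=10; rpos=8 ;;  # "other": columns 10 and 8
    esac
    rc=0
    dir=$(dirname "$file")
    # Walk from the file's directory up to /, inspecting the x bit at each level.
    # 'S' and 'T' are setgid/sticky without execute, so they count as blocked.
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $(printf '%s' "$mode" | cut -c"$xpos") in
            -|S|T) echo "cannot traverse: $dir ($mode)"; rc=1 ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c"$rpos")" = "-" ]; then
        echo "cannot read: $file ($mode)"
        rc=1
    fi
    return $rc
}
# make_fixture: constructed stand-in for the slapd.conf layout from the thread.
# The file is group-readable (640) but its directory is still 700. Prints the root.
make_fixture() {
    umask 022
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir -p "$root/usr/local/etc/openldap"
    : > "$root/usr/local/etc/openldap/slapd.conf"
    chmod 640 "$root/usr/local/etc/openldap/slapd.conf"
    chmod 700 "$root/usr/local/etc/openldap"
    echo "$root"
}
if [ "${1:-}" = "demo" ]; then
    root=$(make_fixture)
    check_path_access "$root/usr/local/etc/openldap/slapd.conf" group  # flags the 700 dir
    chmod a+x "$root/usr/local/etc/openldap"   # the fix suggested in the reply
    check_path_access "$root/usr/local/etc/openldap/slapd.conf" group && echo "reachable"
    rm -rf "$root"
fi
```

Run it with the argument `demo` to see the 700 directory reported and then cleared by `chmod a+x`; against a real install, point `check_path_access` at slapd.conf, the certificate key and the bdb directory with the class the `-g` group maps to.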