Hi Ondřej,

Thanks for your reply.

Yes, we are putting our (single file) mdb straight in /var/symas/openldap-data, using subdirs never crossed our minds.

Anyway, we just have to document this behaviour in our upgrade documentation.

Must say: the behaviour, for us, is a little bit unexcpected. We didn't expect rpm upgrades to "mess" with fs permissions, but we can simply work around it.

Thanks again for your reply, appreciated!

On Wed, 13 Sept 2023 at 12:25, Ondřej Kuzník <ondra@mistotebe.net> wrote:

On Tue, Sep 12, 2023 at 04:44:15PM +0200, cYuSeDfZfb cYuSeDfZfb wrote:
> Hi,
>
> We're seeing this quite consistently.
>
> Before updating:
> [root@ldaps01 log]# ls -l
> /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data
>
> After updating:
> [root@ldaps01 log]# ls -l
> /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data
>
> And afterwards symas-openldap-server (running as ldap:ldap) no longer
> starts, since permission denied on /var/symas/openldap-data.
>
> Reverting the permissions back to ldap:ldap solves it. But...WHY is this
> happening.
>
> Are we somehow encouraged to run openldap as root..?
>
> Why would a post-install script reset permissions on
> /var/symas/openldap-data?

Hi,
openldap-data is owned by the package and as such you'll have to tell
rpm somehow (a trigger, ...) that you don't want it to mess with it.
AFAIK there's work ongoing to make the directory 711 which should sort
things for you.

That's unless you're putting the databases directly into
/var/symas/openldap-data, we advise you create a subdirectory per DB,
e.g. /var/symas/openldap-data/dc=example,dc=com or
/var/symas/openldap-data/cn=accesslog.

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP