Hello,
I'm trying to run slapd as a non-root user and am having difficulties. As part of a test suite for a library I'm working on, I'd like to automate starting and stopping slapd with various configs, with relatively-pathed config files, etc.
I'm having an issue running slapd with a custom config "slapd.conf" that's not located at /etc/ldap/slapd.conf. Example:
====================
vagrant@lucid64:~/slapd$ pwd
/home/vagrant/slapd

vagrant@lucid64:~/slapd$ ls -l
total 8
drwxr-xr-x 2 vagrant vagrant 4096 2013-09-27 21:14 schema
-rw-r--r-- 1 vagrant vagrant  440 2013-09-27 21:15 slapd.conf

vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f slapd.conf
@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $
        buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
could not open config file "slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
====================
The problem is with the "Permission denied": why can't slapd read slapd.conf?
But if I copy the same slapd.conf to /etc/ldap, I get
====================
vagrant@lucid64:~/slapd$ ls -l /etc/ldap/
total 20
-rw-r--r-- 1 root     root      245 2011-12-19 17:19 ldap.conf
drwxr-xr-x 2 root     root     4096 2011-12-19 17:19 sasl2
drwxr-xr-x 2 root     root     4096 2013-09-27 20:26 schema
-rw-r--r-- 1 root     root      440 2013-09-27 21:21 slapd.conf
drwxr-x--- 3 openldap openldap 4096 2013-09-27 20:26 slapd.d

vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f /etc/ldap/slapd.conf
@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $
        buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
could not stat config file "./core.schema": No such file or directory (2)
slapd stopped.
connections_destroy: nothing to destroy.
====================
which doesn't run (I have relative schema directives in the config file), but at least slapd can read the file.
Note that using an absolute path in the first example has the same result; feeding in a non-existent file gives a different error ("could not stat"). Also, I'm using sudo above just to ease things along; eventually it'll run as a normal user.
I'm running Ubuntu Lucid 64-bit.
Am I missing something obvious?
Thanks,
Gary
On 13-09-27 12:35 PM, Gary Slopsema wrote:
> I'm having an issue running slapd with a custom config "slapd.conf" that's not located at /etc/ldap/slapd.conf.
I guess AppArmor is blocking you. If I'm right, dmesg(1) will show some audit messages that confirm it. Look at /etc/apparmor.d/usr.sbin.slapd for the rules it follows.
The correct fix is to create a local addition to the AppArmor profile (check the documentation) that adds the paths your slapd should be allowed to access.
You could work around AppArmor, either by copying or hard-linking /usr/sbin/slapd somewhere else and running it from there, or by disabling the profile using aa-complain(8). Don't do either of those on a system that handles untrusted data, of course.
If you run your own openldap build (as many people on this list will recommend), it won't use AppArmor and you won't have this problem.
Hope that helps!
openldap-technical@openldap.org
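The reply above points at dmesg(1) for the AppArmor audit messages and at a local profile addition as the proper fix. The script below is an added example (not from the list reply or the OpenLDAP project) that turns those audit lines into the file rules the local profile needs. The dmesg lines embedded in it are constructed to match the `apparmor="DENIED" ... profile="/usr/sbin/slapd" name="..."` format of that era, not copied from the original post. It assumes the Ubuntu profile carries a `#include <local/usr.sbin.slapd>` line (grep for it; if your profile predates the local/ mechanism, append the rules to /etc/apparmor.d/usr.sbin.slapd itself), and it assumes the test directory layout from the question.

```shell
#!/bin/sh
# Added example: derive AppArmor local-profile rules for slapd from its
# DENIED audit messages. Run as-is to see the rules; apply them as root
# with apply_slapd_rules (not called by default).

# Constructed sample of what `dmesg | grep apparmor` shows when the slapd
# profile blocks a config directory under /home. Not real captured output.
SAMPLE_DMESG='[ 1412.309821] type=1400 audit(1380316507.123:45): apparmor="DENIED" operation="open" parent=2101 profile="/usr/sbin/slapd" name="/home/vagrant/slapd/slapd.conf" pid=2102 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
[ 1412.309900] type=1400 audit(1380316507.124:46): apparmor="DENIED" operation="open" parent=2101 profile="/usr/sbin/slapd" name="/home/vagrant/slapd/schema/core.schema" pid=2102 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
[ 1412.310100] type=1400 audit(1380316507.125:47): apparmor="DENIED" operation="mknod" parent=2101 profile="/usr/sbin/slapd" name="/home/vagrant/slapd/data/alock" pid=2102 comm="slapd" requested_mask="c" denied_mask="c" fsuid=0 ouid=1000
[ 1412.400000] type=1400 audit(1380316507.200:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/tmp/x" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# slapd_denials: read audit lines on stdin, print "<path> <denied_mask>" for
# every DENIED event charged to the /usr/sbin/slapd profile. Other profiles
# (the cupsd line above) are ignored.
slapd_denials() {
    sed -n 's/.*apparmor="DENIED".*profile="\/usr\/sbin\/slapd".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p'
}

# denials_to_rules: map "<path> <mask>" pairs to AppArmor file rules.
# A pure read denial becomes "r"; anything involving create/write/lock
# (the alock file a database backend makes) becomes "rwk". Duplicates are
# collapsed so repeated startups do not produce repeated rules.
denials_to_rules() {
    while read -r path mask; do
        case "$mask" in
            r) echo "  $path r,";;
            *) echo "  $path rwk,";;
        esac
    done | sort -u
}

# local_profile_text: wrap the rules in the comment header the local/ file
# conventionally carries. Assumed location: /etc/apparmor.d/local/usr.sbin.slapd.
local_profile_text() {
    echo "# Site-specific additions for usr.sbin.slapd (test-suite config dirs)."
    denials_to_rules
}

# apply_slapd_rules: write the local file and reload the profile. Requires
# root; apparmor_parser -r replaces the loaded profile in the kernel.
apply_slapd_rules() {
    target=/etc/apparmor.d/local/usr.sbin.slapd
    slapd_denials | local_profile_text > "$target"
    apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
}

# Demonstration on the constructed sample (reading real data would be:
#   dmesg | apply_slapd_rules   as root).
printf '%s\n' "$SAMPLE_DMESG" | slapd_denials | local_profile_text
```

Two caveats worth keeping in mind when using this against a real system: the rules are exactly as narrow as the denials seen so far, so run slapd through every config the test suite uses (and look again after each failure) before calling the profile complete; and granting `rwk` on a directory tree under $HOME is acceptable for a throwaway test VM but is not something to do on a host that also serves production data.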