Bug 8780 - openldap does not drop privileges on startup
Summary: openldap does not drop privileges on startup
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: Normal minor
Assignee: Nick Hadaway
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-10-05 08:11 UTC by Claer
Modified: 2003-04-04 01:25 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Claer 2002-10-05 08:11:56 UTC
OpenLDAP does not drop root privileges to a non-privileged account on startup.

I found the following to solve the "problem":
create a new user ldap and a new group ldap

chmod ldap:ldap /etc/openldap/slapd.conf
chmod ldap:ldap /var/state/openldap/openldap-ldbm

add "-- -u ldap -g ldap" at the end of the starting line in /etc/init.d/slapd


Doing some tests, I managed to lock up the start of slapd:

meletos /var/state/openldap # /etc/init.d/slapd start
 * WARNING:  "slapd" has already been started.
meletos /var/state/openldap # /etc/init.d/slapd stop 
 * Stopping ldap-server...
No /usr/lib/openldap/slapd found running; none killed.                    [ !! ]

But if I execute the start-stop-daemon lines manually it works.
Any help is welcome =)
Comment 1 Nick Hadaway 2002-12-18 21:37:45 UTC
As soon as the ldap user and group are added to the baselayout I will update 
the ebuilds to utilize this feature.  Thanks for the suggestion!
Comment 2 Nick Hadaway 2003-01-01 16:03:48 UTC
I have just added openldap 2.0.27-r1 and 2.1.10 to portage. Both are set up with
init scripts which should drop privileges on startup. Please try either one or
both of these ebuilds and let me know how things work for you or if any
changes are needed.
Comment 3 Claer 2003-01-03 11:39:08 UTC
Hello,

I think you copied/pasted my lines without checking for errors =)

"chmod ldap:ldap" should be read "chown ldap:ldap"

I found this error on lines 100 and 102 of the ebuild.

I also saw that the database directory has changed. Perhaps it would be a good
idea to inform users to move their data to the new place?

There is an error with the starting script too. When you execute:

start-stop-daemon --start --pidfile /var/state/openldap/slapd.pid --exec
/usr/lib/openldap/slapd -- -u ldap -g ldap

as the slapd process drops its privileges, /var/state/openldap/slapd.pid needs to
be owned by ldap:ldap. I suggest using this in the ebuild:

touch /var/state/openldap/slapd.pid 
chown ldap:ldap /var/state/openldap/slapd.pid

Perhaps it would be a good idea to create a /etc/conf.d/slapd file, as we can add
the SSL part of slapd there too. Here is the command line I use to start the SSL
instance and the unencrypted one:

start-stop-daemon --start --quiet --pidfile /var/state/openldap/slapd.pid --exec
/usr/lib/openldap/slapd -- -u ldap -g ldap -h 'ldaps://0.0.0.0/ ldap://0.0.0.0/'

Here are the lines in my slapd.conf file for SSL:

TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/CA/server/server.crt
TLSCertificateKeyFile /etc/openldap/CA/server/server.key

Of course, the certificates must exist beforehand ;-)

Claer
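The failure mode described in the report (slapd drops to ldap:ldap, then cannot read its config, database directory or pid file, so stop reports "none killed") can be caught before starting the daemon. The following pre-start check is an added example, not part of the bug report or the Gentoo ebuild; it assumes a Linux host with GNU stat and the paths quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or the Gentoo ebuild): verify that the
# files slapd needs after dropping to USER:GROUP are owned by that user/group.
# Usage: sh slapd_privcheck.sh ldap ldap /etc/openldap/slapd.conf \
#            /var/state/openldap/openldap-ldbm /var/state/openldap/slapd.pid

# Print "user:group" of a path (assumption: GNU stat on Linux).
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null
}

# Return 0 if every path exists and is owned by USER:GROUP, 1 otherwise.
# Offending paths are listed so the admin knows what to chown (not chmod).
slapd_privcheck() {
    user=$1; group=$2; shift 2
    rc=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path (create it first, e.g. touch the pid file)"
            rc=1
            continue
        fi
        cur=$(owner_of "$path")
        if [ "$cur" != "$user:$group" ]; then
            echo "WRONG    $path is $cur, expected $user:$group (use chown)"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    slapd_privcheck "$@"
fi
```

Run it as root from the init script before start-stop-daemon; a non-zero exit means slapd would fail after the -u/-g privilege drop.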
Comment 4 Nick Hadaway 2003-01-03 11:54:39 UTC
A more flexible init.d script is coming with a conf.d/slapd entry.
I'll post here as I update things.
Comment 5 Nick Hadaway 2003-01-29 18:19:22 UTC
openldap-2.0.27-r2 has been added to portage with a slapd.conf and other suggested updates.  Please let me know if any other changes are required.
Comment 6 John Davis (zhen) (RETIRED) gentoo-dev 2003-04-04 01:21:04 UTC
db fix
Comment 7 John Davis (zhen) (RETIRED) gentoo-dev 2003-04-04 01:25:57 UTC
db fix