OpenLDAP does not drop root privileges to a non-privileged account on startup.

I found the following to solve the "problem":

  create a new user ldap and a new group ldap
  chmod ldap:ldap /etc/openldap/slapd.conf
  chmod ldap:ldap /var/state/openldap/openldap-ldbm
  add "-- -u ldap -g ldap" at the end of the starting line in /etc/init.d/slapd

Doing some tests, I managed to lock the start of slapd:

  meletos /var/state/openldap # /etc/init.d/slapd start
   * WARNING: "slapd" has already been started.
  meletos /var/state/openldap # /etc/init.d/slapd stop
   * Stopping ldap-server...
  No /usr/lib/openldap/slapd found running; none killed. [ !! ]

But if I execute the start-stop-daemon lines manually, it works. Any help is welcome =)
As soon as the ldap user and group are added to the baselayout I will update the ebuilds to utilize this feature. Thanks for the suggestion!
I have just added openldap 2.0.27-r1 and 2.1.10 to portage. Both are set up with init scripts which should drop privileges on startup. Please try either one or both of these ebuilds and let me know how things work for you or if any changes are needed.
Hello,

I think you copied/pasted my lines without checking for errors =)
"chmod ldap:ldap" should be read "chown ldap:ldap". I found this error on lines 100 and 102 of the ebuild.

I also saw that the database directory has changed. Perhaps it would be a good thing to inform users to move their data to the new place?

There is an error with the starting script too. When you execute:

  start-stop-daemon --start --pidfile /var/state/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap

as the slapd process drops its privileges, /var/state/openldap/slapd.pid needs to be owned by ldap:ldap. I suggest using this in the ebuild:

  touch /var/state/openldap/slapd.pid
  chown ldap:ldap /var/state/openldap/slapd.pid

Perhaps it would be a good idea to create a /etc/conf.d/slapd file, as we can add the SSL part of slapd there too. Here is the command line I use to start the SSL instance and the unencrypted one:

  start-stop-daemon --start --quiet --pidfile /var/state/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap -h 'ldaps://0.0.0.0/ ldap://0.0.0.0/'

Here are the lines in my slapd.conf file for SSL:

  TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
  TLSCertificateFile /etc/openldap/CA/server/server.crt
  TLSCertificateKeyFile /etc/openldap/CA/server/server.key

Sure, the certificates must exist beforehand ;-)

Claer
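The two fixes raised in this thread (the pidfile must already belong to the ldap user when slapd, running as that user, writes it; and a /etc/conf.d/slapd file should carry the user, group and URL list instead of hard-coding them in the init script) can be combined into one start routine. The sketch below is an added example, not the Gentoo ebuild's init script and not the poster's code. The SLAPD_* variable names, the perm_for and prepare_pidfile helpers and the paths are assumptions for illustration; the -u, -g and -h flags are slapd's own, as used in the posts above. perm_for checks whether the ldap user, after the privilege drop, can still reach the database directory and config, which is where a root-only permission mistake otherwise surfaces only as a crash after the pidfile has been written.

```shell
#!/bin/sh
# Added example, not the ebuild's own init script. Variable names, helper
# names and paths are assumptions; -u/-g/-h are slapd's real options.

# ---- /etc/conf.d/slapd (constructed sample; the init script sources it) ----
SLAPD_USER=${SLAPD_USER:-ldap}
SLAPD_GROUP=${SLAPD_GROUP:-ldap}
SLAPD_URLS=${SLAPD_URLS:-"ldaps://0.0.0.0/ ldap://0.0.0.0/"}
SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
SLAPD_DBDIR=${SLAPD_DBDIR:-/var/state/openldap/openldap-ldbm}
SLAPD_PIDFILE=${SLAPD_PIDFILE:-/var/state/openldap/slapd.pid}
SLAPD_BIN=${SLAPD_BIN:-/usr/lib/openldap/slapd}

# The exact command the init script runs, printed for logging or for comparing
# with a manual invocation. Single quotes keep the URL list as one -h argument.
slapd_cmdline() {
    printf "start-stop-daemon --start --quiet --pidfile %s --exec %s -- -u %s -g %s -h '%s'\n" \
        "$SLAPD_PIDFILE" "$SLAPD_BIN" "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_URLS"
}

# perm_for FILE USER GROUP BIT: 0 if a process running as USER with primary
# group GROUP has permission BIT (r, w or x) on FILE, judged from the ls -l
# mode/owner/group columns (portable where stat -c/-f is not). Evaluated the
# way the kernel does: the owner class decides for the owner, the group class
# for group members, "other" only for everyone else. Supplementary groups and
# ACLs are ignored, so a miss here is conservative. Root is not special-cased:
# after -u ldap, slapd is not root any more.
perm_for() {
    file=$1; user=$2; group=$3; bit=$4
    line=$(ls -ld "$file" 2>/dev/null) || return 1
    mode=$(echo "$line" | awk '{print $1}')
    owner=$(echo "$line" | awk '{print $3}')
    grp=$(echo "$line" | awk '{print $4}')
    # Columns 2-4 of the mode string are the owner bits, 5-7 group, 8-10 other.
    case $bit in r) off=0 ;; w) off=1 ;; x) off=2 ;; *) return 1 ;; esac
    if [ "$owner" = "$user" ]; then cls=2
    elif [ "$grp" = "$group" ]; then cls=5
    else cls=8
    fi
    [ "$(echo "$mode" | cut -c $((cls + off)))" = "$bit" ]
}

# slapd writes its pidfile after switching to SLAPD_USER, so the file must be
# owned by that user beforehand. Create it, chown it, and verify the result
# instead of trusting chown's exit status alone.
prepare_pidfile() {
    pidfile=$1; user=$2; group=$3
    mkdir -p "$(dirname "$pidfile")" || return 1
    [ -e "$pidfile" ] || : > "$pidfile" || return 1
    chown "$user:$group" "$pidfile" || return 1
    [ "$(ls -ld "$pidfile" | awk '{print $3}')" = "$user" ]
}

start() {
    # Fail early with a useful message rather than letting slapd die with
    # "Permission denied" after it has dropped privileges.
    perm_for "$SLAPD_CONF" "$SLAPD_USER" "$SLAPD_GROUP" r || {
        echo "$SLAPD_CONF is not readable by $SLAPD_USER:$SLAPD_GROUP" >&2; return 1; }
    perm_for "$SLAPD_DBDIR" "$SLAPD_USER" "$SLAPD_GROUP" w || {
        echo "$SLAPD_DBDIR is not writable by $SLAPD_USER:$SLAPD_GROUP" >&2; return 1; }
    prepare_pidfile "$SLAPD_PIDFILE" "$SLAPD_USER" "$SLAPD_GROUP" || {
        echo "cannot hand $SLAPD_PIDFILE to $SLAPD_USER" >&2; return 1; }
    start-stop-daemon --start --quiet --pidfile "$SLAPD_PIDFILE" \
        --exec "$SLAPD_BIN" -- -u "$SLAPD_USER" -g "$SLAPD_GROUP" -h "$SLAPD_URLS"
}
```

One caveat on the TLSCipherSuite line quoted above: "+SSLv2" re-enables SSLv2 ciphers, and SSLv2 has been prohibited since RFC 6176; a current deployment would leave it out of the suite string entirely.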
A more flexible init.d script is coming with a conf.d/slapd entry. I'll post here as I update things.
openldap-2.0.27-r2 has been added to portage with a slapd.conf and other suggested updates. Please let me know if any other changes are required.
db fix