
Re: (ITS#4305) BDB-recovery generates bdb cache files with wrong ownership



Aaron,

I have done what you asked, and indeed: running slapd -u ldap does recover the database correctly!

Having investigated somewhat further in the startup script, I noticed it is the 'slaptest' that is run from 'configtest' in the Fedora start-up scripts that breaks things:

---
function configtest() {
        local user= ldapuid= dbdir= file=
        # Check for simple-but-common errors.
        user=ldap
        prog=`basename ${slapd}`
        ldapuid=`id -u $user`
        # Unaccessible database files.
1 -->   slaptestflags=
        for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | sed s,^directory,,` ; do
                for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" \)` ; do
                        echo -n $"$file is not owned by \"$user\"" ; warning ; echo
                done
                if ! test -s ${dbdir}/id2entry.ddb ; then
                        if ! test -s ${dbdir}/id2entry.gdbm ; then
                                if ! test -s ${dbdir}/id2entry.bdb ; then
2 -->                                     slaptestflags=-u
                                fi
                        fi
                fi
        done
        # Unaccessible keytab with an "ldap" key.
        if checkkeytab $user ldap ; then
                file=${KRB5_KTNAME:-/etc/krb5.keytab}
                echo -n $"$file is not readable by \"$user\"" ; warning ; echo
        fi
        # Unaccessible TLS configuration files.
        tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'`
        for file in $tlsconfigs ; do
                if ! testasuser $user -r $file ; then
                        echo -n $"$file is not readable by \"$user\"" ; warning ; echo
                fi
        done
        # Check the configuration file.
        if ! action $"Checking configuration files for $prog: " $slaptest $slaptestflags ; then
                if $slaptest -u > /dev/null 2> /dev/null ; then
                        dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | awk '{print $2}'`
                        for directory in $dirs ; do
                                if test -r $directory/__db.001 ; then
                                        echo -n $"stale lock files may be present in $directory" ; warning ; echo
                                fi
                        done
                fi
                exit 1
        fi
}
----

If I set "slaptestflags=-u" at location 1, the problem is solved. slapcat no longer opens the database running as user root.

Please close the ITS as it is not OpenLDAP related. Do you guys have some contact @ Fedora who could get this 'configtest' done right?

Yours,
Christiaan den Besten
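The failure mode above (a root-run slaptest opening the BDB environment and leaving root-owned cache files that slapd -u ldap cannot use) can be checked for from the defender's side. The following is an added example, not code from the Fedora init script or from OpenLDAP; it assumes a find(1) that understands -uid and -maxdepth, and the slaptest -f/-u options.

```shell
#!/bin/sh
# Added example, not code from the Fedora init script or from OpenLDAP.
# The BDB backend creates its environment files (__db.*, log.*) with the uid
# of the process that opened the database, so a slaptest run as root leaves
# files that slapd, later running as "-u ldap", can no longer open.
#   find_foreign_db_files DBDIR UID   list BDB files in DBDIR not owned by the
#                                     numeric uid UID; returns 1 if any exist
#   configtest_fixed SLAPD_CONF UID   corrected check: slaptest always gets -u
#                                     (never opens the db), then ownership of
#                                     every 'directory' in slapd.conf is verified
# Assumptions: find with -uid/-maxdepth; slaptest -f CONF -u is available.

find_foreign_db_files() {
    dbdir=$1
    expected_uid=$2
    # Same file classes the Fedora script inspects, plus the BDB environment
    # and transaction log files that recovery creates.
    list=$(find "$dbdir" -maxdepth 1 -type f -not -uid "$expected_uid" \
        \( -name '__db.*' -o -name 'log.*' -o -name '*.bdb' \
           -o -name '*.dbb' -o -name '*.gdbm' \) 2>/dev/null)
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | while read -r f; do
        echo "$f is not owned by uid $expected_uid"
    done
    return 1
}

configtest_fixed() {
    conf=$1
    expected_uid=$2
    # Always pass -u: validating the config must never touch the database
    # while running as root, whether or not id2entry exists yet.
    slaptest -f "$conf" -u >/dev/null 2>&1 || return 1
    status=0
    for dbdir in $(LANG=C sed -n 's/^directory[[:space:]]\{1,\}//p' "$conf"); do
        find_foreign_db_files "$dbdir" "$expected_uid" || status=1
    done
    return $status
}

# Stand-alone demo on a constructed directory; a foreign owner is simulated
# by checking against a uid other than the caller's own.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/__db.001"; : > "$tmp/id2entry.bdb"; : > "$tmp/DB_CONFIG"
    find_foreign_db_files "$tmp" "$(id -u)" && echo "ownership ok for uid $(id -u)"
    find_foreign_db_files "$tmp" "$(( $(id -u) + 1 ))" || echo "mismatch detected"
    rm -rf "$tmp"
}
demo
```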

----- Original Message ----- 
From: "Aaron Richton" <richton@nbcs.rutgers.edu>
To: <openldap-its@openldap.org>; <chris@scorpion.nl>
Sent: Thursday, January 05, 2006 11:02 PM
Subject: Re: (ITS#4305) BDB-recovery generates bdb cache files with wrong ownership


>I can't reproduce this using OpenLDAP software version 2.3.15. I find it
> quite likely that running "service ldap start," which is not OpenLDAP
> software as the OpenLDAP project does not maintain any "service" command,
> is performing recovery without respecting slapd(8) "-u ldap" option.
> Please try the following:
>
> 1. chown all files listed to ldap:ldap, as now that there are files are
> written as root, it's too late for "-u ldap" to matter
> 2. perform the ls -al as in the report to verify the chown
> 3. kill -9 slapd and restart it as "slapd -u ldap -g ldap"
> directly, i.e. not utilizing the "service" command.
> 4. try the "ls -al" again, seeing if the file ownership is root:root or
> ldap:ldap