
(ITS#7541) nssov cannot create socket directory



Full_Name: Ryan Steele
Version: 2.4.34
OS: Ubuntu, RedHat
URL: 
Submission from: (NULL) (12.150.6.65)


According to https://github.com/gcp/openldap/blob/master/contrib/slapd-modules/nssov/nssov.c#L808,
nssov tries to create the socket/PID directory /var/run/nslcd if it does not
exist.  However, that mkdir attempt will always fail because slapd runs as a
non-privileged user and the permissions on /var/run are, appropriately,
root:root and 755.  As a result, when a system using slapd+nssov is rebooted,
slapd fails to start and user lookups thusly fail until /var/run/nslcd is
manually created so that slapd can be started.

Traditionally, things in /var/run are created via init scripts, since they run
as root.  Once that is done, privileges can be dropped and the daemon started. 
Given that nssov is a contrib overlay, we could make a separate init script for
nssov that runs before slapd's and creates the appropriate directory in
/var/run.  Alternatively, we could make --with-nslcd-pidfile and
--with-nslcd-socket configurable post-install options instead of being set in
stone at compile time, making it possible to set the PID/socket directory to
something we know will exist and have the right perms, like /var/run/slapd
(i.e., /var/run/slapd/nslcd.socket).
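The init-script approach sketched above, as an added example (this is not OpenLDAP's or the nssov overlay's own code): a small POSIX sh helper that an init script runs while it is still root, creating the socket/PID directory and handing it to the slapd account before privileges are dropped. It also carries a pre-flight check that reproduces the reported failure mode (a non-root process cannot mkdir under a root:root 0755 /var/run) so the script fails with a clear message instead of slapd failing later. The user/group name "openldap" and the function names are assumptions for illustration; the directory /var/run/nslcd is the one named in the report.

```shell
#!/bin/sh
# Added example, not OpenLDAP/nssov code: pre-start helper for an init script.
# Assumed (hypothetical) values: slapd runs as user/group "openldap"; the
# nssov socket/PID directory is /var/run/nslcd as in the report.

NSLCD_RUNDIR="${NSLCD_RUNDIR:-/var/run/nslcd}"
SLAPD_USER="${SLAPD_USER:-openldap}"
SLAPD_GROUP="${SLAPD_GROUP:-openldap}"

# Portable owner lookup: ls -ld output is the same on Linux and BSD,
# whereas stat(1) flags differ between them.
dir_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Pre-flight check for the failure the report describes: can the *current*
# user create "$1"?  Returns 0 if the parent directory is writable (mkdir
# would succeed), 1 otherwise.  Run as the slapd user against /var/run this
# returns 1, which is why the mkdir inside nssov cannot work once slapd has
# dropped privileges.
can_create_dir() {
    parent=$(dirname "$1")
    [ -d "$parent" ] && [ -w "$parent" ]
}

# Create the runtime directory and give it to the slapd account.  Meant to be
# called as root from the init script; when not root (e.g. a dry run) the
# chown is skipped and the directory simply belongs to the invoking user.
# Returns 0 on success, 1 if the directory could not be prepared.
prepare_nslcd_rundir() {
    dir="$1"; user="$2"; group="$3"
    if [ ! -d "$dir" ]; then
        if ! can_create_dir "$dir"; then
            echo "cannot create $dir: parent directory is not writable" >&2
            return 1
        fi
        mkdir "$dir" || return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$dir" || return 1
    fi
    # 0755: slapd (the owner) can create nslcd.socket and nslcd.pid, while
    # NSS clients only need execute permission on the directory to reach
    # the socket.
    chmod 0755 "$dir" || return 1
    return 0
}

# Post-condition check: the directory exists, is owned by the slapd user and
# has mode 0755.  Returns 0 when everything is in order.
rundir_ready_for() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    [ "$(dir_owner "$dir")" = "$user" ] || return 1
    case "$(ls -ld "$dir" | cut -c1-10)" in
        drwxr-xr-x) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when invoked as "sh nslcd-prestart.sh prepare" (e.g. from the
# init script's start action); sourcing the file just defines the functions.
case "${1:-}" in
    prepare)
        prepare_nslcd_rundir "$NSLCD_RUNDIR" "$SLAPD_USER" "$SLAPD_GROUP" \
            && rundir_ready_for "$NSLCD_RUNDIR" "$SLAPD_USER" \
            || exit 1
        ;;
esac
```

In an init script the `prepare` step runs before the `start-stop-daemon`/`su` line that launches slapd as the unprivileged user; on systemd hosts the same function body would go into an `ExecStartPre=` (run as root) or be replaced by a tmpfiles.d entry, which is the modern equivalent of "things in /var/run are created by init, as root".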

It would probably make sense to remove the mkdir-related lines from nssov.c
entirely, since non-privileged users do not have write perms on /var/run.  I
consider this a pretty serious issue, as it prevents the software from working.