[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7541) nssov cannot create socket directory

Full_Name: Ryan Steele
Version: 2.4.34
OS: Ubuntu, RedHat
Submission from: (NULL) (

According to https://github.com/gcp/openldap/blob/master/contrib/slapd-modules/nssov/nssov.c#L808,
nssov tries to create the socket/PID directory /var/run/nslcd if it does not
exist.  However, that mkdir attempt will always fail because slapd runs as a
non-privileged user and the permissions on /var/run are, appropriately,
root:root and 755.  As a result, when a system using slapd+nssov is rebooted,
slapd fails to start and user lookups thusly fail until /var/run/nslcd is
manually created so that slapd can be started.

Traditionally, things in /var/run are created via init scripts, since they run
as root.  Once that is done, privileges can be dropped and the daemon started. 
Given that nssov is a contrib overlay, we could make a separate init script for
nssov that runs before slapd's and creates the appropriate directory in
/var/run.  Alternatively, we could make --with-nslcd-pidfile and
--with-nslcd-socket configurable post-install options instead of being set in
stone at compile time, making it possible to set the PID/socket directory to
something we know will exist and have the right perms, like /var/run/slapd
(i.e., /var/run/slapd/nslcd.socket).

It would probably make sense to remove the mkdir-related lines from nssov.c
entirely, since non-privileged users do not have write perms on /var/run.  I
consider this a pretty serious issue, as it prevents the software from working.